
CVE-2020-14871 PoC: Oracle Solaris buffer error vulnerability

Related vulnerability
Title: Oracle Solaris buffer error vulnerability (CVE-2020-14871)
Description: Oracle Solaris is a UNIX operating system from Oracle Corporation (USA). The Pluggable Authentication Module component of Oracle Solaris versions 10 and 11 contains a security vulnerability that allows an unauthenticated attacker with network access over multiple protocols to compromise Oracle Solaris. Although the vulnerability lies in Oracle Solaris, attacks may significantly affect other products.
Description
This is a basic ROP-based exploit for CVE-2020-14871, a vulnerability in the libpam library of Sun Solaris systems that is exploitable over SSH.
Introduction
# CVE 2020-14871 Solaris exploit

This is a basic ROP-based exploit for CVE-2020-14871, a vulnerability in Sun Solaris systems.
The actual vulnerability is a classic stack-based buffer overflow in the PAM parse_user_name function.
It is reachable by manipulating SSH client settings to force Keyboard-Interactive authentication to prompt
for the username; an attacker can then pass unlimited input to parse_user_name, and at 512 bytes
the username buffer overflows. The vulnerability was discovered in the wild during a compromise assessment performed
by Mandiant, where it had been used as the initial exploit to gain entry to a system.

More info here:
https://www.mandiant.com/resources/critical-buffer-overflow-vulnerability-in-solaris-can-allow-remote-takeover

This version was developed using Sun Solaris 10 on VMware and tested on a bare-metal production machine. The
location on the stack may vary between versions of libpam. This version worked for me. You may have success by
spraying the base address, as crashing the exploited ssh process is without consequence.

The exploit executes shell commands on the system. In the version provided, it creates a Python-based
reverse shell and launches it with 'disown'.


File snapshot

[4.0K] /data/pocs/8cdf6919c2ce978aec8768987e789a200e0d9325
├── [4.2K] CVE2020-14871.py
└── [1.2K] README.md
0 directories, 2 files
Cached for you by the Shenlong bot.
Notes
    1. It is recommended to access the PoC through the original source first.
    2. If the source has disappeared or cannot be reached, send an email to f.jinxu#gmail.com to request the local snapshot (replace # with @).
    3. Shenlong has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for or donating towards the local POC. Thank you for your support.