Metasploit mailing list archives

Version 2.3 Updates - January 22, 2005


From: hdm at metasploit.com (H D Moore)
Date: Sat, 22 Jan 2005 15:27:40 -0600

Hello everyone,

A couple of new Solaris exploits were added today; these are available via 
msfupdate and the 2.3 snapshot download on the metasploit.com web site. 
The samba trans2open module still needs some bugs worked out; if you have 
a Solaris/SPARC box handy and would like to help, please drop me an 
email :-)


[ solaris_ttyprompt ]

MC <yo[at]w00tshell.net> contributed this module; it uses the TTYPROMPT 
authentication flag overwrite to gain an interactive shell on Solaris 
systems. Another module is in the works that uses the pam_handler_t 
overwrite to execute arbitrary code as root. A new payload has been added 
to work with this module (cmd_interact), which is basically a do-nothing 
payload that attaches a socket to the FindConnection handler.


[ solaris_lpd_exec ]

I finally got time to finish this module last night; it is based on 
ron1n's 'remorse' exploit code. This module will scan for the correct 
number of slashes needed to trick the queue name check and then execute 
arbitrary commands via remorse's sendmail configuration file ninjaness.

-HD
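The lpd note above hinges on queue names carrying slashes past a check that expects a plain printer name. As an added example that is not part of HD's post or of the Metasploit module, here is a defensive RFC 1179 request parser that decodes the first line of a captured LPD request and flags queue names containing path separators, parent-directory references or shell metacharacters. The sample requests in SAMPLE_REQUESTS are constructed for this example.

```python
"""Defensive parser for the first line of an LPD (RFC 1179) request.

Added example, not Metasploit code. It decodes the command byte and
operands of a captured LPD request and flags queue names that a stock
lpd queue-name check should never see. Sample requests are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# RFC 1179 section 5: the first byte of a request selects the command;
# the operands follow, separated by spaces, and the line ends with LF.
LPD_COMMANDS = {
    0x01: "print-any-waiting-jobs",
    0x02: "receive-printer-job",
    0x03: "send-queue-state-short",
    0x04: "send-queue-state-long",
    0x05: "remove-jobs",
}


@dataclass
class LpdRequest:
    command: int
    queue: str
    operands: List[str]

    @property
    def name(self) -> str:
        return LPD_COMMANDS.get(self.command, "unknown")


def parse_lpd_request(data: bytes) -> Optional[LpdRequest]:
    """Parse the first request line; return None if it is not LPD."""
    if not data or data[0] not in LPD_COMMANDS:
        return None
    line = data.split(b"\n", 1)[0]           # command line ends with LF
    fields = line[1:].decode("latin-1").split(" ")
    return LpdRequest(data[0], fields[0], fields[1:])


def suspicious_queue_name(queue: str) -> List[str]:
    """Return the reasons a queue name looks like it is probing a check."""
    reasons = []
    if "/" in queue:
        reasons.append(f"path separator in queue name ({queue.count('/')} slashes)")
    if ".." in queue:
        reasons.append("parent-directory reference")
    if any(c in queue for c in ";|`$"):
        reasons.append("shell metacharacter")
    if len(queue) > 64:
        reasons.append("unusually long queue name")
    return reasons


def audit(requests: List[bytes]) -> List[Tuple[str, str, List[str]]]:
    """Run the queue-name check over raw requests; return (command, queue, reasons)."""
    findings = []
    for raw in requests:
        req = parse_lpd_request(raw)
        if req is None:
            continue                          # not LPD, e.g. HTTP hitting port 515
        reasons = suspicious_queue_name(req.queue)
        if reasons:
            findings.append((req.name, req.queue, reasons))
    return findings


# Constructed sample traffic: three benign requests, one probe, one non-LPD line.
SAMPLE_REQUESTS = [
    b"\x02lp\n",                          # receive a job for queue "lp"
    b"\x03lp\n",                          # short queue status
    b"\x05lp root alice 17\n",            # remove job 17 as agent root for alice
    b"\x02////lp/../../../../tmp\n",      # constructed slash-laden queue name
    b"GET / HTTP/1.0\r\n",                # not LPD at all
]

if __name__ == "__main__":
    for command, queue, reasons in audit(SAMPLE_REQUESTS):
        print(f"{command}: queue={queue!r}: {'; '.join(reasons)}")
```

The check is deliberately coarse: a legitimate queue name is a bare printer name, so any slash is worth a log line, and the slash count is reported because a scan for the "correct number of slashes" shows up as a run of requests that differ only in that count.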


