Metasploit mailing list archives
Version 2.3 Updates - January 22, 2005
From: hdm at metasploit.com (H D Moore)
Date: Sat, 22 Jan 2005 15:27:40 -0600
Hello everyone,

A couple of new Solaris exploits were added today; these are available via msfupdate and the 2.3 snapshot download on the metasploit.com web site. The samba trans2open module still needs some bugs worked out, so if you have a Solaris/SPARC box handy and would like to help, please drop me an email :-)

[ solaris_ttyprompt ]

MC <yo[at]w00tshell.net> contributed this module; it uses the TTYPROMPT authentication flag overwrite to gain an interactive shell on Solaris systems. Another module is in the works that uses the pam_handler_t overwrite to execute arbitrary code as root. A new payload has been added to work with this module (cmd_interact), which is basically a do-nothing payload that attaches a socket to the FindConnection handler.

[ solaris_lpd_exec ]

I finally got time to finish this module last night; it is based on ron1n's 'remorse' exploit code. This module will scan for the correct number of slashes needed to trick the queue name check and then execute arbitrary commands via remorse's sendmail configuration file ninjaness.

-HD