CVE 2020-14871 Solaris exploit
This is a basic ROP based exploit for CVE 2020-14871. CVE 2020-14871 is a vulnerability in Sun Solaris systems. The actual vulnerability is a classic stack-based buffer overflow located in the PAM parse_user_name function. It can be reached by manipulating SSH client settings to force Keyboard-Interactive authentication to prompt for the username, an attacker can then pass unlimited input to the PAM parse_user_name function. At 512 bytes the username buffer will overflow. It was discovered in the wild as part of a compromise assesment performed by mandiant, where it was used as the initial exploit to gain entry to a system.
More info here: https://www.mandiant.com/resources/critical-buffer-overflow-vulnerability-in-solaris-can-allow-remote-takeover
This version was developed using sun-solaris 10 on VMWare, and tested on a bare-metal production machine. The location on stack may vary based on versions of libpam. This version worked for me. You may have success by spraying the base address, as crashing the exploited ssh process is without consequence.
The exploit will execute shell commands on the system. In the version provided, it will create a python based reverse shell and execute it with 'disown'.
4 Jun 05, 2022
9.8k Dec 31, 2022
16 Dec 18, 2022
20 Nov 30, 2022
16 Dec 08, 2022
1 Nov 12, 2021
10 Dec 06, 2022
157 Nov 24, 2022
1 Dec 31, 2021
43 Dec 23, 2022
170 Dec 11, 2022
1 May 06, 2022
25 Nov 10, 2022
23 Nov 17, 2022
1 Jun 21, 2022
130 Dec 17, 2022
31 Oct 21, 2022
38 Aug 09, 2022
8 Jan 03, 2023
220 Dec 14, 2022