
CVE-2020-14871 PoC — Oracle Solaris buffer error vulnerability

Associated Vulnerability
Title: Oracle Solaris buffer error vulnerability (CVE-2020-14871)
Description: Vulnerability in the Oracle Solaris product of Oracle Systems (component: Pluggable authentication module). Supported versions that are affected are 10 and 11. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Solaris. While the vulnerability is in Oracle Solaris, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle Solaris. Note: This CVE is not exploitable for Solaris 11.1 and later releases, and ZFSSA 8.7 and later releases, thus the CVSS Base Score is 0.0. CVSS 3.1 Base Score 10.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).
Description
This is a basic ROP-based exploit for CVE-2020-14871, a stack-based buffer overflow in the Solaris libpam library that is reachable remotely over SSH.
Readme
# CVE 2020-14871 Solaris exploit

This is a basic ROP-based exploit for CVE-2020-14871. CVE-2020-14871 is a vulnerability in Sun Solaris systems.
The actual vulnerability is a classic stack-based buffer overflow located in the PAM parse_user_name function.
It can be reached by manipulating SSH client settings to force Keyboard-Interactive authentication, which makes
the server prompt for the username; an attacker can then pass unlimited input to the PAM parse_user_name function.
At 512 bytes the username buffer overflows. The bug was discovered in the wild as part of a compromise assessment
performed by Mandiant, where it was used as the initial exploit to gain entry to a system.

More info here:
https://www.mandiant.com/resources/critical-buffer-overflow-vulnerability-in-solaris-can-allow-remote-takeover
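To make the bug class concrete, here is an added C illustration (not the PoC's code and not the Solaris libpam source): a simplified model of a parse_user_name-style copy that stops only at whitespace, next to a bounded version that refuses oversized input. The 512-byte buffer size is taken from the README; the exact parsing shape (skip leading blanks, copy one whitespace-delimited token) is an assumption made for the example. The vulnerable function is only ever called with a short name here, since calling it with a long one would smash the stack.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed from the README: the stack buffer for the username is 512 bytes. */
#define USERNAME_BUF_SIZE 512

/* Length of the first whitespace-delimited token after leading blanks. */
size_t first_token_length(const char *input)
{
    const char *p = input;
    size_t n = 0;
    while (*p == ' ' || *p == '\t')
        p++;
    while (*p != '\0' && *p != ' ' && *p != '\t') {
        n++;
        p++;
    }
    return n;
}

/* Vulnerable pattern (modelled, not the real Solaris code): the copy loop
 * terminates on whitespace or NUL but never on the destination size, so a
 * token of USERNAME_BUF_SIZE bytes or more runs off the end of 'username'
 * into the saved registers and return address of this frame, which is what
 * a ROP chain overwrites. */
int parse_user_name_vulnerable(const char *input, char *out, size_t outlen)
{
    char username[USERNAME_BUF_SIZE];
    const char *p = input;
    size_t i = 0;
    while (*p == ' ' || *p == '\t')
        p++;
    while (*p != '\0' && *p != ' ' && *p != '\t')
        username[i++] = *p++;          /* no check against sizeof(username) */
    username[i] = '\0';
    if (i + 1 > outlen)
        return -1;
    memcpy(out, username, i + 1);
    return 0;
}

/* Hardened version: refuse any token that would not fit with its NUL. */
int parse_user_name_fixed(const char *input, char *out, size_t outlen)
{
    char username[USERNAME_BUF_SIZE];
    const char *p = input;
    size_t i = 0;
    while (*p == ' ' || *p == '\t')
        p++;
    while (*p != '\0' && *p != ' ' && *p != '\t') {
        if (i >= sizeof(username) - 1)
            return -1;                 /* too long: reject instead of overflowing */
        username[i++] = *p++;
    }
    username[i] = '\0';
    if (i + 1 > outlen)
        return -1;
    memcpy(out, username, i + 1);
    return 0;
}

/* Cheap pre-check a caller (or a detection rule on the prompt reply) can
 * apply: any token of 512 bytes or more would overflow the modelled buffer. */
int would_overflow(const char *input)
{
    return first_token_length(input) >= USERNAME_BUF_SIZE;
}

/* Constructed input: a 'username' of len 'A' bytes, caller frees it. */
char *make_long_username(size_t len)
{
    char *s = malloc(len + 1);
    if (s == NULL)
        return NULL;
    memset(s, 'A', len);
    s[len] = '\0';
    return s;
}

int main(void)
{
    char out[USERNAME_BUF_SIZE];
    char *attack = make_long_username(600);   /* constructed oversized reply */

    if (parse_user_name_fixed("  alice  ", out, sizeof out) == 0)
        printf("fixed parser accepted: '%s'\n", out);
    printf("600-byte token would overflow the 512-byte buffer: %s\n",
           would_overflow(attack) ? "yes" : "no");
    printf("fixed parser on 600-byte token returns %d\n",
           parse_user_name_fixed(attack, out, sizeof out));
    free(attack);
    return 0;
}
```

The boundary is the interesting part: a 511-byte token is the longest the fixed parser accepts, and 512 is already rejected, whereas the modelled vulnerable copy would write the 513th byte (the NUL) past the buffer.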

This version was developed using sun-solaris 10 on VMware, and tested on a bare-metal production machine. The
location on the stack may vary based on the version of libpam. This version worked for me. You may have success by
spraying the base address, as crashing the exploited ssh process is without consequence.

The exploit will execute shell commands on the system. In the version provided, it will create a Python-based
reverse shell and execute it with 'disown'.

