So, I completed day three of Blackhat 2006 today and today was the 1st day of my Advanced Database Hacking class, but it was actually riddled with technical difficulties and issues with the material, so I am going to put off a recap until after class tomorrow in the hope that it will pick up and come through with some good stuff for the last day.
I do, however, own a recap of day 2, which was the final day of “Ultimate Hacking” put on by Foundstone. Day two covered Unix-based exploits and involved some really good tools and techniques. While in general it is harder to hack than Windows, because it can be locked down better, I was surprised by how many useful techniques can be employed to enumerate and attack Unix-based hosts.
The gem of the day I am going to share with you is a tool that exploits the ‘sadmind’ utility in Solaris to remotely gain root access on any version of Solaris 9 and below. The “feature” was labeled as such by Solaris, so it was not patched for some time, as they insisted that the functionality was desirable; in most Solaris installs it has not been unconfigured, since it takes a fairly security-conscious admin to know how to fix the flaw.
The tool is a script called ‘rootdown.pl’ and can be downloaded from Metasploit here. To execute it on a remote host and initiate an interactive session, issue the following command:
perl -w rootdown.pl -h -i
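On the admin's side, whether a host is exposed comes down to how sadmind is registered with inetd. The following is an added example, not part of the original post or the Metasploit script: a small audit function that classifies the sadmind entry in an inetd.conf-style file. It assumes sadmind is started from inetd and that "-S 2" selects its stronger authentication level; the sample lines are constructed.

```shell
#!/bin/sh
# Added example: classify the sadmind entry in an inetd.conf-style file.
# Prints one of: absent | disabled | weak | strong
# Assumptions: sadmind is launched by inetd, and "-S 2" raises it from the
# default authentication level to the stronger one.
audit_sadmind() {
    conf=${1:-/etc/inetd.conf}
    [ -r "$conf" ] || { echo "unreadable"; return 2; }
    awk '
        /sadmind/ {
            seen = 1
            if ($0 ~ /^[ \t]*#/) next        # commented out: not served
            # look for "-S 2" (with or without a space) among the arguments
            if ($0 ~ /-S[ \t]*2([ \t]|$)/) strong = 1
            else weak = 1
        }
        END {
            if (weak)        print "weak"      # enabled at default level
            else if (strong) print "strong"    # enabled with -S 2
            else if (seen)   print "disabled"  # present but commented out
            else             print "absent"    # no sadmind entry at all
        }' "$conf"
}

# Constructed sample: an inetd.conf with sadmind enabled at its default level.
sample_conf() {
    cat <<'EOF'
# constructed sample inetd.conf
ftp     stream  tcp6    nowait  root    /usr/sbin/in.ftpd       in.ftpd
100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind
EOF
}

# Demo on the constructed sample; on a real host run: audit_sadmind /etc/inetd.conf
demo_file=$(mktemp)
sample_conf > "$demo_file"
echo "sadmind status: $(audit_sadmind "$demo_file")"
rm -f "$demo_file"
```

A result of "weak" means the entry should be commented out (followed by an inetd reload) or given "-S 2" if the service is actually needed.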