Metasploit Framework Solaris File Read Methods Crash Vulnerability

漏洞信息

漏洞名称： Metasploit Framework Solaris File Read Methods Crash Vulnerability

漏洞类型： 其他

漏洞等级： 中危

漏洞描述： Metasploit Framework是一款广泛使用的渗透测试工具，它提供了丰富的模块来测试和利用各种安全漏洞。该工具支持多种操作系统，包括Solaris。此次发现的漏洞影响了Metasploit Framework在Solaris系统上的文件读取功能。具体来说，当使用readable?、exists?或read_file方法时，会导致会话崩溃并抛出EOFError错误。这一漏洞的技术根源在于Metasploit Framework在处理Solaris系统上的文件读取操作时，未能正确处理EOF（文件结束）条件，从而导致会话异常终止。虽然这一漏洞不会直接导致远程代码执行或数据泄露，但它会影响渗透测试的连续性和可靠性，特别是在自动化测试场景中。由于需要先获取一个Solaris系统的shell会话才能触发此漏洞，因此其利用条件相对较高。尽管如此，对于依赖Metasploit Framework进行安全测试的专业人士来说，这一漏洞仍然需要关注和修复。

产品厂商： Rapid7

产品名称： Metasploit Framework

来源： https://github.com/rapid7/metasploit-framework/issues/20103

类型： rapid7/metasploit-framework:github issues

来源概述

Get a solaris/x86/shell_reverse_tcp session on Solaris (tested on Solaris 10u2)
Run a module which reads a file, or create a module which uses readable? / exists? / read_file

msf6 post(solaris/gather/enum_packages) > run
[*] 192.168.200.166 - Command shell session 3 closed.
[-] Post failed: EOFError EOFError
[-] Call stack:
[-]   /var/lib/gems/3.3.0/gems/rex-core-0.1.33/lib/rex/io/stream.rb:224:in `get_once'
[-]   /root/Desktop/metasploit-framework/lib/msf/base/sessions/command_shell.rb:668:in `shell_read'
[-]   /root/Desktop/metasploit-framework/lib/msf/core/session/provider/single_command_shell.rb:64:in `block (2 levels) in shell_read_until_token'
[-]   <internal:kernel>:187:in `loop'
[-]   /root/Desktop/metasploit-framework/lib/msf/core/session/provider/single_command_shell.rb:63:in `block in shell_read_until_token'
[-]   /var/lib/gems/3.3.0/gems/timeout-0.4.3/lib/timeout.rb:185:in `block in timeout'
[-]   /var/lib/gems/3.3.0/gems/timeout-0.4.3/lib/timeout.rb:38:in `handle_timeout'
[-]   /var/lib/gems/3.3.0/gems/timeout-0.4.3/lib/timeout.rb:194:in `timeout'
[-]   /root/Desktop/metasploit-framework/lib/msf/core/session/provider/single_command_shell.rb:60:in `shell_read_until_token'
[-]   /root/Desktop/metasploit-framework/lib/msf/core/session/provider/single_command_shell.rb:158:in `shell_command_token_base'
[-]   /root/Desktop/metasploit-framework/lib/msf/core/session/provider/single_command_shell.rb:130:in `shell_command_token_unix'
[-]   /root/Desktop/metasploit-framework/lib/msf/base/sessions/unix_escaping.rb:4:in `shell_command_token'
[-]   /root/Desktop/metasploit-framework/lib/msf/core/post/common.rb:197:in `cmd_exec'
[-]   /root/Desktop/metasploit-framework/lib/msf/core/post/file.rb:313:in `exist?'
[-]   /root/Desktop/metasploit-framework/lib/msf/core/post/file.rb:279:in `readable?'
[-]   /root/Desktop/metasploit-framework/lib/msf/core/post/file.rb:488:in `read_file'
[-]   /root/Desktop/metasploit-framework/lib/msf/core/post/solaris/system.rb:17:in `get_sysinfo'
[-]   /root/Desktop/metasploit-framework/modules/post/solaris/gather/enum_packages.rb:32:in `run'
[*] Post module execution completed

Github Poc

#rapid7/metasploit-framework:github issues #其他

Metasploit Framework Solaris File Read Methods Crash Vulnerability

http://example.com/2025/07/31/github_274689488/

作者

lianccc

发布于

2025年7月31日

许可协议

R7-2019-32 Denial-of-Service Vulnerabilities in Beckhoff TwinCAT PLC Environment 上一篇

WP Alone 主题漏洞下一篇