CVE-1999-0977

Solaris - Buffer Overflow via NETMGT_PROC_SERVICE Request

Title source: llm

Exploitation Summary

EIP tracks 5 public exploits for CVE-1999-0977. PoCs published by Optyx, nikolai abromov, Cheez Whiz.

AI-analyzed exploit summary This exploit targets a buffer overflow vulnerability in Solaris sadmin (CVE-1999-0977) to achieve remote code execution. It includes shellcode for both SPARC and x86 architectures and leverages RPC to deliver the payload.

Description

Buffer overflow in Solaris sadmind allows remote attackers to gain root privileges using a NETMGT_PROC_SERVICE request.

Exploits (5)

exploitdb WORKING POC VERIFIED

by Optyx · cremotesolaris

https://www.exploit-db.com/exploits/213

View Code ZIP pw:eip

This exploit targets a buffer overflow vulnerability in Solaris sadmin (CVE-1999-0977) to achieve remote code execution. It includes shellcode for both SPARC and x86 architectures and leverages RPC to deliver the payload.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Solaris sadmin (Solaris 2.6, 2.7)

No auth needed

Prerequisites: Network access to the target system · Vulnerable version of Solaris sadmin running

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

exploitdb WORKING POC VERIFIED

by nikolai abromov · cremotesolaris

https://www.exploit-db.com/exploits/19670

View Code ZIP pw:eip

This exploit targets a buffer overflow vulnerability in Solaris sadmind (CVE-1999-0977) to achieve remote code execution as root. It brute-forces stack pointer addresses for different Solaris versions and architectures (x86/SPARC, 2.6/7.0) to trigger the overflow.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Solaris sadmind (versions 2.6 and 7.0)

No auth needed

Prerequisites: Network access to target's sadmind service (port 1524) · Presence of vulnerable sadmind version

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1068 - Exploitation for Privilege Escalation

devstral-2 · analyzed Feb 16, 2026 Full analysis →

exploitdb WORKING POC VERIFIED

by Cheez Whiz · cremotesolaris

https://www.exploit-db.com/exploits/19672

View Code ZIP pw:eip

This exploit targets a buffer overflow vulnerability in Solaris sadmind (CVE-1999-0977) by sending a maliciously crafted NETMGT_PROC_SERVICE request. It includes shellcode for both SPARC and x86 architectures to achieve remote code execution with root privileges.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Solaris sadmind (versions 2.6 and 7.0 tested)

No auth needed

Prerequisites: Network access to the target's sadmind service (typically port 100232) · Vulnerable version of Solaris with sadmind enabled

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

exploitdb WORKING POC VERIFIED

by Cheez Whiz · cremotesolaris

https://www.exploit-db.com/exploits/19669

View Code ZIP pw:eip

This exploit targets a buffer overflow vulnerability in Solaris sadmind (CVE-1999-0977) to achieve remote code execution as root. It constructs a malicious RPC request with a long domain name to overwrite the stack pointer and execute arbitrary shellcode.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Solaris sadmind (2.6, 7.0)

No auth needed

Prerequisites: Network access to vulnerable sadmind service · Knowledge of target stack pointer value

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

exploitdb WORKING POC VERIFIED

by Cheez Whiz · cremotesolaris

https://www.exploit-db.com/exploits/19668

View Code ZIP pw:eip

This exploit targets a buffer overflow in Solaris sadmind (CVE-1999-0977) via a maliciously crafted NETMGT_PROC_SERVICE request, allowing remote code execution as root. The PoC includes shellcode and detailed instructions for alignment and stack pointer manipulation.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Complex

Reliability

Reliable

Target: Solaris sadmind (2.6, 7.0)

No auth needed

Prerequisites: Network access to vulnerable sadmind service · Correct stack pointer value for target system

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (4)

Core 4

Core References

Vendor Advisory vendor-advisory x_refsource_sun

http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/191

Third Party Advisory, VDB Entry vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/2354

Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb

http://www.osvdb.org/2558

Third Party Advisory, VDB Entry vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/866

Scores

EPSS 0.1263

EPSS Percentile 95.7%

Details

Status published

Products (8)

sun/solaris 2.5

sun/solaris 2.5.1 (2 CPE variants)

sun/solaris 2.6

sun/solaris 7.0

sun/sunos

sun/sunos 5.5

sun/sunos 5.5.1

sun/sunos 5.7

Published Dec 10, 1999

Tracked Since Feb 18, 2026