## https://sploitus.com/exploit?id=DD6340FF-4AAD-5685-8CAD-AF44A280C9D1
# LPD Server โ Shell Injection Exploit (RFC 1179)
## Disclaimer
THIS SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
THE AUTHOR TAKES NO RESPONSIBILITY FOR ANY DAMAGE OR HARM CAUSED BY THE USE
OF THIS PROOF-OF-CONCEPT CODE.
THIS EXPLOIT WAS CREATED EXCLUSIVELY FOR CAPTURE THE FLAG (CTF) PURPOSES
TARGETING THE "CORPORATE DIGITAL ARCHIVING SOLUTIONS v1.02" CTF PSEUDO MACHINE.
DO NOT USE THIS CODE AGAINST ANY SYSTEM FOR WHICH YOU DO NOT HAVE EXPLICIT
WRITTEN AUTHORIZATION. UNAUTHORIZED ACCESS TO COMPUTER SYSTEMS IS ILLEGAL.
---
## Overview
This is a proof-of-concept exploit for a Remote Code Execution (RCE) vulnerability
in a Python-based LPD (Line Printer Daemon) server that implements a simplified
version of the RFC 1179 protocol.
The vulnerability exists in the server's use of `subprocess.Popen(shell=True)`
with unsanitized user input derived from the LPD control file's `J` (job name)
field. By injecting shell metacharacters into the job name, an attacker can
break out of the enclosing quotes and execute arbitrary operating system commands
on the target host.
Additionally, the remote server enforces a lightweight "legacy intake processor"
validation requiring the job name to begin with a valid archival identifier.
This exploit prepends a configurable identifier to satisfy that check before
delivering the injection payload.
---
## Vulnerability Details
**Affected Software:** Corporate Digital Archiving Solutions v1.02
**Vulnerability Type:** CWE-78 โ Improper Neutralization of Special Elements
used in an OS Command (OS Command Injection)
**Vulnerable Code:**
```python
subprocess.Popen(f"echo 'Archive: {job_name}' >> /tmp/archive.log", shell=True)
```
## Usage
1. On your attacking machine: `nc -lvnp 443`
2. `python3 poc.py RHOST -q TARGET_QUEUE -c 'COMMAND'`