PRET – Printer Exploitation Toolkit

PRET is a new tool for printer security testing developed in the scope of a Master’s Thesis at Ruhr University Bochum. It connects to a device via network or USB and exploits the features of a given printer language. Currently PostScript, PJL and PCL are supported, which are spoken by most laser printers. This allows cool stuff like capturing or manipulating print jobs, accessing the printer’s file system and memory or even causing physical damage to the device. All attacks are documented in detail in the Hacking Printers Wiki.

The main idea of PRET is to facilitate the communication between the end-user and the printer. Thus, after entering a UNIX-like command, PRET translates it to PostScript, PJL or PCL, sends it to the printer, evaluates the result and translates it back to a user-friendly format. PRET offers a whole bunch of commands useful for printer attacks and fuzzing.

Installation

PRET only requires a Python2 interpreter. For colored output and SNMP support however, third party modules need to be installed:

```
# pip install colorama pysnmp
```

If running on a Windows console and Unicode characters are not displayed correctly, install the win_unicode_console module:

```
# pip install win_unicode_console
```

For experimental, ‘driverless’ printing (see print command), ImageMagick and GhostScript need to be installed:

```
# apt-get install imagemagick ghostscript
```

Usage

```
usage: pret.py [-h] [-s] [-q] [-d] [-i file] [-o file] target {ps,pjl,pcl}

positional arguments:
  target                printer device or hostname
  {ps,pjl,pcl}          printing language to abuse

optional arguments:
  -h, --help            show this help message and exit
  -s, --safe            verify if language is supported
  -q, --quiet           suppress warnings and chit-chat
  -d, --debug           enter debug mode (show traffic)
  -i file, --load file  load and run commands from file
  -o file, --log file   log raw data sent to the target
```

Example usage:

```
$ ./pret.py laserjet.lan ps
$ ./pret.py /dev/usb/lp0 pjl
```

Positional Arguments:

PRET requires a valid target and a printer language as arguments.
The target can either be the IP address/hostname of a network printer (with port 9100/tcp open) or a device like /dev/usb/lp0 for a local USB printer. To quickly discover all network printers in your subnet using SNMP broadcast, simply run PRET without arguments:

```
./pret.py
No target given, discovering local printers

address            device                   uptime    status
──────────────────────────────────────────────────────────────────
192.168.1.5        hp LaserJet 4250         10:21:49  Ready
192.168.1.11       HP LaserJet M3027 MFP    13 days   Paper jam
192.168.1.27       Lexmark X792             153 days  Ready
192.168.1.28       Brother MFC-7860DW       16:31:17  Sleep mode
```

The printer language to be abused must be one of ps, pjl or pcl. Not all languages are supported by every printer, so you may want to switch languages if you don’t receive any feedback. Each printer language is mapped to a different set of PRET commands and has different capabilities to exploit.

Optional Arguments:

--safe tries to check via IPP, HTTP and SNMP if the selected printing language (PS/PJL/PCL) is actually supported by the device before connecting. On non-networked printers (USB, parallel cable) this test will fail.

--quiet suppresses printer model determination, intro message and some other chit-chat.

--debug shows the datastream actually sent to the device and the feedback received. Note that header data and other overhead is filtered. To see the whole traffic, use Wireshark. Debugging can also be switched on/off within a PRET session using the debug command.

--load filename reads and executes PRET commands from a text file. This is useful for automation. Command files can also be invoked later within a PRET session via the load command.

--log filename writes a copy of the raw datastream sent to the printer into a file.
This can be useful to build a malicious print job file which can be deployed on another printer not directly reachable, for example by printing it from USB drive.

Generic Commands

After connecting to a printer device, you will see the PRET shell and can execute various commands:

```
$ ./pret.py laserjet.lan pjl
[ASCII art banner: PRET | Printer Exploitation Toolkit v0.25 | by Jens Mueller
 「 cause your device can be more fun than paper jams 」 (ASCII art by Jan Foerster)]
Connection to laserjet.lan established
Device:  hp LaserJet 4250

Welcome to the pret shell. Type help or ? to list commands.
laserjet.lan:/> help

Available commands (type help <topic>):
=======================================
append  debug    edit    free  id    ls       open      restart   timeout
cat     delete   env     fuzz  info  mirror   printenv  selftest  touch
cd      df       exit    get   load  mkdir    put       set       traversal
chvol   disable  find    help  lock  nvram    pwd       site      unlock
close   display  format  hold  loop  offline  reset     status    version

laserjet.lan:/> ls ../../
-      834   .profile
d        -   bin
d        -   dev
d        -   etc
d        -   hp
d        -   hpmnt
-     1276   init
d        -   lib
d        -   pipe
d        -   tmp
laserjet.lan:/> exit
```

A list of generic PRET commands is given below:

```
help      List available commands or get detailed help with 'help cmd'.
debug     Enter debug mode. Use 'hex' for hexdump: debug [hex]
load      Run commands from file: load cmd.txt
loop      Run command for multiple arguments: loop <cmd> <arg1> <arg2> …
open      Connect to remote device: open <target>
close     Disconnect from device.
timeout   Set connection timeout: timeout <seconds>
discover  Discover local printer devices via SNMP.
print     Print image file or raw text: print <file>|"text"
site      Execute custom command on printer: site <command>
exit      Exit the interpreter.
```

Generic file system operations with a PS/PJL/PCL specific implementation are:

```
┌───────────┬─────┬─────┬─────┬────────────────────────────────────────┐
│ Command   │ PS  │ PJL │ PCL │ Description                            │
├───────────┼─────┼─────┼─────┼────────────────────────────────────────┤
│ ls        │  ✓  │  ✓  │  ✓  │ List contents of remote directory.     │
│ get       │  ✓  │  ✓  │  ✓  │ Receive file: get <file>               │
│ put       │  ✓  │  ✓  │  ✓  │ Send file: put <local file>            │
│ append    │  ✓  │  ✓  │     │ Append to file: append <file> <str>    │
│ delete    │  ✓  │  ✓  │  ✓  │ Delete remote file: delete <file>      │
│ rename    │  ✓  │     │     │ Rename remote file: rename <old> <new> │
│ find      │  ✓  │  ✓  │     │ Recursively list directory contents.   │
│ mirror    │  ✓  │  ✓  │     │ Mirror remote filesystem to local dir. │
│ cat       │  ✓  │  ✓  │  ✓  │ Output remote file to stdout.          │
│ edit      │  ✓  │  ✓  │  ✓  │ Edit remote files with vim.            │
│ touch     │  ✓  │  ✓  │     │ Update file timestamps: touch <file>   │
│ mkdir     │  ✓  │  ✓  │     │ Create remote directory: mkdir <path>  │
├───────────┼─────┼─────┼─────┼────────────────────────────────────────┤
│ cd        │  ✓  │  ✓  │     │ Change remote working directory.       │
│ pwd       │  ✓  │  ✓  │     │ Show working directory on device.      │
│ chvol     │  ✓  │  ✓  │     │ Change remote volume: chvol <volume>   │
│ traversal │  ✓  │  ✓  │     │ Set path traversal: traversal <path>   │
├───────────┼─────┼─────┼─────┼────────────────────────────────────────┤
│ format    │  ✓  │  ✓  │     │ Initialize printer's file system.      │
│ fuzz      │  ✓  │  ✓  │     │ File system fuzzing: fuzz <category>   │
├─ ─ ─ ─ ─ ─┴─ ─ ─┴─ ─ ─┴─ ─ ─┴─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ┤
│   path   - Explore fs structure with path traversal strategies.      │
│   write  - First put/append file, then check for its existence.      │
│   blind  - Read-only tests for existing files like /etc/passwd.      │
├───────────┬─────┬─────┬─────┬────────────────────────────────────────┤
│ df        │  ✓  │  ✓  │     │ Show volume information.               │
│ free      │  ✓  │  ✓  │  ✓  │ Show available memory.                 │
└───────────┴─────┴─────┴─────┴────────────────────────────────────────┘
```

Commands in PS mode

```
id         Show device information.
version    Show PostScript interpreter version.
devices    Show available I/O devices.
uptime     Show system uptime (might be random).
date       Show printer's system date and time.
pagecount  Show printer's page counter.
lock       Set startjob and system parameters password.
unlock     Unset startjob and system parameters password.
restart    Restart PostScript interpreter.
reset      Reset PostScript settings to factory defaults.
disable    Disable printing functionality.
destroy    Cause physical damage to printer's NVRAM.
hang       Execute PostScript infinite loop.
overlay    Put overlay eps file on all hardcopies: overlay <file.eps>
cross      Put printer graffiti on all hardcopies: cross <font> <text>
replace    Replace string in documents to be printed: replace <old> <new>
capture    Capture further jobs to be printed on this device.
hold       Enable job retention.
set        Set key to value in topmost dictionary: set <key=value>
known      List supported PostScript operators: known <operator>
search     Search all dictionaries by key: search <key>
dicts      Return a list of dictionaries and their permissions.
resource   List or dump PostScript resource: resource <category> [dump]
dump       Dump dictionary: dump <dict>
             Dictionaries: - systemdict - statusdict - userdict - globaldict
             - serverdict - errordict - internaldict - currentsystemparams
             - currentuserparams - currentpagedevice
config     Change printer settings: config <setting>
             duplex      - Set duplex printing.
             copies #    - Set number of copies.
             economode   - Set economic mode.
             negative    - Set negative print.
             mirror      - Set mirror inversion.
```

Not all commands are supported by every printer.
Especially Brother and Kyocera devices use their own PostScript clones, Br-Script and KPDL, instead of licensing original ‘Adobe PostScript’. Such flavours of the PostScript language may not be 100% compatible, especially concerning security sensitive features like capturing print jobs. Access to the file system is supported by most printers, however usually limited to a certain, sandboxed directory.

Commands in PJL mode

```
id         Show device information.
status     Enable status messages.
version    Show firmware version or serial number (from 'info config').
pagecount  Manipulate printer's page counter: pagecount <number>
printenv   Show printer environment variable: printenv <VAR>
env        Show environment variables (alias for 'info variables').
set        Set printer environment variable: set <VAR=VALUE>
display    Set printer's display message: display <message>
offline    Take printer offline and display message: offline <message>
restart    Restart printer.
reset      Reset to factory defaults.
selftest   Perform various printer self-tests.
disable    Disable printing functionality.
destroy    Cause physical damage to printer's NVRAM.
flood      Flood user input, may reveal buffer overflows.
lock       Lock control panel settings and disk write access.
unlock     Unlock control panel settings and disk write access.
hold       Enable job retention.
nvram      NVRAM operations: nvram <operation>
             nvram dump [all]         - Dump (all) NVRAM to local file.
             nvram read addr          - Read single byte from address.
             nvram write addr value   - Write single byte to address.
info       Show information: info <category>
             info config      - Provides configuration information.
             info filesys     - Returns PJL file system information.
             info id          - Provides the printer model number.
             info memory      - Identifies amount of memory available.
             info pagecount   - Returns the number of pages printed.
             info status      - Provides the current printer status.
             info ustatus     - Lists the unsolicited status variables.
             info variables   - Lists printer's environment variables.
```

Some commands are supported exclusively by HP printers, because other vendors have only implemented a subset of the PJL standard. This is especially true for PML based commands like restart or reset. Enabling long-term job retention via the hold command seems to be possible for some Epson devices only. NVRAM access via the nvram command is a proprietary feature of Brother printers. Limited access to the file system is supported by various HP, OKI, Konica, Xerox, Epson and Ricoh devices.

Commands in PCL mode

```
selftest   Perform printer self-test.
info       Show information: info <category>
             info fonts      - Show installed fonts.
             info macros     - Show installed macros.
             info patterns   - Show user-defined patterns.
             info symbols    - Show symbol sets.
             info extended   - Show extended fonts.
```

PCL is a very limited page description language without access to the file system. The get/put/ls commands therefore use a virtual file system based on PCL macros, implemented mostly for the hack value. This proof-of-concept shows that even a device which supports only minimalist languages like PCL can be used to store arbitrary files like copyright infringing material.
Although such a file sharing service is not a security vulnerability per se, it might apply as ‘misuse of service’ depending on the corporate policy.

File Listing

```
pret.py          - Executable main program
capabilities.py  - Routines to check for printer language support
discovery.py     - Routines to list printers using SNMP broadcast
printer.py       - Generic code to describe a printing device
postscript.py    - PS specific code (inherits from class printer)
pjl.py           - PJL specific code (inherits from class printer)
pcl.py           - PCL specific code (inherits from class printer)
helper.py        - Help functions for output, logging, sockets, etc.
codebook.py      - Static table of PJL status/error codes
fuzzer.py        - Constants for file system fuzzing
mibs/*           - Printer specific SNMP MIBs
db/*             - database of supported models
lpd/*            - Scripts for LPD fuzzing
```

Getting Started

Given the features and various proprietary extensions in printing languages like PostScript and PJL, conducting a pentest on printers is not a trivial job. PRET can help to assist and verify known issues in the language. Once you have played around with the tool, you may want to perform a systematic printer security analysis. A good starting point is the Printer Security Testing Cheat Sheet.

Download PRET

Link: http://feedproxy.google.com/~r/PentestTools/~3/EzK8p-r9y-E/pret-printer-exploitation-toolkit.html
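An added example that is not part of PRET: a defender-side scanner over a raw job datastream of the kind the --log option writes (or a capture of port 9100 traffic), flagging the PJL and PostScript keywords behind the command classes listed above. The keywords are standard PJL/PostScript tokens; the labels, severities and the sample job are this example's own construction.

```python
import re

# Constructed sample: a raw datastream as PRET's --log would write it.
# Universal Exit Language (ESC%-12345X) brackets the PJL, then the job
# switches to PostScript. Not real captured traffic.
SAMPLE_JOB = (
    "\x1b%-12345X@PJL\r\n"
    "@PJL INFO ID\r\n"
    "@PJL FSDIRLIST NAME=\"0:\\\" ENTRY=1 COUNT=65535\r\n"
    "@PJL RDYMSG DISPLAY=\"hello\"\r\n"
    "@PJL ENTER LANGUAGE=POSTSCRIPT\r\n"
    "%!PS\r\n"
    "true 0 startjob\r\n"
    "/showpage { } bind def\r\n"
    "\x1b%-12345X"
)

# (regex, label, severity) applied to one line of job data. The PJL and
# PostScript keywords are standard language tokens; labels and severities
# are this example's own, grouped after PRET's command classes.
SIGNATURES = [
    (r"@PJL\s+FS(DIRLIST|QUERY|UPLOAD|DOWNLOAD|APPEND|DELETE|MKDIR|INIT)\b",
     "pjl-filesystem", 3),                         # ls/get/put/delete/format
    (r"@PJL\s+(RDYMSG|OPMSG|STMSG)\s+DISPLAY\b", "pjl-display", 2),  # display/offline
    (r"@PJL\s+(DMCMD|DMINFO)\b", "pjl-pml", 3),     # PML via PJL: restart/reset class
    (r"@PJL\s+(DEFAULT|SET)\b", "pjl-env", 1),      # set/env
    (r"@PJL\s+INFO\b", "pjl-info", 1),              # id/info
    (r"\b(exitserver|startjob)\b", "ps-persistent", 3),  # leaves the server loop
    (r"\bsetsystemparams\b", "ps-sysparams", 3),    # lock/unlock, system parameters
    (r"/showpage\s*\{", "ps-showpage-redefine", 3), # overlay/cross/capture hook
]

def scan_job(data):
    """Return [(line_no, label, severity, matched_text)] for a job (str or bytes)."""
    if isinstance(data, bytes):
        data = data.decode("latin-1")      # raw jobs are not valid UTF-8
    findings = []
    for no, line in enumerate(data.splitlines(), 1):
        for pattern, label, sev in SIGNATURES:
            m = re.search(pattern, line)
            if m:
                findings.append((no, label, sev, m.group(0)))
    return findings

def verdict(findings):
    """Highest severity seen and the distinct labels, for alerting."""
    labels = sorted({f[1] for f in findings})
    top = max((f[2] for f in findings), default=0)
    return top, labels

if __name__ == "__main__":
    found = scan_job(SAMPLE_JOB)
    for no, label, sev, text in found:
        print("line %2d sev %d %-22s %s" % (no, sev, label, text))
    print("verdict:", verdict(found))
```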

WikiLeaks Dumps CIA Patient Zero Windows Implant

Pandemic is a Windows implant built by the CIA that turns file servers into Patient Zero on a local network, infecting machines requesting files with Trojanized replacements.

Link: https://threatpost.com/wikileaks-dumps-cia-patient-zero-windows-implant/126036/

CSAPP – Buffer Overflow Attacks / Bufbomb Lab.

CSAPP/Bufbomb assignment will help you develop a detailed understanding of IA-32 calling conventions and stack organization. It involves applying a series of buffer overflow attacks…

Link: http://seclist.us/csapp-buffer-overflow-attacks-bufbomb-lab.html

explo – Human And Machine Readable Web Vulnerability Testing Format

explo is a simple tool to describe web security issues in a human and machine readable format. By defining a request/condition workflow, explo is able to exploit security issues without the need of writing a script. This allows sharing complex vulnerabilities in a simple readable and executable format.

Example for extracting a csrf token and using this in a form:

```yaml
name: get_csrf
description: extract csrf token
module: http
parameter:
    url: http://example.com/contact
    method: GET
    header:
        user-agent: Mozilla/5.0
    extract:
        csrf: [CSS, "#csrf"]
---
name: exploit
description: exploits sql injection vulnerability with valid csrf token
module: http
parameter:
    url: http://example.com/contact
    method: POST
    body:
        csrf: ""
        username: "' SQL INJECTION"
    find: You have an error in your SQL syntax
```

In this example definition file the security issue is tested by executing two steps which are run from top to bottom. The last step returns a success or failure, depending on whether the string ‘You have an error in your SQL syntax’ is found.

Installation

Install via PyPI:

```
pip install explo
```

Install via source:

```
git clone https://github.com/dtag-dev-sec/explo
cd explo
python setup.py install
```

Usage

```
explo [--verbose|-v] testcase.yaml
explo [--verbose|-v] examples/*.yaml
```

There are a few example testcases in the examples/ folder.

```
$ explo examples/SQLI_simple_testphp.vulnweb.com.yaml
```

You can also include explo as a python lib:

```python
from explo.core import from_content as explo_from_content
from explo.core import ExploException, ProxyException

def save_log(msg):
    print(msg)

# explo_yaml_file holds the content of a testcase YAML file as a string
try:
    result = explo_from_content(explo_yaml_file, save_log)
except ExploException as err:
    print(err)
```

Modules

Modules can be added to improve functionality and classes of security issues.

http (basic)

The http module allows making an http request, extracting content and searching/verifying content.

The following data is made available for following steps:

- the http response body: stepname.response.content
- the http response cookies: stepname.response.cookies
- extracted content: response.extracted.variable_name

If a find_regex parameter is set, a regular expression match is executed on the response body. If this fails, this module returns a failure and thus stops the execution of the current workflow (and all steps).

When extracting by regular expressions, use the match group extract to mark the value to extract (view below for an example).

For referencing cookies, reference the name of the previous step where cookies should be taken from (cookies: the_other_step.response.cookies).

Parameter examples:

```yaml
parameter:
    url: http://example.com
    method: GET
    allow_redirects: True
    headers:
        User-Agent: explo
        Content-Type: abc
    cookies: stepname.response.cookies
    body:
        key: value
    find: search for string
    find_regex: search for (reg|ular)expression
    find_in_headers: searchstring in headers
    extract:
        variable1: [CSS, '#csrf']
        variable2: [REGEX, '.*?)"']
```

http_header

The http header module allows checking if a response misses a specified set of headers (and values). All other parameters are identical to the http module.

The following data is made available for other modules:

- the http response body: stepname.response.content
- the http response cookies: stepname.response.cookies

Parameter examples:

```yaml
parameter:
    url: http://example.com
    method: GET
    allow_redirects: True
    headers:
        User-Agent: explo
        Content-Type: abc
    body:
        key: value
    headers_required:
        X-XSS-Protection: 1
        Server: .  # all values are valid
```

sqli_blind

The sqli_blind module is able to identify time based blind sql injections.

The following data is made available for other modules:

- the http response body: stepname.response.content
- the http response cookies: stepname.response.cookies

Parameter examples:

```yaml
parameter:
    url: http://example.com/vulnerable.php?id=1' waitfor delay '00:00:5'--
    method: GET
    delay_seconds: 5
```

If the threshold of 5 seconds (delay_seconds) is exceeded, the check returns true (and thus results in a success).

Download explo

Link: http://feedproxy.google.com/~r/PentestTools/~3/9zhNekCWw1c/explo-human-and-machine-readable-web.html
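A minimal offline re-implementation, added here and not explo's own code, of the request/condition workflow semantics described above: the two steps of the csrf example as parsed YAML dicts, the http module's extract and find/find_regex/find_in_headers checks, and the rule that the first failing step stops the workflow. It assumes a REGEX extract with the `extract` match group in place of the CSS selector, a bare dotted `stepname.response.…` string as the reference syntax for feeding data into a later step, and a constructed fake transport instead of the network.

```python
import re

# Constructed stand-in for the network so the workflow runs offline: a GET
# returns a form with a csrf token; a POST carrying that token and a quote
# in the username returns the MySQL error string the testcase looks for.
def fake_transport(method, url, headers, body, cookies):
    if method == "GET":
        return ('<form><input id="csrf" name="csrf" value="t0k3n"></form>',
                {"Server": "nginx"}, {"session": "abc"})
    if body.get("csrf") == "t0k3n" and "'" in body.get("username", ""):
        return ("You have an error in your SQL syntax", {"Server": "nginx"}, {})
    return ("login failed", {"Server": "nginx"}, {})

def resolve(value, data):
    """Assumed reference syntax: a bare 'step.response.x' string is replaced."""
    return data.get(value, value) if isinstance(value, str) else value

def run_http_step(step, data, transport):
    """One 'http' step: send, store response data, extract, then check find_*."""
    p, name = step["parameter"], step["name"]
    body = {k: resolve(v, data) for k, v in p.get("body", {}).items()}
    content, resp_headers, resp_cookies = transport(
        p.get("method", "GET"), p["url"], p.get("headers", {}), body,
        resolve(p.get("cookies", {}), data))
    data[name + ".response.content"] = content
    data[name + ".response.cookies"] = resp_cookies
    for var, (kind, spec) in p.get("extract", {}).items():
        if kind == "REGEX":                     # group 'extract' marks the value
            m = re.search(spec, content)
            data["%s.response.extracted.%s" % (name, var)] = m.group("extract") if m else None
        # CSS selectors are not implemented in this example
    if "find" in p and p["find"] not in content:
        return False
    if "find_regex" in p and not re.search(p["find_regex"], content):
        return False
    if "find_in_headers" in p and not any(
            p["find_in_headers"] in k + ": " + v for k, v in resp_headers.items()):
        return False
    return True

def run_workflow(steps, transport=fake_transport):
    """Run steps top to bottom; the first failing step stops the workflow."""
    data = {}
    for step in steps:
        if not run_http_step(step, data, transport):
            return False, data
    return True, data

# The page's two-step testcase as parsed YAML, with a REGEX extract and the
# assumed dotted reference feeding the token into the second step.
STEPS = [
    {"name": "get_csrf", "module": "http", "parameter": {
        "url": "http://example.com/contact", "method": "GET",
        "extract": {"csrf": ["REGEX", r'id="csrf" name="csrf" value="(?P<extract>[^"]*)"']}}},
    {"name": "exploit", "module": "http", "parameter": {
        "url": "http://example.com/contact", "method": "POST",
        "cookies": "get_csrf.response.cookies",
        "body": {"csrf": "get_csrf.response.extracted.csrf",
                 "username": "' SQL INJECTION"},
        "find": "You have an error in your SQL syntax"}},
]

if __name__ == "__main__":
    ok, data = run_workflow(STEPS)
    print("success" if ok else "failure", data.get("get_csrf.response.extracted.csrf"))
```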

massExpConsole – Collection of Tools and Exploits with a CLI UI

Collection of Tools and Exploits with a CLI UI

What does it do?

- an easy-to-use user interface (cli)
- execute any adapted exploit with process-level concurrency
- crawler for baidu and zoomeye
- a simple webshell manager
- some built-in exploits (automated)
- more to come…

Requirements

- GNU/Linux or MacOS, WSL (Windows Subsystem Linux), fully tested under Kali Linux (Rolling, 2017), Ubuntu Linux (16.04 LTS) and Fedora 25 (it will work on other distros too as long as you have dealt with all deps)
- proxychains4 (in $PATH), used by exploiter, requires a working socks5 proxy (you can modify its config in mec.py)
- Java is required when using Java deserialization exploits, you might want to install openjdk-8-jre if you haven’t installed it yet
- python packages (not complete, as some third-party scripts might need other deps as well): requests, bs4, beautifulsoup4, html5lib, docopt
- pip3 install on the go
- note that you have to install all the deps of your exploits or tools as well

Usage

- just run mec.py, if it complains about missing modules, install them
- if you want to add your own exploit script (or binary file, whatever): cd exploits, mkdir a directory for it; your exploit should take the last argument passed to it as its target, dig into mec.py to know more
- chmod 755 <exploitBin> to make sure it can be executed by current user
- use attack command then m to select your custom exploit
- type help in the console to see all available features

Download massExpConsole

Link: http://feedproxy.google.com/~r/PentestTools/~3/n_22lP9qR0U/massexpconsole-collection-of-tools-and.html

QuickSand.io – Tool For Scanning Streams Within Office Documents Plus Xor DB Attack

QuickSand is a compact C framework to analyze suspected malware documents to 1) identify exploits in streams of different encodings, 2) locate and extract embedded executables. By having the ability to locate embedded obfuscated executables, QuickSand could detect documents that contain zero-day or unknown obfuscated exploits.

File Formats For Exploit and Active Content Detection

- doc, docx, docm, rtf, etc
- ppt, pptx, pps, ppsx, etc
- xls, xlsx, etc
- mime mso
- eml email

File Formats For Executable Detection

- All of the above, plus PDF.
- Any document format such as HWP.

Lite Version - MPLv2 License

- Key dictionary up to 256 byte XOR
- Bitwise ROL, ROR, NOT
- Addition or subtraction math cipher
- Executable extraction: Windows, Mac, Linux, VBA
- Exploit search
- RTF pre processing
- Hex stream extract
- Base 64 Stream extract
- Embedded Zip extract
- ExOleObjStgCompressedAtom extract
- zLib Decode
- Mime Mso xml Decoding
- OpenXML decode (unzip)
- Yara signatures included: Executables, active content, exploits CVE 2014 and earlier
- Example results and more info blog post

Full Version - Commercial License

- Key cryptanalysis 1-1024 bytes factors of 2; or a specified odd size 1-1024 bytes
- 1 Byte zerospace not replaced brute force XOR search
- XOR Look Ahead cipher
- More Yara signatures included: All lite plus most recent exploits 2014-2016 for CVE identification
- Try the full version online at QuickSand.io

Dependencies (not included)

- Yara 3.4+
- zlib 1.2.1+
- libzip 1.1.1+

Distributed components under their own licensing

- MD5 by RSA Data Security, Inc.
- SHA1 by Paul E. Jones
- SHA2 by Aaron D. Gifford
- jWrite by TonyWilk for json output
- tinydir by Cong Xu, Baudouin Feildel for directory processing

Quick Start

```
./build.sh
./quicksand.out -h
./quicksand.out malware.doc
```

Documentation

QuickSand.io

Download QuickSand

Link: http://feedproxy.google.com/~r/PentestTools/~3/iIjwIrdBxC0/quicksandio-tool-for-scanning-streams.html
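An added example, not QuickSand's own code, of the obfuscated-executable search the lite version describes: every single-byte XOR key, bitwise NOT and every ROL/ROR shift is undone over a constructed document blob, and the result is searched for an MZ header followed by the DOS stub message. The multi-byte key dictionary and the full version's longer-key cryptanalysis are not reproduced; the sample document and its fake PE stub are constructed here, not real malware.

```python
import re

def rol8(b, n): return ((b << n) | (b >> (8 - n))) & 0xff
def ror8(b, n): return ((b >> n) | (b << (8 - n))) & 0xff

def table(op, key):
    """256-byte translation table that UNDOES one obfuscation step."""
    if op == "xor":   f = lambda b: b ^ key
    elif op == "not": f = lambda b: b ^ 0xff
    elif op == "rol": f = lambda b: ror8(b, key)    # undo rol by ror
    elif op == "ror": f = lambda b: rol8(b, key)    # undo ror by rol
    else: raise ValueError(op)
    return bytes(f(b) for b in range(256))

# Search space of the lite-version style checks: 1-byte XOR (0 = plain,
# 0xff is the same as NOT), NOT, and 1..7 bit rotations in either direction.
CANDIDATES = ([("xor", k) for k in range(255)] + [("not", 0)] +
              [(op, n) for op in ("rol", "ror") for n in range(1, 8)])

# MZ header with the standard DOS stub text within the first 256 bytes.
PE_MARK = re.compile(rb"MZ.{0,256}?This program cannot be run", re.S)

def find_executables(data):
    """Return [(op, key, offset)] for every candidate decoding that reveals a PE."""
    hits = []
    for op, key in CANDIDATES:
        plain = data.translate(table(op, key))
        for m in PE_MARK.finditer(plain):
            hits.append((op, key, m.start()))
    return hits

def carve(data, op, key, offset):
    """Decode with the found (op, key) and return the bytes from the MZ header on."""
    return data.translate(table(op, key))[offset:]

def obfuscate(data, op, key):
    """Apply an obfuscation (used only to build the constructed sample)."""
    inv = {"xor": ("xor", key), "not": ("not", 0),
           "rol": ("ror", key), "ror": ("rol", key)}[op]
    return data.translate(table(*inv))

# Constructed sample: an RTF-looking prefix, then a fake PE stub XORed with 0x5A.
STUB = (b"MZ\x90\x00" + b"\x00" * 60 +
        b"This program cannot be run in DOS mode.\r\n$" + b"\x00" * 8)
PREFIX = b"{\\rtf1 constructed sample " + b"\x00" * 16
DOC = PREFIX + obfuscate(STUB, "xor", 0x5A) + b" }"

if __name__ == "__main__":
    for op, key, off in find_executables(DOC):
        print("%s key=%#x at offset %d -> %r" % (op, key, off, carve(DOC, op, key, off)[:8]))
```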