HP Jetdirect Path Traversal Arbitrary Code Execution CVE-2017-2741 #9364
Excellent job @mkienow-r7
}, | ||
'Author' => [ | ||
'Jacob Baines', # Python PoC | ||
'Matthew Kienow <matthew_kienow[AT]rapid7.com>', # Metasploit module |
Ah, next time remember to add your e-mail to https://github.com/rapid7/metasploit-framework/blob/master/.mailmap, that way you won't need to manually put your e-mail here all the time :-)
Awesome!
def exploit | ||
begin | ||
print_status("Exploiting...") | ||
if target.name =~ /Unix/ |
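Review bot: the `target.name =~ /Unix/` test on the last line is always true while the module ships a single Unix target, so the `else` branch below it is unreachable; either drop the branch until the second target exists, or dispatch on the selected target itself rather than a regex over its name. Separately, the `begin` directly under `def exploit` is redundant in Ruby, since `rescue`/`ensure` clauses can sit directly in the method body; removing `begin` and its matching `end` loses nothing.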
Hmm, excuse me if I'm missing something obvious.... as far as I can tell this condition is always true, right? Because you only have one target that is Unix. Is the module actually using the else block?
Yes, that is currently true. I was hoping we would eventually be able to get an ELF stager to run, which would use a different target name and drop into the else calling the execute_cmdstager method.
Gotcha! :-)
|
||
Impacted printers have a firmware version below 1708D. | ||
|
||
| Product Name | Model | |
Have you tried to view this with info -d? I don't think this format works well :-(
I didn't. Thanks for pointing that out as I had quickly created Markdown that I tested with GitHub.
I forgot to note that all corrections per my conversation with @wvu-r7 are complete.
allow(tmp_sock).to receive(:put).with(an_instance_of(String)) | ||
allow(tmp_sock).to receive(:get).with(Rex::Proto::PJL::DEFAULT_TIMEOUT).and_return(response) | ||
tmp_cli = Rex::Proto::PJL::Client.new(tmp_sock) | ||
expect(tmp_cli.fsdownload("Miscellaneous Data", "1:root/.workspace/.garbage.", is_file: false)).to eq(true) |
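Review bot: the `put` stub on the first line accepts `an_instance_of(String)`, so this spec passes no matter what the client writes to the socket; it never checks that an `@PJL FSDOWNLOAD` header with the given NAME and SIZE was actually emitted, and the final `eq(true)` only reflects the canned `get` response. Tighten it with an expectation on the request, e.g. `expect(tmp_sock).to receive(:put).with(/@PJL FSDOWNLOAD .*NAME="1:root\/\.workspace\/\.garbage\."/)`, so a regression in the header format or path handling fails the test.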
Update module info, remove intermediate ARCH_ARMLE target, simplify options and add cleanup command so that the payload kills telnetd
70718b8 to ecc6c47
Release Notes
This adds an exploit for CVE-2017-2741 against HP printers using the PJL (JetDirect) and SNMP protocols.
Adds exploit module for HP Jetdirect path traversal arbitrary code execution (CVE-2017-2741) and BusyBox telnetd bind TCP Unix command shell payload. The payload uses the recently introduced CommandShellCleanupCommand advanced option from #9353.
Verification
msfconsole
use exploit/linux/misc/hp_jetdirect_path_traversal
set rhost <hostname>
exploit
documentation/modules/exploit/linux/misc/hp_jetdirect_path_traversal.md
documentation/modules/payload/cmd/unix/bind_busybox_telnetd.md
Demonstration
The following demonstrates the exploit against a vulnerable HP OfficeJet Pro 8210 printer.
Port Scan Before Aborting Session
Port Scan After Aborting Session
🔺 Only one HP OfficeJet Pro 8210 printer was bricked in the development of this exploit module.
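The bug class behind this module is an `@PJL FSDOWNLOAD` whose NAME is resolved without being confined to its volume. The following is an added example, not code from the Metasploit module, from HP, or from the Python PoC: it frames an FSDOWNLOAD request the way a PJL client does (header syntax per the HP PJL Technical Reference), parses it back the way a receiver would, and contrasts a naive path resolution with one that refuses to leave the volume. `VOLUME_ROOTS`, the host paths and the payload bytes are constructed stand-ins and say nothing about the real printer filesystem or about which file the exploit writes.

```ruby
# Added example, not the module's or HP's code. VOLUME_ROOTS and the host
# layout are constructed assumptions used only to show the traversal check.

UEL = "\e%-12345X".freeze # Universal Exit Language, brackets every PJL job

# Client side: wire bytes for a binary FSDOWNLOAD (header line, then SIZE bytes).
def pjl_fsdownload(pjl_path, data)
  header = "@PJL FSDOWNLOAD FORMAT:BINARY NAME=\"#{pjl_path}\" SIZE=#{data.bytesize}\r\n"
  (UEL + header).b + data.b + UEL.b
end

FSDOWNLOAD_RE = /@PJL FSDOWNLOAD FORMAT:BINARY NAME="([^"]*)" SIZE=(\d+)\r\n/

# Receiver side: recover NAME, SIZE and exactly SIZE payload bytes, or nil.
def parse_fsdownload(bytes)
  bytes = bytes.b
  m = FSDOWNLOAD_RE.match(bytes) or return nil
  size = m[2].to_i
  { path: m[1], size: size, data: bytes.byteslice(m.end(0), size) }
end

# PJL names are "<volume>:<path inside that volume>". Constructed roots.
VOLUME_ROOTS = { '0' => '/vol0', '1' => '/vol1' }.freeze

def split_volume(pjl_path)
  vol, rel = pjl_path.split(':', 2)
  root = VOLUME_ROOTS.fetch(vol) { raise ArgumentError, "unknown volume #{vol.inspect}" }
  [root, rel.to_s]
end

# Naive: join root and NAME and let '..' resolve wherever it leads.
# Returns the host path the write would actually land on.
def resolve_naive(pjl_path)
  root, rel = split_volume(pjl_path)
  File.expand_path(File.join(root, rel))
end

# Checked: same resolution, then require the result to stay under the root
# (prefix test on the normalised path, so 'a/../b' passes and '../x' does not).
def resolve_checked(pjl_path)
  root, rel = split_volume(pjl_path)
  full = File.expand_path(File.join(root, rel))
  unless full == root || full.start_with?(root + '/')
    raise ArgumentError, "#{pjl_path.inspect} resolves outside #{root}"
  end
  full
end

# True when NAME would escape its volume under the checked resolver.
def traversal?(pjl_path)
  resolve_checked(pjl_path)
  false
rescue ArgumentError
  true
end

if __FILE__ == $PROGRAM_NAME
  req = pjl_fsdownload('1:root/.workspace/.garbage.', "constructed payload\n")
  puts "parsed NAME: #{parse_fsdownload(req)[:path]}"
  %w[1:root/.workspace/.garbage. 1:a/../b 1:../../tmp/escaped 2:x].each do |name|
    landing = (resolve_naive(name) rescue 'n/a')
    puts format('%-32s naive=%-28s traversal=%s', name, landing, traversal?(name))
  end
end
```

The naive resolver is the shape of the defect: nothing between the parsed NAME and the filesystem write rejects `..`, so the path from the spec above stays inside `/vol1` only because the caller chose a benign name. The checked resolver normalises first and compares prefixes afterwards, which is the order that matters; rejecting the literal substring `..` before normalisation misses encodings and misses `a/../../x`.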