各类POC集合大全

## PRET - Printer Exploitation Toolkit **Is your printer secure? Check before someone else does...** PRET is a new tool for printer security testing developed in the scope of a [Master's Thesis](http://nds.rub.de/media/ei/arbeiten/2017/01/13/exploiting-printers.pdf) at Ruhr University Bochum. It connects to a device via network or USB and exploits the features of a given printer language. Currently [PostScript](https://www.adobe.com/products/postscript/pdfs/PLRM.pdf), [PJL](http://h10032.www1.hp.com/ctg/Manual/bpl13208.pdf) and [PCL](http://www.hp.com/ctg/Manual/bpl13210.pdf) are supported which are spoken by most laser printers. This allows cool stuff like capturing or manipulating print jobs, accessing the printer's file system and memory or even causing physical damage to the device. All attacks are documented in detail in the [Hacking Printers Wiki](http://hacking-printers.net/wiki/). The main idea of PRET is to facilitate the communication between the end-user and the printer. Thus, after entering a UNIX-like command, PRET translates it to PostScript, PJL or PCL, sends it to the printer, evaluates the result and translates it back to a user-friendly format. PRET offers a whole bunch of commands useful for printer attacks and fuzzing.  ### Installation PRET only requires a Python2 interpreter. For colored output and SNMP support however, third party modules need to be installed: # pip install colorama pysnmp If running on a Windows console and Unicode characters are not displayed correctly, install the *win_unicode_console* module: # pip install win_unicode_console For experimental, ‘driverless’ printing (see print command), ImageMagick and GhostScript need to be installed: # apt-get install imagemagick ghostscript ### Usage ``` usage: pret.py [-h] [-s] [-q] [-d] [-i file] [-o file] target {ps,pjl,pcl} positional arguments: target printer device or hostname {ps,pjl,pcl} printing language to abuse optional arguments: -h, --help show this help message and exit -s, --safe verify if language is supported -q, --quiet suppress warnings and chit-chat -d, --debug enter debug mode (show traffic) -i file, --load file load and run commands from file -o file, --log file log raw data sent to the target ``` ###### Example usage: $ ./pret.py laserjet.lan ps $ ./pret.py /dev/usb/lp0 pjl ###### Positional Arguments: PRET requires a valid target and a printer language as arguments. The target can either be the IP address/hostname of a network printer (with port 9100/tcp open) or a device like `/dev/usb/lp0` for a local USB printer. To quickly discover all network printers in your subnet using SNMP broadcast, simply run PRET without arguments: ``` ./pret.py No target given, discovering local printers address device uptime status ─────────────────────────────────────────────────────────────────────────────── 192.168.1.5 hp LaserJet 4250 10:21:49 Ready 192.168.1.11 HP LaserJet M3027 MFP 13 days Paper jam 192.168.1.27 Lexmark X792 153 days Ready 192.168.1.28 Brother MFC-7860DW 16:31:17 Sleep mode ``` The printer language to be abused must be one of `ps`, `pjl` or `pcl`. Not all languages are supported by every printer, so you may wan't to switch languages if you don't receive any feedback. Each printer language is mapped to a different set of PRET commands and has different capabilities to exploit. ###### Optional Arguments: `--safe` tries to check via IPP, HTTP and SNMP if the selected printing language (PS/PJL/PCL) is actually supported by the device before connecting. On non-networked printers (USB, parallel cable) this test will fail. `--quit` suppresses printer model determination, intro message and some other chit-chat. `--debug` shows the datastream actually sent to the device and the feedback received. Note that header data and other overhead is filtered. The see the whole traffic, use wireshark. Debugging can also be switched on/off within a PRET session using the `debug` command `--load filename` reads and executes PRET commands from a text file. This is usefull for automation. Command files can also be invoked later within a PRET session via the `load` command. `--log filename` writes a copy of the raw datastream sent to the printer into a file. This can be useful to build a malicious print job file which can be deployed on another printer not directly reachable, for example by printing it from USB drive. ### Generic Commands After connecting to a printer device, you will see the PRET shell and can execute various commands: ``` $ ./pret.py laserjet.lan pjl ________________ _/_______________/| /___________/___//|| PRET | Printer Exploitation Toolkit v0.25 |=== |----| || by Jens Mueller <jens.a.mueller@rub.de> | | ô| || |___________| ô| || | ||/.´---.|| | || 「 cause your device can be |-||/_____\||-. | |´ more fun than paper jams 」 |_||=L==H==||_|__|/ (ASCII art by Jan Foerster) Connection to laserjet.lan established Device: hp LaserJet 4250 Welcome to the pret shell. Type help or ? to list commands. laserjet.lan:/> help Available commands (type help <topic>): ======================================= append debug edit free id ls open restart timeout cat delete env fuzz info mirror printenv selftest touch cd df exit get load mkdir put set traversal chvol disable find help lock nvram pwd site unlock close display format hold loop offline reset status version laserjet.lan:/> ls ../../ - 834 .profile d - bin d - dev d - etc d - hp d - hpmnt - 1276 init d - lib d - pipe d - tmp laserjet.lan:/> exit ``` A list of generic PRET commands is given below: ``` help List available commands or get detailed help with 'help cmd'. debug Enter debug mode. Use 'hex' for hexdump: debug [hex] load Run commands from file: load cmd.txt loop Run command for multiple arguments: loop <cmd> <arg1> <arg2> … open Connect to remote device: open <target> close Disconnect from device. timeout Set connection timeout: timeout <seconds> discover Discover local printer devices via SNMP. print Print image file or raw text: print <file>|"text" site Execute custom command on printer: site <command> exit Exit the interpreter. ``` Generic file system operations with a PS/PJL/PCL specific implementation are: ``` ┌───────────┬─────┬─────┬─────┬────────────────────────────────────────┐ │ Command │ PS │ PJL │ PCL │ Description │ ├───────────┼─────┼─────┼─────┼────────────────────────────────────────┤ │ ls │ ✓ │ ✓ │ ✓ │ List contents of remote directory. │ │ get │ ✓ │ ✓ │ ✓ │ Receive file: get <file> │ │ put │ ✓ │ ✓ │ ✓ │ Send file: put <local file> │ │ append │ ✓ │ ✓ │ │ Append to file: append <file> <str> │ │ delete │ ✓ │ ✓ │ ✓ │ Delete remote file: