9100/tcp - PJL (Printer Job Language)

Tip

Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Jifunze na fanya mazoezi ya Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

• Angalia mpango wa usajili!
• Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au tufuatilie kwenye Twitter 🐦 @hacktricks_live.
• Shiriki mbinu za hacking kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.

Taarifa za Msingi

From here: Uchapishaji wa raw ndio tunavyoelezea kama mchakato wa kuanzisha muunganisho kwenye bandari 9100/tcp ya kiprinta cha mtandao. Ni mbinu ya chaguo-msingi inayotumika na CUPS na usanifu wa uchapishaji wa Windows kuwasiliana na vichapishi vya mtandao kwa sababu inachukuliwa kuwa ‘protokoli ya mtandao rahisi zaidi, ya haraka zaidi, na kwa ujumla yenye kuaminika zaidi inayotumika kwa vichapishi’. Uchapishaji wa bandari raw 9100, unaojulikana pia kama JetDirect, AppSocket au PDL-datastream kwa kweli si protokoli ya uchapishaji yenyewe. Badala yake data zote zinazotumwa zinachakatwa moja kwa moja na kifaa cha kuchapisha, kama muunganisho wa sambamba juu ya TCP. Ikilinganishwa na LPD, IPP na SMB, hii inaweza kutuma mrejesho wa moja kwa moja kwa mteja, ikiwa ni pamoja na ujumbe wa hali na makosa. Kituo cha mawasiliano cha pembe mbili kama hicho kinatupa ufikiaji wa moja kwa moja kwa matokeo ya amri za PJL, PostScript au PCL. Hivyo uchapishaji kwa bandari raw 9100 — ambao unasaidiwa na karibu kiprinta chochote cha mtandao — hutumika kama njia ya uchambuzi wa usalama kwa kutumia PRET na PFT.

If you want to learn more about hacking printers read this page.

Bandari ya chaguo-msingi: 9100

9100/tcp open  jetdirect

Uorodheshaji

Kwa Mkono

nc -vn <IP> 9100
@PJL INFO STATUS      #CODE=40000   DISPLAY="Sleep"   ONLINE=TRUE
@PJL INFO ID          # ID (Brand an version): Brother HL-L2360D series:84U-F75:Ver.b.26
@PJL INFO PRODINFO    #Product info
@PJL FSDIRLIST NAME="0:\" ENTRY=1 COUNT=65535  #List dir
@PJL INFO VARIABLES   #Env variales
@PJL INFO FILESYS     #?
@PJL INFO TIMEOUT     #Timeout variables
@PJL RDYMSG           #Ready message
@PJL FSINIT
@PJL FSDIRLIST
@PJL FSUPLOAD         #Useful to upload a file
@PJL FSDOWNLOAD       #Useful to download a file
@PJL FSDELETE         #Useful to delete a file

Kiotomatiki

nmap -sV --script pjl-ready-message -p <PORT> <IP>

msf> use auxiliary/scanner/printer/printer_env_vars
msf> use auxiliary/scanner/printer/printer_list_dir
msf> use auxiliary/scanner/printer/printer_list_volumes
msf> use auxiliary/scanner/printer/printer_ready_message
msf> use auxiliary/scanner/printer/printer_version_info
msf> use auxiliary/scanner/printer/printer_download_file
msf> use auxiliary/scanner/printer/printer_upload_file
msf> use auxiliary/scanner/printer/printer_delete_file

Chombo cha Hacking cha Vichapishaji

Huu ndio chombo unachotaka kutumia kutumia vibaya vichapishaji: PRET

XPS/TrueType VM exploitation (Canon ImageCLASS)

• Tuma XPS kwa kutumia PJL:

• @PJL ENTER LANGUAGE = XPS

• Kisha tuma bytes za XPS ZIP kwenye muunganisho huo wa TCP.

• Ukurasa wa XPS mdogo unaorejelea fonti ya mshambuliaji:

<Glyphs Fill="#ff000000" FontUri="/Resources/evil.ttf" FontRenderingEmSize="12" OriginX="10" OriginY="10"/>

• Muhtasari wa primitive ya RCE (TrueType hinting VM):

• Hinting bytecode katika TTF hutekelezwa na TrueType VM. Canon’s VM ilikosa stack bounds checks.

• CINDEX: OOB stack read → info leak

• DELTAP1: unchecked relative stack pivot → controlled writes with subsequent pushes

• Changanya WS/RS (VM storage write/read) ili kuweka thamani na kufanya uandishi sahihi wa 32-bit baada ya pivot.

• Exploit outline:

1. Unda XPS yenye ukurasa ulio hapo juu na ujumuishe /Resources/evil.ttf.
2. Katika fpgm/prep, tumia CINDEX kufanya leak na kuhesabu stack_cur.
3. Panga thamani lengwa kwa WS; fanya pivot kwa DELTAP1 hadi destination; tumia RS kuiandika (kwa mfano, kwa function pointer) ili kupata udhibiti wa PC.

• Tuma kupitia 9100/tcp:

{ printf "@PJL ENTER LANGUAGE = XPS\r\n"; cat exploit.xps; } | nc -q0 <PRINTER_IP> 9100

• exploit.xps ni XPS ZIP halali inayojumuisha Documents/1/Pages/1.fpage na /Resources/evil.ttf.

Shodan

• pjl port:9100

Marejeo

• Hacking printers using fonts (Canon ImageCLASS TrueType VM bugs)
• Apple TrueType Reference Manual – Instruction Set and VM (26.6 fixed point)

Tip

Jifunze na fanya mazoezi ya AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Jifunze na fanya mazoezi ya GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Jifunze na fanya mazoezi ya Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

• Angalia mpango wa usajili!
• Jiunge na 💬 kikundi cha Discord au kikundi cha telegram au tufuatilie kwenye Twitter 🐦 @hacktricks_live.
• Shiriki mbinu za hacking kwa kuwasilisha PRs kwa HackTricks na HackTricks Cloud repos za github.