  • Based on PRET

    https://github.com/RUB-NDS/PRET

    • Dependencies
    PRET only requires a Python2 interpreter. For colored output and SNMP support however, third party modules need to be installed:
    
    # pip install colorama pysnmp
    
    If running on a Windows console and Unicode characters are not displayed correctly, install the win_unicode_console module:
    
    # pip install win_unicode_console
    
    For experimental, ‘driverless’ printing (see print command), ImageMagick and GhostScript need to be installed:
    
    # apt-get install imagemagick ghostscript
    
    
    • Download PRET
    git clone https://github.com/RUB-NDS/PRET.git
    
    • Using PRET
    usage: pret.py [-h] [-s] [-q] [-d] [-i file] [-o file] target {ps,pjl,pcl}
    
    positional arguments:
      target                printer device or hostname
      {ps,pjl,pcl}          printing language to abuse
    
    optional arguments:
      -h, --help            show this help message and exit
      -s, --safe            verify if language is supported
      -q, --quiet           suppress warnings and chit-chat
      -d, --debug           enter debug mode (show traffic)
      -i file, --load file  load and run commands from file
      -o file, --log file   log raw data sent to the target
    
    • Targets
    The target can either be the IP address/hostname of a network printer (with port 9100/tcp open) or a device like /dev/usb/lp0 for a local USB printer.
    
    # HP LaserJet 4250
    # HP LaserJet M3027 MFP
    # Lexmark X792
    # Brother MFC-7860DW
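
Because the only network prerequisite named above is an open 9100/tcp port, a useful defensive check is to review which hosts reach printers on that port without going through a print server. The following is an added example, not part of the original post or of PRET; the log format, addresses, allow-list and threshold are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample log: "<time> <src> <dst> <dport>/<proto> <action>"
SAMPLE_LOG = """\
2024-05-01T09:00:01Z 10.0.5.10 10.0.9.21 9100/tcp ACCEPT
2024-05-01T09:00:07Z 10.0.7.44 10.0.9.21 9100/tcp ACCEPT
2024-05-01T09:00:08Z 10.0.7.44 10.0.9.22 9100/tcp ACCEPT
2024-05-01T09:00:09Z 10.0.7.44 10.0.9.23 9100/tcp DROP
2024-05-01T09:01:30Z 203.0.113.8 10.0.9.21 9100/tcp ACCEPT
2024-05-01T09:02:00Z 10.0.7.44 10.0.9.30 443/tcp ACCEPT
garbage line
"""

PRINT_SERVERS = {ipaddress.ip_address("10.0.5.10")}  # assumed allow-list
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")    # assumed internal range
SWEEP_THRESHOLD = 3  # distinct printers tried by one non-print-server source

def audit_raw_print_access(log_text, servers=PRINT_SERVERS, internal=INTERNAL_NET):
    """Return (source, finding, printer_count) for 9100/tcp traffic that
    does not originate from an approved print server."""
    targets = defaultdict(set)   # src -> printers it tried to reach
    accepted = defaultdict(set)  # src -> printers it actually reached
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[3] != "9100/tcp":
            continue  # not a raw-printing flow, or malformed line
        try:
            src = ipaddress.ip_address(parts[1])
            dst = ipaddress.ip_address(parts[2])
        except ValueError:
            continue  # skip malformed addresses
        if src in servers:
            continue  # expected print path
        targets[src].add(dst)
        if parts[4] == "ACCEPT":
            accepted[src].add(dst)
    findings = []
    for src in sorted(targets, key=str):
        if src not in internal and accepted[src]:
            findings.append((str(src), "external-reached-printer", len(accepted[src])))
        elif len(targets[src]) >= SWEEP_THRESHOLD:
            findings.append((str(src), "printer-sweep", len(targets[src])))
        elif accepted[src]:
            findings.append((str(src), "direct-print-bypass", len(accepted[src])))
    return findings

if __name__ == "__main__":
    for finding in audit_raw_print_access(SAMPLE_LOG):
        print(finding)
```

Any finding indicates a printer whose 9100/tcp port is reachable from more than the print server; restricting that port to the print server at the firewall or printer ACL closes the path.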
    
    • Example
    Shodan search queries:
    # product:"xxx" port:9100
    
    # product:"hp LaserJet 4200" port:9100
    
    root@kali2018:/IoT-Tools/PRET# ./pret.py 192.168.74.100 ps
          ________________                                             
        _/_______________/|                                            
       /___________/___//||   PRET | Printer Exploitation Toolkit v0.40
      |===        |----| ||    by Jens Mueller <jens.a.mueller@rub.de> 
      |           |   ô| ||                                            
      |___________|   ô| ||                                            
      | ||/.´---.||    | ||      「 pentesting tool that made          
      |-||/_____||-.  | |´         dumpster diving obsolete‥ 」       
      |_||=L==H==||_|__|/                                              
                                                                       
         (ASCII art by                                                 
         Jan Foerster)                                                 
                                                                       
    Connection to 192.168.74.100 established
    Command execution failed (timed out)
    
    Forcing reconnect. Connection closed.
    Connection to 192.168.74.100 established
    
    No feedback (Printer busy, non-ps or silent)
    Device:   hp LaserJet 4200
    
    Welcome to the pret shell. Type help or ? to list commands.
    192.168.74.100:/> help
    
    Available commands (type help <topic>):
    =======================================
    append   date     discover  get    loop       put       set        version
    capture  debug    dump      hang   ls         pwd       shell    
    cat      delete   edit      help   mirror     rename    site     
    cd       destroy  exit      hold   mkdir      replace   timeout  
    chvol    devices  find      id     open       reset     touch    
    close    df       format    known  overlay    resource  traversal
    config   dicts    free      load   pagecount  restart   unlock   
    cross    disable  fuzz      lock   print      search    uptime  
    

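    References

    • Printer Security Research (1): The Troubling State of Network Printer Security

    https://www.freebuf.com/articles/terminal/126259.html

    • Printer Security Research (2): Printer Attack Testing Methods and Exploitation Tools

    https://www.freebuf.com/articles/terminal/126455.html

    • A Sheep in Wolf's Clothing: Finding RCE Vulnerabilities in Multiple HP Printers

    https://paper.seebug.org/549/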

  • Original article: https://www.cnblogs.com/cijian9000/p/10953460.html