9100 - Printer

💡 学习提示: 本文档介绍 9100 - PJL Printer 的渗透测试方法,适合信息安全初学者和从业人员参考。

⚠️ 法律声明: 本文档仅供学习和授权测试使用。未经授权的系统测试可能违反法律法规。

⚠️ 法律声明: 本文档仅供学习和授权测试使用。未经授权的系统测试可能违反法律法规。

9100/tcp - PJL (Printer Job Language)

基本信息

From here: Raw printing is what we define as the process of making a connection to port 9100/tcp of a network printer. It is the default method used by CUPS and the Windows printing architecture to communicate with network printers as it is considered as ‘the simplest, fastest, and generally the most reliable network protocol used for printers’. Raw port 9100 printing, also referred to as JetDirect, AppSocket or PDL-datastream actually is not a printing protocol by itself. Instead all data sent is directly processed by the printing device, just like a parallel connection over TCP. In contrast to LPD, IPP and SMB, this can send direct feedback to the client, including status and error messages. Such a bidirectional channel gives us direct access to results of PJL, PostScript or PCL commands. Therefore raw port 9100 printing – which is supported by almost any network printer – is used as the channel for security analysis with PRET and PFT.

If you want to learn more about hacking printers read this page.

默认 port: 9100

9100/tcp open  jetdirect

信息收集

Manual

nc -vn <IP> 9100
@PJL INFO STATUS      #CODE=40000   DISPLAY="Sleep"   ONLINE=TRUE
@PJL INFO ID          # ID (Brand an version): Brother HL-L2360D series:84U-F75:Ver.b.26
@PJL INFO PRODINFO    #Product info
@PJL FSDIRLIST NAME="0:\" ENTRY=1 COUNT=65535  #List dir
@PJL INFO VARIABLES   #Env variales
@PJL INFO FILESYS     #?
@PJL INFO TIMEOUT     #Timeout variables
@PJL RDYMSG           #Ready message
@PJL FSINIT
@PJL FSDIRLIST
@PJL FSUPLOAD         #Useful to upload a file
@PJL FSDOWNLOAD       #Useful to download a file
@PJL FSDELETE         #Useful to delete a file

Automatic

nmap -sV --script pjl-ready-message -p <PORT> <IP>
msf> use auxiliary/scanner/printer/printer_env_vars
msf> use auxiliary/scanner/printer/printer_list_dir
msf> use auxiliary/scanner/printer/printer_list_volumes
msf> use auxiliary/scanner/printer/printer_ready_message
msf> use auxiliary/scanner/printer/printer_version_info
msf> use auxiliary/scanner/printer/printer_download_file
msf> use auxiliary/scanner/printer/printer_upload_file
msf> use auxiliary/scanner/printer/printer_delete_file

Printers Hacking tool

This is the tool you want to use to abuse printers: PRET

XPS/TrueType VM exploitation (Canon ImageCLASS)

  • Deliver XPS over PJL:

    • @PJL ENTER LANGUAGE = XPS
    • Then send the XPS ZIP bytes on the same TCP connection.

  • Minimal XPS page referencing an attacker font:

<Glyphs Fill="#ff000000" FontUri="/Resources/evil.ttf" FontRenderingEmSize="12" OriginX="10" OriginY="10"/>

  • 远程代码执行 primitive summary (TrueType hinting VM):

    • Hinting bytecode in TTF is executed by a TrueType VM. Canon’s VM lacked stack bounds checks.
    • CINDEX: OOB stack read → info leak
    • DELTAP1: unchecked relative stack pivot → controlled writes with subsequent pushes
    • Combine WS/RS (VM storage write/read) to stage values and perform a precise 32-bit write after pivot.

  • 利用 outline:

    1. Create XPS with the page above and include /Resources/evil.ttf.
    2. In fpgm/prep, use CINDEX to leak and compute stack_cur.
    3. Stage target value with WS; pivot with DELTAP1 to the destination; use RS to write it (e.g., to a function pointer) to gain PC control.

  • Send over 9100/tcp:

{ printf "@PJL ENTER LANGUAGE = XPS\r\n"; cat exploit.xps; } | nc -q0 <PRINTER_IP> 9100
  • exploit.xps is a valid XPS ZIP containing Documents/1/Pages/1.fpage and /Resources/evil.ttf.

Shodan

  • pjl port:9100

搜索引擎语法

FOFA

# FOFA 搜索语法
port="9100"

Shodan

# Shodan 搜索语法
port:9100

ZoomEye

# ZoomEye 搜索语法
port:9100

📖 参考资料