--- title: "9100 - Printer" weight: 9100 date: "2026-03-10T10:03:28+08:00" lastmod: "2026-03-10T13:26:55+08:00" --- 💡 **学习提示**: 本文档介绍 **9100 - PJL Printer** 的渗透测试方法,适合信息安全初学者和从业人员参考。 ⚠️ **法律声明**: 本文档仅供学习和授权测试使用。未经授权的系统测试可能违反法律法规。 --- > ⚠️ **法律声明**: 本文档仅供学习和授权测试使用。未经授权的系统测试可能违反法律法规。 ## 9100/tcp - PJL (Printer Job Language) ### 基本信息 From [here](http://hacking-printers.net/wiki/index.php/Port_9100_printing): Raw printing is what we define as the process of making a connection to port 9100/tcp of a network printer. It is the default method used by CUPS and the Windows printing architecture to communicate with network printers as it is considered as ‘_the simplest, fastest, and generally the most reliable network protocol used for printers_’. Raw port 9100 printing, also referred to as JetDirect, AppSocket or PDL-datastream actually **is not a printing protocol by itself**. Instead **all data sent is directly processed by the printing device**, just like a parallel connection over TCP. In contrast to LPD, IPP and SMB, this can send direct feedback to the client, including status and error messages. Such a **bidirectional channel** gives us direct **access** to **results** of **PJL**, **PostScript** or **PCL** commands. Therefore raw port 9100 printing – which is supported by almost any network printer – is used as the channel for security analysis with PRET and PFT. If you want to learn more about [**hacking printers read this page**](http://hacking-printers.net/wiki/index.php/Main_Page). **默认 port:** 9100 ``` 9100/tcp open jetdirect ``` ### 信息收集 #### Manual ```bash nc -vn 9100 @PJL INFO STATUS #CODE=40000 DISPLAY="Sleep" ONLINE=TRUE @PJL INFO ID # ID (Brand an version): Brother HL-L2360D series:84U-F75:Ver.b.26 @PJL INFO PRODINFO #Product info @PJL FSDIRLIST NAME="0:\" ENTRY=1 COUNT=65535 #List dir @PJL INFO VARIABLES #Env variales @PJL INFO FILESYS #? @PJL INFO TIMEOUT #Timeout variables @PJL RDYMSG #Ready message @PJL FSINIT @PJL FSDIRLIST @PJL FSUPLOAD #Useful to upload a file @PJL FSDOWNLOAD #Useful to download a file @PJL FSDELETE #Useful to delete a file ``` #### Automatic ```bash nmap -sV --script pjl-ready-message -p ``` ```bash msf> use auxiliary/scanner/printer/printer_env_vars msf> use auxiliary/scanner/printer/printer_list_dir msf> use auxiliary/scanner/printer/printer_list_volumes msf> use auxiliary/scanner/printer/printer_ready_message msf> use auxiliary/scanner/printer/printer_version_info msf> use auxiliary/scanner/printer/printer_download_file msf> use auxiliary/scanner/printer/printer_upload_file msf> use auxiliary/scanner/printer/printer_delete_file ``` ### Printers Hacking tool This is the tool you want to use to abuse printers: [PRET](https://github.com/RUB-NDS/PRET) ### XPS/TrueType VM exploitation (Canon ImageCLASS) - Deliver XPS over PJL: - `@PJL ENTER LANGUAGE = XPS` - Then send the XPS ZIP bytes on the same TCP connection. - Minimal XPS page referencing an attacker font: ```xml ``` - 远程代码执行 primitive summary (TrueType hinting VM): - Hinting bytecode in TTF is executed by a TrueType VM. Canon’s VM lacked stack bounds checks. - CINDEX: OOB stack read → info leak - DELTAP1: unchecked relative stack pivot → controlled writes with subsequent pushes - Combine `WS`/`RS` (VM storage write/read) to stage values and perform a precise 32-bit write after pivot. - 利用 outline: 1) Create XPS with the page above and include `/Resources/evil.ttf`. 2) In `fpgm`/`prep`, use `CINDEX` to leak and compute `stack_cur`. 3) Stage target value with `WS`; pivot with `DELTAP1` to the destination; use `RS` to write it (e.g., to a function pointer) to gain PC control. - Send over 9100/tcp: ```bash { printf "@PJL ENTER LANGUAGE = XPS\r\n"; cat exploit.xps; } | nc -q0 9100 ``` - `exploit.xps` is a valid XPS ZIP containing `Documents/1/Pages/1.fpage` and `/Resources/evil.ttf`. ### **Shodan** - `pjl port:9100` --- ### 搜索引擎语法 #### FOFA ```bash # FOFA 搜索语法 port="9100" ``` #### Shodan ```bash # Shodan 搜索语法 port:9100 ``` #### ZoomEye ```bash # ZoomEye 搜索语法 port:9100 ``` --- ## 📖 参考资料 - [HackTricks - 9100-printer](https://book.hacktricks.wiki/en/network-services-pentesting/9100-printer.html)