Commit f519414

author
HackTricks News Bot
committed
Add content from: Hacking printers using fonts
1 parent e77a089 commit f519414

1 file changed

+34
-4
lines changed

src/network-services-pentesting/9100-pjl.md

@@ -54,15 +54,45 @@ msf> use auxiliary/scanner/printer/printer_delete_file
5454
5555
## Printers Hacking tool
5656
57-
This is the tool you want to use to abuse printers:
57+
This is the tool you want to use to abuse printers: [PRET](https://github.com/RUB-NDS/PRET)
5858
59+
## XPS/TrueType VM exploitation (Canon ImageCLASS)
5960
60-
{{#ref}}
61-
https://github.com/RUB-NDS/PRET
62-
{{#endref}}
61+
- Deliver XPS over PJL:
62+
- `@PJL ENTER LANGUAGE = XPS`
63+
- Then send the XPS ZIP bytes on the same TCP connection.
64+
65+
- Minimal XPS page referencing an attacker font:
66+
67+
```xml
68+
<Glyphs Fill="#ff000000" FontUri="/Resources/evil.ttf" FontRenderingEmSize="12" OriginX="10" OriginY="10"/>
69+
```
70+
71+
- RCE primitive summary (TrueType hinting VM):
72+
- Hinting bytecode in TTF is executed by a TrueType VM. Canon’s VM lacked stack bounds checks.
73+
- CINDEX: OOB stack read → info leak
74+
- DELTAP1: unchecked relative stack pivot → controlled writes with subsequent pushes
75+
- Combine `WS`/`RS` (VM storage write/read) to stage values and perform a precise 32-bit write after pivot.
76+
77+
- Exploit outline:
78+
1) Create XPS with the page above and include `/Resources/evil.ttf`.
79+
2) In `fpgm`/`prep`, use `CINDEX` to leak and compute `stack_cur`.
80+
3) Stage target value with `WS`; pivot with `DELTAP1` to the destination; use `RS` to write it (e.g., to a function pointer) to gain PC control.
81+
82+
- Send over 9100/tcp:
83+
84+
```bash
85+
{ printf "@PJL ENTER LANGUAGE = XPS\r\n"; cat exploit.xps; } | nc -q0 <PRINTER_IP> 9100
86+
```
87+
88+
- `exploit.xps` is a valid XPS ZIP containing `Documents/1/Pages/1.fpage` and `/Resources/evil.ttf`.
6389

6490
## **Shodan**
6591

6692
- `pjl port:9100`
6793

94+
## References
95+
- [Hacking printers using fonts (Canon ImageCLASS TrueType VM bugs)](https://haxx.in/posts/2025-09-23-canon-ttf/)
96+
- [Apple TrueType Reference Manual – Instruction Set and VM (26.6 fixed point)](https://developer.apple.com/fonts/TrueType-Reference-Manual/RM05/Chap5.html)
97+
6898
{{#include ../banners/hacktricks-training.md}}
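
Review bot: In the exploit outline, step 3 says to use `RS` to write the staged value, but the primitive summary a few lines above defines `WS`/`RS` as VM storage write/read and attributes the write to the pushes that follow the `DELTAP1` pivot, so the step reads as if `RS` were the store instruction. Suggest rewording step 3 to say that `RS` reads the staged value back from storage and pushes it onto the pivoted stack, and that this push is what lands at the destination. The new section also states that Canon's VM "lacked stack bounds checks" without naming the affected models or firmware or a fixed version, and it gives readers nothing to act on defensively. A line with the affected and fixed versions taken from the referenced write-up, plus a note on restricting access to 9100/tcp, would let readers judge their exposure.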
