Hex00010

Xerox Workstation/WorkCentre - Exploit - Hex00010

Jun 20th, 2012
Re-linking all of my old 'guest' pastebins to one main account so I don't have to search for all of them through Google.

Main PasteBin Link -> http://pastebin.com/urSwn6db
-------------------------------------------------------------------------------------------------------

Xerox WorkCentre Exploit

By: Hex00010

03/12/2012

What is Xerox WorkCentre?

In very, very, very, very quick, easy-to-use terms, it's a printer.

Yeah, you see "printer" and everyone is like, okay, what's the big deal about this? It's a fucking printer, for Christ's sake?

True, it is, BUT when this software is deployed onto client machines it also adds a service.

This service runs through the whole network; think of it as a "root admin".

This root admin can alter the entire network through simple methods.

The severity of this exploit is that of a local root exploit.

Major companies use this software, such as:

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
NorthwesTel -

For over 60 years, Northwestel has served the largest operating area in the Western hemisphere and played a large hand in transforming communications in Northern Canada.
As part of our 2011 Vision, we will focus on offering innovative technology to our customers - making connections happen in their lives.

United States, Houston, Texas, University Of Houston

University of Alaska

United States, Foley, Mebtel Communications

Brazil, Campina Grande, Universidade Federal De Campina Grande

etc etc etc etc

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Note that this is just a quick type-up to show people and whatnot. All of this will be re-posted in the upcoming days in a better, more detailed, and graphed explanation.

Below is just random copy/paste I decided to show that this exploit reveals to you once executed.

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Protocols -

AppleTalk
NetWare
TCP/IP
SNMP
SSDP
LPR/LPD
Raw TCP/IP Printing
IPP
SMTP Server
LDAP Directory
HTTP

{ Example Copy / paste text on page LDAP Directory

Server Information Name or IP Address: IP Address
Host Name
Primary LDAP Host Name and Port: :
Alternate LDAP Host Name and Port:

LDAP Access

Search Directory Root: ou=business units,dc=*******Deleted TEXT******linprofac,dc=com
Login Credentials to Access LDAP Server :

LDAP Bind

Bind Method : Anonymous
Simple
Login Name: <---------- Allows you to update account information
Password:
Retype Password:
Select to save new password
Append base DN:

{ Example Copy / paste text on page SMTP

Server Information

Name or IP Address: IP Address
Host Name
SMTP Host Name and Port: smtptor.snclav********** DELETED TEXT *****.com :
SMTP Server Authentication: Server Requires SMTP Authentication
Login Name: prof******\********xerox2

DNS SETTINGS

TCP/IP General

Protocol: Enable
Physical Connection: Ethernet
Host Name:
IP Address Resolution:
Machine IP Address:
Subnet Mask:
Gateway Address:
DNS Settings Domain Name:
Primary DNS Server:
Secondary DNS Server:
Dynamic DNS Registration: Enable
Primary WINS Server:
Secondary WINS Server:
SLP Configuration Protocol: Enable
Port Number: 427
Character Set: US-ASCII
Directory Agent:
Scope 1:
Scope 2:
Scope 3:
Message Type:
Multicast Radius: (0-255)
MTU:

-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Services -

Authentication Setup

Add new user accounts - Email Accounts

Even got Printer Settings on this bitch lol

Font Number:
Symbol Set:
Font Pitch:
Font Height:
Lines Per Form:
Line Termination:

Machine Name: Customer ID Name:
Fax Number: Customer ID Number:
Ring To Answer: Times Prefix Dial:
Redial Term: Minutes Discard Size: mm
Redial Count: Times Stamp Receiver Name:
Speaker: ECM Mode:
Ringer: Auto Report:
Receive Mode: Rx Reduction:
Fax Duplex: Auto Clear Timeout: Sec
Sending Confirmation:

Anyways - this exploit is available for sale.

What you will get:

1. Script to detect international systems using this software

2. Exploit + method to gain full root internal access

This is just a draft type-up, so don't expect a lot to be typed in here and whatnot; I will do the real paper later on.

Anyways, with that said, hope you liked it :)

Proof of Concept -> http://i41.tinypic.com/29239ki.png