Hacking printers using fonts

src/network-services-pentesting/9100-pjl.md

@@ -54,15 +54,45 @@ msf> use auxiliary/scanner/printer/printer_delete_file
 
 ## Printers Hacking tool
 
-This is the tool you want to use to abuse printers:
+This is the tool you want to use to abuse printers: [PRET](https://github.com/RUB-NDS/PRET)
 
+## XPS/TrueType VM exploitation (Canon ImageCLASS)
 
-{{#ref}}
-https://github.com/RUB-NDS/PRET
-{{#endref}}
+- Deliver XPS over PJL:
+  - `@PJL ENTER LANGUAGE = XPS`
+  - Then send the XPS ZIP bytes on the same TCP connection.
+
+- Minimal XPS page referencing an attacker font:
+
+```xml
+<Glyphs Fill="#ff000000" FontUri="/Resources/evil.ttf" FontRenderingEmSize="12" OriginX="10" OriginY="10"/>
+```
+
+- RCE primitive summary (TrueType hinting VM):
+  - Hinting bytecode in TTF is executed by a TrueType VM. Canon’s VM lacked stack bounds checks.
+  - CINDEX: OOB stack read → info leak
+  - DELTAP1: unchecked relative stack pivot → controlled writes with subsequent pushes
+  - Combine `WS`/`RS` (VM storage write/read) to stage values and perform a precise 32-bit write after pivot.
+
+- Exploit outline:
+  1) Create XPS with the page above and include `/Resources/evil.ttf`.
+  2) In `fpgm`/`prep`, use `CINDEX` to leak and compute `stack_cur`.
+  3) Stage target value with `WS`; pivot with `DELTAP1` to the destination; use `RS` to write it (e.g., to a function pointer) to gain PC control.
+
+- Send over 9100/tcp:
+
+```bash
+{ printf "@PJL ENTER LANGUAGE = XPS\r\n"; cat exploit.xps; } | nc -q0 <PRINTER_IP> 9100
+```
+
+- `exploit.xps` is a valid XPS ZIP containing `Documents/1/Pages/1.fpage` and `/Resources/evil.ttf`.
 
 ## **Shodan**
 
 - `pjl port:9100`
 
+## References
+- [Hacking printers using fonts (Canon ImageCLASS TrueType VM bugs)](https://haxx.in/posts/2025-09-23-canon-ttf/)
+- [Apple TrueType Reference Manual – Instruction Set and VM (26.6 fixed point)](https://developer.apple.com/fonts/TrueType-Reference-Manual/RM05/Chap5.html)
+
 {{#include ../banners/hacktricks-training.md}}