Skip to content

Create escpos_tcp_command_injector.rb #20478

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 12 commits into
base: master
Choose a base branch
from
Open

Create escpos_tcp_command_injector.rb #20478

wants to merge 12 commits into from

Conversation

futileskills
Copy link

@futileskills futileskills commented Aug 18, 2025
edited
Loading

Add ESC/POS Printer Command Injector Module for Epson-Compatible Printers

Description:
This PR introduces a new auxiliary module to Metasploit that exploits an unauthenticated ESC/POS command vulnerability in networked Epson-compatible printers. The vulnerability allows an attacker to send crafted commands over the network to inject custom ESC/POS print commands, which are used in various receipt printers.

Key Features:

  • Customizable Message: The attacker can specify a custom message to be printed.
  • Cash Drawer Trigger: The module can optionally trigger an attached cash drawer.
  • Paper Feed and Cut: New functionality to feed the paper and then cut it, which provides more realistic and complete receipt testing.
  • Default Behavior: By default, the module can print a message, trigger a cash drawer, or feed and cut paper if configured.

Vulnerable Target:

  • Printer Model: Any Epson-compatible printer that supports the ESC/POS command set over port 9100.
  • CVE Information: CVE is currently under submission for the vulnerability in Epson-compatible network printers.

Module Options:

  • RHOST (Target IP): The target IP address of the printer.
  • RPORT (Target Port): The port used for communication (default is 9100).
  • MESSAGE: The custom message to be printed.
  • PRINT_MESSAGE: Boolean flag to enable printing the message.
  • TRIGGER_DRAWER: Boolean flag to optionally trigger the attached cash drawer.
  • CUT_PAPER: Boolean flag to feed and cut the paper.
  • FEED_LINES: Integer to specify the number of lines to feed before cutting.
  • DRAWER_COUNT: Integer to specify the number of times to trigger the cash drawer.

Exploit Details:

The exploit uses the ESC/POS command sequence to:

  1. Initialize the printer.
  2. Print the user-defined message.
  3. Optionally trigger the connected cash drawer.
  4. Optionally feed the paper and perform a full cut.

Potential Use Cases:

  • Security Research: Test and demonstrate vulnerabilities in legacy or misconfigured Epson-compatible printers.
  • Penetration Testing: Evaluate the physical security and potential unauthorized access to networked receipt printers.
  • Network Forensics: Analyze network traffic involving printers to uncover potential exploits or misconfigurations.

Notes:

  • Compatibility: This module is compatible with networked Epson-compatible printers that expose the ESC/POS protocol on the default port (9100).
  • Safety Warning: This is intended for ethical use in controlled environments. It is illegal to use this tool on devices you do not own or have explicit permission to test.

CVE is pending, will update when I hear back.

@futileskills
Create escpos_tcp_command_injector.rb
4e64a0a
@futileskills
Update escpos_tcp_command_injector.rb
e9a7aba 
Clean up ESC/POS printer command injector: remove unnecessary HEX_COMMANDS feature, add documentation, references, and comments
@github-actions GitHub Actions
Copy link

Thanks for your pull request! Before this can be merged, we need the following documentation for your module:

@futileskills
Copy link
Author

I'm new to contributing here and this is my first PR. Could I get some clarification on what kind of documentation you'd like for this module?
I've added a file header and some inline comments, and I can put together a Markdown doc or update the README if that's helpful.
Thanks for any guidance!

@bcoles bcoles added docs and removed needs-docs labels Aug 19, 2025
bcoles
bcoles reviewed Aug 19, 2025
View reviewed changes
@bcoles
Copy link
Contributor

bcoles commented Aug 19, 2025

I'm new to contributing here and this is my first PR.

Welcome!

Could I get some clarification on what kind of documentation you'd like for this module?

Refer to the links here: #20478 (comment)

I can put together a Markdown doc or update the README if that's helpful.

Please also validate your markdown formatted documentation with msftidy_docs:

./tools/dev/msftidy_docs.rb documentation/modules/auxiliary/admin/printer/escpos_tcp_command_injector.md

cdelafuente-r7
cdelafuente-r7 reviewed Aug 21, 2025
View reviewed changes
Copy link
Contributor

@cdelafuente-r7 cdelafuente-r7 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you @futileskills for this module! It looks great! I just left a few comments and suggestions for you to review when you get a chance.

@futileskills
Copy link
Author

Thank you @futileskills for this module! It looks great! I just left a few comments and suggestions for you to review when you get a chance.

Thank you! I really appreciate your feedback! I'm just starting to learn Ruby so take it easy on me lol.

@futileskills
Copy link
Author

futileskills commented Aug 23, 2025
edited
Loading

Okay, I think I got everything working. The only thing that I still want to add is additional in depth documentation for this module, but i figured I can add the link to that later on. - Once I finish it. It will be more of a in-depth documentation of what I have learned and the main concept behind the module. Here is what I have so far: https://github.com/futileskills/ESCPOS-Injector-Documentation-
Later on when I am happy with it I will request an update to add the link directly.

If there is anything else y'all would like to see please let me know and thank you again for all the help! @bcoles @cdelafuente-r7

@futileskills futileskills marked this pull request as ready for review August 23, 2025 19:04
cdelafuente-r7
cdelafuente-r7 reviewed Aug 27, 2025
View reviewed changes
Copy link
Contributor

@cdelafuente-r7 cdelafuente-r7 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you @futileskills for making the changes. I just left one more comment, but otherwise it looks good to me. Someone else from R7 will take over and do a second round of review/testing (if possible). Thanks again for your contribution.

@futileskills
Copy link
Author

Thank you @futileskills for making the changes. I just left one more comment, but otherwise it looks good to me. Someone else from R7 will take over and do a second round of review/testing (if possible). Thanks again for your contribution.

Thank you! Glad to be able to finally contribute.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@cdelafuente-r7 cdelafuente-r7 cdelafuente-r7 left review comments

@bcoles bcoles Awaiting requested review from bcoles

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
docs module
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@futileskills @bcoles @cdelafuente-r7