Exploit Library

Andre Henrique edited this page Mar 25, 2026 · 1 revision

PrinterReaper ships with 39+ curated exploit modules in xpl/. Each module implements a standard check() (non-destructive probe) and run() interface.


Listing Exploits

# All exploits, sorted by CVSS score
python printer-reaper.py 192.168.1.100 --xpl-list

# Filter by source
python printer-reaper.py 192.168.1.100 --xpl-list --xpl-source metasploit
python printer-reaper.py 192.168.1.100 --xpl-list --xpl-source exploit-db
python printer-reaper.py 192.168.1.100 --xpl-list --xpl-source research
python printer-reaper.py 192.168.1.100 --xpl-list --xpl-source custom

Output:

  ID                                CVSS  CVE              Protocol  Title
  research-ldap-hash-capture        9.0   -                HTTP      LDAP/AD NTLM Hash Capture
  msf-pjl-traversal                 9.0   -                PJL       PJL Filesystem Traversal
  msf-hp-ews-auth                   8.8   CVE-2019-6329    HTTP      HP EWS Auth Bypass
  msf-samsung-6600                  8.5   CVE-2012-4964    HTTP      Samsung SCX-6600 RCE
  edb-15631                         8.3   CVE-2010-4107    PJL       HP PJL Directory Traversal
  edb-35151                         7.8   CVE-2010-4107    HTTP      HP LaserJet Info Disclosure
  edb-cve-2024-51978                7.5   CVE-2024-51978   SNMP      Brother WBM SNMP Password Leak
  edb-45273                         7.5   CVE-2019-14308   HTTP      Ricoh EWS Auth Bypass
  edb-20565                         7.5   CVE-2013-6234    HTTP      Lexmark HTTP Auth Bypass
  edb-17636                         7.0   CVE-2010-4231    FTP       Xerox FTP Default Credentials

Check Vulnerability (Non-Destructive)

python printer-reaper.py 192.168.1.100 --xpl-check edb-35151
python printer-reaper.py 192.168.1.100 --xpl-check msf-pjl-traversal
python printer-reaper.py 192.168.1.100 --xpl-check edb-cve-2024-51978
python printer-reaper.py 192.168.1.100 --xpl-check research-ldap-hash-capture

Output:

[CHECK] edb-35151  HP LaserJet Remote Info Disclosure
  Probe: GET /hp/device/info_deviceStatus.htm
  Result: [+] VULNERABLE - 200 OK, firmware string in response body

Run an Exploit

# Dry-run (safe default - checks but does not exploit)
python printer-reaper.py 192.168.1.100 --xpl-run edb-35151
python printer-reaper.py 192.168.1.100 --xpl-run edb-45273
python printer-reaper.py 192.168.1.100 --xpl-run research-ldap-hash-capture

# Live exploitation - AUTHORIZED LABS ONLY
python printer-reaper.py 192.168.1.100 --xpl-run edb-35151 --no-dry
python printer-reaper.py 192.168.1.100 --xpl-run msf-pjl-traversal --no-dry

Download from ExploitDB

python printer-reaper.py --xpl-fetch 45273     # Ricoh EWS auth bypass
python printer-reaper.py --xpl-fetch 17636     # Xerox FTP default creds
python printer-reaper.py --xpl-fetch 15631     # HP PJL traversal

Rebuild Index

After adding or modifying modules:

python printer-reaper.py --xpl-update

Auto-Match After Scan

python printer-reaper.py 192.168.1.100 --scan --xpl

Runs check() for all modules matching the detected vendor/model.


Exploit Directory Structure

xpl/
  edb-15631/              # HP PJL directory traversal
    metadata.json
    exploit.py            # check() + run()
  edb-17636/              # Xerox FTP default credentials
  edb-20565/              # Lexmark HTTP auth bypass
  edb-35151/              # HP LaserJet info disclosure
  edb-45273/              # Ricoh EWS auth bypass
  msf-pjl-traversal/
  msf-hp-ews-auth/
  msf-samsung-6600/
  research-ldap-hash-capture/
  edb-cve-2024-51978/     # Brother WBM SNMP password leak
  custom/
    TEMPLATE.py
  index.json              # auto-generated

Writing a Custom Exploit

xpl/custom/my_exploit/exploit.py:

METADATA = {
    "id":       "custom-my-exploit",
    "title":    "My Custom Printer Exploit",
    "source":   "custom",
    "cve":      None,
    "cvss":     7.5,
    "protocol": "http",
    "port":     80,
    "tags":     ["information-disclosure"],
    "vendors":  ["epson", "hp"],
}

def check(host: str, port: int = 80, **kwargs) -> bool:
    """Non-destructive probe. Returns True if target appears vulnerable."""
    import requests
    try:
        # Read-only GET; the probe changes nothing on the device.
        r = requests.get(f"http://{host}:{port}/status", timeout=5)
        return "vulnerable-string" in r.text
    except requests.RequestException:
        # An unreachable or erroring host is reported as not vulnerable.
        return False

def run(host: str, port: int = 80, dry_run: bool = True, **kwargs) -> dict:
    """Execute exploit. Always respect dry_run."""
    if dry_run:
        # Safe default: report and return without touching the target.
        return {"success": False, "output": "[DRY-RUN]", "evidence": ""}
    # Live path: the module's real logic goes here.
    return {"success": True, "output": "Exploited.", "evidence": "..."}

Then run: python printer-reaper.py --xpl-update


Full Exploit Catalog (v3.7.0)

Module ID                        Source      CVE             CVSS  Protocol  Target
edb-15631                        ExploitDB   CVE-2010-4107   8.3   PJL       HP LaserJet
edb-17636                        ExploitDB   CVE-2010-4231   7.0   FTP       Xerox WorkCentre
edb-20565                        ExploitDB   CVE-2013-6234   7.5   HTTP      Lexmark
edb-35151                        ExploitDB   CVE-2010-4107   7.8   HTTP      HP LaserJet
edb-45273                        ExploitDB   CVE-2019-14308  7.5   HTTP      Ricoh EWS
edb-cve-2024-51978               ExploitDB   CVE-2024-51978  7.5   SNMP      Brother WBM
msf-pjl-traversal                Metasploit  -               9.0   PJL       Multi-vendor
msf-hp-ews-auth                  Metasploit  CVE-2019-6329   8.8   HTTP      HP EWS
msf-samsung-6600                 Metasploit  CVE-2012-4964   8.5   HTTP      Samsung SCX-6600
research-ldap-hash-capture       Research    -               9.0   HTTP      Multi-vendor
research-pjl-nvram-damage        Research    -               7.0   PJL       Multi-vendor
research-ps-job-capture          Research    -               7.5   PS        Multi-vendor
research-xsp-cors                Research    -               6.5   HTTP+PS   Multi-vendor
research-ipp-anon-job            Research    -               6.0   IPP       Multi-vendor
research-snmp-write              Research    -               7.0   SNMP      Multi-vendor
research-hp-factory-reset        Research    -               7.5   PJL       HP
research-canon-session-fixation  Research    CVE-2023-27516  6.5   HTTP      Canon
research-epson-http-auth-bypass  Research    CVE-2022-3426   7.5   HTTP      Epson
research-brother-telnet          Research    -               6.0   Telnet    Brother
research-kyocera-snmp-creds      Research    -               7.0   SNMP      Kyocera
