Share
## https://sploitus.com/exploit?id=PACKETSTORM:180920
##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Auxiliary  
include Msf::Exploit::Remote::SNMPClient  
include Msf::Auxiliary::Report  
include Msf::Auxiliary::Scanner  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'HP LaserJet Printer SNMP Enumeration',  
'Description' => %q{  
This module allows enumeration of files previously printed.  
It provides details as filename, client, timestamp and username information.  
The default community used is "public".  
},  
'References' =>  
[  
[ 'URL', 'https://en.wikipedia.org/wiki/Simple_Network_Management_Protocol' ],  
[ 'URL', 'https://net-snmp.sourceforge.io/docs/man/snmpwalk.html' ],  
[ 'URL', 'http://www.nothink.org/codes/snmpcheck/index.php' ],  
[ 'URL', 'http://www.securiteam.com/securitynews/5AP0S2KGVS.html' ],  
[ 'URL', 'http://stuff.mit.edu/afs/athena/dept/cron/tools/share/mibs/290923.mib' ],  
],  
'Author' => 'Matteo Cantoni <goony[at]nothink.org>',  
'License' => MSF_LICENSE  
))  
end  
  
def run_host(ip)  
begin  
snmp = connect_snmp  
  
vprint_status("Connecting to #{ip}")  
  
output_data = []  
  
output_data << "IP address : #{ip}"  
  
sysName = snmp.get_value('1.3.6.1.2.1.1.5.0').to_s  
output_data << "Hostname : #{sysName.strip}"  
  
sysDesc = snmp.get_value('1.3.6.1.2.1.1.1.0').to_s  
sysDesc.gsub!(/^\s+|\s+$|\n+|\r+/, ' ')  
output_data << "Description : #{sysDesc.strip}"  
  
sysContact = snmp.get_value('1.3.6.1.2.1.1.4.0').to_s  
output_data << "Contact : #{sysContact.strip}" if not sysContact.empty?  
  
sysLocation = snmp.get_value('1.3.6.1.2.1.1.6.0').to_s  
output_data << "Location : #{sysLocation.strip}" if not sysLocation.empty?  
  
output_data << ""  
  
snmp.walk([  
"1.3.6.1.4.1.11.2.3.9.4.2.1.1.6.5.1", # job-info-name1 - document name1  
"1.3.6.1.4.1.11.2.3.9.4.2.1.1.6.5.2", # job-info-name2 - document name2  
"1.3.6.1.4.1.11.2.3.9.4.2.1.1.6.5.23.1", # job-info-attr-1 - username  
"1.3.6.1.4.1.11.2.3.9.4.2.1.1.6.5.23.2", # job-info-attr-2 - machine name  
"1.3.6.1.4.1.11.2.3.9.4.2.1.1.6.5.23.3", # job-info-attr-3 - domain (?)  
"1.3.6.1.4.1.11.2.3.9.4.2.1.1.6.5.23.4", # job-info-attr-4 - timestamp  
"1.3.6.1.4.1.11.2.3.9.4.2.1.1.6.5.23.6", # job-info-attr-6 - application name  
"1.3.6.1.4.1.11.2.3.9.4.2.1.1.6.5.23.7", # job-info-attr-7 - application command  
]) do |name1,name2,username,client,domain,timestamp,app_name,app_command|  
  
filename = name1.value.to_s + name2.value.to_s  
  
if (username.value.to_s !~ /noSuchInstance/)  
if username.value.to_s =~ /^JobAcct(\d+)=(.*)/  
username = $2  
end  
else  
username = ''  
end  
  
if (client.value.to_s !~ /noSuchInstance/)  
if client.value.to_s =~ /^JobAcct(\d+)=(.*)/  
client = $2  
end  
else  
client = ''  
end  
  
if (domain.value.to_s !~ /noSuchInstance/)  
if domain.value.to_s =~ /^JobAcct(\d+)=(.*)/  
domain = $2  
end  
else  
domain = ''  
end  
  
if (timestamp.value.to_s !~ /noSuchInstance/)  
if timestamp.value.to_s =~ /^JobAcct(\d+)=(.*)/  
timestamp = $2  
end  
else  
timestamp = ''  
end  
  
if (app_name.value.to_s !~ /noSuchInstance/)  
if app_name.value.to_s =~ /^JobAcct(\d+)=(.*)/  
app_name = $2  
end  
else  
app_name = ''  
end  
  
if (app_command.value.to_s !~ /noSuchInstance/)  
if app_command.value.to_s =~ /^JobAcct(\d+)=(.*)/  
app_command = $2  
end  
else  
app_command = ''  
end  
  
if not timestamp.empty?  
output_data << "File name : #{filename}"  
output_data << "Username : #{username}" if not username.empty?  
output_data << "Client : #{client}" if not client.empty?  
output_data << "Domain : #{domain}" if not domain.empty?  
output_data << "Timestamp : #{timestamp}" if not timestamp.empty?  
output_data << "Application : #{app_name} (#{app_command})" if not app_name.empty?  
output_data << ""  
end  
end  
  
output_data.each do |row|  
print_good("#{row}")  
end  
  
disconnect_snmp  
  
rescue SNMP::RequestTimeout  
print_error("#{ip}, SNMP request timeout.")  
rescue Errno::ECONNREFUSED  
print_error("#{ip}, Connection refused.")  
rescue SNMP::InvalidIpAddress  
print_error("#{ip}, Invalid IP Address. Check it with 'snmpwalk tool'.")  
rescue ::Interrupt  
raise $!  
rescue ::Exception => e  
print_error("#{ip}, Unknown error: #{e.class} #{e}")  
end  
end  
end