printerxpl-forge 6.2.0__py3-none-any.whl

nse/scripts/printer-banner.nse

@@ -0,0 +1,217 @@
+local description = [[
+printer-banner — Multi-protocol printer banner grabber and vendor fingerprinting.
+
+Probes ports 9100 (PJL/RAW), 631 (IPP), 80/443 (HTTP EWS), 515 (LPD), and 23 (Telnet)
+to collect the printer's manufacturer, model, firmware version, and serial number.
+Fingerprint results are cross-referenced against the PrinterXPL-Forge CVE database to
+list potentially exploitable vulnerabilities and suggest specific exploit modules.
+
+References:
+  https://github.com/mrhenrike/PrinterXPL-Forge
+  https://github.com/mrhenrike/PrinterXPL-Forge/wiki/NSE
+
+Author: André Henrique (@mrhenrike) | União Geek
+]]
+
+---
+-- @usage
+--   nmap -sV -p 9100,631,80,443,515,23 --script printer-banner <target>
+-- @output
+-- PORT     STATE SERVICE
+-- 9100/tcp open  jetdirect
+-- | printer-banner:
+-- |   Vendor   : HP
+-- |   Family   : LaserJet/OfficeJet/PageWide
+-- |   Banner   : HP LaserJet M606 / FutureSmart 5.6
+-- |   Firmware : FY5L.04.A.00.00
+-- |   Serial   : JPGD12345
+-- |   CVEs     : 3 matching (run printer-cve-detect for details)
+-- |_  Suggest  : printerxpl-forge run --module xpl/edb-cve-2025-26506 --target <IP>
+--
+-- @xmloutput
+-- <table key="banner">...</table>
+---
+
+categories = { "discovery", "safe", "default" }
+author     = "André Henrique (@mrhenrike) | União Geek"
+license    = "Same as Nmap -- See https://nmap.org/book/man-legal.html"
+
+local stdnse  = require "stdnse"
+local nmap    = require "nmap"
+local shortport = require "shortport"
+local comm    = require "comm"
+local http    = require "http"
+local string  = require "string"
+local table   = require "table"
+
+-- Load shared library (must be placed in nmap/nselib/ or nse/lib/ during install)
+local ok, printerxpl = pcall(require, "printerxpl")
+if not ok then
+  printerxpl = nil
+end
+
+-- ── Port rule: fire on any of the typical printer ports ──────────────────────
+portrule = shortport.port_or_service(
+  { 9100, 631, 80, 443, 515, 23 },
+  { "jetdirect", "ipp", "http", "https", "printer", "telnet" },
+  "tcp"
+)
+
+-- ── PJL probe: send @PJL INFO ID and @PJL INFO CONFIG ────────────────────────
+local function pjl_probe(host, port)
+  local uel = "\x1b%-12345X"
+  local cmd = uel .. "@PJL\r\n@PJL INFO ID\r\n@PJL INFO CONFIG\r\n@PJL INFO STATUS\r\n" .. uel
+  local status, result = comm.exchange(host, port, cmd, { timeout = 5000, bytes = 4096 })
+  if status then return result end
+  return nil
+end
+
+-- ── IPP probe: Get-Printer-Attributes (minimal) ───────────────────────────────
+local function ipp_probe(host, port)
+  local resp = http.post(
+    host, port, "/ipp/print",
+    { header = { ["Content-Type"] = "application/ipp" } },
+    nil,
+    -- IPP Get-Printer-Attributes request (version 1.1)
+    "\x01\x01\x00\x0b\x00\x00\x00\x01" ..
+    "\x01" ..
+    "\x47\x00\x12attributes-charset\x00\x05utf-8" ..
+    "\x48\x00\x1battributes-natural-language\x00\x05en-us" ..
+    "\x03"
+  )
+  if resp and resp.status then
+    return resp.body or ""
+  end
+  return nil
+end
+
+-- ── HTTP EWS probe ───────────────────────────────────────────────────────────
+local function http_probe(host, port)
+  local paths = { "/", "/hp/device/", "/cgi-bin/dynamic/", "/TopAccess/", "/web/index.html" }
+  for _, path in ipairs(paths) do
+    local resp = http.get(host, port, path, { timeout = 5000 })
+    if resp and resp.status == 200 and resp.body and #resp.body > 50 then
+      return resp.body
+    end
+  end
+  return nil
+end
+
+-- ── LPD probe: send LPD short-status request ─────────────────────────────────
+local function lpd_probe(host, port)
+  local status, result = comm.exchange(host, port, "\x01\n", { timeout = 3000, bytes = 512 })
+  if status then return result end
+  return nil
+end
+
+-- ── Extract fields from combined banner text ──────────────────────────────────
+local function extract_info(text)
+  local info = {}
+  -- Firmware / version
+  local fw = text:match("[Ff]irmware[Vv]ersion[^:]*:%s*([%w%.%-]+)")
+              or text:match("DATECODE=%s*([%w%.]+)")
+              or text:match("[Vv]ersion[^:]*:%s*([%w%.%-]+)")
+  if fw then info.firmware = fw end
+  -- Serial
+  local sn = text:match("[Ss]erial[Nn]umber[^:]*:%s*([%w%-]+)")
+              or text:match("SERIALNUMBER=%s*([%w%-]+)")
+  if sn then info.serial = sn end
+  -- Model (PJL style: DESCRIPTION="HP LaserJet P3015")
+  local model = text:match('[Dd][Ee][Ss][Cc][Rr][Ii][Pp][Tt][Ii][Oo][Nn]="([^"]+)"')
+                or text:match("[Mm]odel[^:]*:%s*([^\r\n]+)")
+                or text:match("[Pp]roduct:%s*([^\r\n]+)")
+  if model then info.model = model:match("^%s*(.-)%s*$") end
+  -- IP address (from CUPS / IPP response)
+  local ip = text:match("printer%-name%s*=%s*([%w%.%-]+)")
+  if ip then info.printer_name = ip end
+  return info
+end
+
+-- ── Main action ──────────────────────────────────────────────────────────────
+action = function(host, port)
+  local portnum = port.number
+  local banner_text = ""
+  local source = ""
+
+  if portnum == 9100 then
+    local r = pjl_probe(host, port)
+    if r then banner_text = r; source = "PJL" end
+  elseif portnum == 631 then
+    local r = ipp_probe(host, port)
+    if r then banner_text = r; source = "IPP" end
+  elseif portnum == 80 or portnum == 443 then
+    local r = http_probe(host, port)
+    if r then banner_text = r; source = "HTTP-EWS" end
+  elseif portnum == 515 then
+    local r = lpd_probe(host, port)
+    if r then banner_text = r; source = "LPD" end
+  end
+
+  if banner_text == "" then
+    return nil
+  end
+
+  -- Vendor detection
+  local vendor, family = nil, nil
+  if printerxpl then
+    vendor, family = printerxpl.detect_vendor(banner_text)
+  else
+    -- Fallback inline detection
+    local b = banner_text:lower()
+    if b:match("hp") or b:match("hewlett") or b:match("laserjet") then
+      vendor, family = "HP", "LaserJet/OfficeJet"
+    elseif b:match("canon") then vendor, family = "Canon", "imageCLASS/imageRUNNER"
+    elseif b:match("lexmark") then vendor, family = "Lexmark", "MX/CX series"
+    elseif b:match("ricoh") or b:match("aficio") then vendor, family = "Ricoh", "Aficio/MP"
+    elseif b:match("xerox") then vendor, family = "Xerox", "WorkCentre/VersaLink"
+    elseif b:match("brother") then vendor, family = "Brother", "MFC/DCP"
+    elseif b:match("epson") then vendor, family = "Epson", "WorkForce"
+    elseif b:match("konica") or b:match("bizhub") then vendor, family = "Konica Minolta", "bizhub"
+    elseif b:match("kyocera") then vendor, family = "Kyocera", "ECOSYS"
+    elseif b:match("sharp") then vendor, family = "Sharp", "MX"
+    elseif b:match("toshiba") then vendor, family = "Toshiba", "e-STUDIO"
+    elseif b:match("samsung") then vendor, family = "Samsung", "CLX/SCX"
+    elseif b:match("cups") then vendor, family = "Linux/CUPS", "CUPS scheduler"
+    end
+  end
+
+  local info = extract_info(banner_text)
+
+  -- Collect CVE count hint
+  local cve_count = 0
+  local best_xpl = nil
+  if printerxpl and vendor then
+    local cves = printerxpl.match_cves(vendor)
+    cve_count = #cves
+    if cve_count > 0 then
+      best_xpl = cves[1].xpl
+    end
+  end
+
+  -- Build output
+  local out = stdnse.output_table()
+  out["Protocol"] = source
+  if vendor then
+    out["Vendor"]   = vendor
+    out["Family"]   = family or "Unknown"
+  end
+  if info.model    then out["Model"]    = info.model    end
+  if info.firmware then out["Firmware"] = info.firmware end
+  if info.serial   then out["Serial"]   = info.serial   end
+
+  -- Banner snippet (first 200 printable chars)
+  local snippet = banner_text:gsub("[%c]", " "):sub(1, 200):match("^%s*(.-)%s*$")
+  if #snippet > 0 then out["Banner"] = snippet end
+
+  if cve_count > 0 then
+    out["CVE-Count"] = string.format("%d matching CVEs (run printer-cve-detect for details)", cve_count)
+    out["Suggest"]   = string.format(
+      "printerxpl-forge run --module %s --target %s", best_xpl, host.ip)
+  elseif vendor then
+    out["CVE-Count"] = "0 matching (vendor known but no specific CVE match on this port)"
+  end
+
+  out["Full-Scan"] = "pip install printerxpl-forge  |  printerxpl-forge scan --target " .. host.ip
+
+  return out
+end

nse/scripts/printer-cups-rce.nse

@@ -0,0 +1,189 @@
+local description = [[
+printer-cups-rce — CUPS vulnerability detection (CVE-2024-47176 / CVE-2026-34980).
+
+Specifically targets CUPS schedulers to detect:
+  - CVE-2024-47176: cups-browsed listens on UDP 631 and accepts any browsing packet
+    that can redirect to an attacker-controlled IPP server → unauthenticated RCE
+  - CVE-2026-34980: CUPS 2.4.16 accepts newline characters in print job-name option,
+    allowing injection of PPD: FoomaticRIPCommandLine directives → unauthenticated RCE
+
+Detection is passive + version-based; no actual exploit payload is sent.
+
+Author: André Henrique (@mrhenrike) | União Geek
+]]
+
+---
+-- @usage
+--   nmap -sU -sT -p U:631,T:631 --script printer-cups-rce <target>
+--   nmap -p 631 --script printer-cups-rce <target>
+-- @output
+-- PORT    STATE SERVICE
+-- 631/tcp open  ipp
+-- | printer-cups-rce:
+-- |   CUPS-Version  : 2.4.16
+-- |   cups-browsed  : DETECTED (listening on UDP 631)
+-- |   [CRITICAL] CVE-2026-34980 — CUPS 2.4.16 unauthenticated RCE via PPD injection
+-- |   [CRITICAL] CVE-2024-47176 — cups-browsed unauthenticated RCE chain
+-- |   Verdict       : VULNERABLE
+-- |_  Suggest       : printerxpl-forge run --module xpl/research/research-cups-chain-2026
+---
+
+categories = { "vuln", "safe" }
+author     = "André Henrique (@mrhenrike) | União Geek"
+license    = "Same as Nmap -- See https://nmap.org/book/man-legal.html"
+
+local stdnse    = require "stdnse"
+local shortport = require "shortport"
+local http      = require "http"
+local comm      = require "comm"
+local string    = require "string"
+local table     = require "table"
+
+portrule = shortport.port_or_service(631, { "ipp", "cups" }, { "tcp", "udp" })
+
+local V = { VULN = "VULNERABLE", POSS = "POSSIBLY VULNERABLE", NOT = "NOT VULNERABLE" }
+
+-- IPP Get-Printer-Attributes minimal request
+local function ipp_probe(host, port)
+  local printer_uri = string.format("ipp://%s:%d/", host.ip, port.number)
+  local req =
+    "\x02\x00\x00\x0b\x00\x00\x00\x01\x01" ..
+    "\x47\x00\x12attributes-charset\x00\x05utf-8" ..
+    "\x48\x00\x1battributes-natural-language\x00\x05en-us" ..
+    "\x45\x00\x0bprinter-uri" ..
+    string.char(0x00, #printer_uri >> 8, #printer_uri & 0xff) .. printer_uri ..
+    "\x03"
+  local resp = http.post(
+    host, port.number, "/printers/",
+    { header = { ["Content-Type"] = "application/ipp" }, timeout = 6000 },
+    nil, req
+  )
+  if resp and resp.body then return resp.body end
+  return nil
+end
+
+-- cups-browsed UDP probe: send a CUPS browse packet to port 631 UDP
+local function probe_cups_browsed(host, port)
+  -- Legacy CUPS browse packet (type=3 = printer, uri format)
+  local browse_pkt = "3 5 http://nmap-probe:631/printers/ ipp://nmap-probe/printers/default\n"
+  local ok, resp = comm.exchange(host, { number = 631, protocol = "udp" },
+    browse_pkt, { timeout = 3000, bytes = 256 })
+  -- If port sends any response or error, cups-browsed likely running
+  return ok
+end
+
+-- HTTP check on CUPS web interface
+local function get_cups_web(host, port)
+  local r = http.get(host, port.number, "/", { timeout = 4000 })
+  if r and r.body then return r.body end
+  return nil
+end
+
+action = function(host, port)
+  local out = stdnse.output_table()
+
+  -- 1. IPP probe
+  local ipp_body = ipp_probe(host, port)
+
+  -- 2. HTTP CUPS web interface
+  local web_body = get_cups_web(host, port)
+
+  -- Combine for analysis
+  local combined = (ipp_body or "") .. (web_body or "")
+
+  if #combined < 10 then
+    return "No IPP/CUPS response on port " .. port.number
+  end
+
+  -- Check if CUPS
+  local is_cups = combined:lower():match("cups")
+  if not is_cups then
+    return "CUPS not detected on port " .. port.number .. " — try printer-ipp-info for generic IPP"
+  end
+
+  out["Service"] = "CUPS"
+
+  -- Extract version
+  local version = combined:match("CUPS%s+([%d%.]+)")
+               or combined:match("cups%-(%d+%.%d+%.%d+)")
+               or combined:match("<version>([%d%.]+)</version>")
+  if version then out["CUPS-Version"] = version end
+
+  -- cups-browsed probe
+  local browsed = probe_cups_browsed(host, port)
+  out["cups-browsed"] = browsed and "DETECTED (UDP 631 responding)" or "Not detected / filtered"
+
+  -- CVE determination
+  local cves = {}
+
+  if version == "2.4.16" then
+    table.insert(cves, {
+      id   = "CVE-2026-34980",
+      sev  = "CRITICAL",
+      cvss = 9.1,
+      desc = "CUPS 2.4.16 unauthenticated RCE via job-name newline → PPD FoomaticRIPCommandLine injection",
+      xpl  = "xpl/research/research-cups-chain-2026",
+    })
+    table.insert(cves, {
+      id   = "CVE-2026-34990",
+      sev  = "HIGH",
+      cvss = 7.8,
+      desc = "CUPS 2.4.16 LPE to root via local printer race condition (chain with CVE-2026-34980)",
+      xpl  = "xpl/research/research-cups-root-2026",
+    })
+  end
+
+  if browsed then
+    table.insert(cves, {
+      id   = "CVE-2024-47176",
+      sev  = "CRITICAL",
+      cvss = 9.9,
+      desc = "cups-browsed accepts any UDP browse packet → redirects print jobs to attacker IPP server → RCE chain",
+      xpl  = "xpl/edb-cve-2024-47176",
+    })
+    table.insert(cves, {
+      id   = "CVE-2024-47076",
+      sev  = "HIGH",
+      cvss = 8.6,
+      desc = "libcupsfilters cfGetPrinterAttributes5 — no IPP attribute validation → data poisoning",
+      xpl  = "xpl/edb-cve-2024-47176",
+    })
+    table.insert(cves, {
+      id   = "CVE-2024-47175",
+      sev  = "HIGH",
+      cvss = 8.6,
+      desc = "libppd ppdCreatePPDFromIPP2 — unsanitized IPP attrs written to PPD → code injection",
+      xpl  = "xpl/edb-cve-2024-47176",
+    })
+    table.insert(cves, {
+      id   = "CVE-2024-47177",
+      sev  = "CRITICAL",
+      cvss = 9.9,
+      desc = "cups-filters FoomaticRIPCommandLine arbitrary command execution",
+      xpl  = "xpl/edb-cve-2024-47176",
+    })
+  end
+
+  if #cves > 0 then
+    local lines = {}
+    for _, c in ipairs(cves) do
+      table.insert(lines, string.format("[%s] %s (CVSS %.1f) — %s",
+        c.sev, c.id, c.cvss, c.desc))
+    end
+    out["CVEs"] = lines
+
+    local is_vuln = version == "2.4.16" or browsed
+    if is_vuln then
+      out["Verdict"] = V.VULN .. " — " .. cves[1].id
+    else
+      out["Verdict"] = V.POSS .. " — check printer-vuln-check for confirmation"
+    end
+    out["Suggest"] = "printerxpl-forge run --module " .. cves[1].xpl .. " --target " .. host.ip
+  else
+    out["Verdict"] = V.NOT .. " — CUPS version not in vulnerable range and cups-browsed not detected"
+  end
+
+  out["Full-Scan"] = "pip install printerxpl-forge  |  printerxpl-forge run --module xpl/research/research-cups-chain-2026 --target " .. host.ip
+
+  return out
+end

nse/scripts/printer-cve-detect.nse

@@ -0,0 +1,279 @@
+local description = [[
+printer-cve-detect — Passive CVE detection from fingerprint data.
+
+Aggregates banners collected by printer-banner, printer-pjl-info, printer-ipp-info,
+and printer-http-ews scripts (via nmap registry) or performs its own lightweight
+fingerprint if run standalone. Cross-references against the full PrinterXPL-Forge
+CVE database (80+ CVEs) and outputs a ranked list of applicable vulnerabilities.
+
+This script does NOT perform active exploitation — it is safe/non-intrusive.
+For active validation use printer-vuln-check.
+
+Author: André Henrique (@mrhenrike) | União Geek
+]]
+
+---
+-- @usage
+--   nmap -sV -p 9100,631,80 --script printer-banner,printer-cve-detect <target>
+--   nmap -sV -p 9100,631,80 --script printer-cve-detect <target>
+-- @output
+-- PORT   STATE SERVICE
+-- 80/tcp open  http
+-- | printer-cve-detect:
+-- |   Vendor : Lexmark
+-- |   Model  : CX622 (detected from HTTP EWS)
+-- |   CVEs (3 matching):
+-- |     [CRITICAL] CVE-2023-23560 CVSS 9.0 — Lexmark SSRF-to-RCE | module: xpl/edb-51928
+-- |     [HIGH]     CVE-2023-50739 CVSS 8.8 — Lexmark IPP heap BOF | module: xpl/edb-cve-2023-50739
+-- |     [MEDIUM]   CVE-2023-50733 CVSS 6.5 — Lexmark EWS SSRF     | module: xpl/edb-cve-2023-50733
+-- |   Top Verdict : POSSIBLY VULNERABLE (CVE-2023-23560 — confirm with printer-vuln-check)
+-- |_  Suggest     : printerxpl-forge run --module xpl/edb-51928 --target <IP>
+---
+
+categories = { "vuln", "safe", "discovery" }
+author     = "André Henrique (@mrhenrike) | União Geek"
+license    = "Same as Nmap -- See https://nmap.org/book/man-legal.html"
+
+local stdnse    = require "stdnse"
+local shortport = require "shortport"
+local http      = require "http"
+local comm      = require "comm"
+local string    = require "string"
+local table     = require "table"
+
+portrule = shortport.port_or_service(
+  { 9100, 631, 80, 443, 515, 161 },
+  { "jetdirect", "ipp", "http", "https", "printer", "snmp" },
+  { "tcp", "udp" }
+)
+
+-- Compact CVE database (VENDOR → list of CVEs)
+local CVE_DB = {
+  HP = {
+    { id="CVE-2025-26506", cvss=9.8, sev="CRITICAL", port=9100,
+      desc="HP LaserJet Enterprise PostScript unauthenticated RCE",
+      xpl="xpl/edb-cve-2025-26506" },
+    { id="CVE-2023-6018",  cvss=9.8, sev="CRITICAL", port=443,
+      desc="HP LaserJet Enterprise firmware auth bypass → arbitrary upload",
+      xpl="xpl/research/research-hp-fw-bypass" },
+    { id="CVE-2023-1707",  cvss=9.1, sev="CRITICAL", port=443,
+      desc="HP FutureSmart 5.6 scan job data disclosure (IPsec enabled)",
+      xpl="xpl/research/research-hp-futuresmart-leak" },
+    { id="CVE-2017-2741",  cvss=9.8, sev="CRITICAL", port=9100,
+      desc="HP PageWide PJL path traversal to RCE",
+      xpl="xpl/edb-cve-2017-2741" },
+    { id="CVE-2018-5924",  cvss=9.8, sev="CRITICAL", port=9100,
+      desc="Faxploit — HP fax stack overflow via malformed fax data",
+      xpl="xpl/edb-cve-2018-5924" },
+  },
+  Canon = {
+    { id="CVE-2022-24673", cvss=9.8, sev="CRITICAL", port=427,
+      desc="Canon imageCLASS SLP pre-auth stack BOF → root RCE (ZDI-22-515)",
+      xpl="xpl/edb-cve-2022-24673" },
+    { id="CVE-2025-14235", cvss=9.8, sev="CRITICAL", port=9100,
+      desc="Canon imageCLASS PCL buffer overflow → RCE",
+      xpl="xpl/research/research-canon-pcl-bof" },
+  },
+  Lexmark = {
+    { id="CVE-2023-23560", cvss=9.0, sev="CRITICAL", port=80,
+      desc="Lexmark SSRF-to-RCE via Web Services interface (Pwn2Own 2022)",
+      xpl="xpl/edb-51928" },
+    { id="CVE-2023-26067", cvss=9.1, sev="CRITICAL", port=80,
+      desc="Lexmark post-auth RCE via device configuration API",
+      xpl="xpl/edb-cve-2023-26067" },
+    { id="CVE-2023-50739", cvss=8.8, sev="HIGH", port=631,
+      desc="Lexmark IPP heap buffer overflow → RCE (100+ models, ZDI-CAN-22549)",
+      xpl="xpl/edb-cve-2023-50739" },
+    { id="CVE-2023-50733", cvss=6.5, sev="MEDIUM", port=80,
+      desc="Lexmark EWS SSRF — printer as lateral movement pivot",
+      xpl="xpl/edb-cve-2023-50733" },
+    { id="CVE-2023-50738", cvss=7.2, sev="HIGH", port=80,
+      desc="Lexmark firmware downgrade bypass → re-expose historical vulns",
+      xpl="xpl/research/research-lexmark-fw-decrypt" },
+  },
+  Xerox = {
+    { id="CVE-2024-6333",  cvss=8.1, sev="HIGH", port=80,
+      desc="Xerox VersaLink authenticated OS command injection",
+      xpl="xpl/edb-cve-2024-6333" },
+    { id="CVE-2021-27508", cvss=8.0, sev="HIGH", port=80,
+      desc="Xerox WorkCentre 78xx OS command injection via clone_group",
+      xpl="xpl/research/research-xerox-workcentre-cmdinject" },
+  },
+  Ricoh = {
+    { id="CVE-2024-34161", cvss=8.8, sev="HIGH", port=80,
+      desc="Ricoh MP EWS malformed HTTP → RCE",
+      xpl="xpl/research/research-ricoh-ews-rce" },
+    { id="CVE-2021-33945", cvss=7.5, sev="HIGH", port=80,
+      desc="Ricoh SP wpa_supplicant stack overflow → DoS/RCE",
+      xpl="xpl/research/research-ricoh-wpa-bof" },
+  },
+  Brother = {
+    { id="CVE-2024-51977", cvss=7.5, sev="HIGH", port=80,
+      desc="Brother admin password derivable from serial number (info disc.)",
+      xpl="xpl/research/research-brother-serial-pwd" },
+    { id="CVE-2024-51978", cvss=9.1, sev="CRITICAL", port=80,
+      desc="Brother auth bypass via serial-derived default credential",
+      xpl="xpl/research/research-brother-serial-pwd" },
+  },
+  Sharp = {
+    { id="CVE-2022-45796", cvss=9.8, sev="CRITICAL", port=80,
+      desc="Sharp MX unauthenticated OS command injection",
+      xpl="xpl/research/research-sharp-rce" },
+  },
+  Toshiba = {
+    { id="CVE-2024-21911", cvss=8.8, sev="HIGH", port=80,
+      desc="Toshiba e-STUDIO TopAccess authentication bypass → RCE",
+      xpl="xpl/research/research-toshiba-auth-bypass" },
+  },
+  Kyocera = {
+    { id="CVE-2022-1026", cvss=7.5, sev="HIGH", port=9100,
+      desc="Kyocera ECOSYS unauthenticated address book credential dump",
+      xpl="xpl/edb-cve-2022-1026" },
+  },
+  Microsoft = {
+    { id="CVE-2021-1675",  cvss=9.8, sev="CRITICAL", port=445,
+      desc="PrintNightmare — Windows Print Spooler unauthenticated RCE/LPE",
+      xpl="xpl/edb-50498" },
+    { id="CVE-2022-38028", cvss=7.8, sev="HIGH", port=445,
+      desc="GooseEgg — APT28 Windows Print Spooler LPE (CISA KEV 2024)",
+      xpl="xpl/research/research-gooseegg-spooler" },
+    { id="CVE-2020-1048",  cvss=7.8, sev="HIGH", port=445,
+      desc="PrintDemon — Windows Print Spooler persistent SYSTEM backdoor",
+      xpl="xpl/msf-cve-2020-1048-printerdemon" },
+    { id="CVE-2020-1337",  cvss=7.8, sev="HIGH", port=445,
+      desc="PrintDemon hardlink bypass — arbitrary privileged file write",
+      xpl="xpl/edb-cve-2020-1337" },
+  },
+  ["Linux/CUPS"] = {
+    { id="CVE-2024-47176", cvss=9.9, sev="CRITICAL", port=631,
+      desc="CUPS cups-browsed unauthenticated RCE chain (2024)",
+      xpl="xpl/edb-cve-2024-47176" },
+    { id="CVE-2026-34980", cvss=9.1, sev="CRITICAL", port=631,
+      desc="CUPS 2.4.16 unauthenticated RCE via PPD newline injection (2026)",
+      xpl="xpl/research/research-cups-chain-2026" },
+    { id="CVE-2026-34990", cvss=7.8, sev="HIGH", port=631,
+      desc="CUPS 2.4.16 LPE to root via race condition on local printer",
+      xpl="xpl/research/research-cups-root-2026" },
+  },
+}
+
+-- Grab any banner we can get quickly
+local function quick_fingerprint(host, port)
+  local portnum = port.number
+  local text = ""
+
+  if portnum == 9100 then
+    local uel = "\x1b%-12345X"
+    local ok, r = comm.exchange(host, port,
+      uel .. "@PJL\r\n@PJL INFO ID\r\n" .. uel,
+      { timeout = 4000, bytes = 2048 })
+    if ok then text = r end
+  elseif portnum == 80 or portnum == 443 then
+    local r = http.get(host, portnum, "/", { timeout = 4000 })
+    if r and r.body then text = r.body:sub(1, 2048) end
+  elseif portnum == 631 then
+    local r = http.get(host, portnum, "/", { timeout = 4000 })
+    if r and r.body then text = r.body:sub(1, 2048) end
+  end
+
+  return text
+end
+
+-- Detect vendor from text
+local function detect_vendor(text)
+  if not text or text == "" then return nil end
+  local t = text:lower()
+  local checks = {
+    { pat = "hp laserjet|hewlett.packard|jetdirect|futuresmart", v = "HP" },
+    { pat = "canon imagerunner|canon imageclass|canon lbp",      v = "Canon" },
+    { pat = "lexmark",                                           v = "Lexmark" },
+    { pat = "xerox versalink|xerox workcentre|xerox altalink|xerox", v = "Xerox" },
+    { pat = "ricoh|aficio",                                      v = "Ricoh" },
+    { pat = "brother mfc|brother dcp",                           v = "Brother" },
+    { pat = "epson workforce|epson ecotank",                     v = "Epson" },
+    { pat = "konica|bizhub",                                     v = "Konica Minolta" },
+    { pat = "kyocera ecosys|kyocera taskalfa",                   v = "Kyocera" },
+    { pat = "sharp mx|sharp ar",                                 v = "Sharp" },
+    { pat = "toshiba e.studio|topaccess",                        v = "Toshiba" },
+    { pat = "samsung scx|samsung clx",                           v = "Samsung" },
+    { pat = "cups 2%.4%.16",                                     v = "Linux/CUPS" },
+    { pat = "cups",                                              v = "Linux/CUPS" },
+    { pat = "windows.*spooler|print spooler|printdemon|spoolsv", v = "Microsoft" },
+  }
+  for _, c in ipairs(checks) do
+    if t:match(c.pat) then return c.v end
+  end
+  return nil
+end
+
+action = function(host, port)
+  -- Try registry first (from other printer scripts running in same session)
+  local banner = stdnse.registry_get({ host.ip, "printer-banner" }) or ""
+  local vendor  = stdnse.registry_get({ host.ip, "printer-vendor" })
+
+  if not vendor or vendor == "" then
+    local fingerprint = quick_fingerprint(host, port)
+    banner = banner .. fingerprint
+    vendor = detect_vendor(fingerprint)
+  end
+
+  if not vendor then
+    return "Cannot determine vendor — combine with printer-banner: " ..
+           "nmap --script printer-banner,printer-cve-detect"
+  end
+
+  -- Store for other scripts
+  stdnse.registry_set({ host.ip, "printer-vendor" }, vendor)
+
+  local cve_list = CVE_DB[vendor] or {}
+  local out = stdnse.output_table()
+  out["Vendor"] = vendor
+
+  if #cve_list == 0 then
+    out["CVEs"] = "0 matching CVEs in database for vendor: " .. vendor
+    out["Verdict"] = "NOT VULNERABLE (no CVE entries for this vendor)"
+    return out
+  end
+
+  -- Filter by port relevance
+  local port_num = port.number
+  local relevant = {}
+  for _, cve in ipairs(cve_list) do
+    if (not cve.port) or cve.port == 0 or cve.port == port_num then
+      table.insert(relevant, cve)
+    else
+      -- Include high-severity regardless of port (printer may have other ports open)
+      if cve.cvss >= 9.0 then
+        table.insert(relevant, cve)
+      end
+    end
+  end
+
+  -- Sort by CVSS descending
+  table.sort(relevant, function(a, b) return a.cvss > b.cvss end)
+
+  out["CVE-Count"] = #relevant .. " matching CVEs for " .. vendor
+
+  local cve_lines = {}
+  for _, c in ipairs(relevant) do
+    table.insert(cve_lines, string.format(
+      "[%s] %s (CVSS %.1f) — %s\n            module: printerxpl-forge run --module %s",
+      c.sev, c.id, c.cvss, c.desc, c.xpl))
+  end
+  out["CVEs"] = cve_lines
+
+  -- Verdict based on CVSS of top match
+  local top = relevant[1]
+  if top.cvss >= 9.0 then
+    out["Verdict"] = "POSSIBLY VULNERABLE — CRITICAL severity CVE match (confirm with printer-vuln-check)"
+  elseif top.cvss >= 7.0 then
+    out["Verdict"] = "POSSIBLY VULNERABLE — HIGH severity CVE match"
+  else
+    out["Verdict"] = "LOW RISK — only MEDIUM/LOW CVEs matched"
+  end
+
+  out["Suggest"] = "printerxpl-forge run --module " .. top.xpl .. " --dry-run --target " .. host.ip
+  out["Full-Scan"] = "pip install printerxpl-forge  |  printerxpl-forge scan --target " .. host.ip
+
+  return out
+end