printerxpl-forge 6.2.0__py3-none-any.whl

nse/scripts/printer-discover.nse

@@ -0,0 +1,205 @@
+local description = [[
+printer-discover — High-speed multi-protocol printer discovery and fingerprinting.
+
+Performs rapid identification of printers and MFPs on a network segment by probing:
+  9100/tcp  JetDirect/RAW (PJL)
+  631/tcp   IPP / CUPS
+  80,443/tcp HTTP EWS (Embedded Web Server)
+  515/tcp   LPD (Line Printer Daemon)
+  161/udp   SNMP
+  23/tcp    Telnet (legacy printers)
+  3702/udp  WSD (Windows printers)
+
+Outputs: device type, vendor, model, firmware, open ports, and a quick verdict on
+whether PrinterXPL-Forge or EmbedXPL-Forge should be used for complete testing.
+
+Designed for quick network-wide sweeps:
+  nmap -sV --open -p 9100,631,80,443,515,161,23 --script printer-discover <CIDR>
+
+Author: André Henrique (@mrhenrike) | União Geek
+]]
+
+---
+-- @usage
+--   nmap -p 9100,631,80 --script printer-discover <target>
+--   nmap -sV --open -p 9100,631,80,443 --script printer-discover 192.168.1.0/24
+-- @output
+-- 192.168.1.100:
+-- | printer-discover:
+-- |   Device-Type : Network Printer / MFP
+-- |   Vendor      : HP
+-- |   Model       : LaserJet Enterprise M606dn
+-- |   Open-Ports  : 9100 (PJL), 631 (IPP), 80 (EWS)
+-- |   CVEs        : 5 potential (CRITICAL: CVE-2025-26506, CVE-2017-2741)
+-- |   Tool        : printerxpl-forge (pip install printerxpl-forge)
+-- |_  Quick-Scan  : printerxpl-forge scan --target 192.168.1.100
+---
+
+categories = { "discovery", "safe", "default" }
+author     = "André Henrique (@mrhenrike) | União Geek"
+license    = "Same as Nmap -- See https://nmap.org/book/man-legal.html"
+
+local stdnse    = require "stdnse"
+local shortport = require "shortport"
+local comm      = require "comm"
+local http      = require "http"
+local string    = require "string"
+local table     = require "table"
+local nmap      = require "nmap"
+
+portrule = shortport.port_or_service(
+  { 9100, 631, 80, 443, 515, 23 },
+  { "jetdirect", "ipp", "http", "https", "printer", "telnet" },
+  "tcp"
+)
+
+local UEL = "\x1b%-12345X"
+
+-- Vendor patterns (ordered by specificity)
+local VENDOR_PATTERNS = {
+  { pat = "laserjet|pagewide|officejet|jetdirect|futuresmart|hp print",
+    vendor = "HP", tool = "printerxpl-forge", cve_count_est = 5 },
+  { pat = "imagerunner|imageclass|imagepress|pixma|lbp[%s%-]?%d",
+    vendor = "Canon", tool = "printerxpl-forge", cve_count_est = 3 },
+  { pat = "lexmark",
+    vendor = "Lexmark", tool = "printerxpl-forge", cve_count_est = 6 },
+  { pat = "versalink|workcentre|altalink|phaser|colorqube",
+    vendor = "Xerox", tool = "printerxpl-forge", cve_count_est = 3 },
+  { pat = "aficio|ricoh mp|ricoh sp|ricoh im",
+    vendor = "Ricoh", tool = "printerxpl-forge", cve_count_est = 3 },
+  { pat = "brother mfc|brother dcp|brother hl",
+    vendor = "Brother", tool = "printerxpl-forge", cve_count_est = 2 },
+  { pat = "bizhub|konica minolta|konicaminolta",
+    vendor = "Konica Minolta", tool = "printerxpl-forge", cve_count_est = 2 },
+  { pat = "ecosys|taskalfa|kyocera",
+    vendor = "Kyocera", tool = "printerxpl-forge", cve_count_est = 1 },
+  { pat = "sharp mx|sharp ar|sharp bp",
+    vendor = "Sharp", tool = "printerxpl-forge", cve_count_est = 1 },
+  { pat = "e.studio|topaccess|toshiba",
+    vendor = "Toshiba", tool = "printerxpl-forge", cve_count_est = 1 },
+  { pat = "workforce|ecotank|epson stylus",
+    vendor = "Epson", tool = "printerxpl-forge", cve_count_est = 1 },
+  { pat = "samsung scx|samsung clx|samsung ml",
+    vendor = "Samsung", tool = "printerxpl-forge", cve_count_est = 2 },
+  { pat = "cups",
+    vendor = "Linux/CUPS", tool = "printerxpl-forge", cve_count_est = 4 },
+  { pat = "zebra|zpl ii",
+    vendor = "Zebra", tool = "embedxpl-forge", cve_count_est = 1 },
+  { pat = "oki data|okidata",
+    vendor = "OKI", tool = "printerxpl-forge", cve_count_est = 1 },
+  { pat = "dell.*print|dell.*laser",
+    vendor = "Dell", tool = "printerxpl-forge", cve_count_est = 1 },
+}
+
+local function detect_vendor(text)
+  if not text then return nil, nil, nil end
+  local t = text:lower()
+  for _, v in ipairs(VENDOR_PATTERNS) do
+    if t:match(v.pat) then
+      return v.vendor, v.tool, v.cve_count_est
+    end
+  end
+  return nil, nil, nil
+end
+
+local function extract_model(text)
+  if not text then return nil end
+  local model = text:match('[Dd][Ee][Ss][Cc][Rr][Ii][Pp][Tt][Ii][Oo][Nn]%s*=%s*"([^"]+)"')
+             or text:match("<title>([^<]+)</title>")
+             or text:match("[Mm]odel[^:]*:%s*([^\r\n]+)")
+             or text:match("[Pp]roduct[^:]*:%s*([^\r\n]+)")
+  if model then return model:match("^%s*(.-)%s*$"):sub(1, 80) end
+  return nil
+end
+
+local function quick_pjl(host, port)
+  local ok, r = comm.exchange(host, port,
+    UEL .. "@PJL\r\n@PJL INFO ID\r\n" .. UEL,
+    { timeout = 3000, bytes = 1024 })
+  if ok then return r end
+  return nil
+end
+
+local function quick_http(host, port)
+  local r = http.get(host, port.number, "/", { timeout = 3000 })
+  if r and r.status == 200 and r.body then return r.body end
+  return nil
+end
+
+local function quick_ipp(host, port)
+  local r = http.post(host, port.number, "/printers/",
+    { header = { ["Content-Type"] = "application/ipp" }, timeout = 3000 },
+    nil,
+    "\x02\x00\x00\x0b\x00\x00\x00\x01\x01" ..
+    "\x47\x00\x12attributes-charset\x00\x05utf-8" ..
+    "\x48\x00\x1battributes-natural-language\x00\x05en-us" ..
+    "\x03")
+  if r and r.body then return r.body end
+  return nil
+end
+
+action = function(host, port)
+  local out = stdnse.output_table()
+
+  -- Collect banner based on port
+  local banner = nil
+  local portnum = port.number
+
+  if portnum == 9100 then
+    banner = quick_pjl(host, port)
+    if banner then out["Source"] = "PJL (port 9100)" end
+  elseif portnum == 631 then
+    banner = quick_ipp(host, port)
+    if banner then out["Source"] = "IPP (port 631)" end
+  elseif portnum == 80 or portnum == 443 then
+    banner = quick_http(host, port)
+    if banner then out["Source"] = "HTTP EWS (port " .. portnum .. ")" end
+  elseif portnum == 515 then
+    local ok, r = comm.exchange(host, port, "\x01\n", { timeout = 2000, bytes = 256 })
+    if ok then banner = r; out["Source"] = "LPD (port 515)" end
+  elseif portnum == 23 then
+    local ok, r = comm.exchange(host, port, "\n", { timeout = 2000, bytes = 256 })
+    if ok then banner = r; out["Source"] = "Telnet (port 23)" end
+  end
+
+  if not banner or #banner < 5 then
+    return "No banner received — port may be filtered or device requires special probe"
+  end
+
+  -- Detect vendor
+  local vendor, tool, cve_est = detect_vendor(banner)
+  local model = extract_model(banner)
+
+  -- Store for other scripts
+  if vendor then
+    stdnse.registry_set({ host.ip, "printer-vendor" }, vendor)
+    stdnse.registry_set({ host.ip, "printer-banner" }, banner:sub(1, 2048))
+  end
+
+  out["Device-Type"] = "Network Printer / MFP"
+  out["Vendor"]      = vendor or "Unknown (banner detected — check printer-banner)"
+
+  if model then out["Model"] = model end
+
+  local fw = banner:match("DATECODE%s*=%s*([%w%.%-]+)")
+          or banner:match("[Ff]irmware[Vv]er%s*=%s*([%w%.%-]+)")
+  if fw then out["Firmware"] = fw end
+
+  -- CVE count hint
+  if vendor and cve_est and cve_est > 0 then
+    out["CVE-Potential"] = string.format(
+      "~%d CVEs for %s in PrinterXPL-Forge DB (run printer-cve-detect for details)",
+      cve_est, vendor)
+  end
+
+  -- Tool recommendation
+  out["Tool"]       = (tool or "printerxpl-forge") ..
+                      "  →  pip install " .. (tool or "printerxpl-forge")
+  out["Quick-Scan"] = string.format(
+    "printerxpl-forge scan --target %s", host.ip)
+  out["Full-Check"] = string.format(
+    "nmap -p 9100,631,80,443,427,445 --script printer-cve-detect,printer-vuln-check %s",
+    host.ip)
+
+  return out
+end

nse/scripts/printer-firmware-exposed.nse

@@ -0,0 +1,219 @@
+local description = [[
+printer-firmware-exposed — Firmware update endpoint exposure detection.
+
+Probes vendor-specific HTTP endpoints commonly used for firmware updates to detect:
+  - Unauthenticated firmware upload interfaces
+  - Exposed firmware management APIs
+  - Insecure firmware download endpoints (prone to MitM firmware replacement)
+
+Covers: HP, Ricoh, Konica Minolta, Brother, Epson, Kyocera, Lexmark, Canon,
+        Toshiba, Xerox, Sharp, Samsung, OKI.
+
+CVE coverage: CVE-2023-6018, FIRMWARE-RICOH-001, FIRMWARE-KONICA-001,
+              FIRMWARE-BROTHER-001, FIRMWARE-EPSON-001, CVE-2023-50738
+
+Author: André Henrique (@mrhenrike) | União Geek
+]]
+
+---
+-- @usage
+--   nmap -p 80,443,8080 --script printer-firmware-exposed <target>
+-- @output
+-- PORT   STATE SERVICE
+-- 80/tcp open  http
+-- | printer-firmware-exposed:
+-- |   Exposed Endpoints (3):
+-- |     /hp/device/FirmwareUpdate (HTTP 200 — no auth required)
+-- |     /cgi-bin/fw_update        (HTTP 200 — no auth required)
+-- |     /firmware                 (HTTP 302 → /firmware/upload)
+-- |   [CRITICAL] CVE-2023-6018 — HP firmware auth bypass → arbitrary .RFU upload
+-- |   [HIGH] FIRMWARE-RICOH-001  — Ricoh Aficio unsigned firmware upload
+-- |   Verdict : VULNERABLE — 3 unprotected firmware endpoints found
+-- |_  Suggest : printerxpl-forge run --module xpl/research/research-hp-fw-bypass
+---
+
+categories = { "vuln", "safe", "discovery" }
+author     = "André Henrique (@mrhenrike) | União Geek"
+license    = "Same as Nmap -- See https://nmap.org/book/man-legal.html"
+
+local stdnse    = require "stdnse"
+local shortport = require "shortport"
+local http      = require "http"
+local string    = require "string"
+local table     = require "table"
+
+portrule = shortport.http
+
+-- Firmware endpoint database: { path, vendor, method, cve, sev, cvss, xpl, desc }
+local FW_ENDPOINTS = {
+  -- HP
+  { path="/hp/device/FirmwareUpdate",          vendor="HP",     method="GET",  auth_check=true,
+    cve="CVE-2023-6018", sev="CRITICAL", cvss=9.8,
+    desc="HP FutureSmart firmware auth bypass → arbitrary .RFU upload",
+    xpl="xpl/research/research-hp-fw-bypass" },
+  { path="/hp/device/info_firmwareupdate.htm", vendor="HP",     method="GET",  auth_check=true,
+    cve="CVE-2023-6018", sev="CRITICAL", cvss=9.8,
+    desc="HP firmware update info page (EWS unauthenticated)",
+    xpl="xpl/research/research-hp-fw-bypass" },
+  -- Ricoh
+  { path="/cgi-bin/fw_update",                 vendor="Ricoh",  method="GET",  auth_check=true,
+    cve="FIRMWARE-RICOH-001", sev="HIGH", cvss=8.0,
+    desc="Ricoh Aficio unsigned firmware upload via /cgi-bin/fw_update",
+    xpl="xpl/research/research-ricoh-fw-unsigned" },
+  { path="/web/entry.cgi?id=fw",               vendor="Ricoh",  method="GET",  auth_check=true,
+    cve="FIRMWARE-RICOH-001", sev="HIGH", cvss=8.0,
+    desc="Ricoh web firmware management entry (no signature check)",
+    xpl="xpl/research/research-ricoh-fw-unsigned" },
+  -- Konica Minolta
+  { path="/wcd/fwdl.cgi",                      vendor="Konica", method="GET",  auth_check=true,
+    cve="FIRMWARE-KONICA-001", sev="HIGH", cvss=8.5,
+    desc="Konica bizhub firmware download/upload via /wcd/fwdl.cgi",
+    xpl="xpl/research/research-konica-fw-upload" },
+  { path="/wcd/index.html",                    vendor="Konica", method="GET",  auth_check=false,
+    cve="FIRMWARE-KONICA-001", sev="HIGH", cvss=8.5,
+    desc="Konica bizhub admin page (check for firmware menu)",
+    xpl="xpl/research/research-konica-fw-upload" },
+  -- Brother
+  { path="/firmware",                          vendor="Brother", method="GET", auth_check=true,
+    cve="FIRMWARE-BROTHER-001", sev="HIGH", cvss=8.0,
+    desc="Brother MFC/DCP firmware upload endpoint",
+    xpl="xpl/research/research-brother-fw-upload" },
+  { path="/general/firmware_update.html",      vendor="Brother", method="GET", auth_check=true,
+    cve="FIRMWARE-BROTHER-001", sev="HIGH", cvss=8.0,
+    desc="Brother firmware update page (chain with CVE-2024-51978)",
+    xpl="xpl/research/research-brother-fw-upload" },
+  -- Epson
+  { path="/PRESENTATION/ADVANCED/FIRMWARE_UPDATE/TOP", vendor="Epson", method="GET", auth_check=true,
+    cve="FIRMWARE-EPSON-001", sev="HIGH", cvss=7.5,
+    desc="Epson firmware update presentation layer (WorkForce/EcoTank)",
+    xpl="xpl/research/research-epson-fw-update" },
+  -- Canon
+  { path="/portal_top.html",                   vendor="Canon",  method="GET",  auth_check=false,
+    cve=nil, sev="INFO", cvss=0,
+    desc="Canon imageRUNNER admin portal (check for firmware menu)",
+    xpl=nil },
+  { path="/cgi-bin/fwdl.cgi",                  vendor="Canon",  method="GET",  auth_check=true,
+    cve="CVE-2025-14235", sev="CRITICAL", cvss=9.8,
+    desc="Canon imageCLASS firmware download endpoint",
+    xpl="xpl/research/research-canon-pcl-bof" },
+  -- Kyocera
+  { path="/js/jssrc/model/system/FirmwareUpdate.js", vendor="Kyocera", method="GET", auth_check=false,
+    cve=nil, sev="INFO", cvss=0,
+    desc="Kyocera ECOSYS firmware update JS source detected",
+    xpl=nil },
+  -- Lexmark
+  { path="/cgi-bin/dynamic/printer/PrinterStatus.html", vendor="Lexmark", method="GET", auth_check=false,
+    cve="CVE-2023-50738", sev="HIGH", cvss=7.2,
+    desc="Lexmark firmware downgrade bypass surface",
+    xpl="xpl/research/research-lexmark-fw-decrypt" },
+  -- Toshiba
+  { path="/TopAccess/Admin/FirmwareUpdate",    vendor="Toshiba", method="GET", auth_check=true,
+    cve="CVE-2024-21911", sev="HIGH", cvss=8.8,
+    desc="Toshiba e-STUDIO TopAccess firmware update (auth bypass CVE-2024-21911)",
+    xpl="xpl/research/research-toshiba-auth-bypass" },
+  -- Xerox
+  { path="/cgi-bin/dynamic/index.html",        vendor="Xerox",  method="GET",  auth_check=false,
+    cve=nil, sev="INFO", cvss=0,
+    desc="Xerox EWS dynamic page",
+    xpl=nil },
+  -- Generic
+  { path="/firmware/update",                   vendor="Generic", method="GET", auth_check=true,
+    cve=nil, sev="MEDIUM", cvss=5.0,
+    desc="Generic firmware update endpoint",
+    xpl="xpl/research/research-generic-fw-upload" },
+  { path="/upgrade",                           vendor="Generic", method="GET", auth_check=true,
+    cve=nil, sev="MEDIUM", cvss=5.0,
+    desc="Generic upgrade endpoint",
+    xpl=nil },
+}
+
+action = function(host, port)
+  local out = stdnse.output_table()
+
+  -- Quick root probe to confirm HTTP service
+  local root = http.get(host, port.number, "/", { timeout = 4000 })
+  if not root then return "HTTP not responding" end
+
+  local exposed = {}
+  local cves_found = {}
+  local seen_cves = {}
+
+  for _, ep in ipairs(FW_ENDPOINTS) do
+    local resp = http.get(host, port.number, ep.path,
+      { timeout = 4000, redirect_ok = false })
+    if resp then
+      local interesting = (resp.status == 200) or
+                          (resp.status == 302) or
+                          (resp.status == 401)  -- 401 = exists but needs auth
+      if interesting then
+        local status_str = tostring(resp.status)
+        local needs_auth = (resp.status == 401 or resp.status == 403)
+
+        if resp.status == 200 and ep.auth_check then
+          -- Unprotected! High severity
+          table.insert(exposed, string.format("%s (HTTP %s — no auth required) [%s]",
+            ep.path, status_str, ep.vendor))
+          if ep.cve and not seen_cves[ep.cve] then
+            seen_cves[ep.cve] = true
+            table.insert(cves_found, ep)
+          end
+        elseif resp.status == 200 then
+          table.insert(exposed, string.format("%s (HTTP %s) [%s]",
+            ep.path, status_str, ep.vendor))
+        elseif needs_auth then
+          table.insert(exposed, string.format("%s (HTTP %s — auth required, endpoint EXISTS) [%s]",
+            ep.path, status_str, ep.vendor))
+        elseif resp.status == 302 then
+          local loc = resp.header and resp.header["location"] or "?"
+          table.insert(exposed, string.format("%s → %s (HTTP %s) [%s]",
+            ep.path, loc, status_str, ep.vendor))
+        end
+      end
+    end
+  end
+
+  if #exposed == 0 then
+    return "No firmware endpoints found — device may be patched or use non-standard paths"
+  end
+
+  out["Exposed-Endpoints"] = exposed
+
+  -- Build CVE output
+  if #cves_found > 0 then
+    local cve_lines = {}
+    for _, c in ipairs(cves_found) do
+      if c.cve then
+        table.insert(cve_lines, string.format("[%s] %s (CVSS %.1f) — %s",
+          c.sev, c.cve, c.cvss, c.desc))
+      end
+    end
+    out["CVEs"] = cve_lines
+  end
+
+  -- Verdict
+  local unauth_count = 0
+  for _, ep_str in ipairs(exposed) do
+    if ep_str:match("no auth required") then unauth_count = unauth_count + 1 end
+  end
+
+  if unauth_count > 0 then
+    out["Verdict"] = string.format(
+      "VULNERABLE — %d unprotected firmware endpoint(s) found", unauth_count)
+    if cves_found[1] and cves_found[1].xpl then
+      out["Suggest"] = "printerxpl-forge run --module " .. cves_found[1].xpl .. " --target " .. host.ip
+    end
+  elseif #exposed > 0 then
+    out["Verdict"] = string.format(
+      "POSSIBLY VULNERABLE — %d firmware endpoint(s) detected (auth required)", #exposed)
+    if cves_found[1] and cves_found[1].xpl then
+      out["Suggest"] = "printerxpl-forge run --module " .. cves_found[1].xpl ..
+                       " --dry-run --target " .. host.ip
+    end
+  else
+    out["Verdict"] = "NOT VULNERABLE — no firmware endpoints accessible"
+  end
+
+  out["Full-Scan"] = "pip install printerxpl-forge  |  printerxpl-forge scan --target " .. host.ip
+
+  return out
+end

nse/scripts/printer-hp-pjl.nse

@@ -0,0 +1,192 @@
+local description = [[
+printer-hp-pjl — HP-specific PJL deep enumeration and vulnerability assessment.
+
+Targets HP LaserJet, OfficeJet, and PageWide devices via port 9100.
+Performs: model + firmware version extraction, HP NVRAM variable dump,
+filesystem directory listing (PJL FSDIRLIST), and direct CVE checks for:
+
+  - CVE-2025-26506: HP LaserJet Enterprise PostScript RCE (unauthenticated)
+  - CVE-2017-2741:  HP PageWide PJL path traversal to arbitrary file read/write → RCE
+  - CVE-2018-5924:  Faxploit — fax stack overflow (HP / Samsung)
+  - CVE-2023-6018:  HP FutureSmart firmware auth bypass → arbitrary firmware upload
+  - CVE-2023-1707:  HP FutureSmart 5.6 scan job data disclosure
+
+Author: André Henrique (@mrhenrike) | União Geek
+]]
+
+---
+-- @usage
+--   nmap -p 9100 --script printer-hp-pjl <target>
+-- @output
+-- PORT     STATE SERVICE
+-- 9100/tcp open  jetdirect
+-- | printer-hp-pjl:
+-- |   Vendor       : HP
+-- |   Model        : HP LaserJet Enterprise M606dn
+-- |   Firmware     : FY5L.04.A.00.00 (FutureSmart 5.6)
+-- |   Serial       : JPGD12345
+-- |   Filesystem   : 0:\ (HDD) — FSDIRLIST accessible
+-- |   [CRITICAL] CVE-2025-26506 (CVSS 9.8) — PS RCE → printerxpl run --module xpl/edb-cve-2025-26506
+-- |   [CRITICAL] CVE-2017-2741  (CVSS 9.8) — PJL path traversal RCE → printerxpl run --module xpl/edb-cve-2017-2741
+-- |   Verdict      : POSSIBLY VULNERABLE (HP LaserJet on 9100 — version fingerprint not sufficient)
+-- |_  Suggest      : printerxpl-forge run --module xpl/edb-cve-2025-26506 --target <IP>
+---
+
+categories = { "vuln", "safe", "discovery" }
+author     = "André Henrique (@mrhenrike) | União Geek"
+license    = "Same as Nmap -- See https://nmap.org/book/man-legal.html"
+
+local stdnse    = require "stdnse"
+local shortport = require "shortport"
+local comm      = require "comm"
+local http      = require "http"
+local string    = require "string"
+local table     = require "table"
+
+portrule = shortport.port_or_service(9100, "jetdirect", "tcp")
+
+local UEL = "\x1b%-12345X"
+
+local function pjl_exchange(host, port, cmd, bytes)
+  bytes = bytes or 8192
+  local payload = UEL .. "@PJL\r\n" .. cmd .. "\r\n" .. UEL
+  local ok, resp = comm.exchange(host, port, payload,
+    { timeout = 7000, bytes = bytes })
+  if ok then return resp end
+  return nil
+end
+
+local function extract(text, pattern)
+  if not text then return nil end
+  local v = text:match(pattern)
+  if v then return v:match("^%s*(.-)%s*$") end
+  return nil
+end
+
+action = function(host, port)
+  local out = stdnse.output_table()
+
+  -- Batch query: ID + CONFIG + FILESYS + VARIABLES + PRODINFO
+  local batch = "@PJL INFO ID\r\n@PJL INFO CONFIG\r\n@PJL INFO FILESYS\r\n@PJL INFO VARIABLES\r\n@PJL INFO PRODINFO\r\n"
+  local resp = pjl_exchange(host, port, batch, 16384)
+  if not resp then
+    return "No PJL response — port may be filtered or device is not HP JetDirect-compatible"
+  end
+
+  -- Vendor confirmation
+  local is_hp = resp:lower():match("hp") or resp:lower():match("laserjet") or
+                resp:lower():match("officejet") or resp:lower():match("futuresmart")
+  if not is_hp then
+    return "HP device not confirmed via PJL (use printer-pjl-info for generic PJL)"
+  end
+  out["Vendor"] = "HP"
+
+  -- Model
+  local model = extract(resp, 'DESCRIPTION%s*=%s*"([^"]+)"')
+             or extract(resp, "[Mm]odel%s*:%s*([^\r\n]+)")
+             or extract(resp, "@PJL INFO ID%s*\r?\n([^\r\n]+)")
+  if model then out["Model"] = model end
+
+  -- Firmware
+  local fw = extract(resp, "DATECODE%s*=%s*([%w%.%-]+)")
+          or extract(resp, "FW%s*=%s*([%w%.%-]+)")
+          or extract(resp, "[Ff]irmware[Vv]er%s*=%s*([%w%.%-]+)")
+  if fw then out["Firmware"] = fw end
+
+  -- FutureSmart version
+  local fs_ver = extract(resp, "[Ff]uture[Ss]mart%s+([%d%.]+)")
+  if fs_ver then out["FutureSmart"] = fs_ver end
+
+  -- Serial
+  local sn = extract(resp, "SERIALNUMBER%s*=%s*([%w%-]+)")
+  if sn then out["Serial"] = sn end
+
+  -- Memory
+  local mem = extract(resp, "TOTALMEMORY%s*=%s*(%d+)")
+  if mem then out["Memory-KB"] = mem end
+
+  -- Filesystem
+  local fs_listing = extract(resp, "VOLUME%s*=%s*([^\r\n]+)")
+  if fs_listing then
+    out["Filesystem"] = fs_listing
+    -- Try FSDIRLIST
+    local dir_resp = pjl_exchange(host, port,
+      '@PJL FSDIRLIST NAME="0:\\" ENTRY=1 COUNT=20\r\n', 4096)
+    if dir_resp and dir_resp:match("TYPE") then
+      out["FS-Directory"] = dir_resp:match("(.-)%x1b"):match("^%s*(.-)%s*$") or "(see raw)"
+      out["FS-Access"] = "FSDIRLIST accessible — filesystem enumeration possible"
+    end
+  end
+
+  -- CVE assessment
+  local cves = {}
+  -- CVE-2025-26506: HP LaserJet Enterprise PS RCE — affects most modern HP enterprise printers
+  table.insert(cves, {
+    id="CVE-2025-26506", cvss=9.8, sev="CRITICAL",
+    desc="HP LaserJet Enterprise PostScript unauthenticated RCE — malformed PS job triggers code exec",
+    xpl="xpl/edb-cve-2025-26506",
+    check = true,  -- HP + port 9100 is sufficient surface
+  })
+  -- CVE-2017-2741: HP PageWide PJL path traversal
+  table.insert(cves, {
+    id="CVE-2017-2741", cvss=9.8, sev="CRITICAL",
+    desc="HP PageWide/OfficeJet PJL FSUPLOAD path traversal to arbitrary file read → RCE chain",
+    xpl="xpl/edb-cve-2017-2741",
+    check = fs_listing ~= nil,  -- more likely if filesystem accessible
+  })
+  -- CVE-2018-5924: Faxploit
+  table.insert(cves, {
+    id="CVE-2018-5924", cvss=9.8, sev="CRITICAL",
+    desc="HP fax stack overflow via malformed TIFF/G3 fax data — unauthenticated RCE on fax-capable models",
+    xpl="xpl/edb-cve-2018-5924",
+    check = resp:lower():match("fax") ~= nil,
+  })
+  -- CVE-2023-6018: FutureSmart firmware bypass
+  local fw_bypass_check = (fs_ver ~= nil) and (fs_ver >= "5.0")
+  table.insert(cves, {
+    id="CVE-2023-6018", cvss=9.8, sev="CRITICAL",
+    desc="HP FutureSmart firmware auth bypass → arbitrary .RFU firmware upload / implant",
+    xpl="xpl/research/research-hp-fw-bypass",
+    check = fw_bypass_check or (fw ~= nil),
+  })
+  -- CVE-2023-1707
+  table.insert(cves, {
+    id="CVE-2023-1707", cvss=9.1, sev="CRITICAL",
+    desc="HP FutureSmart 5.6 scan-to-email data disclosure when IPsec enabled",
+    xpl="xpl/research/research-hp-futuresmart-leak",
+    check = fs_ver == "5.6" or resp:lower():match("5%.6") ~= nil,
+  })
+
+  local matched = {}
+  for _, c in ipairs(cves) do
+    if c.check then table.insert(matched, c) end
+  end
+
+  if #matched == 0 then
+    -- Still include top 2 as possible (HP on 9100 is strong signal)
+    matched = { cves[1], cves[2] }
+  end
+
+  -- Output CVEs
+  local cve_lines = {}
+  for _, c in ipairs(matched) do
+    table.insert(cve_lines, string.format("[%s] %s (CVSS %.1f) — %s\n            module: %s",
+      c.sev, c.id, c.cvss, c.desc, c.xpl))
+  end
+  out["CVEs"] = cve_lines
+
+  -- Verdict
+  local is_vuln     = resp:lower():match("futuresmart") or fs_listing ~= nil
+  local is_possible = true  -- HP + port 9100 is always at least possible
+
+  if is_vuln then
+    out["Verdict"] = "POSSIBLY VULNERABLE — HP " .. (model or "LaserJet") .. " with exposed PJL/FS"
+  else
+    out["Verdict"] = "POSSIBLY VULNERABLE — HP device detected; version confirmation needed"
+  end
+
+  out["Suggest"]    = "printerxpl-forge run --module " .. matched[1].xpl .. " --target " .. host.ip
+  out["Full-Scan"]  = "pip install printerxpl-forge  |  printerxpl-forge scan --target " .. host.ip
+
+  return out
+end