printerxpl-forge 6.2.0__py3-none-any.whl

nse/scripts/printer-lexmark-ipp.nse

@@ -0,0 +1,203 @@
+local description = [[
+printer-lexmark-ipp — Lexmark-specific IPP vulnerability assessment.
+
+Targets Lexmark MFPs and printers via port 631 (IPP) and port 80 (EWS).
+Detects and validates:
+  - CVE-2023-50739: IPP heap buffer overflow → RCE (100+ models, ZDI-CAN-22549)
+  - CVE-2023-23560: Lexmark Web Services SSRF → RCE (Pwn2Own Toronto 2022)
+  - CVE-2023-26067: Post-auth RCE via device configuration API
+  - CVE-2023-50733: EWS SSRF — printer as lateral movement pivot
+  - CVE-2023-50738: Firmware downgrade bypass
+  - CVE-2022-24935: Lexmark authentication bypass
+
+Author: André Henrique (@mrhenrike) | União Geek
+]]
+
+---
+-- @usage
+--   nmap -p 631,80 --script printer-lexmark-ipp <target>
+-- @output
+-- PORT    STATE SERVICE
+-- 631/tcp open  ipp
+-- | printer-lexmark-ipp:
+-- |   Vendor  : Lexmark
+-- |   Model   : CX622 (detected from IPP attributes)
+-- |   [CRITICAL] CVE-2023-23560 (CVSS 9.0) — Lexmark SSRF-to-RCE
+-- |   [HIGH]    CVE-2023-50739 (CVSS 8.8) — Lexmark IPP heap BOF (100+ models)
+-- |   [MEDIUM]  CVE-2023-50733 (CVSS 6.5) — Lexmark EWS SSRF pivot
+-- |   Verdict : POSSIBLY VULNERABLE
+-- |_  Suggest : printerxpl-forge run --module xpl/edb-51928 --target <IP>
+---
+
+categories = { "vuln", "safe" }
+author     = "André Henrique (@mrhenrike) | União Geek"
+license    = "Same as Nmap -- See https://nmap.org/book/man-legal.html"
+
+local stdnse    = require "stdnse"
+local shortport = require "shortport"
+local http      = require "http"
+local string    = require "string"
+local table     = require "table"
+
+portrule = shortport.port_or_service({ 631, 80, 443 }, { "ipp", "http", "https" }, "tcp")
+
+local LEXMARK_CVES = {
+  { id="CVE-2023-23560", cvss=9.0, sev="CRITICAL",
+    desc="Lexmark SSRF-to-RCE via Web Services interface — unauthenticated (Pwn2Own Toronto 2022)",
+    xpl="xpl/edb-51928",
+    port_check=80 },
+  { id="CVE-2023-26067", cvss=9.1, sev="CRITICAL",
+    desc="Lexmark post-auth RCE via device configuration API",
+    xpl="xpl/edb-cve-2023-26067",
+    port_check=80 },
+  { id="CVE-2023-50739", cvss=8.8, sev="HIGH",
+    desc="Lexmark IPP heap buffer overflow → RCE (100+ models, ZDI-CAN-22549)",
+    xpl="xpl/edb-cve-2023-50739",
+    port_check=631 },
+  { id="CVE-2023-50733", cvss=6.5, sev="MEDIUM",
+    desc="Lexmark EWS SSRF — pivot to internal network resources",
+    xpl="xpl/edb-cve-2023-50733",
+    port_check=80 },
+  { id="CVE-2023-50738", cvss=7.2, sev="HIGH",
+    desc="Lexmark firmware downgrade bypass → re-expose historical vulnerabilities",
+    xpl="xpl/research/research-lexmark-fw-decrypt",
+    port_check=80 },
+  { id="CVE-2022-24935", cvss=8.0, sev="HIGH",
+    desc="Lexmark authentication bypass via crafted POST to NPS endpoint",
+    xpl="xpl/research/research-lexmark-auth",
+    port_check=80 },
+}
+
+-- IPP probe to detect Lexmark
+local function ipp_fingerprint(host, port)
+  if port.number ~= 631 then return nil end
+  local req =
+    "\x02\x00\x00\x0b\x00\x00\x00\x01\x01" ..
+    "\x47\x00\x12attributes-charset\x00\x05utf-8" ..
+    "\x48\x00\x1battributes-natural-language\x00\x05en-us" ..
+    "\x45\x00\x0bprinter-uri\x00\x0cipp://0.0.0.0/" ..
+    "\x03"
+  local resp = http.post(host, 631, "/printers/",
+    { header = { ["Content-Type"] = "application/ipp" }, timeout = 5000 },
+    nil, req)
+  if resp and resp.body then return resp.body end
+  return nil
+end
+
+-- HTTP EWS probe to detect Lexmark
+local function http_fingerprint(host, port)
+  local paths = { "/", "/cgi-bin/dynamic/", "/lexmark/", "/printer.html" }
+  for _, p in ipairs(paths) do
+    local r = http.get(host, port.number, p, { timeout = 5000 })
+    if r and r.status == 200 and r.body then
+      if r.body:lower():match("lexmark") then
+        return r.body
+      end
+    end
+  end
+  return nil
+end
+
+-- Test CVE-2023-23560 SSRF surface
+local function check_ssrf_surface(host, port)
+  local r = http.get(host, port.number, "/cgi-bin/dynamic/config/webservices.html",
+    { timeout = 4000 })
+  if r and (r.status == 200 or r.status == 302) then
+    return true
+  end
+  -- Try alternate
+  r = http.get(host, port.number, "/webservices", { timeout = 3000 })
+  if r and (r.status == 200 or r.status == 302) then return true end
+  return false
+end
+
+-- Test CVE-2022-24935 auth bypass surface
+local function check_nps_bypass(host, port)
+  local r = http.post(host, port.number, "/cgi-bin/dynamic/nps",
+    { header = { ["Content-Type"] = "application/x-www-form-urlencoded" },
+      timeout = 4000 },
+    nil, "auth=probe")
+  if r and r.status == 200 then
+    if r.body and r.body:lower():match("lexmark") then
+      return true
+    end
+  end
+  return false
+end
+
+action = function(host, port)
+  local out = stdnse.output_table()
+
+  -- Fingerprint
+  local banner = nil
+  local is_lexmark = false
+
+  if port.number == 631 then
+    banner = ipp_fingerprint(host, port)
+    if banner and banner:lower():match("lexmark") then is_lexmark = true end
+  end
+
+  if not is_lexmark then
+    banner = http_fingerprint(host, port)
+    if banner then is_lexmark = true end
+  end
+
+  if not is_lexmark then
+    return "Lexmark not detected on port " .. port.number ..
+           " — use printer-cve-detect for generic CVE matching"
+  end
+
+  out["Vendor"] = "Lexmark"
+
+  -- Extract model if possible
+  if banner then
+    local model = banner:match("[Ll]exmark%s+([%w%-]+%s*[%w%-]*)")
+    if model then out["Model"] = model:match("^%s*(.-)%s*$"):sub(1, 60) end
+  end
+
+  -- Active surface checks
+  local ssrf_exposed  = check_ssrf_surface(host, port)
+  local nps_exposed   = check_nps_bypass(host, port)
+
+  if ssrf_exposed  then out["SSRF-Surface"]  = "Web Services config accessible — CVE-2023-23560" end
+  if nps_exposed   then out["NPS-Surface"]   = "NPS endpoint responding — CVE-2022-24935" end
+
+  -- Match CVEs
+  local matched = {}
+  for _, cve in ipairs(LEXMARK_CVES) do
+    local relevant = (not cve.port_check) or (cve.port_check == port.number)
+    if not relevant then
+      relevant = cve.cvss >= 9.0  -- always include critical
+    end
+    local triggered = relevant
+    if cve.id == "CVE-2023-23560" and not ssrf_exposed then triggered = relevant end
+    if cve.id == "CVE-2022-24935" and not nps_exposed  then triggered = relevant end
+    if triggered then table.insert(matched, cve) end
+  end
+
+  -- Sort by CVSS
+  table.sort(matched, function(a, b) return a.cvss > b.cvss end)
+
+  if #matched > 0 then
+    local cve_lines = {}
+    for _, c in ipairs(matched) do
+      table.insert(cve_lines, string.format("[%s] %s (CVSS %.1f) — %s\n            module: %s",
+        c.sev, c.id, c.cvss, c.desc, c.xpl))
+    end
+    out["CVEs"] = cve_lines
+  end
+
+  -- Verdict
+  local is_vuln = ssrf_exposed or nps_exposed
+  if is_vuln then
+    out["Verdict"] = "POSSIBLY VULNERABLE — active surface exposure confirmed"
+    out["Suggest"] = "printerxpl-forge run --module " .. matched[1].xpl .. " --target " .. host.ip
+  else
+    out["Verdict"] = "POSSIBLY VULNERABLE — Lexmark confirmed but active surfaces not exposed"
+    out["Suggest"] = "printerxpl-forge run --module " .. matched[1].xpl .. " --dry-run --target " .. host.ip
+  end
+
+  out["Full-Scan"] = "pip install printerxpl-forge  |  printerxpl-forge scan --target " .. host.ip
+
+  return out
+end

nse/scripts/printer-passback.nse

@@ -0,0 +1,204 @@
+local description = [[
+printer-passback — LDAP/SMB credential passback attack surface detection.
+
+Modern multifunction printers (MFPs) support scan-to-email, scan-to-folder
+(SMB), LDAP authentication, and network scanning. If these features are
+configured, a rogue LDAP/SMB server can capture domain credentials when the
+printer initiates a connection ("passback attack").
+
+This script detects:
+  - Accessible LDAP configuration pages (scan-to-email / address book LDAP)
+  - SMB scan destination configuration pages
+  - Network credential test endpoints
+  - Active Directory integration surfaces
+
+CVE coverage:
+  - CVE-2022-23968: Xerox FutureSmart LDAP passback
+  - CVE-2022-23969: Xerox FutureSmart SMB passback
+  - Generic passback surface detection for HP, Ricoh, Konica, Canon, etc.
+
+Author: André Henrique (@mrhenrike) | União Geek
+]]
+
+---
+-- @usage
+--   nmap -p 80,443 --script printer-passback <target>
+-- @output
+-- PORT   STATE SERVICE
+-- 80/tcp open  http
+-- | printer-passback:
+-- |   LDAP-Config  : /hp/device/LdapConfiguration.htm (HTTP 200 — accessible)
+-- |   SMB-Config   : /hp/device/SmbConfiguration.htm  (HTTP 200 — accessible)
+-- |   [HIGH] CVE-2022-23968 — Xerox LDAP passback → domain credential capture
+-- |   [HIGH] CVE-2022-23969 — Xerox SMB passback → domain credential capture
+-- |   Verdict : POSSIBLY VULNERABLE — LDAP/SMB config pages accessible
+-- |_  Suggest : printerxpl-forge run --module xpl/research/research-passback-ldap
+---
+
+categories = { "vuln", "safe", "discovery" }
+author     = "André Henrique (@mrhenrike) | União Geek"
+license    = "Same as Nmap -- See https://nmap.org/book/man-legal.html"
+
+local stdnse    = require "stdnse"
+local shortport = require "shortport"
+local http      = require "http"
+local string    = require "string"
+local table     = require "table"
+
+portrule = shortport.http
+
+-- Passback surface endpoints per vendor
+local PASSBACK_ENDPOINTS = {
+  -- HP
+  { path="/hp/device/LdapConfiguration.htm",     vendor="HP",     proto="LDAP",
+    cve="CVE-2022-23968-HP", desc="HP EWS LDAP directory config" },
+  { path="/hp/device/NetworkFolderConfiguration.htm", vendor="HP", proto="SMB",
+    cve="CVE-2022-23969-HP", desc="HP EWS SMB scan-to-folder config" },
+  { path="/hp/device/EmailConfiguration.htm",    vendor="HP",     proto="SMTP",
+    cve=nil, desc="HP EWS email config (SMTP credentials)" },
+  -- Xerox
+  { path="/cgi-bin/dynamic/userprefs/LdapConfiguration.html", vendor="Xerox", proto="LDAP",
+    cve="CVE-2022-23968", desc="Xerox FutureSmart LDAP config (CISA alert)" },
+  { path="/cgi-bin/dynamic/userprefs/SmtpConfiguration.html", vendor="Xerox", proto="SMTP",
+    cve=nil, desc="Xerox SMTP config (email credentials)" },
+  { path="/cgi-bin/dynamic/userprefs/SmbConfiguration.html",  vendor="Xerox", proto="SMB",
+    cve="CVE-2022-23969", desc="Xerox FutureSmart SMB config (CISA alert)" },
+  { path="/web/entry.cgi?id=ldap",               vendor="Ricoh",  proto="LDAP",
+    cve=nil, desc="Ricoh LDAP config" },
+  { path="/web/entry.cgi?id=scan_folder",        vendor="Ricoh",  proto="SMB",
+    cve=nil, desc="Ricoh scan-to-folder SMB config" },
+  -- Konica
+  { path="/wcd/ldap.html",                       vendor="Konica", proto="LDAP",
+    cve=nil, desc="Konica bizhub LDAP config" },
+  { path="/wcd/smb_setting.html",                vendor="Konica", proto="SMB",
+    cve=nil, desc="Konica bizhub SMB scan config" },
+  -- Toshiba
+  { path="/TopAccess/Admin/Setting/E-MAIL/LDAPSetting.htm", vendor="Toshiba", proto="LDAP",
+    cve=nil, desc="Toshiba TopAccess LDAP auth config" },
+  -- Canon
+  { path="/cgi-bin/dynamicconfig",               vendor="Canon",  proto="LDAP",
+    cve=nil, desc="Canon dynamic config (may include LDAP)" },
+  -- Brother
+  { path="/network/network.html",                vendor="Brother", proto="SMTP",
+    cve=nil, desc="Brother network config (SMTP credentials)" },
+  -- Kyocera
+  { path="/js/jssrc/model/system/LdapSetting.js", vendor="Kyocera", proto="LDAP",
+    cve=nil, desc="Kyocera LDAP setting JS (check for config exposure)" },
+  -- Generic
+  { path="/cgi-bin/dynamic/config/ldapconfig.html", vendor="Generic", proto="LDAP",
+    cve=nil, desc="Generic LDAP config endpoint" },
+  { path="/ldap",                                vendor="Generic", proto="LDAP",
+    cve=nil, desc="Generic /ldap path" },
+  { path="/scan/smb",                            vendor="Generic", proto="SMB",
+    cve=nil, desc="Generic scan-to-SMB endpoint" },
+}
+
+-- Known passback CVEs for detailed output
+local PASSBACK_CVES = {
+  ["CVE-2022-23968"] = {
+    sev="HIGH", cvss=7.5,
+    desc="Xerox FutureSmart LDAP passback — printer sends LDAP bind to rogue server capturing domain creds",
+    xpl="xpl/research/research-passback-ldap",
+  },
+  ["CVE-2022-23969"] = {
+    sev="HIGH", cvss=7.5,
+    desc="Xerox FutureSmart SMB passback — printer authenticates to rogue SMB share capturing NTLM hashes",
+    xpl="xpl/research/research-passback-smb",
+  },
+}
+
+action = function(host, port)
+  local out = stdnse.output_table()
+
+  -- Quick root check
+  local root = http.get(host, port.number, "/", { timeout = 4000 })
+  if not root then return "HTTP not responding" end
+
+  local accessible = {}
+  local cves_triggered = {}
+  local seen = {}
+  local protos_found = {}
+
+  for _, ep in ipairs(PASSBACK_ENDPOINTS) do
+    local resp = http.get(host, port.number, ep.path,
+      { timeout = 4000, redirect_ok = false })
+    if resp and (resp.status == 200 or resp.status == 302) then
+      local entry = string.format("%s (%s, HTTP %d) [%s — %s]",
+        ep.path, ep.proto, resp.status, ep.vendor, ep.desc)
+      table.insert(accessible, entry)
+      protos_found[ep.proto] = true
+
+      if ep.cve and not seen[ep.cve] then
+        seen[ep.cve] = true
+        local cve_detail = PASSBACK_CVES[ep.cve]
+        if cve_detail then
+          table.insert(cves_triggered, {
+            id   = ep.cve,
+            sev  = cve_detail.sev,
+            cvss = cve_detail.cvss,
+            desc = cve_detail.desc,
+            xpl  = cve_detail.xpl,
+          })
+        end
+      end
+    end
+  end
+
+  if #accessible == 0 then
+    return "No LDAP/SMB passback surfaces detected (admin pages may require auth or non-standard paths)"
+  end
+
+  -- Protocol summary
+  local proto_list = {}
+  for p, _ in pairs(protos_found) do table.insert(proto_list, p) end
+  out["Protocols"] = table.concat(proto_list, ", ")
+
+  out["Config-Pages-Found"] = accessible
+
+  -- CVE output
+  if #cves_triggered > 0 then
+    local cve_lines = {}
+    for _, c in ipairs(cves_triggered) do
+      table.insert(cve_lines, string.format("[%s] %s (CVSS %.1f) — %s",
+        c.sev, c.id, c.cvss, c.desc))
+    end
+    out["CVEs"] = cve_lines
+  end
+
+  -- Passback explanation
+  local has_ldap = protos_found["LDAP"]
+  local has_smb  = protos_found["SMB"]
+
+  local attack_desc = {}
+  if has_ldap then
+    table.insert(attack_desc,
+      "LDAP passback: redirect printer LDAP queries to rogue server → capture domain credentials")
+  end
+  if has_smb then
+    table.insert(attack_desc,
+      "SMB passback: redirect printer SMB auth to Responder/rogue share → capture NTLM hashes")
+  end
+  if #attack_desc > 0 then
+    out["Attack-Vector"] = attack_desc
+  end
+
+  -- Verdict
+  out["Verdict"] = "POSSIBLY VULNERABLE — " ..
+    #accessible .. " config page(s) accessible; passback attack feasible if admin credentials known"
+
+  if #cves_triggered > 0 then
+    out["Suggest"] = "printerxpl-forge run --module " .. cves_triggered[1].xpl .. " --target " .. host.ip
+  else
+    out["Suggest"] = "printerxpl-forge run --module xpl/research/research-passback-ldap --target " .. host.ip
+  end
+
+  out["Manual-Steps"] =
+    "1. Set up rogue LDAP/SMB server (Responder or custom)  " ..
+    "2. Modify printer LDAP/SMB server IP to attacker IP  " ..
+    "3. Trigger auth test from printer web UI  " ..
+    "4. Capture credentials on rogue server"
+
+  out["Full-Scan"] = "pip install printerxpl-forge  |  printerxpl-forge scan --target " .. host.ip
+
+  return out
+end

nse/scripts/printer-pjl-info.nse

@@ -0,0 +1,146 @@
+local description = [[
+printer-pjl-info — Deep PJL enumeration via port 9100.
+
+Sends multiple @PJL INFO commands to extract: device identity (ID, MODEL),
+environment variables (TIMEOUT, RESOLUTION, COPIES), filesystem listing (FSLIST),
+status (JOB status, READY state), and network configuration.
+
+Also tests for PJL password protection — unprotected devices are flagged.
+
+References:
+  https://github.com/mrhenrike/PrinterXPL-Forge
+  https://h20195.www2.hp.com/v2/GetDocument.aspx?docname=bpl13208 (HP PJL Tech Ref)
+
+Author: André Henrique (@mrhenrike) | União Geek
+]]
+
+---
+-- @usage
+--   nmap -p 9100 --script printer-pjl-info <target>
+-- @output
+-- PORT     STATE SERVICE
+-- 9100/tcp open  jetdirect
+-- | printer-pjl-info:
+-- |   ID           : HP LASERJET M606
+-- |   Model        : HP LaserJet Enterprise M606dn
+-- |   Firmware     : FY5L.04.A.00.00
+-- |   Serial       : JPGD12345
+-- |   Resolution   : 1200
+-- |   Timeout      : 15
+-- |   Filesystem   : 0:\ [HDD 40GB]
+-- |   PJL-Password : NOT SET (unprotected — PJL job injection possible)
+-- |_  Verdict      : POSSIBLY VULNERABLE (unrestricted PJL access)
+---
+
+categories = { "discovery", "safe", "vuln" }
+author     = "André Henrique (@mrhenrike) | União Geek"
+license    = "Same as Nmap -- See https://nmap.org/book/man-legal.html"
+
+local stdnse    = require "stdnse"
+local shortport = require "shortport"
+local comm      = require "comm"
+local string    = require "string"
+
+portrule = shortport.port_or_service(9100, "jetdirect", "tcp")
+
+local UEL = "\x1b%-12345X"
+
+local PJL_QUERIES = {
+  { cmd = "@PJL INFO ID\r\n",          key = "ID" },
+  { cmd = "@PJL INFO CONFIG\r\n",      key = "Config" },
+  { cmd = "@PJL INFO VARIABLES\r\n",   key = "Variables" },
+  { cmd = "@PJL INFO FILESYS\r\n",     key = "Filesystem" },
+  { cmd = "@PJL INFO STATUS\r\n",      key = "Status" },
+  { cmd = "@PJL INFO PRODINFO\r\n",    key = "ProductInfo" },
+  { cmd = "@PJL INFO MEMORY\r\n",      key = "Memory" },
+}
+
+local function pjl_send(host, port, cmds)
+  local payload = UEL .. "@PJL\r\n"
+  for _, q in ipairs(cmds) do
+    payload = payload .. q.cmd
+  end
+  payload = payload .. UEL
+
+  local status, resp = comm.exchange(host, port, payload,
+    { timeout = 7000, bytes = 16384 })
+  if status then return resp end
+  return nil
+end
+
+local function extract_field(text, pattern)
+  local val = text:match(pattern)
+  if val then return val:match("^%s*(.-)%s*$") end
+  return nil
+end
+
+action = function(host, port)
+  local resp = pjl_send(host, port, PJL_QUERIES)
+  if not resp then
+    return "No PJL response — port may be closed or require credentials"
+  end
+
+  local out = stdnse.output_table()
+
+  -- Basic identity
+  local id_val = extract_field(resp, "@PJL INFO ID%s*\r?\n(.-)%r?\n%s*@PJL")
+                 or extract_field(resp, 'ID%s*=%s*"([^"]+)"')
+                 or extract_field(resp, "ID%s*\r?\n%s*([^\r\n]+)")
+  if id_val then out["ID"] = id_val end
+
+  -- Firmware
+  local fw = extract_field(resp, "DATECODE%s*=%s*([%w%.%-]+)")
+             or extract_field(resp, "[Ff]irmware[Vv]ersion%s*=%s*([%w%.%-]+)")
+  if fw then out["Firmware"] = fw end
+
+  -- Serial
+  local sn = extract_field(resp, "SERIALNUMBER%s*=%s*([%w%-]+)")
+             or extract_field(resp, "SERIAL%s*=%s*([%w%-]+)")
+  if sn then out["Serial"] = sn end
+
+  -- Resolution
+  local res = extract_field(resp, "RESOLUTION%s*=%s*(%d+)")
+  if res then out["Resolution-DPI"] = res end
+
+  -- Memory
+  local mem = extract_field(resp, "TOTALMEMORY%s*=%s*(%d+)")
+  if mem then out["Memory-KB"] = mem end
+
+  -- Filesystem
+  local fs = extract_field(resp, "VOLUME%s*=%s*([^\r\n]+)")
+             or extract_field(resp, "NAME%s*=%s*\"([^\"]+)\"")
+  if fs then out["Filesystem"] = fs end
+
+  -- Job count / status
+  local jobs = extract_field(resp, "JOBNAME%s*=%s*\"([^\"]+)\"")
+  if jobs then out["Last-Job"] = jobs end
+
+  -- PJL Password check: try @PJL DEFAULT PASSWORD test
+  local pwd_check = UEL .. "@PJL\r\n@PJL DEFAULT PASSWORD=0\r\n" .. UEL
+  local ps, pr = comm.exchange(host, port, pwd_check, { timeout = 3000, bytes = 512 })
+  local pwd_set = false
+  if ps and pr and (pr:match("PASSWORD") or pr:match("ACCESS")) then
+    pwd_set = true
+    out["PJL-Password"] = "SET (access control enabled)"
+  else
+    out["PJL-Password"] = "NOT SET — PJL unrestricted (job injection / NVRAM access possible)"
+    pwd_set = false
+  end
+
+  -- Verdict
+  local is_vuln = not pwd_set
+  local is_possible = resp and resp:match("READY") ~= nil
+
+  if is_vuln then
+    out["Verdict"] = "POSSIBLY VULNERABLE — unrestricted PJL: use printer-vuln-check for deep scan"
+    out["Suggest"] = "printerxpl-forge run --module xpl/edb-cve-2017-2741 --target " .. host.ip
+  elseif is_possible then
+    out["Verdict"] = "NOT VULNERABLE to unrestricted PJL (password set)"
+  else
+    out["Verdict"] = "UNKNOWN — partial PJL response"
+  end
+
+  out["Full-Exploitation"] = "pip install printerxpl-forge  |  printerxpl-forge run --target " .. host.ip
+
+  return out
+end