printerxpl-forge 6.2.0__py3-none-any.whl

nse/scripts/printer-printnightmare.nse

@@ -0,0 +1,211 @@
+local description = [[
+printer-printnightmare — Windows Print Spooler vulnerability detection.
+
+Detects exposure of the Windows Print Spooler service (spoolsv.exe) and assesses
+vulnerability to the PrintNightmare family of exploits:
+
+  - CVE-2021-1675:  PrintNightmare RCE via RpcAddPrinterDriverEx (unauthenticated + network)
+  - CVE-2021-34527: PrintNightmare (official patch bypass) — still exploitable in some configs
+  - CVE-2020-1048:  PrintDemon — persistent SYSTEM backdoor via printer port race condition
+  - CVE-2020-1337:  PrintDemon hardlink bypass — arbitrary privileged file write
+  - CVE-2021-36958: Windows Print Spooler remote code execution
+  - CVE-2022-38028: GooseEgg — APT28 Print Spooler LPE (CISA KEV 2024, actively exploited)
+  - CVE-2022-21999: SpoolFool — Windows Print Spooler LPE
+
+Probes: SMB (445), RPC (135), and WSD (3702) to confirm spooler exposure.
+
+Author: André Henrique (@mrhenrike) | União Geek
+]]
+
+---
+-- @usage
+--   nmap -p 445,135,3702 --script printer-printnightmare <target>
+-- @output
+-- PORT    STATE SERVICE
+-- 445/tcp open  microsoft-ds
+-- | printer-printnightmare:
+-- |   SMB       : Open (Windows detected)
+-- |   OS        : Windows 10 / Server 2019
+-- |   Spooler   : POSSIBLY ACTIVE (SMB open, historical exposure)
+-- |   [CRITICAL] CVE-2021-1675 (CVSS 9.8) — PrintNightmare unauthenticated network RCE
+-- |   [HIGH]     CVE-2022-38028 (CVSS 7.8) — GooseEgg LPE (APT28, CISA KEV)
+-- |   [HIGH]     CVE-2020-1048  (CVSS 7.8) — PrintDemon persistent SYSTEM backdoor
+-- |   Verdict   : POSSIBLY VULNERABLE
+-- |_  Suggest   : printerxpl-forge run --module xpl/edb-50498 --target <IP>
+---
+
+categories = { "vuln", "safe" }
+author     = "André Henrique (@mrhenrike) | União Geek"
+license    = "Same as Nmap -- See https://nmap.org/book/man-legal.html"
+
+local stdnse    = require "stdnse"
+local shortport = require "shortport"
+local smb       = require "smb"
+local smb2      = require "smb2"
+local comm      = require "comm"
+local string    = require "string"
+local table     = require "table"
+
+portrule = shortport.port_or_service(
+  { 445, 135, 3702, 139 },
+  { "microsoft-ds", "msrpc", "wsd", "netbios-ssn" },
+  "tcp"
+)
+
+local SPOOLER_CVES = {
+  { id="CVE-2021-1675",  cvss=9.8, sev="CRITICAL",
+    desc="PrintNightmare — Windows Print Spooler unauthenticated RCE via RpcAddPrinterDriverEx",
+    xpl="xpl/edb-50498" },
+  { id="CVE-2021-34527", cvss=8.8, sev="HIGH",
+    desc="PrintNightmare (official) — patch bypass via RpcAddPrinterDriverEx with Point&Print",
+    xpl="xpl/edb-50498" },
+  { id="CVE-2022-38028", cvss=7.8, sev="HIGH",
+    desc="GooseEgg — APT28 LPE via Windows Print Spooler (CISA KEV 2024, actively exploited)",
+    xpl="xpl/research/research-gooseegg-spooler" },
+  { id="CVE-2020-1048",  cvss=7.8, sev="HIGH",
+    desc="PrintDemon — persistent SYSTEM backdoor via printer port + DLL side-loading",
+    xpl="xpl/msf-cve-2020-1048-printerdemon" },
+  { id="CVE-2020-1337",  cvss=7.8, sev="HIGH",
+    desc="PrintDemon hardlink bypass — arbitrary privileged file write → SYSTEM",
+    xpl="xpl/edb-cve-2020-1337" },
+  { id="CVE-2021-36958", cvss=7.8, sev="HIGH",
+    desc="Windows Print Spooler remote code execution (out-of-band patch)",
+    xpl="xpl/edb-50498" },
+  { id="CVE-2022-21999", cvss=7.8, sev="HIGH",
+    desc="SpoolFool — Windows Print Spooler LPE via printer driver DLL planting",
+    xpl="xpl/edb-cve-2022-21999" },
+  { id="CVE-2023-21678", cvss=7.8, sev="HIGH",
+    desc="Windows Print Spooler elevation of privilege (Jan 2023 Patch Tuesday)",
+    xpl="xpl/research/research-spooler-eop-2023" },
+}
+
+-- SMB negotiation probe to detect Windows
+local function smb_probe(host, port)
+  if port.number ~= 445 and port.number ~= 139 then return nil end
+  local smb_neg =
+    "\x00\x00\x00\x2f" ..  -- NetBIOS length
+    "\xff\x53\x4d\x42" ..  -- SMB magic
+    "\x72\x00\x00\x00\x00\x08\x01\x40\x00\x00\x00\x00\x00\x00\x00\x00" ..
+    "\x00\x00\x00\x00\xff\xff\xff\xfe\x00\x00\x00\x00" ..
+    "\x00\x0c\x00\x02NT LM 0.12\x00"
+
+  local ok, resp = comm.exchange(host, port, smb_neg,
+    { timeout = 5000, bytes = 256 })
+  if ok and resp then return resp end
+  return nil
+end
+
+-- RPC portmapper probe to check if spooler is registered
+local function rpc_probe(host, port)
+  if port.number ~= 135 then return nil end
+  -- Minimal DCE/RPC bind to portmapper
+  local rpc_bind =
+    "\x05\x00\x0b\x03\x10\x00\x00\x00\x48\x00\x00\x00\x01\x00\x00\x00" ..
+    "\xd0\x16\xd0\x16\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x01\x00" ..
+    "\x08\x83\xaf\xe1\x1f\x5d\xc9\x11\x91\xa4\x08\x00\x2b\x14\xa0\xfa" ..
+    "\x03\x00\x00\x00\x33\x05\x71\x71\xba\xbe\x37\x49\x83\x19\xb5\xdb" ..
+    "\xef\x9c\xcc\x36\x01\x00\x00\x00"
+  local ok, resp = comm.exchange(host, port, rpc_bind,
+    { timeout = 4000, bytes = 256 })
+  if ok and resp then return resp end
+  return nil
+end
+
+-- WSD (Web Services for Devices) probe on 3702/UDP
+local function wsd_probe(host, port)
+  if port.number ~= 3702 then return nil end
+  local wsd_probe_xml =
+    '<?xml version="1.0" encoding="utf-8"?>' ..
+    '<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" ' ..
+    'xmlns:wsd="http://schemas.xmlsoap.org/ws/2005/04/discovery">' ..
+    '<soap:Body><wsd:Probe><wsd:Types>wsdp:Printer</wsd:Types></wsd:Probe></soap:Body>' ..
+    '</soap:Envelope>'
+  local ok, resp = comm.exchange(host, { number = 3702, protocol = "udp" },
+    wsd_probe_xml, { timeout = 3000, bytes = 1024 })
+  if ok then return resp end
+  return nil
+end
+
+action = function(host, port)
+  local out = stdnse.output_table()
+  local windows_detected = false
+  local smb_open = false
+  local rpc_open  = false
+  local wsd_open  = false
+  local os_hint   = nil
+
+  -- SMB probe
+  if port.number == 445 or port.number == 139 then
+    local smb_resp = smb_probe(host, port)
+    if smb_resp then
+      smb_open = true
+      -- Check for Windows response marker
+      if smb_resp:match("\xff\x53\x4d\x42") then
+        windows_detected = true
+        -- Try to extract OS info
+        local os_str = smb_resp:match("Windows[%w%s%.]+")
+        if os_str then os_hint = os_str:sub(1, 50) end
+      end
+    end
+  end
+
+  -- RPC probe
+  if port.number == 135 then
+    local rpc_resp = rpc_probe(host, port)
+    if rpc_resp then
+      rpc_open = true
+      windows_detected = true
+    end
+  end
+
+  -- WSD probe
+  if port.number == 3702 then
+    local wsd_resp = wsd_probe(host, port)
+    if wsd_resp then
+      wsd_open = true
+      if wsd_resp:lower():match("printer") then
+        windows_detected = true
+      end
+    end
+  end
+
+  if not smb_open and not rpc_open and not wsd_open then
+    return "No SMB/RPC/WSD response — Print Spooler not exposed or target is not Windows"
+  end
+
+  -- Build output
+  if smb_open  then out["SMB"]  = "Open" end
+  if rpc_open  then out["RPC"]  = "Open (DCE/RPC portmapper responding)" end
+  if wsd_open  then out["WSD"]  = "Open (WSD printer broadcast)" end
+  if os_hint   then out["OS"]   = os_hint end
+  out["Windows"] = windows_detected and "Detected" or "Possible (SMB open, no OS banner)"
+
+  -- Spooler estimation
+  if smb_open and windows_detected then
+    out["Spooler-Status"] = "LIKELY RUNNING — SMB open on Windows host"
+  elseif smb_open then
+    out["Spooler-Status"] = "POSSIBLY RUNNING — SMB open, OS unconfirmed"
+  end
+
+  -- CVE output
+  local cve_lines = {}
+  for _, c in ipairs(SPOOLER_CVES) do
+    table.insert(cve_lines, string.format("[%s] %s (CVSS %.1f) — %s\n            module: %s",
+      c.sev, c.id, c.cvss, c.desc, c.xpl))
+  end
+  out["CVEs"] = cve_lines
+
+  -- Verdict
+  if windows_detected and smb_open then
+    out["Verdict"] = "POSSIBLY VULNERABLE — Windows + SMB confirmed; spooler status requires auth check"
+    out["Note"]    = "Requires auth check: printerxpl-forge can enumerate spooler via NULL session or valid creds"
+    out["Suggest"] = "printerxpl-forge run --module xpl/edb-50498 --target " .. host.ip
+  else
+    out["Verdict"] = "POSSIBLY VULNERABLE — some exposure indicators present"
+    out["Suggest"] = "printerxpl-forge run --module xpl/edb-50498 --dry-run --target " .. host.ip
+  end
+
+  out["Full-Scan"] = "pip install printerxpl-forge  |  printerxpl-forge scan --target " .. host.ip
+
+  return out
+end

nse/scripts/printer-snmp-info.nse

@@ -0,0 +1,176 @@
+local description = [[
+printer-snmp-info — SNMP-based printer information extraction.
+
+Queries standard Printer MIB (RFC 3805) and vendor-specific OIDs to retrieve:
+device description, location, contact, serial number, firmware, page count,
+ink/toner levels, and error log. Community strings tested: public, private,
+internal, printer (common defaults).
+
+CVE check: CVE-2022-1026 (Kyocera unauthenticated address book dump via SNMP).
+
+Author: André Henrique (@mrhenrike) | União Geek
+]]
+
+---
+-- @usage
+--   nmap -sU -p 161 --script printer-snmp-info <target>
+-- @output
+-- PORT    STATE SERVICE
+-- 161/udp open  snmp
+-- | printer-snmp-info:
+-- |   sysDescr    : HP LaserJet M606 FW FY5L.04
+-- |   sysLocation : Server Room B
+-- |   Serial      : JPGD12345
+-- |   Page-Count  : 127,493
+-- |   Community   : public (readable — unauthenticated SNMP)
+-- |   Verdict     : POSSIBLY VULNERABLE (public community writable?)
+-- |_  Suggest     : printerxpl-forge run --module xpl/edb-cve-2022-1026
+---
+
+categories = { "discovery", "safe", "vuln" }
+author     = "André Henrique (@mrhenrike) | União Geek"
+license    = "Same as Nmap -- See https://nmap.org/book/man-legal.html"
+
+local stdnse    = require "stdnse"
+local shortport = require "shortport"
+local snmp      = require "snmp"
+local comm      = require "comm"
+local string    = require "string"
+local table     = require "table"
+
+portrule = shortport.port_or_service(161, "snmp", "udp")
+
+-- Standard + Printer MIB OIDs
+local OIDS = {
+  { oid = "1.3.6.1.2.1.1.1.0",            key = "sysDescr" },
+  { oid = "1.3.6.1.2.1.1.5.0",            key = "sysName" },
+  { oid = "1.3.6.1.2.1.1.6.0",            key = "sysLocation" },
+  { oid = "1.3.6.1.2.1.1.4.0",            key = "sysContact" },
+  { oid = "1.3.6.1.2.1.43.5.1.1.17.1",    key = "Serial-Number" },
+  { oid = "1.3.6.1.2.1.43.10.2.1.4.1.1",  key = "Page-Count" },
+  { oid = "1.3.6.1.2.1.43.11.1.1.9.1.1",  key = "Toner-Level-%" },
+  { oid = "1.3.6.1.4.1.11.2.3.9.1.1.7.0", key = "HP-Firmware" },
+  { oid = "1.3.6.1.4.1.2435.2.3.9.4.2.1.5.5.8.0", key = "Brother-Model" },
+  { oid = "1.3.6.1.4.1.18334.1.1.1.5.7.2.1.1.19.1", key = "Kyocera-Serial" },
+}
+
+local COMMUNITIES = { "public", "private", "internal", "printer", "snmpv1", "community", "admin" }
+
+action = function(host, port)
+  local out  = stdnse.output_table()
+  local community_used = nil
+  local results = {}
+
+  -- Try communities
+  for _, community in ipairs(COMMUNITIES) do
+    local req = snmp.buildPacket(snmp.PDU:new("GETNEXT", OIDS[1].oid), community)
+    local ok, resp = comm.exchange(host, port, req,
+      { proto = "udp", timeout = 3000 })
+    if ok and resp and not resp:match("noSuchName") then
+      community_used = community
+      break
+    end
+  end
+
+  if not community_used then
+    return "SNMP community not found — try: nmap -p 161 --script snmp-brute"
+  end
+
+  out["Community"] = community_used .. " (readable)"
+
+  -- Walk OIDs with found community
+  for _, entry in ipairs(OIDS) do
+    local req = snmp.buildPacket(snmp.PDU:new("GET", entry.oid), community_used)
+    local ok, resp = comm.exchange(host, port, req,
+      { proto = "udp", timeout = 2000 })
+    if ok and resp then
+      local val = snmp.parseResponse(resp)
+      if val and val ~= "" then
+        results[entry.key] = tostring(val):match("^%s*(.-)%s*$")
+      end
+    end
+  end
+
+  for k, v in pairs(results) do
+    out[k] = v:sub(1, 120)
+  end
+
+  -- Detect vendor from sysDescr
+  local desc_lower = (results["sysDescr"] or ""):lower()
+  local vendor = nil
+  if desc_lower:match("hp ") or desc_lower:match("laserjet") then
+    vendor = "HP"
+  elseif desc_lower:match("kyocera") then
+    vendor = "Kyocera"
+  elseif desc_lower:match("ricoh") or desc_lower:match("aficio") then
+    vendor = "Ricoh"
+  elseif desc_lower:match("lexmark") then
+    vendor = "Lexmark"
+  elseif desc_lower:match("canon") then
+    vendor = "Canon"
+  elseif desc_lower:match("xerox") then
+    vendor = "Xerox"
+  elseif desc_lower:match("brother") then
+    vendor = "Brother"
+  elseif desc_lower:match("konica") or desc_lower:match("bizhub") then
+    vendor = "Konica Minolta"
+  end
+
+  if vendor then out["Vendor"] = vendor end
+
+  -- SNMP write test (COMMUNITY "private")
+  local write_possible = false
+  if community_used == "public" then
+    -- Try write with private
+    local write_req = snmp.buildPacket(
+      snmp.PDU:new("SET", "1.3.6.1.2.1.1.6.0", "nmap-test"), "private")
+    local wok, wresp = comm.exchange(host, port, write_req,
+      { proto = "udp", timeout = 2000 })
+    if wok and wresp and not wresp:match("noAccess") and not wresp:match("readOnly") then
+      write_possible = true
+      out["SNMP-Write"] = "POSSIBLE with 'private' community — SNMP SET attacks feasible"
+    else
+      out["SNMP-Write"] = "Not available (read-only with public)"
+    end
+  end
+
+  -- Kyocera CVE-2022-1026 check
+  local cves_found = {}
+  if vendor == "Kyocera" or (results["Kyocera-Serial"] ~= nil) then
+    table.insert(cves_found, {
+      id   = "CVE-2022-1026",
+      sev  = "HIGH",
+      cvss = 7.5,
+      desc = "Kyocera ECOSYS unauthenticated address book dump via SNMP/PJL",
+      xpl  = "xpl/edb-cve-2022-1026",
+    })
+  end
+
+  -- Build verdict
+  local is_vuln     = write_possible or #cves_found > 0
+  local is_possible = community_used == "public"
+
+  if #cves_found > 0 then
+    local cve_lines = {}
+    for _, c in ipairs(cves_found) do
+      table.insert(cve_lines, string.format("[%s] %s (CVSS %.1f) — %s | module: %s",
+        c.sev, c.id, c.cvss, c.desc, c.xpl))
+    end
+    out["CVEs"] = table.concat(cve_lines, "  |  ")
+  end
+
+  if is_vuln then
+    out["Verdict"] = "POSSIBLY VULNERABLE — CVE match or SNMP write enabled"
+    if cves_found[1] then
+      out["Suggest"] = "printerxpl-forge run --module " .. cves_found[1].xpl .. " --target " .. host.ip
+    end
+  elseif is_possible then
+    out["Verdict"] = "POSSIBLY VULNERABLE — public community accessible (enumeration only)"
+  else
+    out["Verdict"] = "NOT VULNERABLE to detected CVEs (SNMP read-only, no CVE match)"
+  end
+
+  out["Full-Scan"] = "pip install printerxpl-forge  |  printerxpl-forge scan --target " .. host.ip
+
+  return out
+end

nse/scripts/printer-vuln-check.nse

@@ -0,0 +1,256 @@
+local description = [[
+printer-vuln-check — Active, non-destructive vulnerability validation.
+
+Performs lightweight active probes to confirm or rule out specific CVEs detected
+by printer-cve-detect. Each check sends a minimal proof-of-concept payload and
+evaluates the response — no damage, no file writes, no persistence.
+
+Active checks included:
+  1. PJL NVRAM info-leak (DISPLAY/USTATUS abuse)
+  2. HP PostScript RCE probe (print error dict exploit path)
+  3. CUPS IPP newline injection marker (CVE-2026-34980)
+  4. Lexmark IPP malformed attr overflow indicator (CVE-2023-50739)
+  5. Canon SLP pre-auth probe (CVE-2022-24673)
+  6. Xerox command injection surface check (CVE-2021-27508/CVE-2024-6333)
+  7. Sharp unauthenticated command execution probe (CVE-2022-45796)
+  8. PrintNightmare SMB print spooler exposure check
+
+Author: André Henrique (@mrhenrike) | União Geek
+]]
+
+---
+-- @usage
+--   nmap -p 9100,631,80,427,445 --script printer-vuln-check <target>
+-- @output
+-- PORT     STATE SERVICE
+-- 9100/tcp open  jetdirect
+-- | printer-vuln-check:
+-- |   [CHECK 1] PJL NVRAM info-leak    : PASS (firmware info disclosed)
+-- |   [CHECK 2] HP PostScript RCE path : POSSIBLY VULNERABLE (error dict accessible)
+-- |   [CHECK 3] CUPS PPD injection     : NOT VULNERABLE (CUPS not detected)
+-- |   Overall Verdict : POSSIBLY VULNERABLE
+-- |_  Suggest         : printerxpl-forge run --module xpl/edb-cve-2025-26506 --target <IP>
+---
+
+categories = { "vuln", "intrusive" }
+author     = "André Henrique (@mrhenrike) | União Geek"
+license    = "Same as Nmap -- See https://nmap.org/book/man-legal.html"
+
+local stdnse    = require "stdnse"
+local shortport = require "shortport"
+local comm      = require "comm"
+local http      = require "http"
+local string    = require "string"
+local table     = require "table"
+
+portrule = shortport.port_or_service(
+  { 9100, 631, 80, 443, 427, 445, 515 },
+  { "jetdirect", "ipp", "http", "https", "snmp", "printer" },
+  "tcp"
+)
+
+local UEL = "\x1b%-12345X"
+local V = { VULN = "VULNERABLE", POSS = "POSSIBLY VULNERABLE", NOT = "NOT VULNERABLE", SKIP = "SKIP" }
+
+-- ── Check helpers ────────────────────────────────────────────────────────────
+
+local function check_pjl_nvram(host, port)
+  if port.number ~= 9100 then return V.SKIP, nil end
+  local cmd = UEL .. "@PJL INFO VARIABLES\r\nDISPLAY\r\n" .. UEL
+  local ok, r = comm.exchange(host, port, cmd, { timeout = 5000, bytes = 4096 })
+  if not ok then return V.SKIP, "no response" end
+  if r:match("VARIABLES") or r:match("DISPLAY") then
+    return V.POSS, "PJL VARIABLES/DISPLAY responded — NVRAM read-back possible"
+  end
+  return V.NOT, "PJL VARIABLES not readable"
+end
+
+local function check_hp_ps_rce(host, port)
+  if port.number ~= 9100 then return V.SKIP, nil end
+  -- Minimal PS: push serverdict begin and check for response
+  local ps_probe = UEL ..
+    "@PJL ENTER LANGUAGE=POSTSCRIPT\r\n" ..
+    "serverdict begin 0 exitserver\r\n" ..
+    "systemdict begin\r\n" ..
+    "/internaldict where { pop internaldict /setpassword known { (probe-xpl) } if } if\r\n" ..
+    "flush\r\n" ..
+    UEL
+  local ok, r = comm.exchange(host, port, ps_probe, { timeout = 6000, bytes = 2048 })
+  if not ok then return V.SKIP, "no PS response" end
+  if r:match("probe.xpl") or r:match("internaldict") or r:match("setpassword") then
+    return V.VULN, "PostScript serverdict/exitserver accepted — RCE path confirmed"
+  elseif r:match("exitserver") or r:match("[Ee]rror") then
+    return V.POSS, "PS interpreter responded (exitserver/error) — partial RCE surface"
+  end
+  return V.NOT, "PS probe not reflected"
+end
+
+local function check_cups_ppd_inject(host, port)
+  if port.number ~= 631 then return V.SKIP, nil end
+  local resp = http.get(host, port.number, "/", { timeout = 4000 })
+  if not resp or not resp.body then return V.SKIP, "IPP/HTTP not responding" end
+  local body = resp.body:lower()
+  if not body:match("cups") then return V.NOT, "CUPS not detected on port 631" end
+  local ver = resp.body:match("CUPS%s+([%d%.]+)")
+  if ver then
+    if ver == "2.4.16" then
+      return V.VULN, "CUPS 2.4.16 detected — CVE-2026-34980 unauthenticated RCE confirmed"
+    elseif ver >= "2.4.0" then
+      return V.POSS, "CUPS " .. ver .. " — possible CVE-2024-47176 (cups-browsed RCE chain)"
+    else
+      return V.NOT, "CUPS " .. ver .. " — not in vulnerable range"
+    end
+  end
+  return V.POSS, "CUPS detected but version unknown — manual check recommended"
+end
+
+local function check_lexmark_ipp_bof(host, port)
+  if port.number ~= 631 then return V.SKIP, nil end
+  -- Send IPP with oversized attribute name to test length validation
+  local big_attr = string.rep("A", 2048)
+  local payload =
+    "\x02\x00\x00\x0b\x00\x00\x00\x01\x01" ..
+    "\x47\x00\x12attributes-charset\x00\x05utf-8" ..
+    "\x48\x00\x1battributes-natural-language\x00\x05en-us" ..
+    "\x42" .. string.char(0x00, 0x08) .. "job-name" ..
+    string.char(0x08, 0x00) .. big_attr:sub(1, 2048) ..
+    "\x03"
+  local resp = http.post(
+    host, port.number, "/printers/",
+    { header = { ["Content-Type"] = "application/ipp" }, timeout = 5000 },
+    nil, payload
+  )
+  if not resp then return V.SKIP, "no response" end
+  if resp.status == 500 or resp.status == 400 then
+    local body = (resp.body or ""):lower()
+    if body:match("lexmark") or body:match("ipp") then
+      return V.POSS, "Lexmark IPP returned " .. resp.status .. " on oversized attribute — CVE-2023-50739 surface"
+    end
+  elseif resp.status == 200 then
+    return V.NOT, "IPP accepted oversized attr without error (sanitized)"
+  end
+  return V.SKIP, "indeterminate response: HTTP " .. (resp.status or "nil")
+end
+
+local function check_canon_slp(host, port)
+  if port.number ~= 427 then return V.SKIP, nil end
+  -- Minimal SLP service request for "printer" service type
+  local slp_req =
+    "\x02\x01" ..  -- SLP v2, Service Request
+    "\x00\x00\x00\x30" ..
+    "\x00\x00\x00\x00\x00\x01" ..
+    "\x00\x05en\x00\x00" ..
+    "\x00\x07printer\x00\x00\x00"
+  local ok, r = comm.exchange(host, port, slp_req, { timeout = 4000, bytes = 512, proto = "udp" })
+  if not ok then
+    -- Try TCP SLP
+    ok, r = comm.exchange(host, port, slp_req, { timeout = 4000, bytes = 512 })
+  end
+  if ok and r then
+    local body = r:lower()
+    if body:match("canon") or body:match("imageclass") then
+      return V.VULN, "Canon SLP responding with device info — CVE-2022-24673 pre-auth BOF surface"
+    elseif #r > 4 then
+      return V.POSS, "SLP service responding on 427 — check for Canon imageCLASS (CVE-2022-24673)"
+    end
+  end
+  return V.NOT, "SLP not responding on port 427"
+end
+
+local function check_xerox_cmd_inject(host, port)
+  if port.number ~= 80 and port.number ~= 443 then return V.SKIP, nil end
+  -- Probe Xerox clone endpoint (CVE-2021-27508)
+  local r = http.get(host, port.number, "/cgi-bin/cloning", { timeout = 4000 })
+  if r then
+    if r.status == 200 then
+      return V.POSS, "Xerox /cgi-bin/cloning endpoint accessible (200) — CVE-2021-27508 surface"
+    elseif r.status == 302 or r.status == 401 then
+      return V.NOT, "Xerox cloning endpoint requires auth (HTTP " .. r.status .. ")"
+    end
+  end
+  -- Probe VersaLink panel (CVE-2024-6333)
+  local r2 = http.get(host, port.number, "/web/index.html", { timeout = 3000 })
+  if r2 and r2.status == 200 and r2.body then
+    if r2.body:lower():match("versalink") then
+      return V.POSS, "Xerox VersaLink panel detected — CVE-2024-6333 requires authentication"
+    end
+  end
+  return V.NOT, "Xerox endpoints not accessible"
+end
+
+local function check_sharp_rce(host, port)
+  if port.number ~= 80 then return V.SKIP, nil end
+  local r = http.get(host, port.number, "/cgi-bin/system_cmd.cgi", { timeout = 4000 })
+  if r then
+    if r.status == 200 then
+      return V.VULN, "Sharp /cgi-bin/system_cmd.cgi accessible (200) — CVE-2022-45796 unauthenticated RCE"
+    elseif r.status == 401 or r.status == 403 then
+      return V.NOT, "Sharp cmd endpoint requires auth (HTTP " .. r.status .. ")"
+    end
+  end
+  return V.NOT, "Sharp cmd endpoint not found"
+end
+
+local function check_print_spooler(host, port)
+  if port.number ~= 445 then return V.SKIP, nil end
+  -- Check if port 445 is open (SMB) — PrintNightmare requires SMB + Spooler
+  -- We just fingerprint — actual exploit is in xpl/edb-50498
+  local ok, r = comm.exchange(host, port,
+    "\x00\x00\x00\x2f\xff\x53\x4d\x42\x72\x00\x00\x00\x00\x08\x01\x40" ..
+    "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\xff\xfe" ..
+    "\x00\x00\x00\x00\x00\x0c\x00\x02NT LM 0.12\x00",
+    { timeout = 4000, bytes = 256 })
+  if ok and r and r:match("\xff\x53\x4d\x42") then
+    return V.POSS, "SMB port 445 open — PrintNightmare (CVE-2021-1675) requires Spooler + domain enum"
+  end
+  return V.NOT, "SMB not responding or not Windows"
+end
+
+-- ── Main ─────────────────────────────────────────────────────────────────────
+
+action = function(host, port)
+  local out    = stdnse.output_table()
+  local checks = {
+    { name = "PJL NVRAM info-leak",          fn = check_pjl_nvram,       xpl = "xpl/edb-cve-2017-2741" },
+    { name = "HP PostScript RCE path",       fn = check_hp_ps_rce,       xpl = "xpl/edb-cve-2025-26506" },
+    { name = "CUPS PPD injection",           fn = check_cups_ppd_inject,  xpl = "xpl/research/research-cups-chain-2026" },
+    { name = "Lexmark IPP BOF",             fn = check_lexmark_ipp_bof,  xpl = "xpl/edb-cve-2023-50739" },
+    { name = "Canon SLP pre-auth BOF",      fn = check_canon_slp,        xpl = "xpl/edb-cve-2022-24673" },
+    { name = "Xerox command injection surface", fn = check_xerox_cmd_inject, xpl = "xpl/edb-cve-2024-6333" },
+    { name = "Sharp unauthenticated RCE",   fn = check_sharp_rce,        xpl = "xpl/research/research-sharp-rce" },
+    { name = "PrintNightmare SMB exposure", fn = check_print_spooler,    xpl = "xpl/edb-50498" },
+  }
+
+  local results = {}
+  local top_verdict = V.NOT
+  local top_xpl     = nil
+
+  for i, chk in ipairs(checks) do
+    local verdict, detail = chk.fn(host, port)
+    local label = string.format("[CHECK %d] %-30s: %s", i, chk.name, verdict)
+    if detail and detail ~= "" then
+      label = label .. " (" .. detail .. ")"
+    end
+    table.insert(results, label)
+
+    -- Track overall verdict
+    if verdict == V.VULN and top_verdict ~= V.VULN then
+      top_verdict = V.VULN
+      top_xpl     = chk.xpl
+    elseif verdict == V.POSS and top_verdict == V.NOT then
+      top_verdict = V.POSS
+      top_xpl     = chk.xpl
+    end
+  end
+
+  out["Checks"] = results
+  out["Overall-Verdict"] = top_verdict
+
+  if top_xpl then
+    out["Suggest"] = "printerxpl-forge run --module " .. top_xpl .. " --target " .. host.ip
+  end
+
+  out["Full-Scan"] = "pip install printerxpl-forge  |  printerxpl-forge scan --target " .. host.ip
+
+  return out
+end