Unauthenticated Authentication Bypass and RCE in PaperCut MF/NG
CVE-2023-27350 is a critical improper access control vulnerability in PaperCut MF/NG affecting PaperCut MF or NG version 8.0 or later, including documented affected ranges 8.0.0 through 19.2.7, 20.0.0 through 20.1.6, 21.0.0 through 21.2.10, and 22.0.0 through 22.0.8. The flaw exists within the SetupCompleted class and allows a remote, unauthenticated attacker to bypass authentication on exposed PaperCut application servers. Public reporting and government/vendor advisories indicate the authentication bypass can be chained with built-in product functionality, particularly the print scripting interface and in some cases User/Group Sync features, to execute arbitrary commands remotely. Because the PaperCut application server process (pc-app.exe) runs with elevated privileges, exploitation can result in code execution as SYSTEM on Windows or root on Linux. The vulnerability was observed being actively exploited in the wild beginning in April 2023.
Impact, mitigation & remediation
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
Impact
What an attacker gets, and what they’ve been doing with it.
Mitigation
If you can’t patch tonight, do this now.
Remediation
Patch, then assume compromise.
Exploits
8 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (3 hidden).
This is a small standalone exploit repository for CVE-2023-27350 targeting PaperCut NG/MF. The repository contains only three files: LICENSE, README.md, and a single Python exploit script (exploit.py). The code is not part of a larger exploitation framework; it is a self-contained operational exploit that automates authentication bypass, configuration changes, malicious script injection, and delivery of a Java payload.
The exploit flow is straightforward: it first abuses the unauthenticated /app?service=page/SetupCompleted endpoint to obtain an authenticated administrative session. It then parses the returned HTML to estimate the major PaperCut version. For versions 19 and newer, it uses ConfigEditor POST requests to enable print scripting (print-and-device.script.enabled=Y) and disable sandboxing (print.script.sandboxed=N). Next, it selects a hardcoded printer object (l1001) and submits a malicious RhinoJS print script through the PrinterDetails form. That script constructs a java.net.URLClassLoader pointing to an attacker-controlled URL hosting payload.jar, loads the payload's Main-Class, instantiates it, and invokes main([]), resulting in arbitrary code execution inside the PaperCut JVM.
The script also starts a minimal local HTTP server using Python's http.server/socketserver modules to serve the attacker-provided JAR exactly once. It reads META-INF/MANIFEST.MF from the JAR to determine the Main-Class automatically, defaulting to metasploit.Payload if none is found. The README instructs the operator to generate the JAR with msfvenom using java/shell_reverse_tcp and to catch the callback with netcat, so the intended end result is a reverse shell.
Notable implementation details: TLS verification is disabled; success detection for the auth bypass is based on HTTP 200 and presence of the string 'papercut' in the response body; printer ID l1001 is hardcoded; and the exploit attempts to restore the modified PaperCut settings after execution.
Overall, this repository is a real exploit, not a detector, and provides authentication bypass plus RCE capability against vulnerable PaperCut instances that can reach the attacker's HTTP server.
This repository contains a Bash exploit script (rce.sh) targeting CVE-2023-27350, a critical authentication bypass and remote code execution vulnerability in PaperCut NG/MF print management software. The exploit automates the process of bypassing authentication, enabling the printer scripting engine, disabling its sandbox, and injecting a malicious script that executes arbitrary system commands on the server. The script interacts with the PaperCut web interface over HTTP(S), optionally via a proxy, and requires the attacker to specify the target URL and command to execute. The README provides usage instructions and example payloads, including reverse shell callbacks. The exploit is operational, providing real RCE if the target is vulnerable and properly configured. No detection-only scripts are present; the code is a working exploit. The only code file is rce.sh, with LICENSE and README.md providing documentation and legal information.
This repository contains a Python proof-of-concept exploit for CVE-2023-27350, a critical authentication bypass and remote code execution vulnerability in PaperCut MF/NG (version 8.0 or later, unpatched). The exploit consists of a single Python script (CVE-2023-27350.py) and a README.md file. The script automates the exploitation process by first bypassing authentication to obtain a valid session, then enabling and abusing the PaperCut scripting functionality to execute arbitrary system commands on the server. The exploit interacts with the PaperCut web interface via HTTP requests to specific endpoints, and can be used to run any command supplied by the attacker. The README provides usage instructions and mitigation advice. The exploit is operational and demonstrates real-world impact, allowing unauthenticated attackers with network access to the PaperCut web interface to achieve remote code execution.
This repository contains a proof-of-concept exploit for CVE-2023-27350, targeting PaperCut MF/NG web applications. The exploit is implemented in a single Python script (cve-2023-27350.py) and is accompanied by a README.md that explains the vulnerability and usage. The script takes a target IP address as input and attempts to access the PaperCut web interface on port 9191. It first checks the version by accessing the SetupCompleted page, then demonstrates how to bypass authentication by directly visiting the Dashboard page. If successful, this grants the attacker unauthenticated access to the admin panel, allowing them to review or change system settings. The exploit is a network-based web exploit and does not require valid credentials. The repository is structured simply, with one exploit script and a README providing context and usage instructions.
This repository contains a Python exploit (exploit.py) targeting CVE-2023-27350, an unauthenticated remote code execution vulnerability in PaperCut MF/NG servers prior to version 22.0.8. The exploit leverages improper access controls in the SetupCompleted Java class to bypass authentication and gain administrative access. It then reconfigures the server to enable scripting and disables sandboxing, allowing the injection of a malicious print script that executes arbitrary system commands via java.lang.Runtime.getRuntime().exec(). The exploit provides an interactive shell for the attacker, running commands as SYSTEM/root. The script attempts to revert configuration changes on exit or when interrupted. The main attack vector is network-based, requiring access to the PaperCut web interface. The endpoints targeted are various /app HTTP endpoints used for authentication bypass, configuration changes, and command execution. The repository consists of a single exploit script and a README with usage instructions and warnings.
This repository provides a Python script (papercut.py) that targets CVE-2023-27350, an authentication bypass vulnerability in PaperCut MF/NG print management software. The script is designed for mass scanning: it takes a file containing a list of domain names or IP addresses, then uses multithreading to check each target for the vulnerability. It does this by sending HTTP requests to specific endpoints (/app?service=page/SetupCompleted and /app?service=page/Dashboard) and parsing the responses to determine if authentication can be bypassed and to extract the PaperCut version. Results are saved to a Results/Results.txt file. The repository also includes a README.md with usage instructions and a requirements.txt listing Python dependencies. The exploit is a proof-of-concept for mass vulnerability assessment, not a weaponized exploit, and does not provide post-exploitation payloads.
This repository contains a proof-of-concept (POC) exploit for CVE-2023-27350, an authentication bypass and remote code execution vulnerability in PaperCut MF/NG. The main file, 'CVE-2023-27350.py', is a Python script that automates exploitation by first bypassing authentication to obtain a valid session, then abusing the application's scripting functionality to execute arbitrary system commands on the target server. The exploit interacts with the PaperCut web interface via HTTP requests, modifying configuration settings to enable scripting and disable sandboxing, and then injects a malicious script to trigger command execution. The script is parameterized to allow the user to specify the target URL and the command to execute. The README provides usage instructions, technical background, and mitigation advice. The exploit is network-based and targets PaperCut servers accessible over HTTP(S). Notable endpoints include the PaperCut web interface (e.g., 'http://10.0.40.56:9191/app') and a hardcoded callback URL used in a sample payload. The repository is structured simply, with one exploit script and a README.
This repository provides a Python-based proof-of-concept exploit for CVE-2023-27350, a critical unauthenticated remote code execution vulnerability in PaperCut MF/NG. The main exploit script (CVE-2023-27350.py) allows an attacker to:
- Check if one or more PaperCut servers are vulnerable (via a single URL or a file of IPs)
- Exploit the vulnerability to execute arbitrary commands or obtain a reverse shell as SYSTEM on the target
The exploit works by interacting with the PaperCut web management interface, modifying configuration settings to enable scripting, and injecting a malicious script that executes attacker-supplied commands. The script supports both direct command execution and reverse shell payloads. The repository includes a README with detailed usage instructions, a requirements.txt for dependencies (argparse, requests), and standard project files. The attack vector is network-based, targeting the HTTP interface of PaperCut servers. The exploit is operational and can be used for real-world attacks if the target is unpatched.
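A defender-side view of the request sequence these descriptions share, as an added example that is not taken from this page's sources or from any of the repositories: it scans access-log lines for a client that receives HTTP 200 from /app?service=page/SetupCompleted and then makes further /app requests. The combined log format (for example from a reverse proxy in front of port 9191), the sample lines, the 10-minute window and the name find_suspects are assumptions.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import unquote

# Constructed sample lines; the combined log format is an assumption.
SAMPLE_LOG = """\
203.0.113.7 - - [18/Apr/2023:10:01:02 +0000] "GET /app?service=page/SetupCompleted HTTP/1.1" 200 4312
203.0.113.7 - - [18/Apr/2023:10:01:03 +0000] "POST /app HTTP/1.1" 200 5120
203.0.113.7 - - [18/Apr/2023:10:01:04 +0000] "POST /app HTTP/1.1" 200 5230
198.51.100.20 - - [18/Apr/2023:10:05:00 +0000] "GET /app?service=page/Dashboard HTTP/1.1" 302 0
192.0.2.44 - - [18/Apr/2023:11:00:00 +0000] "GET /app?service=page%2FSetupCompleted HTTP/1.1" 200 4312
192.0.2.44 - - [18/Apr/2023:11:00:01 +0000] "GET /app?service=page/Dashboard HTTP/1.1" 200 20113
10.0.0.5 - - [18/Apr/2023:12:00:00 +0000] "POST /app HTTP/1.1" 200 900
"""

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+')

def find_suspects(log_text, window=timedelta(minutes=10)):
    """Map each client IP that got HTTP 200 from SetupCompleted to the /app
    requests it made afterwards inside `window` (hypothetical helper).
    A lone SetupCompleted hit is kept with an empty list: it is still a probe."""
    bypass_at = {}   # ip -> time of the most recent successful SetupCompleted hit
    suspects = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        ip, ok = m["ip"], m["status"] == "200"
        path = unquote(m["path"])  # normalise %2F so encoded requests still match
        if "service=page/SetupCompleted" in path:
            if ok:
                bypass_at[ip] = ts
                suspects.setdefault(ip, [])
            continue
        started = bypass_at.get(ip)
        if started and ok and ts - started <= window and path.startswith("/app"):
            suspects[ip].append(f'{m["method"]} {path}')
    return suspects

if __name__ == "__main__":
    for ip, followups in find_suspects(SAMPLE_LOG).items():
        print(ip, followups)
```

Any hit should be read alongside the two configuration keys named above (print-and-device.script.enabled and print.script.sandboxed), since a changed value there indicates the session went beyond probing.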
Recent activity
26 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A PaperCut vulnerability exploited by Storm-1175 for initial access in ransomware operations.
A specific PaperCut vulnerability exploited by Storm-1175 as part of its intrusion activity.
A PaperCut vulnerability exploited by Storm-1175 in recent campaigns.
A PaperCut vulnerability exploited by Storm-1175 for initial access.