CVE-2021-3441 CVE Check is a Python script to search targets for indicators of compromise for CVE-2021-3441

# HP CVE Check
> A Python threat intelligence tool for automating IoC discovery for CVE-2021-3441. Easily search targets for indicators of compromise.
```
________________
_/_______________/|
/___________/___//|| CVE-2021-3441 Check
|=== |----| ||
| | �| || Author: Tyler Butler
|___________| �| || @tbutler0x90
| ||/.�---.|| | ||
|-||/_____\||-. | |�
|_||==HP===||_|__|/
```
## About
CVE-2021-3441 CVE Check is a Python tool that searches targets for indicators of compromise for CVE-2021-3441. The script reads the product version from the target's HTTP response header. If the product version is vulnerable and a module has been created for it, the script requests the resource that could contain an exploit payload. Once the element that could contain an exploit is loaded, its value is searched for common XSS characters. The program alerts the user on the console if exploit payloads are found and can log findings to an output file.
<div align="center"><b><i>Searching a local Target for IoCs</i></b></div>

## Use
1) Check a target for indicators of compromise
```bash
python3 hp-cve-check.py -i [target ip] -O ./test/output.txt
```
```bash
➜ hp-cve-check git:(master) ✗ python3 hp-cve-check.py -i 192.168.223.1 -O output.txt
________________
_/_______________/|
/___________/___//|| HP CVE Check
|=== |----| ||
| | �| || Author: Tyler Butler
|___________| �| || @tbutler0x90
| ||/.�---.|| | ||
|-||/_____\||-. | |�
|_||==HP===||_|__|/
{!} Starting hp-cve-check
{!} -------- {INFO} Product Version is Supported
{!} -------- {INFO} IoC ID: A1 Path: /DevMgmt/ProductConfigDyn.xml Tag: dd:deviceLocation
{!} Scanning target: 192.168.223.1 for CVE
{!} -------- {INFO} Requesting http://192.168.223.1/DevMgmt/ProductConfigDyn.xml
{!} -------- {INFO}: OK Response, Status Code: 200
{!} -------- {INFO}: Found Something in DeviceLocation Field
{!} -------- {INFO}: Checking for Suspicious characters
{!} -------- {WARNING}: Found Indicator of Compromise
{!} -------- {WARNING}: Field Setting :<script>alert('XSS 2');</script>
{!} -------- {INFO} IoC ID: A2 Path: /DevMgmt/NetAppsDyn.xml Tag: dd:ApplicationServiceName
{!} Scanning target: 192.168.223.1 for CVE
{!} -------- {INFO} Requesting http://192.168.223.1/DevMgmt/NetAppsDyn.xml
{!} -------- {INFO}: OK Response, Status Code: 200
{!} -------- {INFO}: Found Something in DeviceLocation Field
{!} -------- {INFO}: Checking for Suspicious characters
{!} -------- {OK}: No IoCs Detected
{!} -------- {OK}: Payload: test
{!} Ending hp-cve-check ....
```
2) Check a target list for indicators of compromise
```bash
python3 hp-cve-check.py -I [target list] -O [output file]
```
## Options
| Option | Description | Use |
|--- |--- |--- |
| -i | target ip | `-i 192.168.223.1` |
| -I | target file | `-I targets.txt` |
| -O | output file | `-O output.txt` |
## Output Format
If IoCs are found, they are logged to the output file in a greppable format, `[target ip]:[payload]`. When no payload objects are found, `None` is used.
```
➜ hp-cve-check git:(master) ✗ cat ./test/output.txt
192.168.223.1:<script>alert('XSS 2');</script>
192.168.223.1:None
```
## Modules
Because indicators of compromise are found in different resources depending on the product version, `modules` are used to store version-specific configuration options. Modules are stored in the `modules` folder in YAML format. One module yml file is created for each supported version and contains the following options:
+ product
+ path
+ tag
**hp-officejet-4630.yml module**
```yml
---
product: 'HP Officejet 4630'
path: '/DevMgmt/ProductConfigDyn.xml'
tag: 'dd:deviceLocation'
paths:
  - A1: '/DevMgmt/ProductConfigDyn.xml'
    A2: '/DevMgmt/NetAppsDyn.xml'
tags:
  - A1: 'dd:deviceLocation'
    A2: 'dd:ApplicationServiceName'
```
`Paths` and `tags` are broken down based on the IoC Discovery Table described in the vulnerability report, see below.
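The parse-and-check step described under About, driven by the module's `paths` and `tags` and producing the `[target ip]:[payload]` lines from Output Format, as an added example that is not the project's own code. It works on response bodies that have already been fetched; `field_values`, `check_target`, the `SUSPICIOUS` pattern and the sample XML (including its namespace URI) are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Paths and tags from the hp-officejet-4630.yml module, keyed by IoC ID.
MODULE = {
    "paths": {"A1": "/DevMgmt/ProductConfigDyn.xml", "A2": "/DevMgmt/NetAppsDyn.xml"},
    "tags": {"A1": "dd:deviceLocation", "A2": "dd:ApplicationServiceName"},
}

# Assumed indicator set (not the tool's own list): markup delimiters and
# script-bearing tokens that a location or service name has no reason to hold.
SUSPICIOUS = re.compile(r"[<>\"]|javascript:|\bon\w+\s*=", re.IGNORECASE)

# Constructed responses; the namespace URI is a placeholder. A device that
# XML-escapes the stored value returns it as entities, as in A1 here.
SAMPLE = {
    "/DevMgmt/ProductConfigDyn.xml":
        '<cfg xmlns:dd="urn:example:dd"><dd:deviceLocation>'
        "&lt;script&gt;alert('XSS 2');&lt;/script&gt;"
        "</dd:deviceLocation></cfg>",
    "/DevMgmt/NetAppsDyn.xml":
        '<apps xmlns:dd="urn:example:dd"><dd:ApplicationServiceName>'
        "test</dd:ApplicationServiceName></apps>",
}

def field_values(xml_text, qualified_tag):
    """Decoded text of every element whose local name matches the tag."""
    local = qualified_tag.split(":")[-1]
    try:
        root = ET.fromstring(xml_text)  # entities are decoded during parsing
    except ET.ParseError:
        return []  # unparseable body: nothing to inspect
    return [(el.text or "").strip() for el in root.iter()
            if el.tag.rsplit("}", 1)[-1] == local]

def check_target(ip, responses, module=MODULE):
    """Return lines in the '[target ip]:[payload]' output format."""
    lines = []
    for ioc_id, path in sorted(module["paths"].items()):
        values = field_values(responses.get(path, ""), module["tags"][ioc_id])
        hits = [v for v in values if SUSPICIOUS.search(v)]
        lines += [f"{ip}:{h}" for h in hits] or [f"{ip}:None"]
    return lines

if __name__ == "__main__":
    print("\n".join(check_target("192.168.223.1", SAMPLE)))
```

Parsing the XML before matching means an entity-encoded value is checked in its decoded form, which a pattern match over the raw response body would miss.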

## Packages
HP CVE Check is broken down into the `core` and `utils` packages.
**HP CVE Check Packages**
```
➜ hp-cve-check git:(master) ✗ tree
├── lib
│   ├── core
│   │   ├── constants.py
│   │   ├── iocCheck.py
│   │   ├── module_parser.py
│   │   └── requests.py
│   └── utils
│       ├── printer.py
│       └── help.py
├── modules
│   └── hp-officejet-4630.yml
```