Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2024-47176 PoC — cups-browsed binds to `INADDR_ANY:631`, trusting any packet from any source

Source
https://github.com/tonyarris/CVE-2024-47176-Scanner
Associated Vulnerability
Title:cups-browsed binds to `INADDR_ANY:631`, trusting any packet from any source (CVE-2024-47176)
Description:CUPS is a standards-based, open-source printing system, and `cups-browsed` contains network printing functionality including, but not limited to, auto-discovering print services and shared printers. `cups-browsed` binds to `INADDR_ANY:631`, causing it to trust any packet from any source, and can cause the `Get-Printer-Attributes` IPP request to an attacker controlled URL. When combined with other vulnerabilities, such as CVE-2024-47076, CVE-2024-47175, and CVE-2024-47177, an attacker can execute arbitrary commands remotely on the target machine without authentication when a malicious printer is printed to.
Description
Scanner for the CUPS vulnerability CVE-2024-47176
Readme
CVE-2024-47176 Scanner
===

Evilsocket's PoC for CVE-2024-47176, trimmed and turned into a scanner. I literally opened it in vim and held down the d key.

Read his research [here](https://www.evilsocket.net/2024/09/26/Attacking-UNIX-systems-via-CUPS-Part-I/). This script just sends the initial UDP packet to port 631 and triggers an http callback, signalling a vulnerable host.

Usage:
```
# clone the repo
git clone https://github.com/tonyarris/CVE-2024-47176-Scanner && cd CVE-2024-47176-Scanner/

# set up a virtualenv
python3 -m venv venv && source venv/bin/activate

# install ippserver
pip3 install ippserver

# set up an http listener, e.g. on app.interactsh.com or with Burp Collaborator

# prepare an input list of IPv4 addresses, one per line

# run
python3 scan.py your.callback-server.com input-list.txt
```
See your results on your callback server:

![results](image.png)
File Snapshot

 [4.0K]  /data/pocs/283044c086d608887e599451d4bd1653ac56e1fd
├── [108K]  image.png
├── [ 885]  README.md
└── [1.3K]  scan.py

0 directories, 3 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →