Hi to nas-central readers.
Here is a small howto in order to add a telnet access to the "d2 network" (Here is the specs of the LaCie's D2 network.
Note: this howto should work also for other LaCie's network family product.
[*] Big disk network (not confirmed)
[*] 2 Big network (not confirmed)
[*] 5 Big network (not confirmed)
("network" family products).
Note: I've done this howto with my NAS opened (which void the warranty). But you should take a close look at belese's post : add ssh without dissambling
(in the "Network Space" section of this forum).
[*] Make a backup
of you're disk using a unix live CD (ie: knoppix) and the dd
Browse this forum if you don't know how to do this.
For the moment dd images of the d2 network are not in the nas-central repository
, I'll upload mine when I've some spare time.
[*] Open you're NAS and get the hard drive (!!! THIS WILL REMOVE YOUR WARRANTY !!!):
to avoid breaking the warranty seal. This is just a sticker on one of the 4 rear screws. So do not unscrew the one with the sticker and rotate the rear part to get the disk.
[*] Downoad the telnet deamon has explained by Jimmy in his his blog
[*] Create a backdoor script :
echo "Content-type: text/plain"
echo $QUERY_STRING | sed s/"%20"/" "/
eval `echo "$QUERY_STRING" | sed s/"%20"/" "/`
I've called mine "exploit.cgi".
The "sed" command replace "%20" characters send by your web browser by spaces. Thus allow us to use command with spaces (like "ls -lsa").
[*] Put the utelned and exploit.cgi files in a drive readable from the live cd (usb key, primary HDD...).
[*] Launch you're Live CD with the disk plugged in your PC and browse to the sdX8 partition (the one with the "www" folder). For my config the disk was sda8 (if you've plug your hard drive in second this can be sdb8).
mount /dev/sda8 /mnt/sda8 -text3
Copy the utelnetd and exploit file in the www public folder, and make them executable :
cp <my_source>/utelnetd /mnt/sda8/www/cgi-bin/public/
cp <my_source>/exploit.cgi /mnt/sda8/www/cgi-bin/public/
chmod +x utelnetd
chmod +x exploit.cgi
Note: You're exploit.cgi file is not in DOS format ?
You shouldn't have "^M" at the end of each lines.
[*] Shut down you're computer, place the d2 disk in his box. Start the D2, start your web browser and enter the following url :
(replace "cerise" by your d2 IP)
If the content of the www public folder is displayed then your backdoor is working (also try "ls -lsa" to see if the sed command works).
[*] If the backdoor works you can launch the telnet deamon :
http://<your d2 ip>
/cgi-bin/public/exploit.cgi?utelnetd -l /bin/sh
[*] now you can telnet your d2 !
Happy hacking !