General NAS-Central Forums

Welcome to the NAS community
It is currently Fri Nov 24, 2017 2:13 am

All times are UTC




Post new topic Reply to topic  [ 3 posts ] 
Author Message
PostPosted: Wed Jun 03, 2009 7:21 pm 
Offline

Joined: Mon Jun 01, 2009 11:53 am
Posts: 7
Hi to nas-central readers.
Here is a small howto in order to add a telnet access to the "d2 network" (Here is the specs of the LaCie's D2 network.).

Note: this howto should work also for other LaCie's network family product.
[*] Big disk network (not confirmed)
[*] 2 Big network (not confirmed)
[*] 5 Big network (not confirmed)

Image
("network" family products).

Note: I've done this howto with my NAS opened (which void the warranty). But you should take a close look at belese's post : add ssh without dissambling (in the "Network Space" section of this forum).

[*] Make a backup of you're disk using a unix live CD (ie: knoppix) and the dd command.
Browse this forum if you don't know how to do this.
For the moment dd images of the d2 network are not in the nas-central repository, I'll upload mine when I've some spare time.

[*] Open you're NAS and get the hard drive (!!! THIS WILL REMOVE YOUR WARRANTY !!!):
ImageImage
ImageImage
ImageImage
ImageImage

It's easy to avoid breaking the warranty seal. This is just a sticker on one of the 4 rear screws. So do not unscrew the one with the sticker and rotate the rear part to get the disk.

[*] Downoad the telnet deamon has explained by Jimmy in his his blog : http://downloads.nas-central.org/Uploads/LSPro/Binaries/utelnetd

[*] Create a backdoor script :
Quote:
#!/bin/sh

echo "Content-type: text/plain"
echo ""
echo $QUERY_STRING | sed s/"%20"/" "/
eval `echo "$QUERY_STRING" | sed s/"%20"/" "/`


I've called mine "exploit.cgi".
The "sed" command replace "%20" characters send by your web browser by spaces. Thus allow us to use command with spaces (like "ls -lsa").

[*] Put the utelned and exploit.cgi files in a drive readable from the live cd (usb key, primary HDD...).

[*] Launch you're Live CD with the disk plugged in your PC and browse to the sdX8 partition (the one with the "www" folder). For my config the disk was sda8 (if you've plug your hard drive in second this can be sdb8).

Code:
mkdir /mnt/sda8
mount /dev/sda8 /mnt/sda8 -text3
cd mnt/sda8/www/cgi-bin/public


Copy the utelnetd and exploit file in the www public folder, and make them executable :
Code:
cp <my_source>/utelnetd /mnt/sda8/www/cgi-bin/public/
cp <my_source>/exploit.cgi /mnt/sda8/www/cgi-bin/public/
chmod +x utelnetd
chmod +x exploit.cgi


Note: You're exploit.cgi file is not in DOS format ?
Code:
cat exploit.cgi

You shouldn't have "^M" at the end of each lines.

[*] Shut down you're computer, place the d2 disk in his box. Start the D2, start your web browser and enter the following url :

Image
(replace "cerise" by your d2 IP)

If the content of the www public folder is displayed then your backdoor is working (also try "ls -lsa" to see if the sed command works).


[*] If the backdoor works you can launch the telnet deamon :
http://<your d2 ip>/cgi-bin/public/exploit.cgi?utelnetd -l /bin/sh

[*] now you can telnet your d2 !
Image

Happy hacking !
SuperPoney


Top
 Profile  
 
PostPosted: Sun Jun 20, 2010 6:40 am 
Offline

Joined: Sun Jun 20, 2010 6:15 am
Posts: 5
For a really easy 2Big Network hack without opening the box see here: http://forum.nas-central.org/viewtopic.php?f=156&t=676&p=6441#p6441


Top
 Profile  
 
PostPosted: Sun Nov 11, 2012 3:12 pm 
Offline

Joined: Wed Nov 07, 2012 6:02 pm
Posts: 4
It doesn't work. I followed the instructions to the letter, and I couldn't get the backdoor to work.

I think that Lacie have disabled the method in their latest firmware.


Top
 Profile  
 
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 3 posts ] 

All times are UTC


Who is online

Users browsing this forum: No registered users and 10 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
cron
Powered by phpBB® Forum Software © phpBB Group