Dropbear without disassembling (Networkspace)
From NAS-Central Lacie Wiki
Contents[hide] |
Howto install
Download dropbear.zip here, extract it to openshare, open 'openme.html' in a browser, and follow the instructions.
Dropbear will be installed and started, and the root password will be reset to 'root'.
How it works
It uses the trick described in this thread, I only added some automation.
http://networkspace/cgi-bin/admin/backup
It is possible to copy any subdirectory to any other place using http://networkspace/cgi-bin/admin/backup. Just browse to http://networkspace/cgi-bin/admin/backup?update=true&select1=targetdir&select2=sourcedir. In this case it will generate a new directory like this: targetdir/<basename-of-sourcedir>-2010121315121292277769 The addendum looks like a timestamp, but on closer look it seems something different.
/usr/bin/edmini_backup.sh
The new directory name is created in /usr/bin/edmini_backup.sh:
DATE=`date +%Y%m%d%H%m%s`
BACKUP_NAME=$3/${SRC_NAME}-$DATE
At first sight this look as a neat timestamp, but when you look at 'man date', you will find something else:
| %Y | Year, 4 digits |
| %m | Month (01..12) |
| %d | Day (01..31) |
| %H | Hour (00..23) |
| %m | Month (again) (01..12) |
| %s | seconds since 1970-01-01 00:00:00 UTC |
So while I would have choosen another string, it's perfectly predictable, when you know the time on the server when the backup started.
The javascript in the html page
The script first loads http://networkspace.lan/cgi-bin/admin/config in an iframe, and as soon as it's loaded it will start the backup action by loading the backup page in a hidden iframe. Then the user is asked to copy the timestamp from the config page to an edit box, and the script will try 30 consecutive seconds, starting at the given timestamp, to guess the right url of the script copied from openshare.
The to_be_copied/to_be_executed script on openshare
This script will generate a page with a green background, so you can see a green flash when it's executed. Then it will extract dropbear.tgz to /, start dropbear, and reset the root password to 'root'
When it fails
When the embedded javascript fails to find the right url, it either couldn't parse the given timestamp (I tried it on Firefox and Opera), or there is something wrong with the timezone. I'm not sure if the NAS handles daylight saving time. You could try to put both your computer and the NAS on UTC, (Restart the browser after that)
 - NAS-Central Lacie Wiki_files/poweredby_mediawiki_88x31.png)
 - NAS-Central Lacie Wiki_files/88x31.png)