General NAS-Central Forums

Hi,

i found a way to add webshell without dissassembling.

it suppose you have acces to admin of twonkymedia

http://lacie.nas-central.org/wiki/NetworkSpace:_MultimediaServers

First you have to create a file Webshell and copy it to a folder on an usb key



Plug the usb key on the NAS.

i can't upload file so copy this code on a html page :

open it, complete with correct value and click copy

it will display an error, but copy the file but it create a directory with a timestamp.

so to know the name of the directory.

http://your ip:9000/rpc/set_option?contentbase=/

no go to a config page of twonky media(http://your ip:9000/config), and look for a directory, you have now acces to all directory.
go to "/www/cgi-bin/admin/"
there is there the directory with the time-stamp.

copy it and paste to :
http://your ip/cgi-bin/admin/your directory/webshell?

webshell is now working.

after you can follow the procedure here :

http://jebimony.com/blog/content/add-ssh-lacie-edmini-v2

Wow...

That's great!

Hmmm. I'm trying to apply your hack, but I have a hard time modifying backup.html. You have single quotation marks (') where I have double ("), and in your third line they do not match. Your last line I cannot find at all.

Do you mind posting your entire modified backup.html?

I clean the code and put in in my first post, so i remove this post

Thank you for the nice html file. I have tried it and it works.
I already had access because I have opened the NAS before, but now a I have an additional webshell.

It is actually surprisingly simple if I understand it correctly. From a desktop pc, your html file issues commands available on the NAS coded in scripts in /www/cgi-bin/admin and in /usr/bin/edmini.sh to copy files from an usb disk or stick to any location on the NAS. These commands are meant to make backups, but they let you copy any file, anywhere, with executable rights, and we use it to put the webshell backdoor in place. You don't need Twonky to do that. You can exploit Twonky to find out the exact name of the directory, which is difficult to guess because it is the name of the original directory with a many digit time stamp added. Therefore we set the top directory of Twonky to the root directory of the NAS (/) with your nifty command



Then we can use Twonky's web config page to get a directory listing of /www/cgi-bin/admin and see the name of the "backed up" directory. In my case, I could access the webshell by 'going to'



in a web browser. The answer I got to the whoami was

"root"



Anyone else got it working?

hi

thanks to translate my explanation in "real" english!!!
i'm sorry for my english, but i'm a french native speaker.

Thank you for the hack! Let's include it in the wiki. But first some more people that have used it successfully. For instance: does the original webshell file that is "backed up" need to have permissions set to executable? Does it need to come from a ext3-like file system?

i think when it copy, it keep the same right, but i have not test it really.
i think too that you don't need to have a usb key, and can copy directly from /home/openshare, but also, i don't test it.
and for ext3, no, i've done everything from windows with an usb key in ntfs(but be sur your webshell is in UNIX format!!) i've lost more than 2 hours because my webshell was in Windows text mode.

Hi,

Great find (Why didn't i come up with it myself )

I confirm it works and you don't need the usb-stick. Just copy the file (using samba/windows share) to your openshare (create a new folder, as all in this folder will be copied to the admin page. And you just want the backdoor there.

For instance: create a folder 'hack' and name the injection script 'backdoor' (the small script, not the html).

How open your HTML-page and edit the source path to '/home/openshare/hack' and that should be it
You get an error that there is no USB device connected (so what ) and you need to find the timestamped folder. (use twonky)

To make the hack complete:
Copy the telnet deamon (utelnetd) to your openshare and call the following page:
http://networkspace/cgi-bin/admin/hack-<yourtimestamp>/backdoor?/home/openshare/utelnetd -l /bin/bash

This will start telnet without password check. Password check is not (yet) possible as root has no password assigned. You will be authenticated as root.

You're done

Kind regards,
Theike

Congratulations, this is really neat. THANK YOU!

I was less patient with my first edmini V2 more than 2 years ago and grabbed the screwdriver very quickly. Yet, I was always hoping someone would come up with an idea!

I wonder if the hack can be applied to the 2big as well. Here, the RAID1 is kind of an obstacle when trying to access and modify the HD content with another computer. If that worked here (assuming similar applications and shell scripts on the 2big) as well the 2big might be modified while running in RAID 1. And that would mean: No problem with synchronizing two drives and no messing around with mounting them as RAID 1. As soon as I get hold of a 2big I will try it.

Hi

Well, I am either doing something wrong, or lacie have changed some of their scripts. (This is a bit moot, as i have already gained access to the box using earlier techniques, but some folks may strike the same problem)

Also, my device is very new, but i am not sure how to check firmware versions etc.

Anyways...

I have created the directories and scripts as directed above, but when i load the webpage and press the button, the following error message appears briefly before the backup webpage then loads.

"df: /www/cgi-bin/admin: can't find mount point. /www/cgi-bin/admin/backup: line 131: [: -lt: unary operator expected"

some lines of the the backup script i.e. /www/cgi-bin/admin/backup are shown below, line 131 is in red.
I think the real culprit is line 121, in blue - as it appears to be checking that /home is in the destination path. If /home is not in the destination path, the script bombs out and prevents this hack working !?

Is anyone else getting the same problem ?

You can see the firmware version by surfing to the Configuration web page and the click "Support".

Mine is version 1.1.6.

and mine with a possibly new set of (not so hackable) backup scripts, is version 1.1.8

Has anyone else with version 1.1.8 had any success in using the approach as defined in this thread ?

Ack.

Any chance of providing us with a copy of the .8-scripts?

Kind regards,
Theike

hi,

i've got the same error, but it copy file anyway (for me, but i've also 1.1.6).