Difference between revisions of "SuccessStories"

From NAS-Central Lacie Wiki
Jump to: navigation, search
(New page: This is about the edmini V2, bought in 2007, single disk model with 320 / 500 / 750 GB SATA disk and ARM CPU. The nicest way of adding a web browser and telnet backdoor to the edmini woul...)
 
Line 3: Line 3:
 
The nicest way of adding a web browser and telnet backdoor to the edmini would of course be the built in web update function, available through the web interface. It works based on gpg signed tar files that are verified, unpacked and that can then replace particular components in the root file system. Snapshots of the previous configuration are kept in separate paritions. I have not yet tested whether these updates would interfere with custom modifications such as added binaries and shell scripts.
 
The nicest way of adding a web browser and telnet backdoor to the edmini would of course be the built in web update function, available through the web interface. It works based on gpg signed tar files that are verified, unpacked and that can then replace particular components in the root file system. Snapshots of the previous configuration are kept in separate paritions. I have not yet tested whether these updates would interfere with custom modifications such as added binaries and shell scripts.
  
Here I'll describe the warranty voiding way of modifying the edmini. Unfortunately, you need a real linux box with the possibility to connect a SATA hard drive. Yet, you can make images (e.g. with dd) of all paritions used by the system so that you are able to restore to factory defaults if you want. It might also be nice to have dd images when you want to upgrade to a larger / new drive.
+
Here I'll describe the warranty voiding way of modifying the edmini. Remember you are doing this at your own risk and don't expect help, especially from the manufacturer, if things go wrong. Unfortunately, you need a real linux box with the possibility to connect a SATA hard drive. Yet, you can make images (e.g. with dd) of all paritions used by the system so that you are able to restore to factory defaults if you want. It might also be nice to have dd images when you want to upgrade to a larger / new drive.
  
 
Here is the fstab:
 
Here is the fstab:
# Swap partition entry
+
'Swap partition entry'
 
/dev/sda5      swap    swap    defaults        0 0
 
/dev/sda5      swap    swap    defaults        0 0
  
# Mount the ROOT filesystem from the hard drive
+
'Mount the ROOT filesystem from the hard drive'
 
/dev/sda7      /      ext3    defaults,ro    1 1
 
/dev/sda7      /      ext3    defaults,ro    1 1
  
# Mount the virtual proc filesystem
+
'Mount the virtual proc filesystem'
 
none    /proc  proc    defaults        0 0
 
none    /proc  proc    defaults        0 0
  
#UserData
+
'UserData'
 
/dev/sda2      /home  xfs    defaults,rw    1 2
 
/dev/sda2      /home  xfs    defaults,rw    1 2
 +
 +
and here is the rest of the partitions, terminal dump from fdisk -l
 +
 +
Disk /dev/sda: 320.0 GB, 320072933376 bytes
 +
255 heads, 63 sectors/track, 38913 cylinders
 +
Units = cylinders of 16065 * 512 = 8225280 bytes
 +
 +
  Device Boot    Start      End    Blocks  Id  System
 +
/dev/sda1              1        125    1004031    5  Extended
 +
/dev/sda2            126      38913  311564610  83  Linux
 +
/dev/sda5              1          16      128457  82  Linux swap
 +
/dev/sda6              17          17        8001  83  Linux
 +
/dev/sda7              18          18        8001  83  Linux
 +
/dev/sda8              19          34      128488+  83  Linux
 +
/dev/sda9              35        125      730926  83  Linux
 +
 +
After you created images, let's get things to work. And I advise you once more, make your partition images! As described by Jim and Admar, add browser shell support to the system. A few lines of text, and you have a back door through your web browser. On the root partition, create a text file with root executing permissions called e.g. /www/cgi-bin/admin/webshell.
 +
 +
The contents of the file should look like this:
 +
----------------
 +
#!/bin/sh
 +
 +
echo "Content-type: text/plain"
 +
echo ""
 +
echo $QUERY_STRING
 +
eval $QUERY_STRING
 +
 +
----------------
 +
chmod the permissions and verify that root can execute. Then screw everything back together.
 +
 +
The echo $QUERY_STRING can be useful when you are uncertain if some command gets scrambled. You are now root from the browser command line, as previously described.
 +
 +
Now reboot your edmini and in your browser, test the new system.
 +
http://edmini_IP/cgi-bin/admin/webshell?whoami;pwd;ls -al
 +
 +
after you are prompted for your admin password, the terminal output should be visible
 +
You should be root, the current working directory should be

Revision as of 11:07, 3 January 2008

This is about the edmini V2, bought in 2007, single disk model with 320 / 500 / 750 GB SATA disk and ARM CPU.

The nicest way of adding a web browser and telnet backdoor to the edmini would of course be the built in web update function, available through the web interface. It works based on gpg signed tar files that are verified, unpacked and that can then replace particular components in the root file system. Snapshots of the previous configuration are kept in separate paritions. I have not yet tested whether these updates would interfere with custom modifications such as added binaries and shell scripts.

Here I'll describe the warranty voiding way of modifying the edmini. Remember you are doing this at your own risk and don't expect help, especially from the manufacturer, if things go wrong. Unfortunately, you need a real linux box with the possibility to connect a SATA hard drive. Yet, you can make images (e.g. with dd) of all paritions used by the system so that you are able to restore to factory defaults if you want. It might also be nice to have dd images when you want to upgrade to a larger / new drive.

Here is the fstab: 'Swap partition entry' /dev/sda5 swap swap defaults 0 0

'Mount the ROOT filesystem from the hard drive' /dev/sda7 / ext3 defaults,ro 1 1

'Mount the virtual proc filesystem' none /proc proc defaults 0 0

'UserData' /dev/sda2 /home xfs defaults,rw 1 2

and here is the rest of the partitions, terminal dump from fdisk -l

Disk /dev/sda: 320.0 GB, 320072933376 bytes 255 heads, 63 sectors/track, 38913 cylinders Units = cylinders of 16065 * 512 = 8225280 bytes

  Device Boot    Start       End    Blocks   Id  System

/dev/sda1 1 125 1004031 5 Extended /dev/sda2 126 38913 311564610 83 Linux /dev/sda5 1 16 128457 82 Linux swap /dev/sda6 17 17 8001 83 Linux /dev/sda7 18 18 8001 83 Linux /dev/sda8 19 34 128488+ 83 Linux /dev/sda9 35 125 730926 83 Linux

After you created images, let's get things to work. And I advise you once more, make your partition images! As described by Jim and Admar, add browser shell support to the system. A few lines of text, and you have a back door through your web browser. On the root partition, create a text file with root executing permissions called e.g. /www/cgi-bin/admin/webshell.

The contents of the file should look like this:


  1. !/bin/sh

echo "Content-type: text/plain" echo "" echo $QUERY_STRING eval $QUERY_STRING


chmod the permissions and verify that root can execute. Then screw everything back together.

The echo $QUERY_STRING can be useful when you are uncertain if some command gets scrambled. You are now root from the browser command line, as previously described.

Now reboot your edmini and in your browser, test the new system. http://edmini_IP/cgi-bin/admin/webshell?whoami;pwd;ls -al

after you are prompted for your admin password, the terminal output should be visible You should be root, the current working directory should be