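I have left this untouched since firmware 1.20 was released, so I will take this opportunity to install the hack kit and do the following:
・Verify firmware 1.20 + hack kit
・Build the K-OF exhibition environment

In addition, to make it possible to log in to the standard firmware of the HS-DH250GL, I use an LS-GL that already runs the hack kit.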
ude:~# tail -f /var/log/messages
    :
    :
Nov 1 10:16:17 ude kernel: usb 2-1: new high speed USB device using ehci_platform and address 2
Nov 1 10:16:17 ude kernel: usb 2-1: configuration #1 chosen from 1 choice
Nov 1 10:16:17 ude kernel: scsi2 : SCSI emulation for USB Mass Storage devices
Nov 1 10:16:22 ude kernel: Vendor: SAMSUNG Model: JDPPB08546 Rev: 0-05
Nov 1 10:16:22 ude kernel: Type: Direct-Access ANSI SCSI revision: 02
Nov 1 10:16:22 ude kernel: SCSI device sdb: 488397168 512-byte hdwr sectors (250059 MB)
Nov 1 10:16:22 ude kernel: sdb: Write Protect is off
Nov 1 10:16:22 ude kernel: SCSI device sdb: 488397168 512-byte hdwr sectors (250059 MB)
Nov 1 10:16:22 ude kernel: sdb: Write Protect is off
Nov 1 10:16:22 ude kernel: sdb: sdb1 sdb2 sdb4 < sdb5 sdb6 >
Nov 1 10:16:22 ude kernel: sd 2:0:0:0: Attached scsi disk sdb
Nov 1 10:16:22 ude kernel: sd 2:0:0:0: Attached scsi generic sg1 type 0

ude:~# mkdir /tmp/root
ude:~# mount /dev/sdb2 /tmp/root
ude:~# ls /tmp/root
bin boot dev etc home lib lost+found mnt proc root sbin share sys tmp usr var www
ude:~#

ude:~# ls -l /tmp/root/usr/sbin/telnetd
lrwxrwxrwx 1 root root 17 Sep 2 02:31 /tmp/root/usr/sbin/telnetd -> ../../bin/busybox
ude:~# cd /tmp/root/etc/init.d/
ude:/tmp/root/etc/init.d# mv rcS rcS.orig
ude:/tmp/root/etc/init.d# cp rcS.orig rcS
ude:/tmp/root/etc/init.d# ls -l rcS*
-rwxr-xr-x 1 root root 1374 Nov 1 2008 rcS
-rwxr-xr-x 1 root root 1374 Jun 6 10:19 rcS.orig
ude:/tmp/root/etc/init.d# vi rcS
    :
    :
ude:/tmp/root/etc/init.d# diff -c rcS.orig rcS
*** rcS.orig Fri Jun 6 10:19:55 2008 --- rcS Sat Nov 1 10:22:11 2008 *************** *** 41,47 **** done # telnetd for debug ! # /usr/sbin/telnetd # echo "** step3 **" --- 41,47 ---- done # telnetd for debug ! /usr/sbin/telnetd # echo "** step3 **"
ude:/tmp/root/etc/init.d#
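
Review bot: at line 44 of rcS, /usr/sbin/telnetd now starts unconditionally on every boot while the comment above it still reads "telnetd for debug". Since the login is only needed until the hack kit is installed, mark the line as temporary in that comment and put rcS.orig back afterwards, so the cleartext login service does not stay enabled.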

ude:/tmp/root/etc/init.d# cd ..
ude:/tmp/root/etc# mv shadow shadow.orig
ude:/tmp/root/etc# cp shadow.orig shadow
ude:/tmp/root/etc# ls -l shadow*
-r-------- 1 root root 370 Nov 1 10:23 shadow
-rw------- 1 root root 344 Mar 1 2008 shadow-
-r-------- 1 root root 370 Oct 8 22:53 shadow.orig
ude:/tmp/root/etc# vi shadow
    :
    :
ude:/tmp/root/etc# diff -c shadow.orig shadow
*** shadow.orig Wed Oct 8 22:53:31 2008 --- shadow Sat Nov 1 10:24:06 2008 *************** *** 1,4 **** ! root:(暗号化されたパスワード):11009:0:99999:7::: bin:*:11009:0:99999:7::: daemon:*:11009:0:99999:7::: halt:*:11009:0:99999:7::: --- 1,4 ---- ! root::11009:0:99999:7::: bin:*:11009:0:99999:7::: daemon:*:11009:0:99999:7::: halt:*:11009:0:99999:7:::
ude:/tmp/root/etc#

Done.
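
Review bot: the root entry on line 1 of shadow now has an empty password field, which together with telnetd started from rcS gives a root login with no password to anyone who can reach the box. Writing a password hash generated on the working host into that field would keep the login usable without leaving it open, and shadow.orig should be restored once access is no longer needed.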

ude:/tmp/root/etc# cd /
ude:/# umount /tmp/root
ude:/#
ude:/# tail -f /var/log/messages
    :
    :
Nov 1 10:27:18 ude kernel: usb 2-1: USB disconnect, address 2

Log in via telnet.

BUFFALO INC. LinkStation series HS-DHGL(JINMU)
HS-DHGLEA2 login: root
root@HS-DHGLEA2:~# cat /etc/linkstation_release
VERSION=1.20
SUBVERSION=HDD 0.76
PRODUCTID=0x0000000A
BUILDDATE=2008/10/01 11:00:22
root@HS-DHGLEA2:~# ifconfig -a
eth0      Link encap:Ethernet HWaddr 00:16:01:FC:0E:A2
          inet addr:192.168.2.43 Bcast:192.168.2.255 Mask:255.255.255.0
          UP BROADCAST NOTRAILERS RUNNING ALLMULTI MULTICAST MTU:1500 Metric:1
          RX packets:36647 errors:0 dropped:0 overruns:0 frame:0
          TX packets:20812 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:512
          RX bytes:47963117 (45.7 MiB) TX bytes:1686727 (1.6 MiB)
          Interrupt:21
lo        Link encap:Local Loopback
          inet addr:127.0.0.1 Mask:255.0.0.0
          UP LOOPBACK RUNNING MTU:16436 Metric:1
          RX packets:323 errors:0 dropped:0 overruns:0 frame:0
          TX packets:323 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:74893 (73.1 KiB) TX bytes:74893 (73.1 KiB)
root@HS-DHGLEA2:~#

The IP address 192.168.2.43 has been assigned.
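
The telnet login above reaches a root shell with no password prompt, because rcS now starts telnetd and root's shadow password field is empty. As an added example (not part of the original post), the following shell functions check a mounted root filesystem, such as /tmp/root above, for both conditions; the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a mounted root filesystem for a passwordless account
# and an enabled telnetd. Function names and sample data are constructed.

# Print "empty-password:<user>" for each shadow entry whose hash field is empty.
empty_password_accounts() {
    [ -r "$1/etc/shadow" ] || return 0
    awk -F: '$2 == "" { print "empty-password:" $1 }' "$1/etc/shadow"
}

# Print "telnetd-enabled:<file>:<line>" for each init script line that
# invokes telnetd and is not commented out.
telnetd_enabled() {
    [ -d "$1/etc/init.d" ] || return 0
    for f in "$1"/etc/init.d/*; do
        [ -f "$f" ] || continue
        awk -v f="${f#"$1"}" '
            /^[ \t]*#/ { next }    # skip commented-out lines
            $0 ~ "(^|[ \t/])telnetd([ \t]|$)" { print "telnetd-enabled:" f ":" NR }
        ' "$f"
    done
}

# Run both checks against the root filesystem mounted at $1.
audit_rootfs() {
    empty_password_accounts "$1"
    telnetd_enabled "$1"
}

# Constructed sample tree mirroring the edited rcS and shadow on this page.
make_sample() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/etc/init.d"
    printf '%s\n' 'root::11009:0:99999:7:::' 'bin:*:11009:0:99999:7:::' \
        > "$d/etc/shadow"
    printf '%s\n' 'done' '# telnetd for debug' '/usr/sbin/telnetd' \
        > "$d/etc/init.d/rcS"
    printf '%s\n' 'done' '# telnetd for debug' '# /usr/sbin/telnetd' \
        > "$d/etc/init.d/rcS.orig"
    echo "$d"
}

sample=$(make_sample)
audit_rootfs "$sample"
rm -rf "$sample"
```

Against a real disk, mount the partition first and pass the mount point, for example `audit_rootfs /tmp/root`.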

root@HS-DHGLEA2:~# cd /mnt/disk1/share/debian
root@HS-DHGLEA2:/mnt/disk1/share/debian# ls
LS-GL_hackkit_2.10.sh LS-GL_hackkit_2.10.tar.gz
root@HS-DHGLEA2:/mnt/disk1/share/debian#

root@HS-DHGLEA2:/mnt/disk1/share/debian# mv LS-GL_hackkit_2.10.sh LS-GL_hackkit_2.10.sh.orig
root@HS-DHGLEA2:/mnt/disk1/share/debian# cp LS-GL_hackkit_2.10.sh.orig LS-GL_hackkit_2.10.sh
root@HS-DHGLEA2:/mnt/disk1/share/debian# vi LS-GL_hackkit_2.10.sh
    :
    :
root@HS-DHGLEA2:/mnt/disk1/share/debian# diff -c LS-GL_hackkit_2.10.sh.orig LS-GL_hackkit_2.10.sh
*** LS-GL_hackkit_2.10.sh.orig Sat Jan 26 09:56:58 2008 --- LS-GL_hackkit_2.10.sh Sat Nov 1 10:51:15 2008 *************** *** 1,10 **** #! /bin/sh -x ! ADDRESS=192.168.1.38 ! NETWORK=192.168.1.0 NETMASK=255.255.255.0 ! BROADCAST=192.168.1.255 ! GATEWAY=192.168.1.1 NAMESERVER=192.168.1.2 HOSTNAME=hackkit --- 1,10 ---- #! /bin/sh -x ! ADDRESS=192.168.2.46 ! NETWORK=192.168.2.0 NETMASK=255.255.255.0 ! BROADCAST=192.168.2.255 ! GATEWAY=192.168.2.1 NAMESERVER=192.168.1.2 HOSTNAME=hackkit
root@HS-DHGLEA2:/mnt/disk1/share/debian#
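
Review bot: NAMESERVER stays at 192.168.1.2 while ADDRESS, NETWORK, BROADCAST and GATEWAY all move to 192.168.2.x. If that resolver is not reachable through 192.168.2.1, name resolution on the installed system will fail, so confirm this is intentional or update it along with the other values.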

Nov 1 10:59:33 HS-DHGLEA2 kernel: usb 2-1: new high speed USB device using ehci_platform and address 2
Nov 1 10:59:34 HS-DHGLEA2 kernel: usb 2-1: configuration #1 chosen from 1 choice
Nov 1 10:59:34 HS-DHGLEA2 kernel: scsi2 : SCSI emulation for USB Mass Storage devices
Nov 1 10:59:39 HS-DHGLEA2 kernel: Vendor: Maxtor 6 Model: J6QE Rev: 11W0
Nov 1 10:59:39 HS-DHGLEA2 kernel: Type: Direct-Access ANSI SCSI revision: 02
Nov 1 10:59:39 HS-DHGLEA2 kernel: SCSI device sdb: 320173056 512-byte hdwr sectors (163929 MB)
Nov 1 10:59:39 HS-DHGLEA2 kernel: sdb: Write Protect is off
Nov 1 10:59:39 HS-DHGLEA2 kernel: sdb: assuming drive cache: write through
Nov 1 10:59:39 HS-DHGLEA2 kernel: SCSI device sdb: 320173056 512-byte hdwr sectors (163929 MB)
Nov 1 10:59:39 HS-DHGLEA2 kernel: sdb: Write Protect is off
Nov 1 10:59:39 HS-DHGLEA2 kernel: sdb: assuming drive cache: write through
Nov 1 10:59:39 HS-DHGLEA2 kernel: sdb: sdb1 sdb2 sdb4 < sdb5 sdb6 >
Nov 1 10:59:39 HS-DHGLEA2 kernel: sd 2:0:0:0: Attached scsi disk sdb
Nov 1 10:59:39 HS-DHGLEA2 kernel: sd 2:0:0:0: Attached scsi generic sg1 type 0
Nov 1 10:59:41 HS-DHGLEA2 kernel: ext3: No journal on filesystem on sdb1

The disk is already partitioned for LS-WSGL.

root@HS-DHGLEA2:/mnt/disk1/share/debian# df
Filesystem           1k-blocks      Used Available Use% Mounted on
/dev/sda2               493212    281048    212164  57% /
/dev/ram1                15360       116     15244   1% /mnt/ram
/dev/ls_disk1_1         287785     14890    258037   5% /boot
/dev/ls_disk1_6      243057136    140256 242916880   0% /mnt/disk1
/dev/ls_usbdisk2_1      988064    120764    867300  12% /mnt/usbdisk2
root@HS-DHGLEA2:/mnt/disk1/share/debian#

It was automatically mounted on /mnt/usbdisk2, so unmount it.

root@HS-DHGLEA2:/mnt/disk1/share/debian# umount /mnt/usbdisk2
root@HS-DHGLEA2:/mnt/disk1/share/debian#

root@HS-DHGLEA2:/mnt/disk1/share/debian# fdisk /dev/sdb
The number of cylinders for this disk is set to 19929.
There is nothing wrong with that, but this is larger than 1024,
and could in certain setups cause problems with:
1) software that runs at boot time (e.g., old versions of LILO)
2) booting and partitioning software from other OSs
   (e.g., DOS FDISK, OS/2 FDISK)
Command (m for help): p
Disk /dev/sdb: 163.9 GB, 163928604672 bytes
255 heads, 63 sectors/track, 19929 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
   Device Boot      Start         End      Blocks   Id  System
/dev/sdb1               1         125     1004031   83  Linux
/dev/sdb2             126         748     5004247+  83  Linux
/dev/sdb4             749       19929   154071382+   5  Extended
/dev/sdb5             749         873     1004031   83  Linux
/dev/sdb6             874       19929   153067288+  83  Linux
Command (m for help):

First, delete the partitions.

Command (m for help): d
Partition number (1-6): 6
Command (m for help): d
Partition number (1-5): 5
Command (m for help): d
Partition number (1-5): 4
Command (m for help): d
Partition number (1-4): 2
Command (m for help): d
Selected partition 1
Command (m for help): p
Disk /dev/sdb: 163.9 GB, 163928604672 bytes
255 heads, 63 sectors/track, 19929 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
   Device Boot      Start         End      Blocks   Id  System
Command (m for help):

Next, create the partitions.

Command (m for help): n
Command action
   e   extended
   p   primary partition (1-4)
p
Partition number (1-4): 1
First cylinder (1-19929, default 1):
Using default value 1
Last cylinder or +size or +sizeM or +sizeK (1-19929, default 19929): +200M
Command (m for help): n
Command action
   e   extended
   p   primary partition (1-4)
p
Partition number (1-4): 2
First cylinder (26-19929, default 26):
Using default value 26
Last cylinder or +size or +sizeM or +sizeK (26-19929, default 19929): +2048M
Command (m for help): n
Command action
   e   extended
   p   primary partition (1-4)
p
Partition number (1-4): 3
First cylinder (276-19929, default 276):
Using default value 276
Last cylinder or +size or +sizeM or +sizeK (276-19929, default 19929): +256M
Command (m for help): n
Command action
   e   extended
   p   primary partition (1-4)
p
Selected partition 4
First cylinder (308-19929, default 308):
Using default value 308
Last cylinder or +size or +sizeM or +sizeK (308-19929, default 19929):
Using default value 19929
Command (m for help): p
Disk /dev/sdb: 163.9 GB, 163928604672 bytes
255 heads, 63 sectors/track, 19929 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
   Device Boot      Start         End      Blocks   Id  System
/dev/sdb1               1          25      200781   83  Linux
/dev/sdb2              26         275     2008125   83  Linux
/dev/sdb3             276         307      257040   83  Linux
/dev/sdb4             308       19929   157613715   83  Linux
Command (m for help): t
Partition number (1-4): 3
Hex code (type L to list codes): 82
Changed system type of partition 3 to 82 (Linux swap)
Command (m for help): p
Disk /dev/sdb: 163.9 GB, 163928604672 bytes
255 heads, 63 sectors/track, 19929 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
   Device Boot      Start         End      Blocks   Id  System
/dev/sdb1               1          25      200781   83  Linux
/dev/sdb2              26         275     2008125   83  Linux
/dev/sdb3             276         307      257040   82  Linux swap
/dev/sdb4             308       19929   157613715   83  Linux
Command (m for help): w
The partition table has been altered!
Calling ioctl() to re-read partition table.
Syncing disks.
root@HS-DHGLEA2:/mnt/disk1/share/debian#

root@HS-DHGLEA2:/mnt/disk1/share/debian# sh LS-GL_hackkit_2.10.sh
    :
    :
creating network_interfaces ...
creating resolv.conf ...
creating hosts ...
creating hostname ...
root@HS-DHGLEA2:/mnt/disk1/share/debian#

Press and hold the power button of the new-model HS-DHGL to shut it down.

Debian GNU/Linux 4.0
hackkit login: guest
Password:
Linux hackkit 2.6.16.16-arm1 #69 Wed Oct 1 10:59:37 JST 2008 armv5tejl
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
No directory, logging in with HOME=/
guest@hackkit:/$

guest@hackkit:/$ su - root
Password:
hackkit:~#

hackkit:~# passwd root
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
hackkit:~#

hackkit:~# addgroup yamasita
Adding group `yamasita' (GID 1000) ...
Done.
hackkit:~# mkdir /home/yamasita
hackkit:~# adduser --home /home/yamasita/yasunari --ingroup yamasita yasunari
Adding user `yasunari' ...
Adding new user `yasunari' (1001) with group `yamasita' ...
Creating home directory `/home/yamasita/yasunari' ...
Copying files from `/etc/skel' ...
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for yasunari
Enter the new value, or press ENTER for the default
        Full Name []: Yasunari Yamashita
        Room Number []:
        Work Phone []:
        Home Phone []:
        Other []:
Is the information correct? [y/N] y
hackkit:~#

Debian GNU/Linux 4.0
hackkit login: yasunari
Password:
Linux hackkit 2.6.16.16-arm1 #69 Wed Oct 1 10:59:37 JST 2008 armv5tejl
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
yasunari@hackkit:~$ su - root
Password:
hackkit:~# deluser guest
Removing user `guest' ...
Done.
hackkit:~#

hackkit:~# apt-get update
    :
    :

hackkit:~# apt-get upgrade
    :
    :

hackkit:~# apt-get upgrade
hackkit:~#

That should about do it.
Right, time to get the exhibition gear together.