From here on, I follow the steps in "Modifying RamRoot".
It was a bit of a detour, but this is where having built the tftp server on Linux pays off.

ude:~# cd /srv/tftp/
ude:/srv/tftp# ls
LS-CL+HackKit LS-XHL_1.02
ude:/srv/tftp# mkdir LS-XHL_1.02+telnet
ude:/srv/tftp# (cd LS-XHL_1.02; tar cf - .)|(cd LS-XHL_1.02+telnet/; tar xvf -)
./
./initrd.buffalo
./uImage.buffalo
ude:/srv/tftp# cd LS-XHL_1.02+telnet/
ude:/srv/tftp/LS-XHL_1.02+telnet#

ude:/srv/tftp/LS-XHL_1.02+telnet# dd if=initrd.buffalo of=initrd.gz bs=64 skip=1
132964+1 records in
132964+1 records out
8509728 bytes (8.5 MB) copied, 4.15671 s, 2.0 MB/s
ude:/srv/tftp/LS-XHL_1.02+telnet# ls -l
total 18664
-rw-r--r-- 1 root root 8509792 Dec 26 14:21 initrd.buffalo
-rw-r--r-- 1 root root 8509728 Jan 24 21:37 initrd.gz
-rw-r--r-- 1 root root 2087876 Dec 26 15:39 uImage.buffalo
ude:/srv/tftp/LS-XHL_1.02+telnet#

ude:/srv/tftp/LS-XHL_1.02+telnet# gunzip initrd.gz
ude:/srv/tftp/LS-XHL_1.02+telnet# ls -l
total 43120
-rw-r--r-- 1 root root 33554432 Jan 24 21:37 initrd
-rw-r--r-- 1 root root 8509792 Dec 26 14:21 initrd.buffalo
-rw-r--r-- 1 root root 2087876 Dec 26 15:39 uImage.buffalo
ude:/srv/tftp/LS-XHL_1.02+telnet#

ude:/srv/tftp/LS-XHL_1.02+telnet# mkdir /tmp/root
ude:/srv/tftp/LS-XHL_1.02+telnet# mount -o loop initrd /tmp/root
ude:/srv/tftp/LS-XHL_1.02+telnet#

ude:/srv/tftp/LS-XHL_1.02+telnet# cd /tmp/root
ude:/tmp/root# ls
bin dev lib lost+found proc rootfs share tmp var
debugtool etc linuxrc mnt root sbin sys usr www
ude:/tmp/root# mv linuxrc linuxrc.orig
ude:/tmp/root# cp linuxrc.orig linuxrc
ude:/tmp/root# vi linuxrc
:
:
ude:/tmp/root# diff -c linuxrc.orig linuxrc
*** linuxrc.orig Thu Jul 17 09:12:42 2008
--- linuxrc Sat Jan 24 21:48:18 2009
***************
*** 352,357 ****
--- 352,358 ----
  {
  echo "-RamdiskRoot-"
  echo "0x100" >/proc/sys/kernel/real-root-dev
+ /usr/sbin/telnetd
  }
  CommandMode()
***************
*** 457,463 ****
  echo "linuxrc:choose operation (timeout 4[s])"
  echo -n " 1:RamRoot other:HddRoot ? "
  ## timeout is 4[s]
! ANSWER=`/usr/local/bin/keyinput -t 4`
  case "$ANSWER" in
  1) RamdiskRoot ;;
  9) CommandMode ;;
--- 458,465 ----
  echo "linuxrc:choose operation (timeout 4[s])"
  echo -n " 1:RamRoot other:HddRoot ? "
  ## timeout is 4[s]
! #ANSWER=`/usr/local/bin/keyinput -t 4`
! ANSWER=1
  case "$ANSWER" in
  1) RamdiskRoot ;;
  9) CommandMode ;;
ude:/tmp/root#

Is this about right??

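Review bot: in the second hunk, replacing the `keyinput -t 4` call with a hard-coded `ANSWER=1` makes the `9) CommandMode` branch and the HddRoot default unreachable from the console, so a broken image can no longer be steered away from RamdiskRoot at boot. Keeping the prompt and falling back to 1 only when it returns nothing would preserve that way out. In the first hunk, `/usr/sbin/telnetd` is started inside the RamdiskRoot block with no check that it actually came up.
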
ude:/tmp/root# cd etc/
ude:/tmp/root/etc# mv shadow shadow.orig
ude:/tmp/root/etc# cp shadow.orig shadow
ude:/tmp/root/etc# ls -l shadow*
-rw-r--r-- 1 root root 370 Jan 24 21:49 shadow
-rw-r--r-- 1 root root 370 Jul 10 2008 shadow.orig
ude:/tmp/root/etc#

644 (lol)

ude:/tmp/root/etc# vi shadow
:
:
ude:/tmp/root/etc# diff shadow.orig shadow
1c1
< root:(password):11009:0:99999:7:::
---
> root::11009:0:99999:7:::
ude:/tmp/root/etc#

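Review bot: the changed line `root::11009:0:99999:7:::` leaves root's password field empty, which together with a telnetd started at boot means a root login needs no credential from any host that can reach the device. Putting the hash of a known password in that field instead of blanking it keeps the login usable without that exposure. The `ls -l` output also shows both shadow files as `-rw-r--r--`, so tightening the mode to 600 belongs in the same change.
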
ude:/tmp/root/etc# cd /
ude:/# umount /tmp/root/
ude:/#

ude:/# cd /srv/tftp/LS-XHL_1.02+telnet/
ude:/srv/tftp/LS-XHL_1.02+telnet# ls
initrd initrd.buffalo uImage.buffalo
ude:/srv/tftp/LS-XHL_1.02+telnet# gzip initrd

This takes a long time.

ude:/srv/tftp/LS-XHL_1.02+telnet#

ude:/srv/tftp/LS-XHL_1.02+telnet# mkimage -A ARM -O Linux -T ramdisk -C gzip -a 0x00000000 -e 0x00000000 -n initrd -d initrd.gz initrd.buffalo
Image Name: initrd
Created: Sat Jan 24 21:57:01 2009
Image Type: ARM Linux RAMDisk Image (gzip compressed)
Data Size: 8552785 Bytes = 8352.33 kB = 8.16 MB
Load Address: 0x00000000
Entry Point: 0x00000000
ude:/srv/tftp/LS-XHL_1.02+telnet#

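Added example, not from the original page: the 64 bytes that `dd bs=64 skip=1` discards and `mkimage` regenerates are the U-Boot legacy image header. The Python below parses that header and shows that its CRC32 fields catch a payload swapped in under the old header but pass again once the header is rebuilt, so they detect corruption, not modification. The payloads are constructed stand-ins and the function names are my own.

```python
import gzip
import struct
import zlib

# U-Boot legacy image header: 64 bytes, big-endian (what `dd bs=64 skip=1` drops).
HDR = struct.Struct(">7I4B32s")
MAGIC = 0x27051956
OS_LINUX, ARCH_ARM, TYPE_RAMDISK, COMP_GZIP = 5, 2, 3, 1


def build_image(payload, name=b"initrd"):
    """Wrap payload the way `mkimage -A ARM -O Linux -T ramdisk -C gzip` does."""
    fields = [MAGIC, 0, 0, len(payload), 0, 0, zlib.crc32(payload),
              OS_LINUX, ARCH_ARM, TYPE_RAMDISK, COMP_GZIP, name]
    fields[1] = zlib.crc32(HDR.pack(*fields))  # header CRC, taken with the field zeroed
    return HDR.pack(*fields) + payload


def inspect_image(blob):
    """Parse the header and report which integrity checks the image passes."""
    if len(blob) < HDR.size:
        raise ValueError("shorter than the 64-byte header")
    (magic, hcrc, _time, size, load, entry, dcrc,
     os_, arch, type_, comp, name) = HDR.unpack_from(blob)
    if magic != MAGIC:
        raise ValueError("not a U-Boot legacy image")
    zeroed = blob[:4] + b"\x00" * 4 + blob[8:HDR.size]
    payload = blob[HDR.size:]
    return {
        "name": name.rstrip(b"\x00").decode("ascii", "replace"),
        "type": (os_, arch, type_, comp),
        "load": load, "entry": entry,
        "header_crc_ok": zlib.crc32(zeroed) == hcrc,
        "size_ok": len(payload) == size,
        "data_crc_ok": zlib.crc32(payload) == dcrc,
        "payload": payload,
    }


def demo():
    # Constructed stand-ins for the stock and the edited ramdisk contents.
    stock = build_image(gzip.compress(b"stock ramdisk\n" * 64))
    edited_gz = gzip.compress(b"edited ramdisk\n" * 64)
    spliced = stock[:HDR.size] + edited_gz   # payload swapped, header left alone
    rebuilt = build_image(edited_gz)         # header regenerated, as mkimage does
    return inspect_image(stock), inspect_image(spliced), inspect_image(rebuilt)


if __name__ == "__main__":
    for report in demo():
        print({k: v for k, v in report.items() if k != "payload"})
```
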
ude:/srv/tftp/LS-XHL_1.02+telnet# ln initrd.buffalo ..
ude:/srv/tftp/LS-XHL_1.02+telnet# ln uImage.buffalo ..
ude:/srv/tftp/LS-XHL_1.02+telnet# cd ..
ude:/srv/tftp# ls -al
total 10396
drwxr-xr-x 5 root root 69 Jan 24 21:58 .
drwxr-xr-x 3 root root 17 Jan 24 09:07 ..
drwxr-xr-x 2 root root 48 Jan 24 09:31 LS-CL+HackKit
drwxr-xr-x 2 root root 48 Jan 24 18:00 LS-XHL_1.02
drwxr-xr-x 2 root root 64 Jan 24 21:53 LS-XHL_1.02+telnet
-rw-r--r-- 2 root root 8552849 Jan 24 21:57 initrd.buffalo
-rw-r--r-- 2 root root 2087876 Dec 26 15:39 uImage.buffalo
ude:/srv/tftp#

ude:/srv/tftp# tail -f /var/log/daemon.log
:
:
Jan 24 21:59:19 ude ntpd[585]: synchronized to 210.173.160.87, stratum 2
Jan 24 21:59:52 ude in.tftpd[718]: connect from 192.168.11.150 (192.168.11.150)
Jan 24 21:59:52 ude tftpd[719]: tftpd: trying to get file: uImage.buffalo
Jan 24 21:59:52 ude tftpd[719]: tftpd: serving file from /srv/tftp
Jan 24 21:59:52 ude in.tftpd[720]: connect from 192.168.11.150 (192.168.11.150)
Jan 24 21:59:52 ude tftpd[721]: tftpd: trying to get file: initrd.buffalo
Jan 24 21:59:52 ude tftpd[721]: tftpd: serving file from /srv/tftp

Once the LED lit up solid blue I thought, telnet! But then I realized I don't know the address.
Normally I would register a fixed IP address on the DHCP server, but the MAC address keeps changing, so I haven't been able to register one.
With 192.168.2.203:

ude:/srv/tftp# telnet 192.168.2.203
-su: telnet: command not found
ude:/srv/tftp#

Oops. This box still needs more breaking in.

ude:/srv/tftp# apt-get install telnet
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  telnet
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 66.4kB of archives.
After this operation, 188kB of additional disk space will be used.
Get:1 http://ftp.jp.debian.org lenny/main telnet 0.17-36 [66.4kB]
Fetched 66.4kB in 2s (30.3kB/s)
Selecting previously deselected package telnet.
(Reading database ... 10080 files and directories currently installed.)
Unpacking telnet (from .../telnet_0.17-36_armel.deb) ...
Processing triggers for man-db ...
Setting up telnet (0.17-36) ...
ude:/srv/tftp#

Try again. Go!

ude:/srv/tftp# telnet 192.168.2.203
Trying 192.168.2.203...
telnet: Unable to connect to remote host: Connection refused
ude:/srv/tftp#

No good.

ude:/srv/tftp# ping 192.168.2.203
PING 192.168.2.203 (192.168.2.203) 56(84) bytes of data.
64 bytes from 192.168.2.203: icmp_seq=1 ttl=64 time=0.154 ms
64 bytes from 192.168.2.203: icmp_seq=2 ttl=64 time=0.104 ms
64 bytes from 192.168.2.203: icmp_seq=3 ttl=64 time=0.105 ms
--- 192.168.2.203 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1998ms
rtt min/avg/max/mdev = 0.104/0.121/0.154/0.023 ms
ude:/srv/tftp#

Ping gets through.
Start over.

ude:~# cd /tmp/root/
ude:/tmp/root# cd etc/init.d/
ude:/tmp/root/etc/init.d# mv rcS rcS.orig
ude:/tmp/root/etc/init.d# cp rcS.orig rcS
ude:/tmp/root/etc/init.d# vi rcS
:
:
ude:/tmp/root/etc/init.d# diff -c rcS.orig rcS
*** rcS.orig Tue Sep 30 22:13:59 2008
--- rcS Sat Jan 24 22:14:59 2009
***************
*** 80,82 ****
--- 80,83 ----
  exec_sh daemonwatch.sh
  exec_sh bootcomplete.sh
  exec_sh late_inspection_phase.sh
+ /usr/sbin/telnetd
ude:/tmp/root/etc/init.d#

How about this?

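Review bot: the added `/usr/sbin/telnetd` runs unconditionally as the last line of rcS, so every boot of this image opens a telnet listener, with no existence check and no way to switch it off short of rebuilding the ramdisk. A guard such as `[ -x /usr/sbin/telnetd ] && /usr/sbin/telnetd`, ideally tied to a condition that can be cleared later, would make the listener easy to retire once it is no longer needed.
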
ude:/srv/tftp/LS-XHL_1.02+telnet# ls -l
total 18760
-rw-r--r-- 2 root root 8559120 Jan 24 22:19 initrd.buffalo
-rw-r--r-- 1 root root 8559056 Jan 24 21:37 initrd.gz
-rw-r--r-- 2 root root 2087876 Dec 26 15:39 uImage.buffalo
ude:/srv/tftp/LS-XHL_1.02+telnet#

As shown, the link count stays at 2.

ude:~# ping 192.168.2.205
PING 192.168.2.205 (192.168.2.205) 56(84) bytes of data.
64 bytes from 192.168.2.205: icmp_seq=1 ttl=64 time=7.23 ms
64 bytes from 192.168.2.205: icmp_seq=2 ttl=64 time=0.134 ms
--- 192.168.2.205 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1007ms
rtt min/avg/max/mdev = 0.134/3.686/7.238/3.552 ms
ude:~#

ude:~# telnet !$
telnet 192.168.2.205
Trying 192.168.2.205...
Connected to 192.168.2.205.
Escape character is '^]'.
BUFFALO INC. LinkStation series
LS-XHL-EME68 login: root
No mail.
root@LS-XHL-EME68:~#

Finally made it.