Loading ...
Sorry, an error occurred while loading the content.

Re: [LinkStation_General] Re: Howto gain root access to the LInkstation

Expand Messages
  • Derek Taubert
    Try this one on for size: Sep 16 23:39:16 HD-HLANA09 syslogd 1.3-3: restart. Sep 16 23:39:16 HD-HLANA09 kernel: klogd 1.3-3, log source = /proc/kmsg started.
    Message 1 of 6 , Sep 21, 2004
    • 0 Attachment
      Try this one on for size:

      Sep 16 23:39:16 HD-HLANA09 syslogd 1.3-3: restart.
      Sep 16 23:39:16 HD-HLANA09 kernel: klogd 1.3-3, log source = /proc/kmsg started.
      Sep 16 23:39:16 HD-HLANA09 kernel: Memory BAT mapping: BAT2=64Mb, BAT3=0Mb, residual: 0Mb
      Sep 16 23:39:16 HD-HLANA09 kernel: Linux version 2.4.17_mvl21-sandpoint (root@toda_dev.melcoinc.co.jp) (gcc version 2.95.3 20010315 (release/MontaVista)) #990 2004 5 21 13:39:00 JST
      Sep 16 23:39:16 HD-HLANA09 kernel: BUFFALO Network Attached Storage Series
      Sep 16 23:39:16 HD-HLANA09 kernel: 2002-2004 BUFFALO INC.
      Sep 16 23:39:16 HD-HLANA09 kernel: On node 0 totalpages: 16384
      Sep 16 23:39:16 HD-HLANA09 kernel: zone(0): 16384 pages.
      Sep 16 23:39:16 HD-HLANA09 kernel: zone(1): 0 pages.
      Sep 16 23:39:16 HD-HLANA09 kernel: zone(2): 0 pages.
      Sep 16 23:39:16 HD-HLANA09 kernel: Kernel command line: root=/dev/hda1
      Sep 16 23:39:16 HD-HLANA09 kernel: OpenPIC Version 1.2 (1 CPUs and 139 IRQ sources) at 80040000
      Sep 16 23:39:16 HD-HLANA09 kernel: decrementer frequency = 24.519423 MHz
      Sep 16 23:39:16 HD-HLANA09 kernel: rtc sec count 1095377944
      Sep 16 23:39:16 HD-HLANA09 kernel: Calibrating delay loop... 130.66 BogoMIPS
      Sep 16 23:39:16 HD-HLANA09 kernel: Memory: 60356k available (1332k kernel code, 568k data, 192k init, 0k highmem)
      Sep 16 23:39:16 HD-HLANA09 kernel: Dentry-cache hash table entries: 8192 (order: 4, 65536 bytes)
      Sep 16 23:39:16 HD-HLANA09 kernel: Inode-cache hash table entries: 4096 (order: 3, 32768 bytes)
      Sep 16 23:39:16 HD-HLANA09 kernel: Mount-cache hash table entries: 1024 (order: 1, 8192 bytes)
      Sep 16 23:39:16 HD-HLANA09 kernel: Buffer-cache hash table entries: 4096 (order: 2, 16384 bytes)
      Sep 16 23:39:16 HD-HLANA09 kernel: Page-cache hash table entries: 16384 (order: 4, 65536 bytes)
      Sep 16 23:39:16 HD-HLANA09 kernel: POSIX conformance testing by UNIFIX
      Sep 16 23:39:16 HD-HLANA09 kernel: PCI: Probing PCI hardware
      Sep 16 23:39:16 HD-HLANA09 kernel: Linux NET4.0 for Linux 2.4
      Sep 16 23:39:16 HD-HLANA09 kernel: Based upon Swansea University Computer Society NET3.039
      Sep 16 23:39:16 HD-HLANA09 kernel: Initializing RT netlink socket
      Sep 16 23:39:16 HD-HLANA09 kernel: Starting kswapd
      Sep 16 23:39:16 HD-HLANA09 kernel: Disabling the Out Of Memory Killer
      Sep 16 23:39:16 HD-HLANA09 kernel: Journalled Block Device driver loaded
      Sep 16 23:39:16 HD-HLANA09 kernel: pty: 256 Unix98 ptys configured
      Sep 16 23:39:16 HD-HLANA09 kernel: MELCO INC. RTC driver ver 1.00
      Sep 16 23:39:16 HD-HLANA09 kernel: Serial driver version 5.05c (2001-07-08) with MANY_PORTS SHARE_IRQ SERIAL_PCI enabled
      Sep 16 23:39:16 HD-HLANA09 kernel: ttyS00 at 0x80004600 (irq = 138) is a 16550A
      Sep 16 23:39:16 HD-HLANA09 kernel: ttyS01 at 0x80004500 (irq = 137) is a 16550A
      Sep 16 23:39:16 HD-HLANA09 kernel: block: 128 slots per queue, batch=32
      Sep 16 23:39:16 HD-HLANA09 kernel: RAMDISK driver initialized: 16 RAM disks of 10000K size 1024 blocksize
      Sep 16 23:39:16 HD-HLANA09 kernel: Uniform Multi-Platform E-IDE driver Revision: 6.31
      Sep 16 23:39:16 HD-HLANA09 kernel: ide: Assuming 33MHz system bus speed for PIO modes; override with idebus=xx
      Sep 16 23:39:16 HD-HLANA09 kernel: CMD680: IDE controller on PCI bus 00 dev 60
      Sep 16 23:39:16 HD-HLANA09 kernel: CMD680: chipset revision 2
      Sep 16 23:39:16 HD-HLANA09 kernel: CMD680: 100% native mode on irq 17
      Sep 16 23:39:16 HD-HLANA09 kernel: ide0: BM-DMA at 0xbffed0-0xbffed7, BIOS settings: hda:pio, hdb:pio
      Sep 16 23:39:16 HD-HLANA09 kernel: ide1: BM-DMA at 0xbffed8-0xbffedf, BIOS settings: hdc:pio, hdd:pio
      Sep 16 23:39:16 HD-HLANA09 kernel: hda: SAMSUNG SV1203N, ATA DISK drive
      Sep 16 23:39:16 HD-HLANA09 kernel: ide0 at 0xbffef8-0xbffeff,0xbffef6 on irq 17
      Sep 16 23:39:16 HD-HLANA09 kernel: hda: 234493056 sectors (120060 MB) w/2048KiB Cache, CHS=14596/255/63, UDMA(100)
      Sep 16 23:39:16 HD-HLANA09 kernel: Partition check:
      Sep 16 23:39:16 HD-HLANA09 kernel: hda: hda1 hda2 hda3
      Sep 16 23:39:16 HD-HLANA09 kernel: FLASHDISK:Initialized [STMICRO M29W320DT]
      Sep 16 23:39:16 HD-HLANA09 kernel: Linux Tulip driver version 0.9.15-pre9 (Nov 6, 2001)
      Sep 16 23:39:16 HD-HLANA09 kernel: tulip0: MII transceiver #1 config 3100 status 7849 advertising 05e1.
      Sep 16 23:39:16 HD-HLANA09 kernel: eth0: ADMtek Comet rev 17 at 0xbfff00, 00:07:40:A4:BA:09, IRQ 16.
      Sep 16 23:39:16 HD-HLANA09 kernel: SCSI subsystem driver Revision: 1.00
      Sep 16 23:39:16 HD-HLANA09 kernel: request_module[scsi_hostadapter]: Root fs not mounted
      Sep 16 23:39:16 HD-HLANA09 kernel: request_module[scsi_hostadapter]: Root fs not mounted
      Sep 16 23:39:16 HD-HLANA09 kernel: usb.c: registered new driver usbdevfs
      Sep 16 23:39:16 HD-HLANA09 kernel: usb.c: registered new driver hub
      Sep 16 23:39:16 HD-HLANA09 kernel: hcd.c: ehci-hcd @ 00:0e.2, PCI device 1033:00e0 (NEC Corporation)
      Sep 16 23:39:16 HD-HLANA09 kernel: hcd.c: irq 19, pci mem c5000f00
      Sep 16 23:39:16 HD-HLANA09 kernel: usb.c: new USB bus registered, assigned bus number 1
      Sep 16 23:39:16 HD-HLANA09 kernel: hcd/ehci-hcd.c: USB 2.0 support enabled, EHCI rev 1. 0
      Sep 16 23:39:16 HD-HLANA09 kernel: hub.c: USB hub found
      Sep 16 23:39:16 HD-HLANA09 kernel: hub.c: 5 ports detected
      Sep 16 23:39:16 HD-HLANA09 kernel: usb-ohci.c: USB OHCI at membase 0xc5002000, IRQ 19
      Sep 16 23:39:16 HD-HLANA09 kernel: usb-ohci.c: usb-00:0e.0, NEC Corporation USB
      Sep 16 23:39:16 HD-HLANA09 kernel: usb.c: new USB bus registered, assigned bus number 2
      Sep 16 23:39:16 HD-HLANA09 kernel: hub.c: USB hub found
      Sep 16 23:39:16 HD-HLANA09 kernel: hub.c: 3 ports detected
      Sep 16 23:39:16 HD-HLANA09 kernel: usb-ohci.c: USB OHCI at membase 0xc5004000, IRQ 19
      Sep 16 23:39:16 HD-HLANA09 kernel: usb-ohci.c: usb-00:0e.1, NEC Corporation USB (#2)
      Sep 16 23:39:16 HD-HLANA09 kernel: usb.c: new USB bus registered, assigned bus number 3
      Sep 16 23:39:16 HD-HLANA09 kernel: hub.c: USB hub found
      Sep 16 23:39:16 HD-HLANA09 kernel: hub.c: 2 ports detected
      Sep 16 23:39:16 HD-HLANA09 kernel: usb.c: registered new driver usblp
      Sep 16 23:39:16 HD-HLANA09 kernel: printer.c: v0.11: USB Printer Device Class driver
      Sep 16 23:39:16 HD-HLANA09 kernel: Initializing USB Mass Storage driver...
      Sep 16 23:39:16 HD-HLANA09 kernel: usb.c: registered new driver usb-storage
      Sep 16 23:39:16 HD-HLANA09 kernel: USB Mass Storage support registered.
      Sep 16 23:39:16 HD-HLANA09 kernel: NET4: Linux TCP/IP 1.0 for NET4.0
      Sep 16 23:39:16 HD-HLANA09 kernel: IP Protocols: ICMP, UDP, TCP, IGMP
      Sep 16 23:39:16 HD-HLANA09 kernel: IP: routing cache hash table of 512 buckets, 4Kbytes
      Sep 16 23:39:16 HD-HLANA09 kernel: TCP: Hash tables configured (established 4096 bind 4096)
      Sep 16 23:39:16 HD-HLANA09 kernel: NET4: Unix domain sockets 1.0/SMP for Linux NET4.0.
      Sep 16 23:39:16 HD-HLANA09 kernel: NET4: AppleTalk 0.18a for Linux NET4.0
      Sep 16 23:39:16 HD-HLANA09 kernel: RAMDISK: Compressed image found at block 0
      Sep 16 23:39:16 HD-HLANA09 kernel: Freeing initrd memory: 1993k freed
      Sep 16 23:39:16 HD-HLANA09 kernel: fff70000:4f4b4f4b
      Sep 16 23:39:16 HD-HLANA09 kernel: VFS: Mounted root (ext2 filesystem).
      Sep 16 23:39:16 HD-HLANA09 kernel: fff70000:4f4b4f4b
      Sep 16 23:39:16 HD-HLANA09 kernel: kjournald starting. Commit interval 5 seconds
      Sep 16 23:39:16 HD-HLANA09 kernel: EXT3-fs: mounted filesystem with ordered data mode.
      Sep 16 23:39:16 HD-HLANA09 kernel: VFS: Mounted root (ext3 filesystem) readonly.
      Sep 16 23:39:16 HD-HLANA09 kernel: change_root: old root has d_count=2
      Sep 16 23:39:16 HD-HLANA09 kernel: Trying to unmount old root ... okay
      Sep 16 23:39:16 HD-HLANA09 kernel: Freeing unused kernel memory: 192k init
      Sep 16 23:39:16 HD-HLANA09 kernel: hub.c: new USB device 00:0e.2-2, assigned address 2
      Sep 16 23:39:16 HD-HLANA09 kernel: scsi0 : SCSI emulation for USB Mass Storage devices
      Sep 16 23:39:16 HD-HLANA09 kernel: Vendor: WDC WD25 Model: 00JB-00GVA0 Rev: 0 0
      Sep 16 23:39:16 HD-HLANA09 kernel: Type: Direct-Access ANSI SCSI revision: 02
      Sep 16 23:39:16 HD-HLANA09 kernel: Attached scsi disk sda at scsi0, channel 0, id 0, lun 0
      Sep 16 23:39:16 HD-HLANA09 kernel: SCSI device sda: 488397168 512-byte hdwr sectors (250059 MB)
      Sep 16 23:39:16 HD-HLANA09 kernel: sda:<7>usb-storage: task-switchin
      Sep 16 23:39:16 HD-HLANA09 kernel: sda1
      Sep 16 23:39:16 HD-HLANA09 kernel: Adding Swap: 257032k swap-space (priority -1)
      Sep 16 23:39:16 HD-HLANA09 kernel: EXT3 FS 2.4-0.9.17, 10 Jan 2002 on ide0(3,1), internal journal
      Sep 16 23:39:16 HD-HLANA09 kernel: kjournald starting. Commit interval 5 seconds
      Sep 16 23:39:16 HD-HLANA09 kernel: EXT3-fs warning: checktime reached, running e2fsck is recommended
      Sep 16 23:39:16 HD-HLANA09 kernel: EXT3 FS 2.4-0.9.17, 10 Jan 2002 on ide0(3,3), internal journal
      Sep 16 23:39:16 HD-HLANA09 kernel: EXT3-fs: mounted filesystem with ordered data mode.
      Sep 16 23:39:16 HD-HLANA09 init: Entering runlevel: 2
      Sep 16 23:39:17 HD-HLANA09 modprobe: modprobe: Can't locate module printer
      Sep 16 23:39:17 HD-HLANA09 murasaki.usb[175]: beep is defined as "off"
      Sep 16 23:39:17 HD-HLANA09 murasaki.usb[175]: usb device is added
      Sep 16 23:39:17 HD-HLANA09 murasaki.usb[175]: vendor:0x0 product:0x0 Dclass:0x9 Dsubclass:0x0 Dprotocol:0x0 Iclass:0x0 Isubclass:0x0 Iprotocol:0x0
      Sep 16 23:39:17 HD-HLANA09 murasaki.usb[175]: The device match nothing in mapfile
      Sep 16 23:39:17 HD-HLANA09 murasaki.usb[175]: Please change MODULE in following line to the appropriate module name, add it to /etc/murasaki/murasaki.usbmap
      Sep 16 23:39:17 HD-HLANA09 murasaki.usb[175]: MODULE 0x0010 0x0 0x0 0 0 0x9 0x0 0x0 0x0 0x0 0x0 0x00000000
      Sep 16 23:39:17 HD-HLANA09 murasaki.usb[176]: beep is defined as "off"
      Sep 16 23:39:17 HD-HLANA09 murasaki.usb[176]: usb device is added
      Sep 16 23:39:17 HD-HLANA09 murasaki.usb[176]: vendor:0x0 product:0x0 Dclass:0x9 Dsubclass:0x0 Dprotocol:0x0 Iclass:0x0 Isubclass:0x0 Iprotocol:0x0
      Sep 16 23:39:17 HD-HLANA09 murasaki.usb[176]: The device match nothing in mapfile
      Sep 16 23:39:17 HD-HLANA09 murasaki.usb[176]: Please change MODULE in following line to the appropriate module name, add it to /etc/murasaki/murasaki.usbmap
      Sep 16 23:39:17 HD-HLANA09 murasaki.usb[176]: MODULE 0x0010 0x0 0x0 0 0 0x9 0x0 0x0 0x0 0x0 0x0 0x00000000
      Sep 16 23:39:17 HD-HLANA09 murasaki.usb[177]: beep is defined as "off"
      Sep 16 23:39:17 HD-HLANA09 murasaki.usb[177]: usb device is added
      Sep 16 23:39:17 HD-HLANA09 murasaki.usb[177]: vendor:0x0 product:0x0 Dclass:0x9 Dsubclass:0x0 Dprotocol:0x0 Iclass:0x0 Isubclass:0x0 Iprotocol:0x0
      Sep 16 23:39:17 HD-HLANA09 murasaki.usb[177]: The device match nothing in mapfile
      Sep 16 23:39:17 HD-HLANA09 murasaki.usb[177]: Please change MODULE in following line to the appropriate module name, add it to /etc/murasaki/murasaki.usbmap
      Sep 16 23:39:17 HD-HLANA09 murasaki.usb[177]: MODULE 0x0010 0x0 0x0 0 0 0x9 0x0 0x0 0x0 0x0 0x0 0x00000000
      Sep 16 23:39:17 HD-HLANA09 murasaki.usb[178]: beep is defined as "off"
      Sep 16 23:39:17 HD-HLANA09 murasaki.usb[178]: usb device is added
      Sep 16 23:39:17 HD-HLANA09 murasaki.usb[178]: vendor:0x6e1 product:0xd835 Dclass:0x0 Dsubclass:0x0 Dprotocol:0x0 Iclass:0x8 Isubclass:0x6 Iprotocol:0x32
      Sep 16 23:39:17 HD-HLANA09 murasaki.usb[178]: The device match nothing in mapfile
      Sep 16 23:39:17 HD-HLANA09 murasaki.usb[178]: Please change MODULE in following line to the appropriate module name, add it to /etc/murasaki/murasaki.usbmap
      Sep 16 23:39:17 HD-HLANA09 murasaki.usb[178]: MODULE 0x0383 0x6e1 0xd835 0 0 0x0 0x0 0x0 0x8 0x6 0x32 0x00000000
      Sep 16 23:39:17 HD-HLANA09 kernel: FAT: bogus logical sector size 0
      Sep 16 23:39:17 HD-HLANA09 kernel: VFS: Can't find a valid FAT filesystem on dev 08:01.
      Sep 16 23:39:17 HD-HLANA09 kernel: NTFS driver v1.1.21 [Flags: R/O MODULE]
      Sep 16 23:39:17 HD-HLANA09 kernel: kjournald starting. Commit interval 5 seconds
      Sep 16 23:39:17 HD-HLANA09 kernel: EXT3 FS 2.4-0.9.17, 10 Jan 2002 on sd(8,1), internal journal
      Sep 16 23:39:17 HD-HLANA09 kernel: EXT3-fs: mounted filesystem with ordered data mode.
      Sep 16 23:39:22 HD-HLANA09 ap_serd[215]: startup daemon
      Sep 16 23:39:22 HD-HLANA09 ap_serd[215]: assigned intreface eth0
      Sep 16 23:39:22 HD-HLANA09 ap_serd[215]: standalone mode

      Derek
    • cs_h1
      Done all this for LSII - how do you actually start the music server? ... You ... copying
      Message 2 of 6 , Aug 18, 2005
      • 0 Attachment
        Done all this for LSII - how do you actually start the music server?



        --- In LinkStation_General@yahoogroups.com, "Thom Mason"
        <t.e.mason@c...> wrote:
        > dtaubert on the Roku Forums figured out a backdoor into the
        > Linkstation (see http://www.rokulabs.com/forums/viewtopic.php?
        t=186):
        >
        > The 1.44 firmware update has telnet access enabled. You can login
        > using a user account setup through the Admin web interface.
        > dtauberts poking around revealed:
        >
        > USER PID %CPU %MEM VSZ RSS TTY STAT START TIME
        > COMMAND
        > root 373 0.0 0.8 2132 536 ? SN Sep16
        > 0:01 /usr/sbin/thttpd -C /etc/thttpd.conf
        >
        > $ cat /etc/thttpd.conf
        > dir=/www
        > user=root
        > logfile=/var/log/thttpd.log
        > pidfile=/var/run/thttpd.pid
        > port=80
        > charset=
        > cgipat=/cgi-bin*/*
        >
        > $ ls -ald /www
        > drwxrwxrwx 9 root root 1024 Sep 17 15:40 /www
        >
        > In other words:
        >
        > 1) The http server is run as root.
        > 2) The cgipat contains a wildcard in the directory name.
        > 3) The /www directory is writable by all.
        >
        > mkdir /www/cgi-bin3 and plop a script in (it will run as root).
        You
        > can either make a scipt to change access for /etc/passwd:
        >
        > #! /bin/sh
        > chmod 666 /etc/passwd
        >
        > and then paste it into you browser:
        >
        > http://buffalo/cgi-bin3/accesspass.sh
        >
        > making sure the script is set as executable or make a script
        copying
        > a modified passwd file to /etc/passwd.
        >
        > You can then change the root password to a known encrypted one such
        > as the one for the user account you used to gain telnet access.
        > vi works although you may need to set TERM to vt100 since there
        > doesn't appear to be a termcap entry for xterm (depends on you
        > telnet client emulation).
        >
        > Thom
      • cs_h1
        Media server up and running - just got to sort shoutcast out ... login ... such
        Message 3 of 6 , Aug 18, 2005
        • 0 Attachment
          Media server up and running - just got to sort shoutcast out

          --- In LinkStation_General@yahoogroups.com, "cs_h1" <cs_h1@y...>
          wrote:
          > Done all this for LSII - how do you actually start the music server?
          >
          >
          >
          > --- In LinkStation_General@yahoogroups.com, "Thom Mason"
          > <t.e.mason@c...> wrote:
          > > dtaubert on the Roku Forums figured out a backdoor into the
          > > Linkstation (see http://www.rokulabs.com/forums/viewtopic.php?
          > t=186):
          > >
          > > The 1.44 firmware update has telnet access enabled. You can
          login
          > > using a user account setup through the Admin web interface.
          > > dtauberts poking around revealed:
          > >
          > > USER PID %CPU %MEM VSZ RSS TTY STAT START TIME
          > > COMMAND
          > > root 373 0.0 0.8 2132 536 ? SN Sep16
          > > 0:01 /usr/sbin/thttpd -C /etc/thttpd.conf
          > >
          > > $ cat /etc/thttpd.conf
          > > dir=/www
          > > user=root
          > > logfile=/var/log/thttpd.log
          > > pidfile=/var/run/thttpd.pid
          > > port=80
          > > charset=
          > > cgipat=/cgi-bin*/*
          > >
          > > $ ls -ald /www
          > > drwxrwxrwx 9 root root 1024 Sep 17 15:40 /www
          > >
          > > In other words:
          > >
          > > 1) The http server is run as root.
          > > 2) The cgipat contains a wildcard in the directory name.
          > > 3) The /www directory is writable by all.
          > >
          > > mkdir /www/cgi-bin3 and plop a script in (it will run as root).
          > You
          > > can either make a scipt to change access for /etc/passwd:
          > >
          > > #! /bin/sh
          > > chmod 666 /etc/passwd
          > >
          > > and then paste it into you browser:
          > >
          > > http://buffalo/cgi-bin3/accesspass.sh
          > >
          > > making sure the script is set as executable or make a script
          > copying
          > > a modified passwd file to /etc/passwd.
          > >
          > > You can then change the root password to a known encrypted one
          such
          > > as the one for the user account you used to gain telnet access.
          > > vi works although you may need to set TERM to vt100 since there
          > > doesn't appear to be a termcap entry for xterm (depends on you
          > > telnet client emulation).
          > >
          > > Thom
        Your message has been successfully submitted and would be delivered to recipients shortly.