I will explain how to I have execution as root at FT3563-BT NAS. This also
work s on NS-348S NAS, and will work on the other NAS family.
Devices what seems identical or similars:
- Coolmax CN-570 http://www.smallnetbuilder.com/content/view/29899/75/1/3/
- NS-348S http://www.multicase.de/en/products/76/ns348s.html http://www.enclosureservice.com/
- Emprex NSD-100 http://www.emprex.com/02_products_02.php?id=205
- Agestar NCB3AHT http://www.agestar.com/english/products/ncb3aht.asp
- http://shenztech.com/code/ui/product/product.aspx?prdid=NAS2&subcatid=9
- revoltec rs049
This family of NAS, will create three partitions:
/dev/sda1 are swap
/dev/sda2 mount at /conf and are some conf files
/dev/sda3 mount at /mnt/data are data.
To have root execution we will:
1.- Put Hard disk and format (from web interface) as XFS (fat not tested, will work also)
2.- Create a user (and share) from web interface
3.- Turn-off NAS, and connect to PC with a USB cable. You may use
Linux to have acces at conf partition.
4.- Copy netcat for arm, to this partition. You can get it at my web:
http://www.uv.es/cuan/arxius/FT3563-BT/
and mark it as executable (chmod +x netcat)
5.- Edit smb.conf, and add this line to share what you created:
root preexec = /conf/netcat -e /bin/ash -l -p 10001 2>> /mnt/data/public/err.log
6.- Connect to this share, ie (my share are sh_toni, and my user are toni):
smbclient //NAS_IP/sh_toni -U toni
When you connect, netcat at NAS wil lbe executed
7.- Connect to NAS using netcat (we use 1001 port):
nc IP_NAS 10001
Now, we are capable to execute programs, like ls, dmesg, ….
If we want access using telnet, we will add “pts/0″ to
/etc/securetty, ie, form netcat:
echo “pts/0″ >> /etc/securetty
/usr/sbin/telnetd
Now, we can login to nas using telnet, user root without password.
NOTE: As you can see if execute mount, root filesystem are in
/dev/ram0 , and any modification (execept modifications to /conf) will
be lost.