FT3563-BT Hacking

I will explain how to I have execution as root at FT3563-BT NAS. This also
work s on NS-348S NAS, and will work on the other NAS family.

Devices what seems identical or similars:

• Coolmax CN-570 http://www.smallnetbuilder.com/content/view/29899/75/1/3/
• NS-348S http://www.multicase.de/en/products/76/ns348s.html http://www.enclosureservice.com/
• Emprex NSD-100 http://www.emprex.com/02_products_02.php?id=205
• Agestar NCB3AHT http://www.agestar.com/english/products/ncb3aht.asp
• http://shenztech.com/code/ui/product/product.aspx?prdid=NAS2&subcatid=9
• revoltec rs049

This family of NAS, will create three partitions:

/dev/sda1 are swap
/dev/sda2 mount at /conf and are some conf files
/dev/sda3 mount at /mnt/data are data.

To have root execution we will:

1.- Put Hard disk and format (from web interface) as XFS (fat not tested, will work also)

2.- Create a user (and share) from web interface

3.- Turn-off NAS, and connect to PC with a USB cable. You may use
Linux to have acces at conf partition.

4.- Copy netcat for arm, to this partition. You can get it at my web:
http://www.uv.es/cuan/arxius/FT3563-BT/
and mark it as executable (chmod +x netcat)

5.- Edit smb.conf, and add this line to share what you created:

root preexec = /conf/netcat -e /bin/ash -l -p 10001 2>> /mnt/data/public/err.log

6.- Connect to this share, ie (my share are sh_toni, and my user are toni):

smbclient //NAS_IP/sh_toni -U toni

When you connect, netcat at NAS wil lbe executed

7.- Connect to NAS using netcat (we use 1001 port):

nc IP_NAS 10001

Now, we are capable to execute programs, like ls, dmesg, ….
If we want access using telnet, we will add “pts/0″ to
/etc/securetty, ie, form netcat:

echo “pts/0″ >> /etc/securetty
/usr/sbin/telnetd

Now, we can login to nas using telnet, user root without password.

NOTE: As you can see if execute mount, root filesystem are in
/dev/ram0 , and any modification (execept modifications to /conf) will
be lost.