After spending a few hours with my SmartStor NS2300N while trying to guess why its download station plugin does not function like I want it to, I finally was able to find a solution.
Download plugin for NS2300N is simply MLDonkey P2P client. That is, you are able to connect to it and manage it using a bunch of GUIs, including Sancho which I could recommend as a best choice. GUI allows managing downloads and (more interesting!) managing MLDonkey configuration also.
My goal was to gain full access to the ways MLDonkey runs and manages files & torrents.
So we had:
1) MLDonkey, running on the target device with root privileges
2) open port 4001 for GUI connection;
3) empty GUI password (I guess, Promise did it because they were trying to avoid hard-coding password into SmartNAVI - the latter uses MLDonkey GUI protocol to do very basic download management)
Soon I found out that there is allow_any_command option; when it's set to true, this is possible to run ANY shell command from Sancho console. Just prefix shell command with ! so MLDonkey could distinguish it from its own commands, and you are done.
The following sequence lets you gain root access to your NS2300N. USE AT YOUR OWN RISK! This might void your warranty and you may seriously damage your data.
1. In MLDonkey GUI, copy /etc/crontab to any folder you have write access to. Use command ! /bin/cp /etc/crontab /VOLUME1/FOLDER_NAME.
2. Comment out the line
* * * * * root /usr/sbin/chkhttpd >/dev/null 2>/dev/null
This line rewrites /etc/telnet.user every single minute; we'll need this file two steps later. Copy modified file back to its original location: ! /bin/cp /VOLUME1/FOLDER_NAME/crontab /etc/
3. Similarly, take /etc/sudoers and add one line:
username ALL=(ALL) NOPASSWD: ALL
And copy it back to its original location. username is NS2300N username that has been previously added via SmartNAVI or PASM. Of course you need to know the password for that account.
4. Last step: fix /etc/telnet.user (copy it to write-permitted folder, add username to it and copy back to its original location).
After that:
telnet -l username <nas_hostname> 2380 sudo -s
You are done! If you want to turn maintenance script chkhttpd back on, copy it out of /usr filesystem (which is write-protected), remove lines that rewrite /etc/telnet.user and add modified script to /etc/crontab instead of original one. It could be a good idea to create /opt folder to accomplish that task.
You can hack and reconfigure your NS2300N according to your choice (but be careful if you have sensitive data on it).
Re: Promise SmartStor NS2300N remote root exploit
After waiting a long time a new official Promise DLNA Plugin running, I decided to recompile MediaTomb UPnP 0.11.0 for SmartStor NS2300N, since it has good potential.
---------------------------------
Use Heavy Equipment :: Wheel Loader Cat-966F :: Excavators