MoD
29-10-2006, 18:44
I do not understand the booting sequence of the router. I studied the sources of Oleg's modified wl500g series firmware and the dd-wrt project firmware to understand how I can create a password-protected telnet shell. This is what I understood:
There is a modification of rc.c file (as there is no full source of firmware v.1.0.46 and the rc.c file is missing, I am working with firmware v.1.0.42). The idea is that in function main_loop() you are modifying /tmp/passwd file.
This is what the original /tmp/passwd file looks like:
root::0:0:root:/:/bin/sh
guest::35000:42000:guest:/:/bin/sh
This is what the original /tmp/group file looks like:
root::0:root
users::42000:
I added a new function to rc.c:
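    #include <stdio.h>
    #include <sys/stat.h>   /* stat(), mkdir() */
    #include <crypt.h>      /* crypt() */

    /* create /etc/{passwd,group}; nvram_get() comes from the firmware's NVRAM library */
    void make_etc(void)
    {
        FILE *f;
        struct stat buf;    /* was used by stat() below but never declared */
        char *name, *pass;

        /* crypt using md5, no salt */
        name = nvram_get("http_username1") ? : "admin";
        pass = crypt(nvram_get("http_passwd1") ? : "admin", "$1$");
        if (!pass)          /* crypt() returns NULL on failure */
            return;

        /* create homedir for root account */
        if (stat("/tmp/root", &buf) != 0) {
            mkdir("/tmp/root", 0700);
        }

        /* root-equivalent account named after the web admin user; guest is unchanged */
        if ((f = fopen("/tmp/passwd", "w"))) {
            fprintf(f, "%s:%s:0:0:root:/tmp/root:/bin/sh\n"
                       "guest::35000:42000:guest:/:/bin/sh\n", name, pass);
            fclose(f);
        }

        if ((f = fopen("/tmp/group", "w"))) {
            fprintf(f, "root:x:0:%s\nusers::42000:\n", name);
            fclose(f);
        }
    }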
The function make_etc() should create a home directory for the root account in the /tmp directory and modify the /tmp/passwd and /tmp/group files. The function is executed in the main_loop() function right before /* loop forever */. However, when I compile the firmware and flash it to the router, the changes in the /tmp directory are not seen.
I even created the firmware with a modified make_etc() function that creates only a /tmp/root directory:
    /* create /etc/{passwd,group} */
    void make_etc(void)
    {
        mkdir("/tmp/root", 0700);
    }
The result was the same - there are no changes in /tmp folder.
The problem
I think by the time when make_etc() function is executed, /tmp is not yet mounted?! Could it be so?
Can anybody explain how the default /etc/passwd and /etc/group files are created in /tmp file?
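An added example, not part of the original post or of the firmware sources: a small C check that parses passwd-format lines like the ones quoted above and flags accounts whose password field is empty. The two sample file images, the placeholder hash and all function names are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
enum { PW_OK, PW_MALFORMED, PW_EMPTY_PASSWORD, PW_EMPTY_ROOT };
/* Constructed samples; the hash below is a placeholder, not a real value. */
#define GUEST "guest::35000:42000:guest:/:/bin/sh\n"
static const char STOCK[] = "root::0:0:root:/:/bin/sh\n" GUEST;
static const char MODIFIED[] = "admin:$1$$PLACEHOLDERHASH:0:0:root:/tmp/root:/bin/sh\n" GUEST;

/* Copy field n (0-based) of one line into out; keeps empty fields, unlike strtok(). */
static int field(const char *p, int n, char *out, size_t outlen) {
    size_t len = strcspn(p, ":\n");
    for (; n > 0; n--, len = strcspn(p, ":\n")) {
        if (p[len] != ':') return -1;   /* line ended before field n */
        p += len + 1;
    }
    if (len >= outlen) return -1;
    memcpy(out, p, len);
    out[len] = '\0';
    return 0;
}

/* Classify one passwd(5) line: name:password:uid:gid:gecos:home:shell */
int audit_passwd_line(const char *line) {
    char pass[128], uid[16], shell[64], *end;
    if (field(line, 1, pass, sizeof pass) || field(line, 2, uid, sizeof uid) ||
        field(line, 6, shell, sizeof shell) || uid[0] == '\0')
        return PW_MALFORMED;
    long id = strtol(uid, &end, 10);
    if (*end != '\0') return PW_MALFORMED;
    if (pass[0] != '\0') return PW_OK;  /* a hash or lock marker is set */
    return id == 0 ? PW_EMPTY_ROOT : PW_EMPTY_PASSWORD;
}

/* Count accounts in a passwd file image whose password field is empty. */
int count_empty_passwords(const char *text) {
    int n = 0;
    for (; *text; text += (*text == '\n')) {
        int r = audit_passwd_line(text);
        n += (r == PW_EMPTY_PASSWORD || r == PW_EMPTY_ROOT);
        text += strcspn(text, "\n");
    }
    return n;
}

int main(void) {
    printf("stock=%d modified=%d\n", count_empty_passwords(STOCK), count_empty_passwords(MODIFIED));
    return 0;
}
```

On these samples the stock file has two empty-password accounts, and the file written by make_etc() still has one, the guest entry.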