A little while ago, I purchased Zsun SD111 W-Fi USB flash drive, and after several tentatives, I finally found a way to access the device’s serial console. Since then the company announced another wireless storage device with Zsun Wi-Fi card reader, and Zoobab decided to try to hack it too.
Since the device is pretty hard to open without damaging the enclosure, connecting the serial pin was not really an option, and the first exploit was to input shell commands in the web interface SSID field… For example, entering
reboot there, would indeed reboot the device.
However, this would still not allow full shell access, and finally after a broader port scan, it was found out that TCP port 11880 was open for telnet daemon. You can then access the shell as root with the same password as SD111: “zsun1188”. For some reasons, telnet can’t work with the device, and socat must be used instead.
zoobab@zoobab /Users/zoobab $ socat - TCP4:10.168.168.1:11880
(none) login: root
------- | / /--/ ___ |
/ | /| \/ _____ --|--|
/_____\ |--- --|-- //--/ / / |
__|__ | /|\ / \/ /___\ / |
___|___ ___|____ / | \ / / \|
Shenzhen Zsun Cloud Technology Co., LTD.
BusyBox v1.01 (2014.12.27-02:50+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.
That’s it you now have full access to this small and inexpensive Linux device powered by Atheros AR9331 SoC with 32MB RAM and 16MB flash, plus up to 64GB storage on micro SD card.
Thanks to Zoobab for his work.