[<prev] [next>] [day] [month] [year] [list]
Message-ID: <a2e8ca0706120727i775b6b4at122c091a00b97949@mail.gmail.com>
Date: Tue, 12 Jun 2007 16:27:51 +0200
From: "Knud Erik Højgaard" <kokanin@...il.com>
To: full-disclosure <full-disclosure@...ts.grok.org.uk>
Subject: using matasano's blackbag/deezee to find 0day and
stuff
remote un-passworded root access in IBM's totalstorage ds400 storage
thingie, like this:
# download deezee from http://www.matasano.com/tools/deezee.tar.gz
# download firmware for totalstorage ds400
lort# wget -q http://parker.vslib.cz/MIRRORS/ftp.adaptec.com/tmp0001/oem/ibm/IBM_TotalStorage_DS_Series_FW_v4.15.zip
lort# unzip -q IBM_TotalStorage_DS_Series_FW_v4.15.zip
lort# rm IBM_TotalStorage_DS_Series_FW_v4.15.zip
lort# ls
Copy of IBM_TotalStorage_DS_Series_FW_v4.15.upgrade
README_Single_IBM_TotalStorage_DS_Series_FW_v4.15.txt.TXT
lort# mv Copy\ of\ IBM_TotalStorage_DS_Series_FW_v4.15.upgrade ds400.4.15.fw
lort# ../deezee/deezee ds400.4.15.fw
Scanning file ds400.4.15.fw for compressed components
Compressed size: 21898976 bytes
Compressed segment found. Expanded to 2181580 bytes
Compressed segment found. Expanded to 16777216 bytes
Compressed segment found. Expanded to 67108864 bytes
lort# mkdir /mnt/1 /mnt/2
lort# mdconfig -a -t vnode -f ./ds400.4.15.fw.1 -u 1
lort# mdconfig -a -t vnode -f ./ds400.4.15.fw.2 -u 2
lort# mount_ext2fs /dev/md1 /mnt/1
lort# mount_ext2fs /dev/md2 /mnt/2
# part where you look for vulnerabilities intentionally skipped
lort# cat /mnt/2/etc/shadow
root::11430:0:10000::::
bin:*:8902:0:10000::::
daemon:*:8902:0:10000::::
ftp:*:8902:0:10000::::
named:*:8902:0:10000::::
nobody:*:0:0:10000::::
user::11430:0:10000::::
manager::11430:0:10000::::
administrator::11430:0:10000::::
operator::11430:0:10000::::
lort# cat /mnt/2/etc/inetd.conf
# See "man 8 inetd" for more information.
#
# If you make changes to this file, either reboot your machine or send the
# inetd a HUP signal:
# Do a "ps x" as root and look up the pid of inetd. Then do a
# "kill -HUP <pid of inetd>".
# The inetd will re-read this file whenever it gets that signal.
#
# <service_name> <sock_type> <proto> <flags> <user> <server_path> <args>
#
# If you want telnetd not to "keep-alives" (e.g. if it runs over a ISDN
# uplink), add "-n". See 'man telnetd' for more deatails.
#
telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd
cli stream tcp nowait root /usr/sbin/tcpd
in.telnetd -L /etc/eurologic/bin/cli
login stream tcp nowait root /usr/sbin/tcpd in.rlogind
shell stream tcp nowait.500 root /usr/sbin/tcpd in.rshd -Lh
#
# End.
lort# grep ^telnet /mnt/2/etc/services
telnet 6000/tcp
# sit back and laugh at the passwordless accounts and the undocumented
telnet daemon.
--
Knud
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists