Unexpected Results From a backtrack attack on DVL live CD

[juergen.fiedler at gmail.com (Juergen Fiedler)]

On Tue, Aug 26, 2008 at 11:04 AM, Mr Gabriel <angelisonline at gmail.com> wrote:
> Dear All,
[...]
> I downloaded DVL, under the assumptions that it is intentionally left
> with vulnerable services for the purpose of teaching lessons on
> vulnerabilities. I downloaded it, ran in, and then ran the autoown
> script, assuming that the box would be FUBAR! in seconds, but alas, no
> such luck. I updated metasploit via SVN, and again, not one single
> session was opened.
>
> I would be most happy, if someone was able to tell me that I am being
> a complete and utter idiot, and have misunderstood the "how" when it
> comes to exploiting a box to prove the existence of a vulnerability,
> or if I completely missed the point, and have now embarrassed myself
> by saying I failed to exploit a linux distro, that was designed to be
> exploited :)

If I remember correctly, DVL does not in fact run vulnerable services
but puts emphasis on local exploits through software flaws. Basically,
its purpose is to teach people how to spot things like buffer
overflows in local software. Remote exploits are outside its scope.

Thus sayeth the guy who tried the very same thing, with the very same
results before taking a closer look at the distro :)

Good luck!