Re: Port 9090 WServer??

From: xyberpix (xyberpix_at_xyberpix.com)
Date: 05/18/05

    Date: Tue, 17 May 2005 23:38:18 +0100
    To: "Nathan Einwechter" <nathan@ontologystream.com>


    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    Hi All,

    Just like to say thanks to everyone that replied.
    I've got more than enough to go on now.

    xyberpix

    On 17 May 2005, at 19:25, Nathan Einwechter wrote:

    > Looks to me as though they're using telnet to do client-server
    > communications/commands. This could definitely be a possible
    > vulnerability point.
    >
    > If this is the case, I would suggest you can do one of a few things.
    >
    > 1) Do a little reverse engineering on the programs to find some
    > interesting strings that may be commands etc.
    > 2) Place the software into a test environment and sniff the exchanges
    > to and from this port during normal operation.
    >
    > These should give you a general idea of what the server expects and,
    > potentially, where you could cram it full of data to create a buffer
    > overflow, information leakage, etc.
    >
    > -- Nathan
    >
    > -----Original Message-----
    > From: xyberpix [mailto:xyberpix@xyberpix.com]
    > Sent: Tuesday, May 17, 2005 11:12 AM
    > To: pen-test@securityfocus.com
    > Subject: Port 9090 WServer??
    >
    > Hi All,
    >
    > I am evaluating a bit of kit here, and it has 3 open ports on it: 22,
    > 9090 and 30000.
    > 22 is obviously ssh, as I have an account on the device, and using ssh
    > to gain access drops me into a restricted shell. I have tried a couple
    > of ways of breaking out of this, and none of them seem to work, so if
    > anyone has any sure-fire ways to break out of a restricted shell, would
    > they please be kind enough to share them.
    > The next interesting point about the device is that if I telnet to port
    > 9090, this is what I get:
    >
    > xyberpix@su621unix1> telnet hmc 9090
    > Trying 10.163.8.42...
    > Connected to sa44bshmc01.
    > Escape character is '^]'.
    >
    >
    > ---> Now I hit Enter a couple of times and get this:
    >
    > Language received from client:
    > Setlocale: C
    > Memory fault
    > WServer.HANDSHAKING 30001 WServer.HANDSHAKING
    > Connection to sa44bshmc01 closed by foreign host.
    > xyberpix@su621unix1>
    >
    > Does anyone know of any way that I could try and use this to my
    > advantage, as it looks hopeful, but I'm not too sure?
    >
    > TIA
    >
    > xyberpix
    >
    >
    >
    >
    For Security And Open Source News And Info Visit:
    http://www.xyberpix.com
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.2.4 (Darwin)

    iD8DBQFCinJbcRMkOnlkwMERAkS6AJ9X4YCIqToJP/r/SXE6HUdT2U2TyACcCuzf
    HBP20/stqq4Sbz0p23ecYSw=
    =4Poh
    -----END PGP SIGNATURE-----
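Nathan's second suggestion, recording what the service says in a test environment, is the step an assessor normally scripts rather than types by hand, and the "Memory fault" line in the transcript is the part that matters for the report: a server process that dies on two empty lines is a reliability and security finding regardless of whether it goes any further. The following added example (my own code, not from the thread or from the device vendor) replays a scripted client exchange against a lab instance of such a service, records the transcript with a read timeout so a crash shows up as the peer closing the connection, and triages the transcript for crash markers, advertised secondary ports and handshake tokens. The `record_exchange` host, port and payload values are assumptions for a lab setup; the transcript used in the self-test is the one quoted in the original post, reproduced here as constructed sample input.

```python
import re
import socket
from dataclasses import dataclass, field
from typing import List, Optional, Sequence

# Transcript quoted in the original post, embedded here as constructed sample input.
SAMPLE_TRANSCRIPT = """Language received from client:
Setlocale: C
Memory fault
WServer.HANDSHAKING 30001 WServer.HANDSHAKING
"""

# Strings a dying Unix service typically leaks to its peer when it faults.
CRASH_MARKERS = ("Memory fault", "Segmentation fault", "Bus error", "core dumped")


@dataclass
class Triage:
    crashed: bool
    crash_marker: Optional[str]
    advertised_ports: List[int] = field(default_factory=list)
    handshake_tokens: List[str] = field(default_factory=list)


def analyze_transcript(text: str) -> Triage:
    """Reduce a raw server transcript to the facts worth putting in a finding."""
    lines = [line.strip() for line in text.splitlines() if line.strip()]
    marker = next((m for m in CRASH_MARKERS if any(m in line for line in lines)), None)
    # Any bare number in the valid TCP range is treated as a possibly advertised port.
    ports = sorted({
        int(p) for line in lines for p in re.findall(r"\b(\d{2,5})\b", line)
        if 1 <= int(p) <= 65535
    })
    # Tokens like WServer.HANDSHAKING are protocol state names worth grepping binaries for.
    tokens = sorted({t for line in lines for t in re.findall(r"\b\w+\.[A-Z_]+\b", line)})
    return Triage(crashed=marker is not None, crash_marker=marker,
                  advertised_ports=ports, handshake_tokens=tokens)


def record_exchange(host: str, port: int, payloads: Sequence[bytes],
                    timeout: float = 2.0) -> str:
    """Send each payload in turn to a lab instance and return everything it said back.

    A read that returns b'' means the peer closed the connection, which after a
    crash marker is the usual symptom of the server process having died.
    (Not run in the self-test; host and port are lab assumptions.)
    """
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        for payload in payloads:
            sock.sendall(payload)
            while True:
                try:
                    data = sock.recv(4096)
                except socket.timeout:
                    break  # server is quiet; move on to the next payload
                if not data:
                    chunks.append(b"\n[peer closed connection]\n")
                    return b"".join(chunks).decode("utf-8", "replace")
                chunks.append(data)
    return b"".join(chunks).decode("utf-8", "replace")


if __name__ == "__main__":
    # Offline run: triage the quoted transcript instead of touching the network.
    # A lab run would be: analyze_transcript(record_exchange("lab-hmc", 9090, [b"\r\n", b"\r\n"]))
    result = analyze_transcript(SAMPLE_TRANSCRIPT)
    print(f"crashed={result.crashed} marker={result.crash_marker!r}")
    print(f"advertised ports={result.advertised_ports} tokens={result.handshake_tokens}")
```

In a lab run the interesting output is the pairing of a crash marker with the connection being closed by the peer immediately afterwards; that pairing, plus the tokens and the secondary port the service names, is enough to write the finding up and to hand the vendor something reproducible.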

