Penetration Testing mailing list archives

Re: Port 9090 WServer??


From: xyberpix <xyberpix () xyberpix com>
Date: Tue, 17 May 2005 23:38:18 +0100

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi All,

Just like to say thanks to everyone that replied.
I've got more than enough to go on now.

xyberpix

On 17 May 2005, at 19:25, Nathan Einwechter wrote:

Looks to me as though they're using telnet to do client-server
communications/commands. This could definitely be a possible
vulnerability point.

If this is the case, I would suggest you can do one of a few things.

1) Do a little reverse engineering on the programs to find some
interesting strings that may be commands, etc.
2) Place the software into a test environment and sniff the exchanges to
and from this port during normal operation.

These should give you a general idea of what the server expects and,
potentially, where you could cram it full of data to create a buffer
overflow, information leakage, etc.

-- Nathan

-----Original Message-----
From: xyberpix [mailto:xyberpix () xyberpix com]
Sent: Tuesday, May 17, 2005 11:12 AM
To: pen-test () securityfocus com
Subject: Port 9090 WServer??

Hi All,

I am evaluating a bit of kit here, and it has 3 open ports on it: 22,
9090 and 30000.
22 is obviously ssh, as I have an account on the device, and using ssh
to gain access drops me into a restricted shell. I have tried a couple of
ways of breaking out of this, and none of them seem to work, so if anyone
has any sure-fire ways to break out of a restricted shell, would they
please be kind enough to share them.
The next interesting point about the device is that if I telnet to port
9090, this is what I get:

xyberpix@su621unix1> telnet hmc 9090
Trying 10.163.8.42...
Connected to sa44bshmc01.
Escape character is '^]'.


---> Now I hit Enter a couple of times and get this:

Language received from client:
Setlocale: C
Memory fault
WServer.HANDSHAKING 30001 WServer.HANDSHAKING
Connection to sa44bshmc01 closed by foreign host.
xyberpix@su621unix1>

Does anyone know of any way that I could try and use this to my
advantage, as it looks hopeful, but I'm not too sure?

TIA

xyberpix
For Security And Open Source News And Info Visit:
http://www.xyberpix.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (Darwin)

iD8DBQFCinJbcRMkOnlkwMERAkS6AJ9X4YCIqToJP/r/SXE6HUdT2U2TyACcCuzf
HBP20/stqq4Sbz0p23ecYSw=
=4Poh
-----END PGP SIGNATURE-----
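The session quoted in the thread shows a service that prints "Language received from client" and then dies with a memory fault after a bare Enter, which means the handshake reader is not coping with empty or unexpected input. The thread does not show the server's code, so the following is an added example (not code from the page, the device vendor or the posters) of how a handshake line reader of that kind would be written defensively: the input is read into a fixed buffer with an explicit bound, an empty line is rejected instead of being processed, the locale token is restricted to a safe character set and then checked against an allowlist. The one-locale-name-per-line handshake format, the allowlist contents and the function names are assumptions made for the example; a real server would feed the bytes it got from recv() into the same function with the same bound.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Hypothetical handshake: the client sends one locale name terminated by a
 * newline. The server must never read past the bound of its buffer and must
 * treat an empty line as a protocol error rather than as a locale name. */
#define MAX_LOCALE_LINE 64

enum hs_result {
    HS_OK = 0,
    HS_EMPTY,          /* bare Enter or no data: reject, do not crash */
    HS_TOO_LONG,       /* would overflow the destination buffer */
    HS_BAD_CHAR,       /* characters outside the locale-name alphabet */
    HS_UNKNOWN_LOCALE  /* well-formed but not on the allowlist */
};

/* Assumed allowlist: the only locales this example server is willing to set. */
static const char *const allowed_locales[] = { "C", "POSIX", "en_US.UTF-8", NULL };

/* Parse the first line of `input` (len bytes, not necessarily NUL-terminated)
 * into `out` (capacity cap). Returns HS_OK and fills `out` only when the line
 * is a well-formed, allowlisted locale name. */
enum hs_result parse_locale_line(const char *input, size_t len,
                                 char *out, size_t cap)
{
    size_t n = 0;

    /* Find the end of the first line without running past `len`. */
    while (n < len && input[n] != '\n' && input[n] != '\r')
        n++;

    if (n == 0)
        return HS_EMPTY;       /* this is the bare-Enter case from the thread */
    if (n >= cap)
        return HS_TOO_LONG;    /* leave room for the terminating NUL */

    /* Locale names are letters, digits and a few punctuation characters;
     * anything else (shell metacharacters, control bytes) is rejected before
     * the value is used for anything. */
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)input[i];
        if (!(isalnum(c) || c == '_' || c == '-' || c == '.' || c == '@'))
            return HS_BAD_CHAR;
    }

    memcpy(out, input, n);
    out[n] = '\0';

    for (const char *const *p = allowed_locales; *p != NULL; p++) {
        if (strcmp(*p, out) == 0)
            return HS_OK;
    }
    return HS_UNKNOWN_LOCALE;
}

/* Stand-alone demonstration over constructed inputs. */
int main(void)
{
    /* Constructed sample client inputs, including the empty line that
     * produced the memory fault in the quoted session. */
    const char *samples[] = { "C\n", "\n", "en_US.UTF-8\r\n", "C;id\n", "xx_YY\n" };
    char locale[MAX_LOCALE_LINE];

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        enum hs_result r = parse_locale_line(samples[i], strlen(samples[i]),
                                             locale, sizeof locale);
        printf("input %zu -> result %d%s%s\n", i, (int)r,
               r == HS_OK ? ", Setlocale: " : "", r == HS_OK ? locale : "");
    }
    return 0;
}
```

The point of the bound and the early HS_EMPTY return is that a client pressing Enter, or sending nothing at all, gets a clean protocol error and a closed connection; the server process itself stays up. A service that faults on such input is at minimum a remote denial of service, which is why the crash in the quoted session is worth reporting to the vendor regardless of whether anything further can be made of it.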