http://matasanochargen.disqus.com/enThu, 05 Mar 2009 16:37:55 -0000http://www.matasano.com/log/1048/blackbag-091-new-link-and-minor-fixes/#comment-6923043and... sorry, it's back alive now!Eric_MontiThu, 05 Mar 2009 16:37:55 -0000http://www.matasano.com/log/1048/blackbag-091-new-link-and-minor-fixes/#comment-6133234And the link to blackbag is dead again.Apneet JollyTue, 10 Feb 2009 01:39:34 -0000http://www.matasano.com/log/1048/blackbag-091-new-link-and-minor-fixes/#comment-2323936Since blackbag is resurfacing I thought I'd repost a small example of the deezee part in action: <br>[code]<br>remote un-passworded root access in IBM's totalstorage ds400 storage thingie, like this: <br># download blackbag from <a href="http://www.matasano.com/download/blackbag-0.9.1.tgz" rel="nofollow">http://www.matasano.com/download/blackbag-0.9.1...</a><br># download firmware for totalstorage ds400 <br>lort# wget -q <a href="http://parker.vslib.cz/MIRRORS/ftp.adaptec.com/tmp0001/oem/ibm/IBM_TotalStorage_DS_Series_FW_v4.15.zip" rel="nofollow">http://parker.vslib.cz/MIRRORS/ftp.adaptec.com/...</a> <br>lort# unzip -q IBM_TotalStorage_DS_Series_FW_v4.15.zip <br>lort# rm IBM_TotalStorage_DS_Series_FW_v4.15.zip <br>lort# ls <br>Copy of IBM_TotalStorage_DS_Series_FW_v4.15.upgrade <br>README_Single_IBM_TotalStorage_DS_Series_FW_v4.15.txt.TXT <br>lort# mv Copy\ of\ IBM_TotalStorage_DS_Series_FW_v4.15.upgrade ds400.4.15.fw <br>lort# bkb deezee ds400.4.15.fw <br>Scanning file ds400.4.15.fw for compressed components <br>Compressed size: 21898976 bytes <br>Compressed segment found. Expanded to 2181580 bytes <br>Compressed segment found. Expanded to 16777216 bytes <br>Compressed segment found. Expanded to 67108864 bytes <br>lort# mkdir /mnt/1 /mnt/2 <br>lort# mdconfig -a -t vnode -f ./ds400.4.15.fw.1 -u 1 <br>lort# mdconfig -a -t vnode -f ./ds400.4.15.fw.2 -u 2 <br>lort# mount_ext2fs /dev/md1 /mnt/1 <br>lort# mount_ext2fs /dev/md2 /mnt/2 <br><br># part where you look for vulnerabilities intentionally skipped <br><br>lort# cat /mnt/2/etc/shadow <br>root::11430:0:10000:::: <br>bin:*:8902:0:10000:::: <br>daemon:*:8902:0:10000:::: <br>ftp:*:8902:0:10000:::: <br>named:*:8902:0:10000:::: <br>nobody:*:0:0:10000:::: <br>user::11430:0:10000:::: <br>manager::11430:0:10000:::: <br>administrator::11430:0:10000:::: <br>operator::11430:0:10000:::: <br>lort# cat /mnt/2/etc/inetd.conf <br># See "man 8 inetd" for more information. <br># <br># If you make changes to this file, either reboot your machine or send the <br># inetd a HUP signal: <br># Do a "ps x" as root and look up the pid of inetd. Then do a <br># "kill -HUP ". <br># The inetd will re-read this file whenever it gets that signal. <br># <br># <br># <br># If you want telnetd not to "keep-alives" (e.g. if it runs over a ISDN <br># uplink), add "-n". See 'man telnetd' for more deatails. <br># <br>telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd <br>cli stream tcp nowait root /usr/sbin/tcpd <br>in.telnetd -L /etc/eurologic/bin/cli <br>login stream tcp nowait root /usr/sbin/tcpd in.rlogind <br>shell stream tcp nowait.500 root /usr/sbin/tcpd in.rshd -Lh <br># <br># End. <br>lort# grep ^telnet /mnt/2/etc/services <br>telnet 6000/tcp <br><br># sit back and laugh at the passwordless accounts and the undocumented telnet daemon. [/code]kokaninMon, 09 Jun 2008 03:16:33 -0000http://www.matasano.com/log/1048/blackbag-091-new-link-and-minor-fixes/#comment-2323937I see that the README file talks about a util called sextract for reading and concatting TCP payloads which would be really cool, from the description, but is not included in blackbag. Any chance of including it?<br><br>Thanks,<br><br>MartinMartinSat, 24 May 2008 15:57:03 -0000