Network Security Pen-Test
RE: Port 9090 WServer??

Subject: RE: Port 9090 WServer??
Date: Tue, 17 May 2005 14:25:19 -0400
Looks to me as though they're using telnet to do client-server
communications/commands. This could definitely be a possible
vulnerability point.

If this is the case, I would suggest you can do one of a few things.

1) Do a little reverse engineering on the programs to find some
interesting strings that may be commands etc.
2) Place the software into a test environment and sniff the exchanges to
and from this port during normal operation.

These should give you a general idea of what the server expects and,
potentially, where you could cram it full of data to create a buffer
overflow, information leakage, etc.

-- Nathan

-----Original Message-----
From: xyberpix [mailto:xyberpix@xyberpix.com] 
Sent: Tuesday, May 17, 2005 11:12 AM
To: pen-test@securityfocus.com
Subject: Port 9090 WServer??

Hi All,

I am evaluating a bit of kit here, and it has 3 open ports on it: 22,
9090 and 30000.
22 is obviously ssh, as I have an account on the device, and using ssh
to gain access drops me into a restricted shell. I have tried a couple
of ways of breaking out of this, and none of them seem to work, so if
anyone has any sure fire ways to break out of a restricted shell, would
they please be kind enough to share them.
The next interesting point about the device is that if I telnet to port
9090, this is what I get:

xyberpix@su621unix1> telnet hmc 9090
Trying 10.163.8.42...
Connected to sa44bshmc01.
Escape character is '^]'.


---> Now I hit Enter a couple of times and get this:

Language received from client:
Setlocale: C
Memory fault
WServer.HANDSHAKING 30001 WServer.HANDSHAKING
Connection to sa44bshmc01 closed by foreign host.
xyberpix@su621unix1>

Does anyone know of any way that I could try and use this to my
advantage, as it looks hopeful, but I'm not too sure?

TIA

xyberpix



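The two steps Nathan suggests (put the software in a test environment, watch what the port expects, then push oversized input at it) boil down to a small probe harness. What follows is an added example, not code from either poster or from the vendor of the device. It is written against a constructed, in-process stand-in for the port-9090 service: the fake server answers any short line with the "Language received from client:" / "Setlocale: C" banner seen in the transcript and simply hangs up on any line longer than MAX_LINE bytes. That threshold and that behaviour are assumptions made so the example runs offline; nothing here is a claim about the real WServer. The client side is the reusable part: probe() sends one line and reports what came back and whether the peer closed the socket, and find_disconnect_length() ramps line lengths to find the smallest one at which the server drops the connection without answering, which is the kind of observation you would then chase with a debugger on the device.

```python
import socket
import socketserver
import threading

# Constructed stand-in for the device's port-9090 service, used only so the
# example can run offline. The crash threshold and the reply text are
# assumptions for the demo, not observed properties of the real WServer.
MAX_LINE = 256
BANNER = b"Language received from client:\r\nSetlocale: C\r\n"


class FakeWServer(socketserver.StreamRequestHandler):
    """Answers each short line with BANNER; drops the connection on a long one."""

    def handle(self):
        while True:
            line = self.rfile.readline()
            if not line:                       # client went away
                return
            if len(line.rstrip(b"\r\n")) > MAX_LINE:
                return                         # emulate the crash: close, no reply
            self.wfile.write(BANNER)
            self.wfile.flush()


def start_fake_wserver(host="127.0.0.1"):
    """Start the stand-in on an ephemeral port; returns (server, port)."""
    srv = socketserver.ThreadingTCPServer((host, 0), FakeWServer)
    srv.daemon_threads = True
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def probe(host, port, payload, timeout=0.3):
    """Send one CRLF-terminated line and collect the response.

    Returns (reply_bytes, closed_by_peer). closed_by_peer is True only when
    recv() returns b'' (a FIN from the server), which on this service is the
    "closed by foreign host" the original poster saw. A server that stays
    silent but keeps the socket open shows up as (b'', False).
    """
    chunks = []
    closed = False
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(payload + b"\r\n")
        while True:
            try:
                data = s.recv(4096)
            except (socket.timeout, TimeoutError):
                break                          # server is alive but quiet
            if not data:
                closed = True
                break
            chunks.append(data)
    return b"".join(chunks), closed


def find_disconnect_length(host, port, lengths=(16, 64, 256, 1024, 4096),
                           filler=b"A"):
    """Ramp line lengths; return the first length at which the server hangs
    up without answering, or None if every probe got a reply."""
    for n in lengths:
        reply, closed = probe(host, port, filler * n)
        if closed and not reply:
            return n
    return None


if __name__ == "__main__":
    srv, port = start_fake_wserver()
    print("empty line ->", probe("127.0.0.1", port, b""))
    print("first length that drops the connection:",
          find_disconnect_length("127.0.0.1", port))
    srv.shutdown()
```

Against a real target replace start_fake_wserver() with the device's address, keep the timeouts generous, and pair the ramp with a packet capture of the normal client so the filler can be placed inside a command the server actually parses rather than in a bare line; a disconnect at a given length is only a lead, and whether it is a buffer overflow or a clean bail-out has to be confirmed on the device itself.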