BlackBag 0.9.1 - New link and minor fixes

Eric Monti | May 1st, 2008 | Filed Under: Uncategorized

It seems our old link to BlackBag on here went bad some time ago. We’ve been getting lots of requests for a new link.

P.S. Thanks to Marcin, for pointing us at sockpuppet. Nobody at Matasano could seem to remember where we’d seen it last!

You may notice the minor version number bumped. In the process of digging up a working tarball, I took the opportunity to make two very trivial tweaks:

  • Fixed a small bug in tsec.c that was causing “make” to fail.
  • Added offsets to deezee’s output (culled from the silly little patch I mentioned in my last post)
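For readers who want to see what "scanning a file for compressed components" and "offsets in the output" amount to in practice, here is a small carver in the same spirit. It is an added example written for this page, not BlackBag's deezee and not derived from its source; the page does not say which compression deezee looks for, so this example assumes zlib-wrapped deflate (RFC 1950) streams and verifies each hit by inflating it to a clean end-of-stream (Adler-32 checked) before reporting it. The sample blob is constructed inline; names such as `find_zlib_streams` and `report` are this example's own.

```python
import zlib


def looks_like_zlib_header(cmf, flg):
    """RFC 1950 header check: CM (low nibble of CMF) is 8 for deflate,
    CINFO (high nibble) is at most 7, and CMF*256+FLG is a multiple of 31.
    Streams with a preset dictionary (FDICT) cannot be inflated blind, so skip them."""
    if (cmf & 0x0F) != 8 or (cmf >> 4) > 7:
        return False
    if flg & 0x20:
        return False
    return ((cmf << 8) | flg) % 31 == 0


def find_zlib_streams(blob, min_size=64):
    """Scan blob for zlib streams that inflate cleanly (Adler-32 verified).
    Returns [(offset, compressed_len, inflated_bytes), ...] and resumes the
    scan after each hit so the bytes inside a stream are not re-examined."""
    found = []
    pos = 0
    while pos < len(blob) - 1:
        if not looks_like_zlib_header(blob[pos], blob[pos + 1]):
            pos += 1
            continue
        inflater = zlib.decompressobj()
        try:
            data = inflater.decompress(blob[pos:])
        except zlib.error:
            pos += 1          # header-shaped bytes, but not a real stream
            continue
        if not inflater.eof or len(data) < min_size:
            pos += 1          # truncated stream, or too small to matter
            continue
        # everything after the stream's end lands in unused_data
        consumed = len(blob) - pos - len(inflater.unused_data)
        found.append((pos, consumed, data))
        pos += consumed
    return found


def report(found):
    """One line per segment, like deezee's output with the offset added."""
    return [f"offset 0x{off:x}: compressed {clen} bytes, expanded to {len(data)} bytes"
            for off, clen, data in found]


# Constructed sample blob (not a real firmware image): two zlib streams
# separated by filler bytes that cannot pass the header check.
SEG1 = b"fake kernel image\n" * 2000
SEG2 = b"root::11430:0:10000::::\n" * 500


def build_sample():
    c1 = zlib.compress(SEG1)
    c2 = zlib.compress(SEG2, 9)
    blob = b"\xff" * 512 + c1 + b"\x00" * 1024 + c2 + b"\xff" * 256
    return blob, [512, 512 + len(c1) + 1024]


SAMPLE_BLOB, SAMPLE_OFFSETS = build_sample()

if __name__ == "__main__":
    for line in report(find_zlib_streams(SAMPLE_BLOB)):
        print(line)
```

Against a real image you would read the file into `blob` and write each inflated segment out under a numbered name before trying to mount or strings it; the offset is what lets you go back to the original image with a hex editor and see what wraps the segment.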

2 Comments so far

  • Martin

    May 24th, 2008 3:57 pm

    I see that the README file talks about a util called sextract for reading and concatting TCP payloads which would be really cool, from the description, but is not included in blackbag. Any chance of including it?

    Thanks,

    Martin

  • kokanin

    June 9th, 2008 3:16 am

    Since blackbag is resurfacing I thought I’d repost a small example of the deezee part in action:

    remote un-passworded root access in IBM’s totalstorage ds400 storage thingie, like this:
    # download blackbag from http://www.matasano.com/download/blackbag-0.9.1.tgz
    # download firmware for totalstorage ds400
    lort# wget -q http://parker.vslib.cz/MIRRORS/ftp.adaptec.com/tmp0001/oem/ibm/IBM_TotalStorage_DS_Series_FW_v4.15.zip
    lort# unzip -q IBM_TotalStorage_DS_Series_FW_v4.15.zip
    lort# rm IBM_TotalStorage_DS_Series_FW_v4.15.zip
    lort# ls
    Copy of IBM_TotalStorage_DS_Series_FW_v4.15.upgrade
    README_Single_IBM_TotalStorage_DS_Series_FW_v4.15.txt.TXT
    lort# mv Copy\ of\ IBM_TotalStorage_DS_Series_FW_v4.15.upgrade ds400.4.15.fw
    lort# bkb deezee ds400.4.15.fw
    Scanning file ds400.4.15.fw for compressed components
    Compressed size: 21898976 bytes
    Compressed segment found. Expanded to 2181580 bytes
    Compressed segment found. Expanded to 16777216 bytes
    Compressed segment found. Expanded to 67108864 bytes
    lort# mkdir /mnt/1 /mnt/2
    lort# mdconfig -a -t vnode -f ./ds400.4.15.fw.1 -u 1
    lort# mdconfig -a -t vnode -f ./ds400.4.15.fw.2 -u 2
    lort# mount_ext2fs /dev/md1 /mnt/1
    lort# mount_ext2fs /dev/md2 /mnt/2

    # part where you look for vulnerabilities intentionally skipped

    lort# cat /mnt/2/etc/shadow
    root::11430:0:10000::::
    bin:*:8902:0:10000::::
    daemon:*:8902:0:10000::::
    ftp:*:8902:0:10000::::
    named:*:8902:0:10000::::
    nobody:*:0:0:10000::::
    user::11430:0:10000::::
    manager::11430:0:10000::::
    administrator::11430:0:10000::::
    operator::11430:0:10000::::
    lort# cat /mnt/2/etc/inetd.conf
    # See "man 8 inetd" for more information.
    #
    # If you make changes to this file, either reboot your machine or send the
    # inetd a HUP signal:
    # Do a "ps x" as root and look up the pid of inetd. Then do a
    # "kill -HUP ".
    # The inetd will re-read this file whenever it gets that signal.
    #
    #
    #
    # If you want telnetd not to "keep-alives" (e.g. if it runs over a ISDN
    # uplink), add "-n". See 'man telnetd' for more deatails.
    #
    telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd
    cli stream tcp nowait root /usr/sbin/tcpd in.telnetd -L /etc/eurologic/bin/cli
    login stream tcp nowait root /usr/sbin/tcpd in.rlogind
    shell stream tcp nowait.500 root /usr/sbin/tcpd in.rshd -Lh
    #
    # End.
    lort# grep ^telnet /mnt/2/etc/services
    telnet 6000/tcp

    # sit back and laugh at the passwordless accounts and the undocumented telnet daemon.
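The two findings in the comment above (empty password fields in /etc/shadow, and inetd services running as root on a port you only discover by cross-referencing /etc/services) are exactly the kind of thing worth scripting once the filesystem images are mounted. Here is an added example that does that triage; it is not part of the original comment or of BlackBag. The file contents embedded below are constructed to mirror what the comment shows (a trimmed shadow file, the four inetd entries, and a services file where telnet sits on 6000/tcp); the `cli` service is deliberately left out of the constructed services file to show how an entry that cannot be resolved to a port is reported.

```python
# Constructed /etc/shadow (subset of the comment's): an empty second field
# means the account can log in with no password; "*" means it is locked.
SHADOW = """\
root::11430:0:10000::::
bin:*:8902:0:10000::::
daemon:*:8902:0:10000::::
nobody:*:0:0:10000::::
user::11430:0:10000::::
operator::11430:0:10000::::
"""

# Constructed /etc/inetd.conf: service socktype proto wait[.max] user[.group] server [args]
INETD_CONF = """\
# See "man 8 inetd" for more information.
telnet stream tcp nowait root /usr/sbin/tcpd in.telnetd
cli stream tcp nowait root /usr/sbin/tcpd in.telnetd -L /etc/eurologic/bin/cli
login stream tcp nowait root /usr/sbin/tcpd in.rlogind
shell stream tcp nowait.500 root /usr/sbin/tcpd in.rshd -Lh
"""

# Constructed /etc/services: telnet moved off 23/tcp, as in the comment's grep.
SERVICES = """\
telnet 6000/tcp
login 513/tcp
shell 514/tcp
"""


def passwordless_accounts(shadow_text):
    """Names of accounts whose password field is empty."""
    users = []
    for line in shadow_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= 2 and fields[1] == "":
            users.append(fields[0])
    return users


def service_ports(services_text):
    """Map (name, proto) -> port from an /etc/services file."""
    ports = {}
    for line in services_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2 or "/" not in parts[1]:
            continue
        port, proto = parts[1].split("/", 1)
        ports[(parts[0], proto)] = int(port)
    return ports


def inetd_entries(inetd_text, ports):
    """Parse inetd.conf entries and resolve each to a port where possible."""
    entries = []
    for line in inetd_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 6:
            continue
        name, socktype, proto, wait, user = parts[:5]
        user = user.replace(":", ".").split(".", 1)[0]   # strip optional group
        entries.append({
            "service": name, "proto": proto, "port": ports.get((name, proto)),
            "user": user, "program": parts[5], "args": parts[6:],
        })
    return entries


def audit(shadow_text, inetd_text, services_text):
    """Return one finding string per issue worth a second look."""
    findings = [f"shadow: account '{u}' has an empty password field"
                for u in passwordless_accounts(shadow_text)]
    ports = service_ports(services_text)
    for e in inetd_entries(inetd_text, ports):
        if e["port"] is None:
            where = f"{e['service']}/{e['proto']} (not in /etc/services)"
        else:
            where = f"{e['port']}/{e['proto']}"
        cmd = " ".join([e["program"]] + e["args"])
        if e["user"] == "root":
            findings.append(f"inetd: {e['service']} on {where} runs '{cmd}' as root")
        if e["service"] == "telnet" and e["port"] not in (None, 23):
            findings.append(f"inetd: telnet is on non-standard port {e['port']}/{e['proto']}")
    return findings


if __name__ == "__main__":
    for f in audit(SHADOW, INETD_CONF, SERVICES):
        print(f)
```

On a mounted image you would read the three files from under the mount point (for instance /mnt/2/etc) in place of the constructed strings; the same parser also makes it easy to spot a daemon that inetd would never start because its service name is missing from /etc/services, which is why unresolved entries are reported rather than dropped.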
