[13444] in bugtraq
SubSeven 2.1a (trojan)
daemon@ATHENA.MIT.EDU (Andrew Griffiths)
Thu Jan 20 15:31:08 2000
Mime-Version: 1.0
Content-Type: text/plain; format=flowed
Message-Id: <20000119225841.17413.qmail@hotmail.com>
Date: Wed, 19 Jan 2000 22:58:41 GMT
Reply-To: Andrew Griffiths <d1g17al@HOTMAIL.COM>
From: Andrew Griffiths <d1g17al@HOTMAIL.COM>
X-To: BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
There is a buffer overflow in Subseven 2.1a. It happens when you tell the
server to execute a dos command > 315 chars long. Depending on how long it
is, you can get it to quit quietly (not sure how long) plain crash (eip not
written over) or trash every variable there. (Around 4000 i think.)
Hell, I'm not sure if it's a bug in the OS (Win95 tested on) that can't
handle it but anyway.
An interesting side effect seems to be that stops connections to 139. I'm
not sure if it affects others I haven't had the time, lately.
The default install port is 27374, (assuming no password) type DOS
xxxxx(lot's x's)xxxxx and the connection should drop. There is some script I
wrote for the Nessus scanner (www.nessus.org) that'll get it to crash.
Catch ya,
Andrew Griffiths
______________________________________________________
Get Your Private, Free Email at http://www.hotmail.com
