[27238] in bugtraq


PPTP

daemon@ATHENA.MIT.EDU (Dave Aitel)
Tue Oct 1 17:19:49 2002

From: Dave Aitel <dave@immunitysec.com>
To: BugTraq <bugtraq@securityfocus.com>
Date: 01 Oct 2002 11:18:36 -0400
Message-Id: <1033485517.4538.123.camel@www.immunitysec.com>

For those of you who have a desire to crash Microsoft's PPTP stack, I
have a pptp .spk script linked off of
http://www.immunitysec.com/spike.html.

It would probably be good to run against other PPTP stacks as well.
(Likewise, SPIKE's msrpcfuzzer takes down free software dce-rpc stacks
just as fast as it takes down the non-free stacks.)

It's not a bad demonstration of how to use SPIKE scripts either, if
you're inclined to learn. Finding this bug took less than thirty
minutes...(</marketing>)

To run it:
# first enable the shared library fun
bash$ . ./ls.sh
# now run the script against 192.168.1.100 after setting up PPTP on that
# machine. It's a good idea to set up SoftIce as well.
bash$ ./generic_send_tcp 192.168.1.100 1723 ./pptp.spk 0 0
# wait for crash. It's in the second packet, I believe.

Dave Aitel
Immunity, Inc.
References
-----------------------------

   [1] phion Information Technologies
       http://www.phion.com/

Exploit
-----------------------------

   phion Information Technologies will not provide an exploit for this
   issue.

:>
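Seen from the defending side, what decides whether a PPTP stack survives a fuzzer like the script above is whether it validates the control-message header before reading anything past it. The following is an added example, not code from the post or from SPIKE: a Python validator that applies the RFC 2637 length, magic-cookie and message-type checks first, with the sample Start-Control-Connection-Request it parses constructed inline.

```python
import struct

# PPTP control connection constants from RFC 2637 (TCP port 1723).
PPTP_MAGIC = 0x1A2B3C4D
HEADER_LEN = 12  # Length(2) MsgType(2) Magic(4) CtrlType(2) Reserved0(2)
# Fixed total lengths of the control messages this validator knows:
# SCCRQ, SCCRP, StopCCRQ, StopCCRP, Echo-Request, Echo-Reply.
EXPECTED_LEN = {1: 156, 2: 156, 3: 16, 4: 16, 5: 16, 6: 20}


def parse_pptp_control(buf: bytes):
    """Return (ctrl_type, payload) for a well-formed control message, else None.

    Every check runs before any field beyond the fixed header is touched,
    which is the property that keeps a parser alive under fuzzed input.
    """
    if len(buf) < HEADER_LEN:
        return None  # truncated: not even a complete header
    length, msg_type, magic, ctrl_type, _rsv = struct.unpack("!HHIHH", buf[:HEADER_LEN])
    if magic != PPTP_MAGIC or msg_type != 1:  # 1 = control message, 2 = management
        return None
    if length < HEADER_LEN or length > len(buf):  # declared length must fit what was received
        return None
    expected = EXPECTED_LEN.get(ctrl_type)
    if expected is None or length != expected:  # unknown type, or wrong size for that type
        return None
    return ctrl_type, buf[HEADER_LEN:length]


def build_sccrq(hostname: bytes, vendor: bytes) -> bytes:
    """Construct a sample Start-Control-Connection-Request (control type 1)."""
    # version 1.0, reserved1, framing caps, bearer caps, max channels, firmware rev
    body = struct.pack("!HHIIHH", 0x0100, 0, 1, 1, 1, 0)
    body += hostname[:64].ljust(64, b"\0") + vendor[:64].ljust(64, b"\0")
    return struct.pack("!HHIHH", HEADER_LEN + len(body), 1, PPTP_MAGIC, 1, 0) + body


if __name__ == "__main__":
    sample = build_sccrq(b"client.example", b"constructed-sample")
    print(parse_pptp_control(sample)[0])        # 1: well-formed SCCRQ accepted
    print(parse_pptp_control(sample[:100]))     # None: length field exceeds data on hand
```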