Re: Net:telnet exploit

From: Dave Aitel (dave@immunitysec.com)
Date: Mon Mar 24 2003 - 11:36:37 EST


If you read the telnet protocol's RFC you might see where they mention
how FF is a control character of some sort, or something. So to send one
\xFF you need to escape it with another \xFF, which is being
automatically done for you.

Try sending your requests raw rather than through a telnet protocol
handler.

Dave Aitel
Recruitment and Training
Immunity, Inc.
http://www.immunitysec.com/CANVAS/ "Hack like you were in the movies."

On Sun, 23 Mar 2003 11:36:34 -0000
"Gary O'leary-Steele" <garyo@sec-1.com> wrote:

> Hello all,
>
> I am coding an exploit using perl. The exploit needs to send each byte
> individually instead of a large string to get round some trivial
> bounds checking.
>
> use Net::Telnet ();
> $t->open(Host=> $host,
> Port => $port,
> Errmode => $mode,
> Timeout => $secs,);
> $t ->put("\xFF");
>
>
>
> However when I send \xFF bytes they get doubled up.
>
> Any ideas?
>
> Regards,
> Gary
>
>
> ---------------------------------------------------------------------
> ------- Did you know that you have VNC running on your network?
> Your hacker does. Plug your security holes now!
> Download a free 15-day trial of VAM:
> http://www2.stillsecure.com/download/sf_vuln_list.html
>
>

top spam and e-mail risk at the gateway.
SurfControl E-mail Filter puts the brakes on spam & viruses
and gives you the reports to prove it. See exactly how much
junk never even makes it in the door. Free 30-day trial:
http://www.surfcontrol.com/go/zsfptl1



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:31 EDT