PPTP

From: Dave Aitel (daveat_private)
Date: Tue Oct 01 2002 - 08:18:36 PDT


    For those of you who have a desire to crash Microsoft's PPTP stack, I
    have a pptp .spk script linked off of
    http://www.immunitysec.com/spike.html. 
    
    It would probably be good to run against other PPTP stacks as well.
    (Likewise, SPIKE's msrpcfuzzer takes down free software dce-rpc stacks
    just as fast as it takes down the non-free stacks.)
    
    It's not a bad demonstration of how to use SPIKE scripts either, if
    you're inclined to learn. Finding this bug took less than thirty
    minutes...(</marketing>)
    
    To run it:
    # first enable the shared library fun
    bash$ . ./ls.sh 
    # now run the script against 192.168.1.100 after setting up PPTP on that
    machine. It's a good idea to set up SoftIce as well.
    bash$ ./generic_send_tcp 192.168.1.100 1723 ./pptp.spk 0 0 
    #wait for crash. It's in the second packet, I believe.
    
    Dave Aitel
    Immunity, Inc.
    
    References
    -----------------------------
    
       [1] phion Information Technologies
           http://www.phion.com/
    
    Exploit
    -----------------------------
    
       phion Information Technologies will not provide an exploit for this
    issue.
    
    :>
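Added here as a defender's counterpart to the post above (this is not Dave's code or part of SPIKE): a strict validator for the PPTP control-message header (TCP 1723, RFC 2637), the kind of check a hardened stack runs before it touches any message body. It uses the fixed message lengths from RFC 2637 and is run against two constructed packets, a well-formed Echo-Request and a short packet whose length field disagrees with the bytes actually received.

```python
import struct

PPTP_MAGIC = 0x1A2B3C4D          # magic cookie from RFC 2637
PPTP_CONTROL_MESSAGE = 1         # PPTP Message Type 1 = control message

# Total length of each control message, as fixed by RFC 2637
CONTROL_MSG_LENGTHS = {
    1: 156,   # Start-Control-Connection-Request
    2: 156,   # Start-Control-Connection-Reply
    3: 16,    # Stop-Control-Connection-Request
    4: 16,    # Stop-Control-Connection-Reply
    5: 16,    # Echo-Request
    6: 20,    # Echo-Reply
    7: 168,   # Outgoing-Call-Request
    8: 32,    # Outgoing-Call-Reply
    9: 220,   # Incoming-Call-Request
    10: 148,  # Incoming-Call-Reply
    11: 28,   # Incoming-Call-Connected
    12: 16,   # Call-Clear-Request
    13: 148,  # Call-Disconnect-Notify
    14: 24,   # WAN-Error-Notify
    15: 24,   # Set-Link-Info
}

HEADER = struct.Struct("!HHIHH")  # Length, Msg Type, Magic, Ctrl Type, Reserved0


def validate_control_message(data: bytes) -> tuple[bool, str]:
    """Return (ok, reason). Reject anything whose header is inconsistent
    with the wire data before any field past the header is read."""
    if len(data) < HEADER.size:
        return False, "truncated header"
    length, msg_type, magic, ctrl_type, _reserved = HEADER.unpack(data[:HEADER.size])
    if magic != PPTP_MAGIC:
        return False, "bad magic cookie"
    if msg_type != PPTP_CONTROL_MESSAGE:
        return False, f"unsupported PPTP message type {msg_type}"
    if ctrl_type not in CONTROL_MSG_LENGTHS:
        return False, f"unknown control message type {ctrl_type}"
    expected = CONTROL_MSG_LENGTHS[ctrl_type]
    if length != expected:
        return False, f"length field {length} != expected {expected}"
    if len(data) != expected:   # never trust the length field over the buffer
        return False, f"received {len(data)} bytes, expected {expected}"
    return True, "ok"


# Constructed samples: a valid Echo-Request (identifier 1), and a 16-byte
# Echo-Request whose length field claims 65535 bytes.
ECHO_REQUEST = HEADER.pack(16, 1, PPTP_MAGIC, 5, 0) + struct.pack("!I", 1)
BAD_LENGTH = HEADER.pack(0xFFFF, 1, PPTP_MAGIC, 5, 0) + struct.pack("!I", 1)
```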
    
    This archive was generated by hypermail 2b30 : Tue Oct 01 2002 - 14:19:01 PDT