Re: Exploit for PoPToP PPTP server - Linux version

From: John Leach (bugtraqat_private)
Date: Tue Apr 22 2003 - 08:03:40 PDT

    Hello world,
    
    Find attached a modified version that will compile with gcc on Linux. 
    The vulnerability check seems to work, but I've not yet managed a
    successful exploit.
    
    John.
    
    P.S: Greets to my Mum.
    
    On Fri, 2003-04-18 at 15:27, einstein, dhtm wrote: 
    > hello bugtraq,
    > 
    > Here is an exploit for a recently discovered vulnerability in PoPToP
    > PPTP server under Linux. Versions affected are all prior to
    > 1.1.4-b3 and 1.1.3-20030409.
    > The exploit is capable of bruteforcing the RET address to find our
    > buffer in the stack. Upon a successful run it brings up a reverse
    > shell with privileges of the pptpd daemon (typically root)
    > on the victim server.
    > 
    > P.S. Greets to ERRor, Death and all others.
    > 
    
    -- 
    GPG KEY: B89C D450 5B2C 74D8 58FB A360 9B06 B5C2 26F0 3047
       HTTP: http://www.johnleach.co.uk
    
    
    




    This archive was generated by hypermail 2b30 : Tue Apr 22 2003 - 14:27:30 PDT