eiz
Joined: 11 May 2005 Posts: 152 Location: Florida
Posted: Sun Aug 21, 2005 1:19 pm Post subject: Windows Telnet and the Mystery Nulls
So I'm investigating a problem with our telnet server today and I got a rather interesting Ethereal dump (server lines are indented):
Code:
    00000000 ff fd 1f ff fd 18 ff fd 27 ff fb 56 57 65 6c 63 ........ '..VWelc
    00000010 6f 6d 65 20 74 6f 20 41 65 74 61 73 2e 0d 0a 0d ome to A etas....
    00000020 0a 57 68 61 74 20 69 73 20 79 6f 75 72 20 6e 61 .What is your na
    00000030 6d 65 3f 20 me?
00000000 ff fb 1f ...
00000003 ff fa 1f 00 50 00 19 ff f0 ff fb 18 ff fb 27 ff ....P... ......'.
00000013 fe 56 .V
    00000034 ff fa 18 01 ff f0 ff fa 27 01 ff f0 ........ '...
00000015 ff fa 18 00 41 4e 53 49 ff f0 ....ANSI ..
    00000040 ff fa 18 01 ff f0 ......
0000001F ff fa 27 00 ff f0 ..'...
00000025 ff fa 18 00 56 54 31 30 30 ff f0 ....VT10 0..
00000030 75 u
    00000046 ff fa 18 01 ff f0 ......
00000031 ff fa 18 00 56 54 35 32 ff f0 6e ....VT52 ..n
0000003C 69 i
    0000004C ff fa 18 01 ff f0 ......
0000003D ff fa 18 00 56 54 4e 54 ff f0 01 00 00 00 00 00 ....VTNT ........ ## This is where things start getting wacky!
0000004D 00 00 01 00 49 00 17 00 69 00 00 00 00 00 01 00 ....I... i.......
0000005D 00 00 01 00 00 00 01 00 46 00 21 00 66 00 00 00 ........ F.!.f...
0000006D 00 00 ..
0000006F 01 00 00 00 01 00 00 00 01 00 45 00 12 00 65 00 ........ ..E...e.
0000007F 00 00 00 00 ....
    00000052 ff fa 18 01 ff f0 ......
00000083 ff fa 18 00 56 54 4e 54 ff f0 01 00 00 00 00 00 ....VTNT ........
00000093 00 00 01 00 46 00 21 00 66 00 00 00 00 00 01 00 ....F.!. f.......
000000A3 00 00 00 00 00 00 01 00 45 00 12 00 65 00 00 00 ........ E...e...
000000B3 00 00 ..
000000B5 01 00 00 00 01 00 00 00 01 00 58 00 2d 00 78 00 ........ ..X.-.x.
000000C5 00 00 00 00 ....
    00000058 0d 0a 1b 5b 31 3b 33 31 6d 57 41 52 4e 49 4e 47 ...[1;31 mWARNING
    00000068 3a 1b 5b 30 6d 20 59 6f 75 20 61 72 65 20 75 73 :.[0m Yo u are us
    00000078 69 6e 67 20 61 20 62 72 6f 6b 65 6e 20 74 65 6c ing a br oken tel
    00000088 6e 65 74 20 63 6c 69 65 6e 74 2e 20 45 6e 61 62 net clie nt. Enab
    00000098 6c 69 6e 67 20 73 65 72 76 65 72 2d 73 69 64 65 ling ser ver-side
    000000A8 20 65 63 68 6f 2e 0d 0a echo...
000000C9 0d 0a ..
    000000B0 ff fb 01 ...
000000CB ff fd 01 ...
    000000B3 54 68 65 20 6e 61 6d 65 20 27 75 6e 69 01 00 00 The name 'uni...
    000000C3 00 00 00 00 00 01 00 49 00 17 00 69 00 00 00 00 .......I ...i....
    000000D3 00 01 00 00 00 01 00 00 00 01 00 46 00 21 00 66 ........ ...F.!.f
    000000E3 00 00 00 00 00 01 00 00 00 01 00 00 00 01 00 45 ........ .......E
    000000F3 00 12 00 65 00 00 00 00 00 01 00 00 00 00 00 00 ...e.... ........
    00000103 00 01 00 46 00 21 00 66 00 00 00 00 00 01 00 00 ...F.!.f ........
    00000113 00 00 00 00 00 01 00 45 00 12 00 65 00 00 00 00 .......E ...e....
    00000123 00 01 00 00 00 01 00 00 00 01 00 58 00 2d 00 78 ........ ...X.-.x
    00000133 00 00 00 00 00 27 20 77 61 73 20 69 6e 76 61 6c .....' w as inval
    00000143 69 64 20 62 65 63 61 75 73 65 3a 20 4e 61 6d 65 id becau se: Name
    00000153 20 6d 75 73 74 20 63 6f 6e 74 61 69 6e 20 6f 6e must co ntain on
    00000163 6c 79 20 61 6c 70 68 61 6e 75 6d 65 72 69 63 20 ly alpha numeric
    00000173 63 68 61 72 61 63 74 65 72 73 2e 0d 0a 0d 0a 57 characte rs.....W
    00000183 68 61 74 20 69 73 20 79 6f 75 72 20 6e 61 6d 65 hat is y our name
    00000193 3f 20 ?
This bug is triggered on Windows Telnet when the user is already entering their name at the prompt while telnet negotiation is happening. For some reason, the client is sending us a bunch of junk characters, and I don't really have any idea why.
Has anyone else encountered a problem like this?
Kaz
Joined: 05 Jun 2005 Posts: 24 Location: Hampshire, UK
Posted: Wed Aug 24, 2005 2:37 pm
Yes, I came across this recently. It happens (briefly, in my experience) when activating the VTNT terminal type in Windows Telnet. It starts spitting out the proprietary VTNT protocol, which I managed to decode a little. Here's the small comment in my source code on the issue:
Code:
// ==========================================================================
// VTNT PROTOCOL
//
// Note: the protocol itself is undocumented, so this represents a work in
// progress about how the protocol actually works.
//
// A VTNT packet is 20 bytes long, and can be split into 5 words of 4 bytes.
// Byte 0, the header byte, contains the sequence 0x01, 0x00, 0xFF, 0xFF.
// Byte 1, the event byte, contains 0x<EV>, 0x00, 0x00, 0x00, where EV
// is either 0x01 for the key being pressed, or 0x00 for the key being
// released.
// Byte 2, the upchar byte, contains 0x01, 0x00, 0x<UP>, 0x00, where UP
// is the upper-case representation of the character being received.
// Byte 3, the char byte, contains 0x<CV>, 0x00, 0x<CH>, 0x00, where
// CV indicates the control value of a character, and CH indicates the
// character value of a character.
// Byte 4, the trailer byte, contains 0x<M0>, 0x<M1>, 0x00, 0x00, where M0
// and M1 are the masks for the control keys being pressed. Here's what
// I've worked out so far for M0:
//
//      7    6    5    4    3    2    1    0
//   +====+====+====+====+====+====+====+==>
//   |    |    |    |    |    |    |    |
//   |    |    |    |    |    |    |    +--- AltGr -+
//   |    |    |    |    |    |    +-------- Alt     |
//   |    |    |    |    |    +------------- RCtrl   |
//   |    |    |    |    +------------------ AltGr  -+ / LCtrl
//   |    |    |    +----------------------- Shift
//   |    |    +---------------------------- Num Lock
//   |    +--------------------------------- Scroll Lock
//   +-------------------------------------- Caps Lock
//
// And M1:
//
//      7    6    5    4    3    2    1    0
//   +====+====+====+====+====+====+====+==>
//   |    |    |    |    |    |    |    |
//   |    |    |    |    |    |    |    +--- Extended Key (Windows, etc.)
//   |    |    |    |    |    |    +--------
//   |    |    |    |    |    +-------------
//   |    |    |    |    +------------------
//   |    |    |    +-----------------------
//   |    |    +----------------------------
//   |    +---------------------------------
//   +--------------------------------------
//
// Here are the values for control keys:
//
//   KEY          UP     CV    CH    M0    M1
//   L-Shift      0x10   0x2A  0x00  0x10  0x00
//   R-Shift      0x10   0x36  0x00  0x10  0x00
//   L-Ctrl       0x11   0x1D  0x00  0x08  0x00
//   R-Ctrl       0x11   0x1D  0x00  0x04  0x01
//   L-Alt        0x12   0x38  0x00  0x02  0x00
//   AltGr        0x12   0x38  0x00  0x09  0x01
//   L-Windows    0x5B   0x5B  0x00  0x00  0x01
//   R-Windows    0x5C   0x5C  0x00  0x00  0x01
//   R-Popup      0x5D   0x5D  0x00  0x00  0x01
//   F1           0x70   0x3B  0x00  0x00  0x00
//   F2           0x71   0x3C  0x00  0x00  0x00
//   ...
//   F10          0x79   0x44  0x00  0x20  0x00
//   F11          0x7A   0x57  0x00  0x20  0x00
//   F12          0x7B   0x58  0x00  0x20  0x00
//   CapsLock     0x14   0x3A  0x00  0x80  0x00  -> On
//   CapsLock     0x14   0x3A  0x00  0x00  0x00  -> Off
//   ScrollLock   0xAC   0x46  0x00  0x40  0x00  -> On
//   ScrollLock   0xAC   0x46  0x00  0x20  0x00  -> Off
//   NumLock      0x
//   Break        0x13   0x45  0x00  0x00  0x01
//   Insert       0x2D   0x52  0x00  0x00  0x01
//   Delete       0x2E   0x53  0x00  0x00  0x01
//   Page Up      0x21   0x49  0x00  0x00  0x01
//   Page Down    0x22   0x51  0x00  0x00  0x01
//   End          0x23   0x4F  0x00  0x00  0x01
//   Home         0x24   0x47  0x00  0x00  0x01
//   Left         0x25   0x4B  0x00  0x00  0x01
//   Up           0x26   0x48  0x00  0x00  0x01
//   Right        0x27   0x4D  0x00  0x00  0x01
//   Down         0x28   0x50  0x00  0x00  0x01
//   a            0x41   0x1E  0x61  0x00  0x00
//   b            0x42   0x30  0x62  0x00  0x00
//   ...
//   y            0x59   0x15  0x79  0x00  0x00
//   z            0x5A   0x2C  0x7A  0x00  0x00
//   A            0x41   0x1E  0x41  0x00  0x00
//   B            0x42   0x30  0x42  0x00  0x00
//   ...
//   Y            0x59   0x15  0x59  0x00  0x00
//   Z            0x5A   0x2C  0x5A  0x00  0x00
//   Return       0x0D   0x1C  0x0D  0x00  0x00
//   Enter        0x0D   0x1C  0x0D  0x00  0x01
//   Number 0     0x30   0x0B  0x30  0x00  0x00
//   Number 1     0x31   0x02  0x31  0x00  0x00
//   Number 2     0x32   0x03  0x32  0x00  0x00
//   Keypad 0     0x60   0x52  0x30  0x20  0x00  (NumLock, of course)
//   Keypad 1     0x61   0x4F  0x31  0x20  0x00  ( " )
//   Keypad 2     0x62   0x50  0x32  0x20  0x00  ( " )
//
//   0x35 0x37 0x4A         / * -    (Keypad Layout of CV)
//   0x47 0x48 0x49         7 8 9
//   0x4B 0x4C 0x4D 0x4E    4 5 6 +
//   0x4F 0x50 0x51         1 2 3
//   0x52 0x53              0 .
//
// --- Internet Keys
//   Back         0xFF>  0x25  0x00  0x00  0x01  (UP byte 2 is 0xFF too)
//   Forward      0xFF>  0x1E  0x00  0x00  0x01  ( " )
//
// Additional Info:
// * http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dllproc/base/input_record_str.asp
//   Lists other event types:
//     0x0001 = KEY_EVENT
//     0x0002 = MOUSE_EVENT
//     0x0004 = WINDOW_BUFFER_SIZE_EVENT
//     0x0008 = MENU_EVENT
//     0x0010 = FOCUS_EVENT
//
//   Only KEY_EVENT seems to occur with Windows Telnet.
//
// * http://msdn.microsoft.com/library/default.asp?url=/library/en-us/winui/winui/WindowsUserInterface/UserInput/VirtualKeyCodes.asp
//   Lists the "Virtual Key-codes", which correspond to the CV entry.
// ==========================================================================
eiz
Joined: 11 May 2005 Posts: 152 Location: Florida
Posted: Wed Aug 24, 2005 5:42 pm
Thanks a lot! I think you need to double check your protocol information, though: as far as I can tell, it's just a direct dump of the INPUT_RECORD structure (all too familiar... I hate the Windows console), padding and all, which is a bit different from what you have listed.
I get this:
2 bytes - event type
2 bytes - padding
4 bytes - bKeyDown (BOOL is an int not a char as you might expect)
2 bytes - wRepeatCount
2 bytes - wVirtualKeyCode
2 bytes - wVirtualScanCode
2 bytes - uChar
4 bytes - dwControlKeyState
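Decoding the capture along those lines, as an added example rather than code from either poster: each 20-byte chunk is unpacked with the INPUT_RECORD layout eiz lists, and dwControlKeyState is mapped to the Windows console flag names from wincon.h, which is where Kaz's M0/M1 mask bits come from (M0 is the low byte, M1 the high byte of that DWORD). Three sample records are taken from the Ethereal dump in the first post; the AltGr record is constructed here from Kaz's table.

```python
import struct

# INPUT_RECORD with a KEY_EVENT_RECORD payload, little-endian, laid out as eiz lists it:
# WORD EventType, 2 pad bytes, BOOL bKeyDown (4 bytes), WORD wRepeatCount,
# WORD wVirtualKeyCode, WORD wVirtualScanCode, WCHAR uChar, DWORD dwControlKeyState.
INPUT_RECORD = struct.Struct("<HxxiHHHHI")
KEY_EVENT = 0x0001

# dwControlKeyState flags from the Windows console API (wincon.h). Kaz's M0 is the
# low byte and M1 the high byte of this DWORD, so his AltGr mask 0x09/0x01 is 0x0109.
CONTROL_KEY_FLAGS = {
    0x0001: "RIGHT_ALT_PRESSED", 0x0002: "LEFT_ALT_PRESSED",
    0x0004: "RIGHT_CTRL_PRESSED", 0x0008: "LEFT_CTRL_PRESSED",
    0x0010: "SHIFT_PRESSED", 0x0020: "NUMLOCK_ON",
    0x0040: "SCROLLLOCK_ON", 0x0080: "CAPSLOCK_ON",
    0x0100: "ENHANCED_KEY",  # Kaz's M1 bit 0: arrows, Insert, keypad Enter, ...
}


def parse_vtnt_records(data: bytes) -> list:
    """Decode a VTNT stream as consecutive 20-byte INPUT_RECORDs (KEY_EVENT only)."""
    records = []
    for off in range(0, len(data) - INPUT_RECORD.size + 1, INPUT_RECORD.size):
        ev, down, repeat, vk, scan, ch, ctrl = INPUT_RECORD.unpack_from(data, off)
        if ev != KEY_EVENT:
            continue
        records.append({
            "key_down": bool(down), "repeat": repeat, "vk": vk, "scan": scan,
            "char": chr(ch) if ch else "",
            "modifiers": [name for bit, name in CONTROL_KEY_FLAGS.items() if ctrl & bit],
        })
    return records


def typed_text(data: bytes) -> str:
    """What the user actually typed: printable chars from key-down events only.
    This is what the name prompt should have received instead of the raw bytes."""
    return "".join(r["char"] * r["repeat"] for r in parse_vtnt_records(data)
                   if r["key_down"] and r["char"] and r["char"].isprintable())


# Sample stream: the three records that follow "IAC SB TERMINAL-TYPE IS VTNT IAC SE"
# in the Ethereal dump (key-up 'i', key-down 'f', key-down 'e'), plus one record
# constructed here from Kaz's table for an AltGr press (UP 0x12, CV 0x38, M0/M1 0x09/0x01).
SAMPLE = bytes.fromhex(
    "0100000000000000010049001700690000000000"
    "0100000001000000010046002100660000000000"
    "0100000001000000010045001200650000000000"
    "0100000001000000010012003800000009010000"
)
```

parse_vtnt_records(SAMPLE) yields the four decoded records (the first is the release of 'i', so it carries no typed character), and typed_text(SAMPLE) returns 'fe', the part of the name the user was typing while the junk appeared.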