Windows Telnet and the Mystery Nulls

mudlab.org Forum Index -> Coding
eiz



Joined: 11 May 2005
Posts: 152
Location: Florida

Posted: Sun Aug 21, 2005 1:19 pm    Post subject: Windows Telnet and the Mystery Nulls

So I'm investigating a problem with our telnet server today and I got a rather interesting Ethereal dump (server lines are indented):

Code:

    00000000  ff fd 1f ff fd 18 ff fd  27 ff fb 56 57 65 6c 63 ........ '..VWelc
    00000010  6f 6d 65 20 74 6f 20 41  65 74 61 73 2e 0d 0a 0d ome to A etas....
    00000020  0a 57 68 61 74 20 69 73  20 79 6f 75 72 20 6e 61 .What is  your na
    00000030  6d 65 3f 20                                      me?
00000000  ff fb 1f                                         ...
00000003  ff fa 1f 00 50 00 19 ff  f0 ff fb 18 ff fb 27 ff ....P... ......'.
00000013  fe 56                                            .V
    00000034  ff fa 18 01 ff f0 ff fa  27 01 ff f0             ........ '...
00000015  ff fa 18 00 41 4e 53 49  ff f0                   ....ANSI ..
    00000040  ff fa 18 01 ff f0                                ......
0000001F  ff fa 27 00 ff f0                                ..'...
00000025  ff fa 18 00 56 54 31 30  30 ff f0                ....VT10 0..
00000030  75                                               u
    00000046  ff fa 18 01 ff f0                                ......
00000031  ff fa 18 00 56 54 35 32  ff f0 6e                ....VT52 ..n
0000003C  69                                               i
    0000004C  ff fa 18 01 ff f0                                ......
0000003D  ff fa 18 00 56 54 4e 54  ff f0 01 00 00 00 00 00 ....VTNT ........    ## This is where things start getting wacky!
0000004D  00 00 01 00 49 00 17 00  69 00 00 00 00 00 01 00 ....I... i.......
0000005D  00 00 01 00 00 00 01 00  46 00 21 00 66 00 00 00 ........ F.!.f...
0000006D  00 00                                            ..
0000006F  01 00 00 00 01 00 00 00  01 00 45 00 12 00 65 00 ........ ..E...e.
0000007F  00 00 00 00                                      ....
    00000052  ff fa 18 01 ff f0                                ......
00000083  ff fa 18 00 56 54 4e 54  ff f0 01 00 00 00 00 00 ....VTNT ........
00000093  00 00 01 00 46 00 21 00  66 00 00 00 00 00 01 00 ....F.!. f.......
000000A3  00 00 00 00 00 00 01 00  45 00 12 00 65 00 00 00 ........ E...e...
000000B3  00 00                                            ..
000000B5  01 00 00 00 01 00 00 00  01 00 58 00 2d 00 78 00 ........ ..X.-.x.
000000C5  00 00 00 00                                      ....
    00000058  0d 0a 1b 5b 31 3b 33 31  6d 57 41 52 4e 49 4e 47 ...[1;31 mWARNING
    00000068  3a 1b 5b 30 6d 20 59 6f  75 20 61 72 65 20 75 73 :.[0m Yo u are us
    00000078  69 6e 67 20 61 20 62 72  6f 6b 65 6e 20 74 65 6c ing a br oken tel
    00000088  6e 65 74 20 63 6c 69 65  6e 74 2e 20 45 6e 61 62 net clie nt. Enab
    00000098  6c 69 6e 67 20 73 65 72  76 65 72 2d 73 69 64 65 ling ser ver-side
    000000A8  20 65 63 68 6f 2e 0d 0a                           echo...
000000C9  0d 0a                                            ..
    000000B0  ff fb 01                                         ...
000000CB  ff fd 01                                         ...
    000000B3  54 68 65 20 6e 61 6d 65  20 27 75 6e 69 01 00 00 The name  'uni...
    000000C3  00 00 00 00 00 01 00 49  00 17 00 69 00 00 00 00 .......I ...i....
    000000D3  00 01 00 00 00 01 00 00  00 01 00 46 00 21 00 66 ........ ...F.!.f
    000000E3  00 00 00 00 00 01 00 00  00 01 00 00 00 01 00 45 ........ .......E
    000000F3  00 12 00 65 00 00 00 00  00 01 00 00 00 00 00 00 ...e.... ........
    00000103  00 01 00 46 00 21 00 66  00 00 00 00 00 01 00 00 ...F.!.f ........
    00000113  00 00 00 00 00 01 00 45  00 12 00 65 00 00 00 00 .......E ...e....
    00000123  00 01 00 00 00 01 00 00  00 01 00 58 00 2d 00 78 ........ ...X.-.x
    00000133  00 00 00 00 00 27 20 77  61 73 20 69 6e 76 61 6c .....' w as inval
    00000143  69 64 20 62 65 63 61 75  73 65 3a 20 4e 61 6d 65 id becau se: Name
    00000153  20 6d 75 73 74 20 63 6f  6e 74 61 69 6e 20 6f 6e  must co ntain on
    00000163  6c 79 20 61 6c 70 68 61  6e 75 6d 65 72 69 63 20 ly alpha numeric
    00000173  63 68 61 72 61 63 74 65  72 73 2e 0d 0a 0d 0a 57 characte rs.....W
    00000183  68 61 74 20 69 73 20 79  6f 75 72 20 6e 61 6d 65 hat is y our name
    00000193  3f 20                                            ?


This bug is triggered on Windows Telnet when the user is already entering their name on the prompt while telnet negotiation is happening. For some reason, the client is sending us a bunch of junk characters, and I don't really have any idea why.

Has anyone else encountered a problem like this?
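An added example (my own code, not from the post): a small telnet stream splitter in Python, run over the client-side bytes transcribed from the capture above (the non-indented lines). It separates option negotiation and subnegotiations from user data and shows what the dump shows: the client cycles through ANSI, VT100, VT52 and VTNT in answer to repeated TERMINAL-TYPE SEND requests, and once it has announced VTNT the "data" bytes that follow are no longer keystrokes but 20-byte binary records, which the server's alphanumeric name check then rejects. The constant and function names are mine.

```python
# Telnet command bytes (RFC 854) and the options that appear in the capture
IAC, DONT, DO, WONT, WILL, SB, SE = 0xFF, 0xFE, 0xFD, 0xFC, 0xFB, 0xFA, 0xF0
ECHO, TTYPE, NAWS, NEW_ENVIRON = 0x01, 0x18, 0x1F, 0x27
TTYPE_IS = 0x00

# Client-to-server bytes of the capture in the post, transcribed by hand
# (constructed sample input for this example).
CLIENT_BYTES = bytes.fromhex(
    "ff fb 1f "                                         # WILL NAWS
    "ff fa 1f 00 50 00 19 ff f0 ff fb 18 ff fb 27 ff fe 56 "  # NAWS 80x25, WILL TTYPE/NEW-ENVIRON, DONT 0x56
    "ff fa 18 00 41 4e 53 49 ff f0 "                    # TTYPE IS ANSI
    "ff fa 27 00 ff f0 "                                # NEW-ENVIRON IS (empty)
    "ff fa 18 00 56 54 31 30 30 ff f0 "                 # TTYPE IS VT100
    "75 "                                               # 'u'
    "ff fa 18 00 56 54 35 32 ff f0 6e "                 # TTYPE IS VT52, 'n'
    "69 "                                               # 'i'
    "ff fa 18 00 56 54 4e 54 ff f0 "                    # TTYPE IS VTNT
    "01 00 00 00 00 00 00 00 01 00 49 00 17 00 69 00 00 00 00 00 "
    "01 00 00 00 01 00 00 00 01 00 46 00 21 00 66 00 00 00 00 00 "
    "01 00 00 00 01 00 00 00 01 00 45 00 12 00 65 00 00 00 00 00 "
    "01 00 00 00 00 00 00 00 01 00 46 00 21 00 66 00 00 00 00 00 "
    "01 00 00 00 00 00 00 00 01 00 45 00 12 00 65 00 00 00 00 00 "
    "01 00 00 00 01 00 00 00 01 00 58 00 2d 00 78 00 00 00 00 00 "
    "0d 0a "                                            # CR LF
    "ff fd 01"                                          # DO ECHO
)


def split_telnet(data):
    """Separate a telnet byte stream into ('cmd', command, option),
    ('sub', option, payload) and ('data', None, bytes) events."""
    events, text = [], bytearray()
    i, n = 0, len(data)

    def flush():
        if text:
            events.append(("data", None, bytes(text)))
            text.clear()

    while i < n:
        if data[i] != IAC:
            text.append(data[i])
            i += 1
            continue
        if i + 1 >= n:                 # lone trailing IAC: wait for more input
            break
        cmd = data[i + 1]
        if cmd == IAC:                 # IAC IAC is an escaped 0xFF data byte
            text.append(IAC)
            i += 2
            continue
        flush()
        if cmd in (DO, DONT, WILL, WONT):
            if i + 2 >= n:
                break
            events.append(("cmd", cmd, data[i + 2]))
            i += 3
        elif cmd == SB:
            if i + 2 >= n:
                break
            opt, payload, j = data[i + 2], bytearray(), i + 3
            while j < n and not (data[j] == IAC and j + 1 < n and data[j + 1] == SE):
                if data[j] == IAC and j + 1 < n and data[j + 1] == IAC:
                    payload.append(IAC)
                    j += 2
                else:
                    payload.append(data[j])
                    j += 1
            events.append(("sub", opt, bytes(payload)))
            i = j + 2                  # skip IAC SE
        else:
            events.append(("cmd", cmd, None))
            i += 2
    flush()
    return events


def terminal_types(events):
    """Terminal types the client announced with TERMINAL-TYPE IS, in order."""
    return [p[1:].decode("ascii") for k, o, p in events
            if k == "sub" and o == TTYPE and p[:1] == bytes([TTYPE_IS])]


def split_user_data(events, ttype):
    """User data received before and after the client announced `ttype`."""
    before, after, seen = bytearray(), bytearray(), False
    for k, o, p in events:
        if k == "sub" and o == TTYPE and p == bytes([TTYPE_IS]) + ttype.encode("ascii"):
            seen = True
        elif k == "data":
            (after if seen else before).extend(p)
    return bytes(before), bytes(after)


def valid_name(raw):
    """The server-side check the capture shows working: ASCII alphanumerics only,
    applied to whatever survives telnet parsing. Stripping IAC sequences does not
    make input clean; the VTNT records pass through the parser as plain 'data'."""
    return raw.isascii() and raw.isalnum()


if __name__ == "__main__":
    ev = split_telnet(CLIENT_BYTES)
    print("terminal types offered:", terminal_types(ev))
    before, after = split_user_data(ev, "VTNT")
    print("typed before VTNT:", before, "| bytes after VTNT:", len(after))
    print("name accepted?", valid_name(before + after.rstrip(b"\r\n")))
```

Two things worth noting from running it. The name line the server complained about is exactly `uni` followed by 120 bytes of records and the CR LF, so the alphanumeric check was the only thing standing between the binary blob and the character database. And the client only switched into this mode because the server kept asking for another terminal type; RFC 1091 clients cycle through their list on each further SEND, so a server that stops at the first type it can use never sees VTNT.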
Kaz



Joined: 05 Jun 2005
Posts: 24
Location: Hampshire, UK

Posted: Wed Aug 24, 2005 2:37 pm    Post subject:

Yes, I came across this recently. It happens (briefly, in my experience) when activating the VTNT terminal type in Windows Telnet. It starts spitting out the proprietary VTNT protocol, which I managed to decode a little. Here's the small comment in my source code on the issue:

Code:

// ==========================================================================
// VTNT PROTOCOL
//
// Note: the protocol itself is undocumented, so this represents a work in
//       progress about how the protocol actually works.
//
// A VTNT packet is 20 bytes long, and can be split into 5 words of 4 bytes.
// Byte 0, the header byte, contains the sequence 0x01, 0x00, 0xFF, 0xFF.
// Byte 1, the event byte, contains 0x<EV>, 0x00, 0x00, 0x00, where EV
//     is either 0x01 for the key being pressed, or 0x00 for the key being
//     released
// Byte 2, the upchar byte, contains 0x01, 0x00, 0x<UP>, 0x00, where UP
//     is the upper-case representation of the character being received.
// Byte 3, the char byte, contains 0x<CV>, 0x00, 0x<CH>, 0x00, where
//     CV indicates the control value of a character, and CH indicates the
//     character value of a character.
// Byte 4, the trailer byte, contains 0x<M0>, 0x<M1>, 0x00, 0x00, where M0
//     and M1 are the masks for the control keys being pressed.  Here's what
//     I've worked out so far for M0:
//
//     7    6    5    4    3    2    1    0
//     +====+====+====+====+====+====+====+==>
//     |    |    |    |    |    |    |    |       
//     |    |    |    |    |    |    |    +--- AltGr -+
//     |    |    |    |    |    |    +-------- Alt    |
//     |    |    |    |    |    +------------- RCtrl  |
//     |    |    |    |    +------------------ AltGr -+ / LCtrl
//     |    |    |    +----------------------- Shift
//     |    |    +---------------------------- Num Lock
//     |    +--------------------------------- Scroll Lock
//     +-------------------------------------- Caps Lock
//
//     And M1:
//
//
//     7    6    5    4    3    2    1    0
//     +====+====+====+====+====+====+====+==>
//     |    |    |    |    |    |    |    |       
//     |    |    |    |    |    |    |    +--- Extended Key (Windows, etc.)
//     |    |    |    |    |    |    +--------
//     |    |    |    |    |    +-------------
//     |    |    |    |    +------------------
//     |    |    |    +-----------------------
//     |    |    +----------------------------
//     |    +---------------------------------
//     +--------------------------------------

// Here are the values for control keys:
// KEY        UP    CV    CH    M0    M1
// L-Shift    0x10  0x2A  0x00  0x10  0x00
// R-Shift    0x10  0x36  0x00  0x10  0x00   
// L-Ctrl     0x11  0x1D  0x00  0x08  0x00
// R-Ctrl     0x11  0x1D  0x00  0x04  0x01     
// L-Alt      0x12  0x38  0x00  0x02  0x00
// AltGr      0x12  0x38  0x00  0x09  0x01
// L-Windows  0x5B  0x5B  0x00  0x00  0x01
// R-Windows  0x5C  0x5C  0x00  0x00  0x01
// R-Popup    0x5D  0x5D  0x00  0x00  0x01
// F1         0x70  0x3B  0x00  0x00  0x00
// F2         0x71  0x3C  0x00  0x00  0x00
// ...
// F10        0x79  0x44  0x00  0x20  0x00
// F11        0x7A  0x57  0x00  0x20  0x00
// F12        0x7B  0x58  0x00  0x20  0x00
// CapsLock   0x14  0x3A  0x00  0x80  0x00 -> On
// CapsLock   0x14  0x3A  0x00  0x00  0x00 -> Off
// ScrollLock 0xAC  0x46  0x00  0x40  0x00 -> On
// ScrollLock 0xAC  0x46  0x00  0x20  0x00 -> Off
// NumLock    0x
// Break      0x13  0x45  0x00  0x00  0x01
// Insert     0x2D  0x52  0x00  0x00  0x01
// Delete     0x2E  0x53  0x00  0x00  0x01
// Page Up    0x21  0x49  0x00  0x00  0x01
// Page Down  0x22  0x51  0x00  0x00  0x01 
// End        0x23  0x4F  0x00  0x00  0x01
// Home       0x24  0x47  0x00  0x00  0x01
// Left       0x25  0x4B  0x00  0x00  0x01
// Up         0x26  0x48  0x00  0x00  0x01
// Right      0x27  0x4D  0x00  0x00  0x01
// Down       0x28  0x50  0x00  0x00  0x01
// a          0x41  0x1E  0x61  0x00  0x00
// b          0x42  0x30  0x62  0x00  0x00
// ...
// y          0x59  0x15  0x79  0x00  0x00
// z          0x5A  0x2C  0x7A  0x00  0x00
// A          0x41  0x1E  0x41  0x00  0x00
// B          0x42  0x30  0x42  0x00  0x00
// ...
// Y          0x59  0x15  0x59  0x00  0x00
// Z          0x5A  0x2C  0x5A  0x00  0x00
// Return     0x0D  0x1C  0x0D  0x00  0x00
// Enter      0x0D  0x1C  0x0D  0x00  0x01
// Number 0   0x30  0x0B  0x30  0x00  0x00
// Number 1   0x31  0x02  0x31  0x00  0x00
// Number 2   0x32  0x03  0x32  0x00  0x00
// Keypad 0   0x60  0x52  0x30  0x20  0x00 (NumLock, of course)
// Keypad 1   0x61  0x4F  0x31  0x20  0x00 (        "         )
// Keypad 2   0x62  0x50  0x32  0x20  0x00 (        "         )
//
//         0x35 0x37 0x4A           /     *     -     (Keypad Layout of CV)
//    0x47 0x48 0x49           7    8     9     
//    0x4B 0x4C 0x4D 0x4E      4    5     6     +
//    0x4F 0x50 0x51           1    2     3
//    0x52 0x53                0    .
//
// --- Internet Keys
// Back       0xFF> 0x25  0x00  0x00  0x01 (UP byte 2 is 0xFF too)
// Forward    0xFF> 0x1E  0x00  0x00  0x01 (          "          )
// 
//
// Additional Info:
// * http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dllproc/base/input_record_str.asp
// Lists other event types.:
//  0x0001 = KEY_EVENT
//  0x0002 = MOUSE_EVENT
//  0x0004 = WINDOW_BUFFER_SIZE_EVENT
//  0x0008 = MENU_EVENT
//  0x0010 = FOCUS_EVENT
//
// Only KEY_EVENT seems to occur with Windows Telnet.
// 
// * http://msdn.microsoft.com/library/default.asp?url=/library/en-us/winui/winui/WindowsUserInterface/UserInput/VirtualKeyCodes.asp
// Lists the "Virtual Key-codes", which corresponds to the CV entry.
// ==========================================================================
eiz



Joined: 11 May 2005
Posts: 152
Location: Florida

Posted: Wed Aug 24, 2005 5:42 pm    Post subject:

Thanks a lot! I think you need to double check your protocol information, though: as far as I can tell, it's just a direct dump of the INPUT_RECORD structure (all too familiar... I hate the Windows console), padding and all, which is a bit different from what you have listed.

I get this:

2 bytes - event type
2 bytes - padding
4 bytes - bKeyDown (BOOL is an int not a char as you might expect)
2 bytes - wRepeatCount
2 bytes - wVirtualKeyCode
2 bytes - wVirtualScanCode
2 bytes - uChar
4 bytes - dwControlKeyState
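Decoding the records with that layout, as an added Python example (mine, not code from either poster), using the 120 bytes that followed the VTNT announcement in the first post's capture. It also maps each record onto the UP/CV/CH/M0/M1 columns of the table in the earlier post, which line up with wVirtualKeyCode, wVirtualScanCode, uChar and the two low bytes of dwControlKeyState; the flag names are the Windows console API's dwControlKeyState constants. The `looks_like_vtnt` detector and its thresholds are my own heuristic, not anything the thread specifies.

```python
import struct
from collections import namedtuple

# KEY_EVENT_RECORD inside INPUT_RECORD as laid out in the post above:
# 20 bytes, little-endian, 2-byte pad after EventType, 4-byte BOOL bKeyDown.
KEY_RECORD = struct.Struct("<HHIHHHHI")
KeyEvent = namedtuple("KeyEvent", "event_type pad key_down repeat vk scan char ctrl")

# INPUT_RECORD EventType values from the MSDN list quoted earlier in the thread
EVENT_TYPES = {0x0001: "KEY_EVENT", 0x0002: "MOUSE_EVENT",
               0x0004: "WINDOW_BUFFER_SIZE_EVENT", 0x0008: "MENU_EVENT",
               0x0010: "FOCUS_EVENT"}
KEY_EVENT = 0x0001

# dwControlKeyState flags (Windows console API). They match the M0/M1 bit
# diagrams in the earlier post: M0 is the low byte, M1 the next byte.
CTRL_FLAGS = {0x0001: "RIGHT_ALT_PRESSED", 0x0002: "LEFT_ALT_PRESSED",
              0x0004: "RIGHT_CTRL_PRESSED", 0x0008: "LEFT_CTRL_PRESSED",
              0x0010: "SHIFT_PRESSED", 0x0020: "NUMLOCK_ON",
              0x0040: "SCROLLLOCK_ON", 0x0080: "CAPSLOCK_ON",
              0x0100: "ENHANCED_KEY"}

# Constructed sample: the six records the client sent right after
# "IAC SB TERMINAL-TYPE IS VTNT IAC SE" in the capture in the first post.
RECORDS = bytes.fromhex(
    "01 00 00 00 00 00 00 00 01 00 49 00 17 00 69 00 00 00 00 00"
    "01 00 00 00 01 00 00 00 01 00 46 00 21 00 66 00 00 00 00 00"
    "01 00 00 00 01 00 00 00 01 00 45 00 12 00 65 00 00 00 00 00"
    "01 00 00 00 00 00 00 00 01 00 46 00 21 00 66 00 00 00 00 00"
    "01 00 00 00 00 00 00 00 01 00 45 00 12 00 65 00 00 00 00 00"
    "01 00 00 00 01 00 00 00 01 00 58 00 2d 00 78 00 00 00 00 00"
)


def looks_like_vtnt(buf):
    """Heuristic (mine) for a burst of raw INPUT_RECORDs: whole 20-byte records,
    a known EventType, zero padding and a bKeyDown of 0 or 1. Useful for logging
    or for deciding to drop the line instead of echoing binary back to the client."""
    if not buf or len(buf) % KEY_RECORD.size:
        return False
    for off in range(0, len(buf), KEY_RECORD.size):
        ev_type, pad, key_down = KEY_RECORD.unpack_from(buf, off)[:3]
        if ev_type not in EVENT_TYPES or pad or key_down > 1:
            return False
    return True


def parse_records(buf):
    """Unpack a buffer of complete INPUT_RECORDs into KeyEvent tuples."""
    if len(buf) % KEY_RECORD.size:
        raise ValueError("partial INPUT_RECORD; buffer more input before parsing")
    return [KeyEvent(*KEY_RECORD.unpack_from(buf, off))
            for off in range(0, len(buf), KEY_RECORD.size)]


def typed_text(events):
    """What the user actually typed: key-down KEY_EVENTs with a printable uChar,
    honouring wRepeatCount for auto-repeated keys."""
    return "".join(chr(e.char) * e.repeat for e in events
                   if e.event_type == KEY_EVENT and e.key_down and 0x20 <= e.char < 0x7F)


def as_kaz_columns(e):
    """One record expressed in the UP / CV / CH / M0 / M1 columns of the table
    in the earlier post."""
    return e.vk, e.scan, e.char, e.ctrl & 0xFF, (e.ctrl >> 8) & 0xFF


def modifiers(e):
    """Names of the dwControlKeyState flags set on a record."""
    return [name for bit, name in CTRL_FLAGS.items() if e.ctrl & bit]


if __name__ == "__main__":
    for e in parse_records(RECORDS):
        print(EVENT_TYPES[e.event_type], "down" if e.key_down else "up",
              "UP/CV/CH/M0/M1 =", ["%#04x" % v for v in as_kaz_columns(e)], modifiers(e))
    print("typed:", typed_text(parse_records(RECORDS)))
```

Run against the capture, the six records decode as `i` up, `f` down, `e` down, `f` up, `e` up, `x` down, so the user had typed `uni` before the client switched modes and `fex` after; the key-down row for `f` comes out as UP 0x46, CV 0x21, CH 0x66, M0 0x00, M1 0x00, in agreement with the `a`/`b` rows of the earlier table. Two caveats for anyone parsing this on a server: a record whose uChar is 0xFF (the "Back"/"Forward" rows in the earlier post) would need IAC escaping by the client for a telnet parser to pass it through intact, and the sensible fix remains not to negotiate VTNT at all rather than to decode it.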
All times are GMT