SECURITYVULNS:DOC:3556
Oct 01, 2002 - 12:00 a.m.

PPTP


For those of you who have a desire to crash Microsoft's PPTP stack, I
have a pptp .spk script linked off of
http://www.immunitysec.com/spike.html.

It would probably be good to run against other PPTP stacks as well.
(Likewise, SPIKE's msrpcfuzzer takes down free software dce-rpc stacks
just as fast as it takes down the non-free stacks.)

It's not a bad demonstration of how to use SPIKE scripts either, if
you're inclined to learn. Finding this bug took less than thirty
minutes…(</marketing>)

To run it:

first enable the shared library fun

bash$ . ./ls.sh

now run the script against 192.168.1.100 after setting up PPTP on that
machine. It's a good idea to set up SoftIce as well.

bash$ ./generic_send_tcp 192.168.1.100 1723 ./pptp.spk 0 0
#wait for crash. It's in the second packet, I believe.

Dave Aitel
Immunity, Inc.

References

[1] phion Information Technologies
http://www.phion.com/

Exploit

phion Information Technologies will not provide an exploit for this
issue.

:>