initial

186 files changed, 38932 insertions, 0 deletions

diff --git a/exploits/7350855-netkit/netkit-telnet-0.16/BUGS b/exploits/7350855-netkit/netkit-telnet-0.16/BUGS
new file mode 100644
index 0000000..484d00d
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.16/BUGS
@@ -0,0 +1,24 @@
+telnet:
+        - will apparently sometimes assert in ungetch. I think I've
+          fixed this, so if you still see it let me know.
+        - hangs if you telnet to chargen port and push ^Z 
+          (due to bogus protocol negotiation attempts)
+        - binary mode doesn't handle crlf right
+        - should warn if the connection isn't encrypted
+
+telnetd:
+        - hangs if you do the following:
+                telnet
+                log in
+                cat >/dev/null
+                type 256 'a's with no CRs
+            *THIS IS A KERNEL BUG*  Patch enclosed.
+        
+        - crashes in ncurses if the terminal type is undefined,
+          with some versions of ncurses.
+        - should allow passing random user envs as "TELNET_*"
+        - should set REMOTEHOST to the remote hostname
+        - passes login the -p flag instead of sending envs explicitly
+        - should only use included logout() et al. if real ones aren't 
+          available in system libs.
+        - addarg() in sys_term.c does some very questionable casts.
diff --git a/exploits/7350855-netkit/netkit-telnet-0.16/ChangeLog b/exploits/7350855-netkit/netkit-telnet-0.16/ChangeLog
new file mode 100644
index 0000000..01b552e
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.16/ChangeLog
@@ -0,0 +1,152 @@
+13-Dec-1999:
+        Per recommendation of the linux-security-audit list, don't bother
+          (in telnetd) to ask termcap/ncurses if a terminal type is good;
+        assume it is. This means telnetd no longer links against termcap.
+
+12-Dec-1999:
+        Massive buffer cleanup in telnetd; minor cleanup to telnet.
+
+5-Dec-1999:
+        Remove some more bogus #ifdefs in telnet.
+
+29-Oct-1999:
+        Fix latent bug in the array classes used in telnet.
+
+14-Sep-1999:
+        Merge old fix to keep telnet from hanging up when under heavy load
+          (Olaf Kirch, okir@caldera.de)
+
+19-Aug-1999:
+        Patches for compiling with gcc 2.95. (Jeremy Buhler,
+          jbuhler@cs.washington.edu)
+
+18-Aug-1999:
+        netkit-telnet-0.14 released.
+
+17-Aug-1999:
+        telnetd patch from Chris Evans to reject termcap entries with 
+          '/' in them, as libtermcap will treat them as paths and open
+          them as root, with various interesting consequences...
+          Issue found by Tymm Twillman (tymm@coe.missouri.edu).
+
+1-Aug-1999:
+        Massive cleanup of telnetd. Changed telnetd to use openpty() from
+          libutil, so we can let libc deal with changes in pty management.
+
+1-Aug-1999:
+        Did complete y2k and y2038 audit. 
+
+31-Jul-1999:
+        Redid makefiles/config stuff for new confgen version.
+
+15-Jul-1999:
+        Set the process title (visible with ps) to show the remote host name.
+        Also filter control characters from the remote host name, just in case.
+        Set environment variable REMOTEHOST also.
+
+16-Oct-1997:
+        Added OPOST to the terminal stuff a la NCSA telnet fixup
+
+23-Sep-1997:
+        Assorted signed/unsigned character fixes and hacking in telnet.
+        (Martin Mares, mj@mj.gts.cz)
+        Fix various crashes in telnet arising from undefining environment
+        variables.
+        "telnet h" no longer prints a usage message.
+
+12-Jun-1997:
+        netkit-telnet-0.10 released.
+
+08-Jun-1997:
+        More adjustments for glibc.
+        Include kernel patch to fix hang on long input; thanks to Bill
+          Hawes (whawes@star.net).
+
+19-May-1997:
+        Fix some nonsense with ayt and signals, since glibc has SIGINFO.
+
+13-May-1997:
+        8-bit fix to telnet. (Lukas Wunner, lukas@design.de)
+        Set ut_type correctly in telnetd's logout. (Steve Coile, 
+          steve@patriot.net)
+
+05-Apr-1997:
+        Added configure script to generate MCONFIG.
+        Better utmp handling in telnetd.
+
+08-Mar-1997: 
+        Split from full NetKit package. 
+        Generated this change log from NetKit's.
+
+29-Dec-1996
+        NetKit-0.09 released.
+        Assorted alpha/glibc patches. (Erik Troan, ewt@redhat.com)
+        Assorted bug fixes from Debian. (Peter Tobias, 
+          tobias@et-inf.fho-emden.de)
+        Telnetd supports -L option for alternate login program. (Peter Tobias)
+        Hardened programs against DNS h_length spoofing attacks.
+        Use inet_aton() everywhere instead of inet_addr().
+        Fixed crash in telnet caused by ^C or ^Z or ^\ under 
+          certain circumstances.
+        Rewrote telnet and telnetd man pages.
+
+22-Aug-1996
+        NetKit-B-0.08 released.
+        (almost) everything now compiles with lots of warnings turned on.
+        Massive hacking on telnet.
+        telnet honors the -E flag (was broken in .07, .07A)
+        telnetd intercepts ENV environment variable.
+        Merged libtelnet into telnet and telnetd dirs.
+        telnetd now sets idle tty devices to root.root mode 600.
+
+25-Jul-1996
+        NetKit-B-0.07A released.
+        Fixed a bug in telnet where the escape character was being ignored.
+        Fixed a bug in telnetd; now uses the correct names for the last ptys
+          (that is, ptya0-ptyef, not ptyA0-ptyEf.)
+
+23-Jul-1996
+        NetKit-B-0.07 released.
+        Integrated a collection of patches that had been lurking on the net,
+          including the 256-ptys support for telnetd and passive mode ftp.
+        Major security fixes, including to fingerd, lpr, rlogin, rsh, talkd, 
+          and telnetd. Do *not* use the sliplogin from earlier versions of this
+          package, either.
+        Much of the code builds without libbsd.a or bsd includes.
+        Massive code cleanup. Almost everything compiles clean with gcc
+          -Wall now. rusers and rusersd do not; patches to rpcgen to fix
+          this would be appreciated if anyone feels like it.
+        Kerberos support has been removed. It didn't work anyway, and
+          proper Kerberos tools come with Kerberos.
+        New maintainer:  David A. Holland, dholland@hcs.harvard.edu
+
+date not known
+        NetKit-B-0.06 released.
+
+date not known
+        NetKit-B-0.05 released.
+        Fixed writing entries to /var/adm/wtmp by ftpd, rlogind and
+          telnetd. (logwtmp.c) Florian
+          This is only necessary for the GNU last, not for the one 
+          in util-linux...
+
+date not known
+        NetKit-B-0.04 released.
+        Did some nasty changes to telnet/extern.h. I should really take
+          the current version from NetBSD again and make a clean port of
+          it. (signals).
+
+date not known
+        NetKit-B-0.03 released.
+        telnetd: changed the default 'etc/issue.net' to not output the
+          hostname and then the domainname (that should be the fqdn, but
+          is wrong!) Changed also the man page issue.net.5
+        changed telnetd to get the fqdn and not only use what
+          'gethostname' returns
+        telnetd: changed some code back to original form to properly
+          enable binary mode negotiation (outgoing data wasn't binary)
+          Please test this out: do "telnet some_other_not_linux_host" and
+          then do "vi TEST_FILE" and test some strange characters >127
+          like ° or §.
+        telnetd: added issue.net.5 to "make install"
+
diff --git a/exploits/7350855-netkit/netkit-telnet-0.16/MCONFIG b/exploits/7350855-netkit/netkit-telnet-0.16/MCONFIG
new file mode 100644
index 0000000..2e529ea
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.16/MCONFIG
@@ -0,0 +1,20 @@
+# Generated by configure (confgen version 2) on Tue Aug 14 21:32:08 CEST 2001
+#
+
+BINDIR=/usr/bin
+SBINDIR=/usr/sbin
+MANDIR=/usr/man
+BINMODE=755
+DAEMONMODE=755
+MANMODE=644
+PREFIX=/usr
+EXECPREFIX=/usr
+INSTALLROOT=
+CC=gcc
+CXX=gcc
+CFLAGS=-O2 -Wall -W -Wpointer-arith -Wbad-function-cast -Wcast-qual -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Wnested-externs -Winline 
+CXXFLAGS=-O2 -fno-rtti -fno-exceptions -Wall -W -Wpointer-arith -Wbad-function-cast -Wcast-qual -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Wnested-externs -Winline 
+LDFLAGS=
+LIBS=-lutil -lutil
+LIBTERMCAP=-lncurses
+USE_GLIBC=1
diff --git a/exploits/7350855-netkit/netkit-telnet-0.16/MCONFIG.in b/exploits/7350855-netkit/netkit-telnet-0.16/MCONFIG.in
new file mode 100644
index 0000000..cedb9d1
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.16/MCONFIG.in
@@ -0,0 +1,30 @@
+# Dirs
+INSTALLROOT
+BINDIR
+MANDIR
+SBINDIR
+
+# Modes
+BINMODE
+DAEMONMODE
+MANMODE
+
+# Compiling
+ALLWARNINGS
+CC
+CXX
+CFLAGS
+CXXFLAGS
+LDFLAGS
+LIBS
+
+# Features
+FN(snprintf)
+FN(logwtmp)
+LIBTERMCAP
+GLIBC
+BSDSIGNAL
+
+# We actually use openpty, but they come from the same place on all systems
+# I know.
+FN(forkpty)
diff --git a/exploits/7350855-netkit/netkit-telnet-0.16/MRULES b/exploits/7350855-netkit/netkit-telnet-0.16/MRULES
new file mode 100644
index 0000000..6d8015e
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.16/MRULES
@@ -0,0 +1,8 @@
+# Standard compilation rules (don't use make builtins)
+
+%.o: %.c
+        $(CC) $(CFLAGS) $< -c
+
+%.o: %.cc
+        $(CXX) $(CXXFLAGS) $< -c
+
diff --git a/exploits/7350855-netkit/netkit-telnet-0.16/Makefile b/exploits/7350855-netkit/netkit-telnet-0.16/Makefile
new file mode 100644
index 0000000..1942aee
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.16/Makefile
@@ -0,0 +1,20 @@
+# You can do "make SUB=blah" to make only a few, or edit here, or both
+# You can also run make directly in the subdirs you want.
+
+SUB =   telnet telnetd
+
+%.build:
+        (cd $(patsubst %.build, %, $@) && $(MAKE))
+
+%.install:
+        (cd $(patsubst %.install, %, $@) && $(MAKE) install)
+
+%.clean:
+        (cd $(patsubst %.clean, %, $@) && $(MAKE) clean)
+
+all:     $(patsubst %, %.build, $(SUB))
+install: $(patsubst %, %.install, $(SUB))
+clean:   $(patsubst %, %.clean, $(SUB))
+
+distclean: clean
+        rm -f MCONFIG
diff --git a/exploits/7350855-netkit/netkit-telnet-0.16/README b/exploits/7350855-netkit/netkit-telnet-0.16/README
new file mode 100644
index 0000000..c9b4f49
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.16/README
@@ -0,0 +1,102 @@
+This is netkit-telnet-0.16.
+
+This package updates netkit-telnet-0.14.
+
+If you're reading this off a CD, go right away and check the net
+archives for later versions and security fixes.
+
+Contents:
+        telnet          Client for telnet protocol
+        telnetd         Daemon for telnet protocol
+
+Note: These programs do not provide encryption or strong
+authentication of network connections. As such, their use for remote
+logins is discouraged. The "ssh" protocol and package can be used
+instead.
+
+Requires:
+        Working compiler, libc, and kernel, and a recent version of
+        ncurses or libtermcap.
+
+Security:
+        This release probably does not contain new security fixes. On
+        the other hand, vast amounts of suspicious pointer manipulation
+        in telnetd were cleaned up, so it is quite likely that this
+        version is less dangerous than previous ones.
+
+        In any event, telnetd is evil legacy code and is not
+        trustworthy - do not run it unless you absolutely need it.
+
+
+        netkit-telnet-0.14 contained a fix for a set of remote (and
+        possibly serious) denial of service attacks possible against
+        older versions of the telnet daemon.
+
+        Do not under any circumstances use telnetd older than
+        NetKit-0.09!
+
+DEC Alpha:
+        The currently available Compaq C compiler does not provide
+        a C++ compiler, so it cannot compile telnet. Compiling
+        telnetd it may produce a few warnings, but they should be
+        harmless.
+
+Installation:
+        Do "./configure --help" and decide what options you want. The
+        defaults should be suitable for most Linux systems. Then run
+        the configure script.
+
+        Do "make" to compile.
+        Then (as root) do "make install".
+
+        Save a backup copy of any mission-critical program in case the
+        new one doesn't work, and so forth. We warned you.
+
+  ***   If you have an old kernel, you may need to apply the enclosed
+        pty-hang patch to it. I don't unfortunately know at the moment 
+        which kernel versions need the patch, but current 2.0.x and
+        2.2.x should be ok without it.
+
+        The following test will tell you if you need the patch: telnet
+        to localhost, do "cat >/dev/null", and type 256 characters
+        without any newlines. If you need the patch, telnetd will hang
+        completely at this point. If it refuses to accept more input,
+        but does not hang, you do not need the patch.
+
+Bugs:
+        Please make sure the header files in /usr/include match the
+        libc version installed in /lib and /usr/lib. If you have weird
+        problems this is the most likely culprit.
+
+        Also, before reporting a bug, be sure you're working with the
+        latest version.
+
+        If something doesn't compile for you, fix it and send diffs.
+        If you can't, send the compiler's error output.
+
+        If it compiles but doesn't work, send as complete a bug report as 
+        you can. Patches and fixes are welcome, as long as you describe 
+        adequately what they're supposed to fix. Please, one patch per
+        distinct fix. Please do NOT send the whole archive back or
+        reindent the source.
+
+        Be sure to send all correspondence in e-mail. Postings to netnews 
+        will not be seen due to the enormous volume.
+
+        Please don't report known bugs (see the BUGS file(s)) unless you
+        are including fixes. :-)
+
+        Mail should be sent to: netbug@ftp.uk.linux.org
+
+
+Note: please see http://www.hcs.harvard.edu/~dholland/computers/netkit.html
+if you are curious why it's been so long since the last NetKit release.
+(The short version is that I gave things to some other people, who let
+them kind of slide.)
+
+I do not currently plan to continue maintaining NetKit; I am doing this
+release and perhaps one or two more, and then I intend to give the source
+tree to Red Hat or some similar organization for long-term maintenance.
+
+David A. Holland
+12 December 1999
diff --git a/exploits/7350855-netkit/netkit-telnet-0.16/configure b/exploits/7350855-netkit/netkit-telnet-0.16/configure
new file mode 100644
index 0000000..a17f8f5
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.16/configure
@@ -0,0 +1,571 @@
+#!/bin/sh
+#
+# This file was generated by confgen version 2.
+# Do not edit.
+#
+
+PREFIX='/usr'
+#EXECPREFIX='$PREFIX'
+INSTALLROOT=''
+BINMODE='755'
+#DAEMONMODE='$BINMODE'
+MANMODE='644'
+
+while [ x$1 != x ]; do case $1 in
+
+        --help)
+        cat <<EOF
+Usage: configure [options]
+    --help                Show this message
+    --with-debug          Enable debugging
+    --prefix=path         Prefix for location of files [/usr]
+    --exec-prefix=path    Location for arch-depedent files [prefix]
+    --installroot=root    Top of filesystem tree to install in [/]
+    --binmode=mode        Mode for binaries [755]
+    --daemonmode=mode     Mode for daemon binaries [same as binmode]
+    --manmode=mode        Mode for manual pages [644]
+    --with-c-compiler=cc  Program for compiling C source [guessed]
+    --with-c++-compiler=cc Program for compiling C++ source [guessed]
+EOF
+        exit 0;;
+        --verbose) ;;
+        --quiet) ;;
+
+        --subdir) . ../configure.defs;;
+
+        --with-debug|--debug) DEBUG=1;;
+        --prefix=*) PREFIX=`echo $1 | sed 's/^[^=]*=//'` ;;
+        --exec-prefix=*) EXECPREFIX=`echo $1 | sed 's/^[^=]*=//'` ;;
+        --installroot=*) INSTALLROOT=`echo $1 | sed 's/^[^=]*=//'` ;;
+        --binmode=*) BINMODE=`echo $1 | sed 's/^[^=]*=//'` ;;
+        --daemonmode=*) DAEMONMODE=`echo $1 | sed 's/^[^=]*=//'` ;;
+        --manmode=*) MANMODE=`echo $1 | sed 's/^[^=]*=//'` ;;
+        --with-c-compiler=*) CC=`echo $1 | sed 's/^[^=]*=//'` ;;
+        --with-c++-compiler=*) CXX=`echo $1 | sed 's/^[^=]*=//'` ;;
+        --without-pam|--disable-pam) WITHOUT_PAM=1;;
+        --without-readline|--disable-readline) WITHOUT_READLINE=1;;
+        --without-shadow|--disable-shadow) WITHOUT_SHADOW=1;;
+        *) echo "Unrecognized option: $1"; exit 1;;
+esac 
+shift
+done
+
+if [ x$EXECPREFIX = x ]; then 
+        EXECPREFIX="$PREFIX"
+fi
+
+if [ x$DAEMONMODE = x ]; then 
+        DAEMONMODE="$BINMODE"
+fi
+
+BINDIR="$EXECPREFIX/bin"
+SBINDIR="$EXECPREFIX/sbin"
+MANDIR="$PREFIX/man"
+
+echo "Directories: $BINDIR $SBINDIR $MANDIR "
+
+if [ x$INSTALLROOT != x ]; then
+    echo "Installing in chroot tree rooted at $INSTALLROOT"
+fi
+
+##################################################
+
+WARNINGS='-Wall -W -Wpointer-arith -Wbad-function-cast -Wcast-qual -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Wnested-externs -Winline '
+
+cat << EOF > __conftest.c
+    int main() { int class=0; return class; }
+EOF
+
+if [ x"$CC" = x ]; then
+    echo -n 'Looking for a C compiler... '
+    for TRY in egcs gcc g++ CC c++ cc; do
+       (
+           $TRY __conftest.c -o __conftest || exit 1;
+           ./__conftest || exit 1;
+       ) >/dev/null 2>&1 || continue;
+       CC=$TRY
+       break;
+    done
+    if [ x"$CC" = x ]; then
+        echo 'failed.'
+        echo 'Cannot find a C compiler. Run configure with --with-c-compiler.'
+        rm -f __conftest*
+        exit
+    fi
+    echo "$CC"
+else
+    echo -n 'Checking if C compiler works... '
+    if (
+          $CC __conftest.c -o __conftest || exit 1
+          ./__conftest || exit 1
+       ) >/dev/null 2>&1; then
+         echo 'yes'
+     else
+         echo 'no'
+         echo 'Compiler '"$CC"' does not exist or cannot compile C; try another.'
+         rm -f __conftest*
+         exit
+     fi
+fi
+
+echo -n "Checking if $CC accepts gcc warnings... "
+if (
+    $CC $WARNINGS __conftest.c -o __conftest || exit 1
+   ) >/dev/null 2>&1; then
+     echo 'yes'
+     CC_WARNINGS=1
+else
+     echo 'no'
+fi
+
+cat << EOF > __conftest.cc
+    template <class T> class fnord { public: T x; fnord(T y) { x=y; }};
+    int main() { fnord<int> a(0); return a.x; }
+EOF
+
+if [ x"$CXX" = x ]; then
+    echo -n 'Looking for a C++ compiler... '
+    for TRY in egcs gcc g++ CC c++ cc; do
+       (
+           $TRY __conftest.cc -o __conftest || exit 1;
+           ./__conftest || exit 1;
+       ) >/dev/null 2>&1 || continue;
+       CXX=$TRY
+       break;
+    done
+    if [ x"$CXX" = x ]; then
+        echo 'failed.'
+        echo 'Cannot find a C++ compiler. Run configure with --with-cpp-compiler.'
+        rm -f __conftest*
+        exit
+    fi
+    echo "$CXX"
+else
+    echo -n 'Checking if C++ compiler works... '
+    if (
+          $CXX __conftest.cc -o __conftest || exit 1
+          ./__conftest || exit 1
+       ) >/dev/null 2>&1; then
+         echo 'yes'
+     else
+         echo 'no'
+         echo 'Compiler '"$CXX"' does not exist or cannot compile C++; try another.'
+         rm -f __conftest*
+         exit
+     fi
+fi
+
+echo -n "Checking if $CXX accepts gcc warnings... "
+if (
+    $CXX $WARNINGS __conftest.cc -o __conftest || exit 1
+   ) >/dev/null 2>&1; then
+     echo 'yes'
+     CXX_WARNINGS=1
+else
+     echo 'no'
+fi
+
+if [ x$DEBUG != x ]; then
+    echo -n "Checking if $CC accepts -g... "
+    if (
+         $CC -g __conftest.c -o __conftest
+       ) >/dev/null 2>&1; then
+         echo 'yes'
+         CFLAGS="$CFLAGS -g"
+    else
+         echo 'no'
+    fi
+fi
+
+echo -n "Checking if $CC accepts -O2... "
+if (
+     $CC -O2 __conftest.c -o __conftest
+   ) >/dev/null 2>&1; then
+     echo 'yes'
+     CFLAGS="$CFLAGS -O2"
+else
+     echo 'no'
+     echo -n "Checking if $CC accepts -O... "
+     if (
+          $CC -O __conftest.c -o __conftest
+        ) >/dev/null 2>&1; then
+          echo 'yes'
+          CFLAGS="$CFLAGS -O"
+     else
+          echo 'no'
+     fi
+fi
+
+if [ x"$CC" != x"$CXX" ]; then
+    if [ x$DEBUG != x ]; then
+        echo -n "Checking if $CXX accepts -g... "
+        if (
+             $CXX -g __conftest.cc -o __conftest
+           ) >/dev/null 2>&1; then
+             echo 'yes'
+             CXXFLAGS="$CXXFLAGS -g"
+        else
+             echo 'no'
+        fi
+
+    fi
+    echo -n "Checking if $CXX accepts -O2... "
+    if (
+         $CXX -O2 __conftest.cc -o __conftest
+       ) >/dev/null 2>&1; then
+        echo 'yes'
+        CXXFLAGS="$CXXFLAGS -O2"
+    else
+        echo 'no'
+        echo -n "Checking if $CXX accepts -O... "
+        if (
+             $CXX -O __conftest.cc -o __conftest
+           ) >/dev/null 2>&1; then
+             echo 'yes'
+             CXXFLAGS="$CXXFLAGS -O"
+        else
+             echo 'no'
+        fi
+    fi
+else
+    CXXFLAGS="$CFLAGS"
+fi
+echo -n "Checking if $CXX accepts -fno-rtti... "
+if (
+     $CXX -fno-rtti __conftest.cc -o __conftest
+   ) >/dev/null 2>&1; then
+     echo 'yes'
+     CXXFLAGS="$CXXFLAGS -fno-rtti"
+else
+     echo 'no'
+fi
+
+echo -n "Checking if $CXX accepts -fno-exceptions... "
+if (
+     $CXX -fno-exceptions __conftest.cc -o __conftest
+   ) >/dev/null 2>&1; then
+     echo 'yes'
+     CXXFLAGS="$CXXFLAGS -fno-exceptions"
+else
+     echo 'no'
+fi
+
+
+LDFLAGS=
+LIBS=
+
+rm -f __conftest*
+
+##################################################
+
+echo -n 'Checking for BSD signal semantics... '
+cat <<EOF >__conftest.cc
+#include <unistd.h>
+#include <signal.h>
+int count=0;
+void handle(int foo) { count++; }
+int main() {
+    int pid=getpid();
+    signal(SIGINT, handle);
+    kill(pid,SIGINT);
+    kill(pid,SIGINT);
+    kill(pid,SIGINT);
+    if (count!=3) return 1;
+    return 0;
+}
+
+EOF
+if (
+      $CXX $CXXFLAGS  __conftest.cc  -o __conftest || exit 1
+      ./__conftest || exit 1
+   ) >/dev/null 2>&1; then
+    echo 'yes'
+else
+    if (
+          $CXX $CXXFLAGS -D__USE_BSD_SIGNAL __conftest.cc  -o __conftest || exit 1
+          ./__conftest || exit 1
+       ) >/dev/null 2>&1; then
+        echo '-D__USE_BSD_SIGNAL'
+        CFLAGS="$CFLAGS -D__USE_BSD_SIGNAL"
+        CXXFLAGS="$CXXFLAGS -D__USE_BSD_SIGNAL"
+    else
+        echo 'no'
+        echo 'This package needs BSD signal semantics to run.'
+        rm -f __conftest*
+        exit
+    fi
+fi
+rm -f __conftest*
+
+##################################################
+
+echo -n 'Checking for ncurses... '
+cat <<EOF >__conftest.cc
+#include <stdio.h>
+#include <curses.h>
+#ifndef KEY_DOWN
+syntax error. /* not ncurses */
+#endif
+int main() {
+    endwin();
+    return 0;
+}
+
+EOF
+if (
+      $CXX $CXXFLAGS  __conftest.cc -lncurses -o __conftest || exit 1
+   ) >/dev/null 2>&1; then
+    echo 'yes'
+    NCURSES=1
+else
+    if (
+          $CXX $CXXFLAGS -I/usr/include/ncurses __conftest.cc -lncurses -o __conftest || exit 1
+       ) >/dev/null 2>&1; then
+        echo '-I/usr/include/ncurses'
+        CFLAGS="$CFLAGS -I/usr/include/ncurses"
+        CXXFLAGS="$CXXFLAGS -I/usr/include/ncurses"
+        NCURSES=1
+    else
+        echo 'no'
+    fi
+fi
+
+if [ x$NCURSES != x ]; then
+    LIBTERMCAP=-lncurses
+else
+    echo -n 'Checking for traditional termcap... '
+cat <<EOF >__conftest.cc
+#include <stdio.h>
+#include <termcap.h>
+int main() {
+    tgetent(NULL, NULL); return 0;
+}
+
+EOF
+    if (
+          $CXX $CXXFLAGS  __conftest.cc -ltermcap -o __conftest || exit 1
+       ) >/dev/null 2>&1; then
+        echo '-ltermcap'
+        LIBTERMCAP=-ltermcap
+    else
+        echo 'not found'
+        echo 'This package needs termcap to run.'
+        rm -f __conftest*
+        exit
+    fi
+fi
+rm -f __conftest*
+
+##################################################
+
+echo -n 'Checking for GNU libc... '
+cat <<EOF >__conftest.cc
+#include <stdio.h>
+#if defined(__GLIBC__) && (__GLIBC__ >= 2)
+int tester;
+#endif
+int main() { tester=6; return 0; }
+
+EOF
+if (
+      $CXX $CXXFLAGS  __conftest.cc  -o __conftest || exit 1
+   ) >/dev/null 2>&1; then
+    echo 'yes'
+    USE_GLIBC=1
+else
+    echo 'no'
+fi
+rm -f __conftest*
+
+##################################################
+
+echo -n 'Checking for forkpty... '
+cat <<EOF >__conftest.cc
+#include <pty.h>
+int main() { forkpty(0, 0, 0, 0); }
+
+EOF
+if (
+      $CXX $CXXFLAGS  __conftest.cc  -o __conftest || exit 1
+   ) >/dev/null 2>&1; then
+    echo 'yes'
+else
+    if (
+          $CXX $CXXFLAGS  __conftest.cc -lutil -o __conftest || exit 1
+       ) >/dev/null 2>&1; then
+        echo '-lutil'
+        LIBS="$LIBS -lutil"
+    else
+        if (
+              $CXX $CXXFLAGS  __conftest.cc -lbsd -o __conftest || exit 1
+           ) >/dev/null 2>&1; then
+            echo '-lbsd'
+            LIBBSD="-lbsd"
+        else
+            echo 'no'
+            echo 'This package requires forkpty.'
+            rm -f __conftest*
+            exit
+        fi
+    fi
+fi
+rm -f __conftest*
+
+##################################################
+
+echo -n 'Checking for logwtmp... '
+cat <<EOF >__conftest.cc
+#ifdef __cplusplus
+extern "C"
+#endif
+void logwtmp(const char *, const char *, const char *);
+int main() { logwtmp(0, 0, 0); }
+
+EOF
+if (
+      $CXX $CXXFLAGS  __conftest.cc  -o __conftest || exit 1
+   ) >/dev/null 2>&1; then
+    echo 'yes'
+else
+    if (
+          $CXX $CXXFLAGS  __conftest.cc -lutil -o __conftest || exit 1
+       ) >/dev/null 2>&1; then
+        echo '-lutil'
+        LIBS="$LIBS -lutil"
+    else
+        if (
+              $CXX $CXXFLAGS  __conftest.cc -lbsd -o __conftest || exit 1
+           ) >/dev/null 2>&1; then
+            echo '-lbsd'
+            LIBBSD="-lbsd"
+        else
+            echo 'no'
+            echo 'This package requires logwtmp.'
+            rm -f __conftest*
+            exit
+        fi
+    fi
+fi
+rm -f __conftest*
+
+##################################################
+
+echo -n 'Checking for snprintf declaration... '
+cat <<EOF >__conftest.cc
+#include <stdio.h>
+int main() {
+    void *x = (void *)snprintf;
+    printf("%lx", (long)x);
+    return 0;
+}
+
+EOF
+if (
+      $CXX $CXXFLAGS  __conftest.cc  -o __conftest || exit 1
+   ) >/dev/null 2>&1; then
+    echo 'ok'
+else
+    if (
+          $CXX $CXXFLAGS -D_GNU_SOURCE __conftest.cc  -o __conftest || exit 1
+          ./__conftest || exit 1
+       ) >/dev/null 2>&1; then
+        echo '-D_GNU_SOURCE'
+        CFLAGS="$CFLAGS -D_GNU_SOURCE"
+        CXXFLAGS="$CXXFLAGS -D_GNU_SOURCE"
+    else
+        echo 'manual'
+        CFLAGS="$CFLAGS -DDECLARE_SNPRINTF"
+        CXXFLAGS="$CXXFLAGS -DDECLARE_SNPRINTF"
+    fi
+fi
+rm -f __conftest*
+
+echo -n 'Checking for snprintf implementation... '
+cat <<EOF >__conftest.cc
+#include <stdio.h>
+#include <string.h>
+#ifdef DECLARE_SNPRINTF
+#ifdef __cplusplus
+extern "C"
+#endif /*__cplusplus*/
+int snprintf(char *, int, const char *, ...);
+#endif /*DECLARE_SNPRINTF*/
+int main() {
+    char buf[32];
+    snprintf(buf, 8, "%s", "1234567890");
+    if (strlen(buf)!=7) return 1;
+    return 0;
+}
+
+EOF
+if (
+      $CXX $CXXFLAGS  __conftest.cc $(LIBBSD) -o __conftest || exit 1
+      ./__conftest || exit 1
+   ) >/dev/null 2>&1; then
+    echo 'ok'
+else
+    if (
+          $CXX $CXXFLAGS  __conftest.cc -lsnprintf $(LIBBSD) -o __conftest || exit 1
+          ./__conftest || exit 1
+       ) >/dev/null 2>&1; then
+        echo '-lsnprintf'
+        LIBS="$LIBS -lsnprintf"
+    else
+        if (
+              $CXX $CXXFLAGS  __conftest.cc -ldb $(LIBBSD) -o __conftest || exit 1
+              ./__conftest || exit 1
+           ) >/dev/null 2>&1; then
+            echo '-ldb'
+            LIBS="$LIBS -ldb"
+        else
+            echo 'missing'
+            echo 'This package requires snprintf.'
+            rm -f __conftest*
+            exit
+        fi
+    fi
+fi
+rm -f __conftest*
+
+##################################################
+
+## libbsd should go last in case it's broken
+if [ "x$LIBBSD" != x ]; then
+    LIBS="$LIBS $LIBBSD"
+fi
+
+echo 'Generating MCONFIG...'
+(
+    echo -n '# Generated by configure (confgen version 2) on '
+    date
+    echo '#'
+    echo
+
+    echo "BINDIR=$BINDIR"
+    echo "SBINDIR=$SBINDIR"
+    echo "MANDIR=$MANDIR"
+    echo "BINMODE=$BINMODE"
+    echo "DAEMONMODE=$DAEMONMODE"
+    echo "MANMODE=$MANMODE"
+    echo "PREFIX=$PREFIX"
+    echo "EXECPREFIX=$EXECPREFIX"
+    echo "INSTALLROOT=$INSTALLROOT"
+    echo "CC=$CC"
+    echo "CXX=$CXX"
+    if [ x$CC_WARNINGS != x ]; then
+        CFLAGS="$CFLAGS $WARNINGS"
+    fi
+
+    if [ x$CXX_WARNINGS != x ]; then
+        CXXFLAGS="$CXXFLAGS $WARNINGS"
+    fi
+
+    echo "CFLAGS=$CFLAGS" | sed 's/= */=/'
+    echo "CXXFLAGS=$CXXFLAGS" | sed 's/= */=/'
+    echo "LDFLAGS=$LDFLAGS" | sed 's/= */=/'
+    echo "LIBS=$LIBS" | sed 's/= */=/'
+
+    echo "LIBTERMCAP=$LIBTERMCAP"
+    echo "USE_GLIBC=$USE_GLIBC"
+) > MCONFIG
+
diff --git a/exploits/7350855-netkit/netkit-telnet-0.16/debian/changelog b/exploits/7350855-netkit/netkit-telnet-0.16/debian/changelog
new file mode 100644
index 0000000..a15309b
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.16/debian/changelog
@@ -0,0 +1,139 @@
+netkit-telnet (0.16-4potato.1) stable; urgency=low
+
+  * Fixed a memory allocation bug.
+
+ -- Herbert Xu <herbert@debian.org>  Fri, 22 Sep 2000 23:30:18 +1100
+
+netkit-telnet (0.16-4) frozen unstable; urgency=low
+
+  * Disabled signal handling that does not work (closes: #62388).  Patches
+    that provide correct signal handling are welcome.
+
+ -- Herbert Xu <herbert@debian.org>  Mon, 24 Apr 2000 16:58:22 +1000
+
+netkit-telnet (0.16-3) frozen unstable; urgency=medium
+
+  * Restored the default to not being 8-bit clean since it breaks SunOS
+    (closes: #60352, #60386).  People who need 8-bit cleanness should use -8.
+  * Made FHS compliant.
+
+ -- Herbert Xu <herbert@debian.org>  Wed, 15 Mar 2000 10:39:00 +1100
+
+netkit-telnet (0.16-2) frozen unstable; urgency=low
+
+  * Recompiled with libncurses5.
+  * Changed the permission of /usr/lib/telnetd/login to 4754 (closes: #58786).
+  * telnet is now 8-bit clean by default since it appeared to be so in slink,
+    albeit unintentionally (closes: #57685).
+
+ -- Herbert Xu <herbert@debian.org>  Sun, 12 Mar 2000 21:10:47 +1100
+
+netkit-telnet (0.16-1) frozen unstable; urgency=low
+
+  * New upstream release with security fixes.
+  * Run as root if devpts is not present.
+
+ -- Herbert Xu <herbert@debian.org>  Thu,  3 Feb 2000 13:42:29 +1100
+
+netkit-telnet (0.14-9) unstable; urgency=low
+
+  * Compile login with -g -O2 -Wall.
+  * Fixed path to default login in in.telnetd(8).
+  * Fixed usage() output (closes: #51498).
+
+ -- Herbert Xu <herbert@debian.org>  Tue, 30 Nov 1999 22:43:39 +1100
+
+netkit-telnet (0.14-8) unstable; urgency=low
+
+  * Call fatalperror() instead of fatal() when getpty() fails.
+  * Delete telnetd group before creating telnetd (closes: #46659).
+
+ -- Herbert Xu <herbert@debian.org>  Tue,  5 Oct 1999 17:52:36 +1000
+
+netkit-telnet (0.14-7) unstable; urgency=low
+
+  * Redirect stderr for group existence check to /dev/null.
+
+ -- Herbert Xu <herbert@debian.org>  Sat, 25 Sep 1999 22:00:31 +1000
+
+netkit-telnet (0.14-6) unstable; urgency=low
+
+  * Check for existence of user/group before removing (fixes #45651).
+
+ -- Herbert Xu <herbert@debian.org>  Tue, 21 Sep 1999 21:07:18 +1000
+
+netkit-telnet (0.14-5) unstable; urgency=low
+
+  * Depend on base-files (>= 2.1.8) for group utmp (fixes #44687).
+
+ -- Herbert Xu <herbert@debian.org>  Sat, 11 Sep 1999 12:53:08 +1000
+
+netkit-telnet (0.14-4) unstable; urgency=low
+
+  * Rebuilt with working fakeroot (fixes #44043, #44044).
+
+ -- Herbert Xu <herbert@debian.org>  Fri,  3 Sep 1999 20:32:28 +1000
+
+netkit-telnet (0.14-3) unstable; urgency=medium
+
+  * telnetd is now a member of utmp (fixes #43543).
+  * Call adduser with --quiet (fixes #43587).
+  * configure now works with egcs 2.95 (fixes #43580, #43747)
+
+ -- Herbert Xu <herbert@debian.org>  Thu,  2 Sep 1999 21:18:06 +1000
+
+netkit-telnet (0.14-2) unstable; urgency=low
+
+  * telnetd now depends on adduser and passwd (fixes #43515).
+
+ -- Herbert Xu <herbert@debian.org>  Thu, 26 Aug 1999 14:49:25 +1000
+
+netkit-telnet (0.14-1) unstable; urgency=low
+
+  * New upstream release.
+  * Installed the login wrapper (fixes #42092).
+  * Reopen logging if necessary (fixes #36149).
+
+ -- Herbert Xu <herbert@debian.org>  Tue, 24 Aug 1999 09:17:24 +1000
+
+netkit-telnet (0.12-6) unstable; urgency=low
+
+  * Applied patch from Matt McLean for openpty support (fixes #35629).
+  * Use glibc versions of logout/logwtmp.
+
+ -- Herbert Xu <herbert@debian.org>  Tue, 29 Jun 1999 14:16:14 +1000
+
+netkit-telnet (0.12-5) unstable; urgency=low
+
+  * Fixed a bug with hostnames longer than 64 characters (fixes #33559).
+
+ -- Herbert Xu <herbert@debian.org>  Tue, 16 Mar 1999 15:24:36 +1100
+
+netkit-telnet (0.12-4) frozen unstable; urgency=low
+
+  * Uploaded to slink.
+
+ -- Herbert Xu <herbert@debian.org>  Sun, 15 Nov 1998 15:04:40 +1100
+
+netkit-telnet (0.12-3) unstable; urgency=low
+
+  * Rebuilt with libncurses4.
+
+ -- Herbert Xu <herbert@debian.org>  Sun,  1 Nov 1998 19:38:49 +1100
+
+netkit-telnet (0.12-2) unstable; urgency=low
+
+  * Rebuilt with libstdc++2.9 (fixes #27789).
+
+ -- Herbert Xu <herbert@debian.org>  Thu, 15 Oct 1998 22:32:04 +1000
+
+netkit-telnet (0.12-1) unstable; urgency=low
+
+  * Initial Release.
+
+ -- Herbert Xu <herbert@debian.org>  Mon, 28 Sep 1998 16:50:43 +1000
+
+Local variables:
+mode: debian-changelog
+add-log-mailing-address: "herbert@debian.org"
+End:
diff --git a/exploits/7350855-netkit/netkit-telnet-0.16/debian/control b/exploits/7350855-netkit/netkit-telnet-0.16/debian/control
new file mode 100644
index 0000000..fe25130
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.16/debian/control
@@ -0,0 +1,21 @@
+Source: netkit-telnet
+Section: net
+Priority: standard
+Maintainer: Herbert Xu <herbert@debian.org>
+Standards-Version: 3.0.1
+
+Package: telnet
+Architecture: any
+Depends: ${shlibs:Depends}
+Replaces: netstd
+Description: The telnet client.
+ The telnet command is used for interactive communication with another host
+ using the TELNET protocol.
+
+Package: telnetd
+Architecture: any
+Depends: netbase, adduser, base-files (>= 2.1.8), ${shlibs:Depends}
+Replaces: netstd
+Description: The telnet server.
+ The in.telnetd program is a server which supports the DARPA telnet interactive
+ communication protocol.
diff --git a/exploits/7350855-netkit/netkit-telnet-0.16/debian/copyright b/exploits/7350855-netkit/netkit-telnet-0.16/debian/copyright
new file mode 100644
index 0000000..94881eb
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.16/debian/copyright
@@ -0,0 +1,18 @@
+This package was split from netstd by Herbert Xu herbert@debian.org on
+Mon, 28 Sep 1998 16:50:43 +1000.
+
+netstd was created by Peter Tobias tobias@et-inf.fho-emden.de on
+Wed, 20 Jul 1994 17:23:21 +0200.
+
+It was downloaded from ftp://ftp.uk.linux.org/pub/linux/Networking/telnet+ftp/.
+
+Copyright:
+
+Copyright (c) 1988, 1993 The Regents of the University of California.
+Copyright (c) 1995 David A. Holland
+Copyright (c) 1994 Peter Tobias (issue.net(5))
+Copyright (c) 1983, 1995 Eric P. Allman (setproctitle.[ch])
+
+The license can be found at /usr/doc/copyright/BSD.
+
+$Id: copyright,v 1.2 2000/03/08 01:14:59 herbert Exp $
diff --git a/exploits/7350855-netkit/netkit-telnet-0.16/debian/dirs b/exploits/7350855-netkit/netkit-telnet-0.16/debian/dirs
new file mode 100644
index 0000000..98d1583
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.16/debian/dirs
@@ -0,0 +1,2 @@
+usr/bin
+usr/share/man/man1
diff --git a/exploits/7350855-netkit/netkit-telnet-0.16/debian/docs b/exploits/7350855-netkit/netkit-telnet-0.16/debian/docs
new file mode 100644
index 0000000..9632452
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.16/debian/docs
@@ -0,0 +1,2 @@
+BUGS
+README 
diff --git a/exploits/7350855-netkit/netkit-telnet-0.16/debian/login.c b/exploits/7350855-netkit/netkit-telnet-0.16/debian/login.c
new file mode 100644
index 0000000..653129e
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.16/debian/login.c
@@ -0,0 +1,23 @@
+#include <unistd.h>
+#include <paths.h>
+#include <syslog.h>
+
+#ifndef _PATH_LOGIN
+#define _PATH_LOGIN     "/bin/login"
+#endif
+
+int main(int argc, char **argv)
+{
+        while(argc--) {
+                if((argv[argc][0] == '-')
+                && (argv[argc][1] == 'f')) {
+                        openlog("login.telnetd", LOG_PID, LOG_AUTHPRIV);
+                        syslog(LOG_CRIT, "login.telnetd tried to use \"-f\"");
+                        closelog();
+                        return 1;
+                }
+        }
+        setuid(geteuid());
+        argv[0] = _PATH_LOGIN;
+        return execv(argv[0], argv);
+}
diff --git a/exploits/7350855-netkit/netkit-telnet-0.16/debian/rules b/exploits/7350855-netkit/netkit-telnet-0.16/debian/rules
new file mode 100644
index 0000000..ef60a05
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.16/debian/rules
@@ -0,0 +1,77 @@
+#!/usr/bin/make -f
+# $Id: rules,v 1.6 2000/03/14 23:43:29 herbert Exp $
+# Sample debian/rules that uses debhelper. GNU copyright 1997 by Joey Hess.
+
+# Uncomment this to turn on verbose mode.
+#export DH_VERBOSE=1
+
+CFLAGS=-g -O2 -Wall
+
+build: build-stamp
+build-stamp: debian/login
+        dh_testdir
+
+        if [ ! -f MCONFIG ]; then ./configure --debug; fi
+        $(MAKE)
+
+        touch build-stamp
+
+clean:
+        dh_testdir
+        dh_testroot
+        rm -f build-stamp install-stamp
+
+        -$(MAKE) distclean
+        rm -f debian/login debian/login.o
+
+        dh_clean
+
+install: install-stamp
+install-stamp: build-stamp
+        dh_testdir
+        dh_testroot
+        dh_clean -k
+        dh_installdirs
+
+        $(MAKE) -C telnet INSTALLROOT=`pwd`/debian/tmp MANDIR=/usr/share/man \
+                install
+        $(MAKE) -C telnetd INSTALLROOT=`pwd`/debian/telnetd \
+                MANDIR=/usr/share/man install
+        cp debian/login debian/telnetd/usr/lib/telnetd
+
+        touch install-stamp
+
+# Build architecture-independent files here.
+binary-indep: build install
+# We have nothing to do by default.
+
+# Build architecture-dependent files here.
+binary-arch: build install
+#       dh_testversion
+        dh_testdir
+        dh_testroot
+        dh_installdocs
+        dh_installexamples
+        dh_installmenu
+#       dh_installemacsen
+#       dh_installinit
+        dh_installcron
+#       dh_installmanpages
+#       dh_undocumented
+        dh_installchangelogs ChangeLog
+        dh_strip
+        dh_compress
+        dh_fixperms
+        dh_suidregister
+        dh_installdeb
+        dh_shlibdeps
+        dh_gencontrol
+#       dh_makeshlibs
+        dh_md5sums
+        dh_builddeb
+
+source diff:                                                                  
+        @echo >&2 'source and diff are obsolete - use dpkg-source -b'; false
+
+binary: binary-indep binary-arch
+.PHONY: build clean binary-indep binary-arch binary
diff --git a/exploits/7350855-netkit/netkit-telnet-0.16/debian/telnetd.dirs b/exploits/7350855-netkit/netkit-telnet-0.16/debian/telnetd.dirs
new file mode 100644
index 0000000..8759ade
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.16/debian/telnetd.dirs
@@ -0,0 +1,4 @@
+usr/lib/telnetd
+usr/share/man/man5
+usr/share/man/man8
+usr/sbin
diff --git a/exploits/7350855-netkit/netkit-telnet-0.16/debian/telnetd.postinst b/exploits/7350855-netkit/netkit-telnet-0.16/debian/telnetd.postinst
new file mode 100644
index 0000000..6ff8f5c
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.16/debian/telnetd.postinst
@@ -0,0 +1,45 @@
+#!/bin/sh -e
+# $Id: telnetd.postinst,v 1.9 2000/03/08 01:13:20 herbert Exp $
+
+if ! id -u telnetd >/dev/null 2>&1; then
+        if sg telnetd -c true 2>/dev/null; then
+                groupdel telnetd
+        fi
+        adduser --quiet --system --group --home /usr/lib/telnetd telnetd
+fi
+adduser --quiet telnetd utmp
+if [ -e /etc/suid.conf -a -x /usr/sbin/suidregister ]; then
+        suidregister -s telnetd /usr/lib/telnetd/login root telnetd 4754
+else
+        chown root.telnetd /usr/lib/telnetd/login
+        chmod 4754 /usr/lib/telnetd/login
+fi
+
+if grep -q "^devpts " /proc/mounts; then
+        REMOVE="telnet          stream  tcp     nowait  root    /usr/sbin/tcpd  /usr/sbin/in.telnetd"
+        ADD="telnet             stream  tcp     nowait  telnetd.telnetd /usr/sbin/tcpd  /usr/sbin/in.telnetd"
+else
+        REMOVE="telnet          stream  tcp     nowait  telnetd.telnetd /usr/sbin/tcpd  /usr/sbin/in.telnetd"
+        ADD="telnet             stream  tcp     nowait  root    /usr/sbin/tcpd  /usr/sbin/in.telnetd"
+fi
+
+case "$1" in
+abort-upgrade | abort-deconfigure | abort-remove)
+        update-inetd --enable telnet
+        ;;
+configure)
+        if [ -n "$2" ] && dpkg --compare-versions "$2" ge 0.14-1 &&
+           ! grep -q "^$REMOVE" /etc/inetd.conf; then
+                update-inetd --enable telnet
+        else
+                update-inetd --remove "$REMOVE"
+                update-inetd --group STANDARD --add "$ADD"
+        fi
+        ;;
+*)
+        printf "$0: incorrect arguments: $*\n" >&2
+        exit 1
+        ;;
+esac
+
+#DEBHELPER#
diff --git a/exploits/7350855-netkit/netkit-telnet-0.16/debian/telnetd.postrm b/exploits/7350855-netkit/netkit-telnet-0.16/debian/telnetd.postrm
new file mode 100644
index 0000000..cc0531c
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.16/debian/telnetd.postrm
@@ -0,0 +1,29 @@
+#!/bin/sh -e
+# $Id: telnetd.postrm,v 1.6 1999/11/25 21:27:08 herbert Exp $
+
+if [ -e /etc/suid.conf -a -x /usr/sbin/suidunregister ]; then
+        suidunregister -s telnetd /usr/lib/telnetd/login
+fi
+
+case "$1" in
+abort-install | remove | abort-upgrade | upgrade | failed-upgrade | disappear)
+        ;;
+purge)
+        if id telnetd >/dev/null 2>&1; then
+                userdel telnetd
+        fi
+        if sg telnetd -c true 2>/dev/null; then
+                groupdel telnetd
+        fi
+        # If netbase is not installed, then we don't need to do the remove.
+        if command -v update-inetd >/dev/null 2>&1; then
+                update-inetd --remove "telnet   .*      /usr/sbin/in.telnetd"
+        fi
+        ;;
+*)
+        echo "$0: incorrect arguments: $*" >&2
+        exit 1
+        ;;
+esac
+
+#DEBHELPER#
diff --git a/exploits/7350855-netkit/netkit-telnet-0.16/debian/telnetd.prerm b/exploits/7350855-netkit/netkit-telnet-0.16/debian/telnetd.prerm
new file mode 100644
index 0000000..47a26d2
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.16/debian/telnetd.prerm
@@ -0,0 +1,9 @@
+#!/bin/sh -e
+# $Id: telnetd.prerm,v 1.2 1999/08/27 10:45:45 herbert Exp $
+
+# If netbase is not installed, then we don't need to do the remove.
+if command -v update-inetd >/dev/null 2>&1; then
+        update-inetd --disable telnet
+fi
+
+#DEBHELPER#
diff --git a/exploits/7350855-netkit/netkit-telnet-0.16/pty-hang.patch b/exploits/7350855-netkit/netkit-telnet-0.16/pty-hang.patch
new file mode 100644
index 0000000..850f4b9
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.16/pty-hang.patch
@@ -0,0 +1,99 @@
+From whawes@star.net Sun May 25 11:17:36 1997
+Received: from venus.star.net (root@venus.star.net [199.232.114.5]) by hcs.harvard.edu (8.8.5/8.8.3) with ESMTP id LAA15293 for <dholland@hcs.harvard.edu>; Sun, 25 May 1997 11:17:35 -0400 (EDT)
+Received: from hawes (bos221p.star.net [199.232.112.221]) by venus.star.net (8.8.5/8.7.3) with ESMTP id LAA29775; Sun, 25 May 1997 11:17:08 -0400
+Message-ID: <33885894.B2043F5E@star.net>
+Date: Sun, 25 May 1997 11:19:48 -0400
+From: Bill Hawes <whawes@star.net>
+X-Mailer: Mozilla 4.0b3 [en] (WinNT; I)
+MIME-Version: 1.0
+To: David Holland <dholland@hcs.harvard.edu>,
+        Alan Cox <net-patches@lxorguk.ukuu.org.uk>,
+        Peter Tobias <tobias@server.et-inf.fho-emden.de>,
+        "Theodore Ts'o" <tytso@MIT.EDU>
+Subject: kernel patch to fix telnetd deadlock
+X-Priority: 3 (Normal)
+Content-Type: multipart/mixed; boundary="------------B47A35BD86775A5D9DA0F308"
+Status: RO
+
+This is a multi-part message in MIME format.
+--------------B47A35BD86775A5D9DA0F308
+Content-Type: text/plain; charset=us-ascii
+Content-Transfer-Encoding: 7bit
+
+Attached is a patch for drivers/char/n_tty.c that fixes the telnetd
+deadlock when more than 256 chars are typed without a newline.  With
+this patch in place, the total of typed-ahead and entered commands is
+still limited to 256 chars, but telnetd comes back to life when the
+buffer is emptied.
+
+Here's what the problem was:
+telnetd does a select() on the master side of a pty to see when it's
+safe to write a character without blocking.
+
+The N_TTY line discipline select() calls the pty driver's
+chars_in_buffer() function to see how many characters are buffered.
+If there are more than 256, the caller has to wait.
+
+The pty driver.chars_in_buffer calls the other side's ldisc
+chars_in_buffer() function.  Here's where the problem arises: the slave
+pty is in canonical mode, so that no characters can be read until a
+newline is entered.  But the n_tty_chars_in_buffer was returning the
+full number of characters entered, even if no newline had been entered. 
+Hence after 256 characters were typed, select() makes telnetd wait, and
+the newline can never arrive.
+
+The patch corrects n_tty_chars_in_buffer() by checking for canonical
+mode and returning 0 if no data is available to be read.
+
+I've tested this on 2.0.30, and it should apply to 2.1.40 as well.
+Please check it out and forward it as you see wish.
+
+I'm working on a patch for pty.c to allow a greater amount of type-ahead
+while still avoiding a deadlock.
+
+Regards,
+Bill Hawes
+--------------B47A35BD86775A5D9DA0F308
+Content-Type: text/plain; charset=us-ascii; name="n_tty-chars-patch"
+Content-Transfer-Encoding: 7bit
+Content-Disposition: inline; filename="n_tty-chars-patch"
+
+--- drivers/char/n_tty.c.old    Mon Sep  2 08:18:26 1996
++++ drivers/char/n_tty.c        Sun May 25 10:10:29 1997
+@@ -86,10 +86,31 @@
+ 
+ /*
+  * Return number of characters buffered to be delivered to user
++ *     WSH 05/20/97: Added check for canonical mode
++ *     In canonical mode, no characters are available to be read until 
++ *     the first newline has been entered.  (Any characters in the buffer
++ *     may yet be erased ...)
++ *
++ *     This was causing a deadlock in telnetd: select() thought the buffer
++ *      was already too full, so telnetd couldn't send a newline, but the
++ *      slave PTY couldn't read anything because there was no newline.
+  */
+ int n_tty_chars_in_buffer(struct tty_struct *tty)
+ {
+-       return tty->read_cnt;
++       /* Check first for canonical mode ... */
++       if (tty->icanon) {
++               if (!tty->canon_data) return 0;
++
++               /* Would prefer to just fall through and return the true
++                * count, but that could still cause deadlocks until some
++                * other routines are patched.  For now, calculate the
++                * characters actually available for reading.
++                */
++               return (tty->canon_head > tty->read_tail) ?
++                       tty->canon_head - tty->read_tail :
++                       tty->canon_head + (N_TTY_BUF_SIZE - tty->read_tail);
++       }
++       return tty->read_cnt; /* all characters available */ 
+ }
+ 
+ /*
+
+--------------B47A35BD86775A5D9DA0F308--
+
+
diff --git a/exploits/7350855-netkit/netkit-telnet-0.16/telnet/Makefile b/exploits/7350855-netkit/netkit-telnet-0.16/telnet/Makefile
new file mode 100644
index 0000000..cef866f
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.16/telnet/Makefile
@@ -0,0 +1,30 @@
+all: telnet
+
+include ../MCONFIG
+include ../MRULES
+
+#CXXFLAGS:=$(patsubst -O2, -g, $(CXXFLAGS))
+
+# -DAUTHENTICATE
+CXXFLAGS += -DUSE_TERMIO -DKLUDGELINEMODE
+LIBS += $(LIBTERMCAP)
+
+SRCS = commands.cc main.cc network.cc ring.cc sys_bsd.cc telnet.cc \
+        terminal.cc tn3270.cc utilities.cc genget.cc environ.cc netlink.cc
+
+OBJS = $(patsubst %.cc, %.o, $(SRCS))
+
+telnet: $(OBJS)
+        $(CXX) $(LDFLAGS) $^ $(LIBS) -o $@
+
+include depend.mk
+depend:
+        $(CXX) $(CXXFLAGS) -MM $(SRCS) >depend.mk
+
+install: telnet
+        install -s -m$(BINMODE) telnet $(INSTALLROOT)$(BINDIR)
+        install -m$(MANMODE) telnet.1 $(INSTALLROOT)$(MANDIR)/man1
+
+clean:
+        rm -f *.o telnet
+
diff --git a/exploits/7350855-netkit/netkit-telnet-0.16/telnet/NetKit-B-0.06-telnet.patch b/exploits/7350855-netkit/netkit-telnet-0.16/telnet/NetKit-B-0.06-telnet.patch
new file mode 100644
index 0000000..892423b
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.16/telnet/NetKit-B-0.06-telnet.patch
@@ -0,0 +1,27 @@
+diff -ur NetKit-B-0.06.orig/telnet/defines.h NetKit-B-0.06/telnet/defines.h
+--- NetKit-B-0.06.orig/telnet/defines.h Fri Dec 17 07:18:16 1993
++++ NetKit-B-0.06/telnet/defines.h      Mon Jun  5 15:34:51 1995
+@@ -34,6 +34,10 @@
+  *     $Id: NetKit-B-0.06-telnet.patch,v 1.1 1996/07/16 05:17:22 dholland Exp $
+  */
+ 
++#define ENV_VAR NEW_ENV_VAR
++#define ENV_VALUE NEW_ENV_VALUE
++#define TELOPT_ENVIRON TELOPT_NEW_ENVIRON
++
+ #define        settimer(x)     clocks.x = clocks.system++
+ 
+ #if    !defined(TN3270)
+diff -ur NetKit-B-0.06.orig/telnetd/defs.h NetKit-B-0.06/telnetd/defs.h
+--- NetKit-B-0.06.orig/telnetd/defs.h   Mon May 23 09:11:57 1994
++++ NetKit-B-0.06/telnetd/defs.h        Mon Jun  5 15:34:39 1995
+@@ -40,6 +40,9 @@
+ #include <sys/types.h>
+ #include <sys/param.h>
+ 
++#define ENV_VAR NEW_ENV_VAR
++#define ENV_VALUE NEW_ENV_VALUE
++#define TELOPT_ENVIRON TELOPT_NEW_ENVIRON
+ 
+ #ifndef        BSD
+ # define       BSD 43
diff --git a/exploits/7350855-netkit/netkit-telnet-0.16/telnet/README b/exploits/7350855-netkit/netkit-telnet-0.16/telnet/README
new file mode 100644
index 0000000..cd18f9a
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.16/telnet/README
@@ -0,0 +1,26 @@
+
+Telnet has been massively hacked up for this release. 
+
+It presently requires a C++ compiler (gcc 2.7.2 or higher
+recommended), but not libg++ or libstdc++. That is, unless you went to
+special effort to not install the C++ compiler when you installed gcc,
+you'll be fine.
+
+Large amounts of further hacking are expected. If you're interested in
+working on it, please contact me, as diffs are likely to become
+useless very quickly.
+
+Support for assorted old/broken systems has been dropped.  Some such
+support may be reinstated in the future once the code has been cleaned
+up sufficiently. On the other hand, it may not.
+
+Known bugs/shortcomings at this point:
+
+        - Under some circumstances it can theoretically encounter a
+          buffer overflow condition and drop data on the floor. If
+          anyone actually observes this ``in the wild'' I'd appreciate
+          knowing the circumstances. I'm also not convinced the old
+          behavior was any better.
+        - Various of the debug/trace modes don't work. This probably
+          doesn't matter to anyone not actually coding on it.
+
diff --git a/exploits/7350855-netkit/netkit-telnet-0.16/telnet/README.old b/exploits/7350855-netkit/netkit-telnet-0.16/telnet/README.old
new file mode 100644
index 0000000..086c88f
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.16/telnet/README.old
@@ -0,0 +1,566 @@
+
+
+This is a distribution of both client and server telnet.  These programs
+have been compiled on:
+                        telnet  telnetd
+        BSD 4.3 Reno      X       X
+        UNICOS 5.1        X       X
+        UNICOS 6.0        X       X
+        UNICOS 6.1        X       X
+        UNICOS 7.0        X       X
+        SunOs 3.5         X       X (no linemode in server)
+        SunOs 4.1         X       X (no linemode in server)
+        DYNIX V3.0.17.9   X       X (no linemode in server)
+        Ultrix 3.1        X       X (no linemode in server)
+        Ultrix 4.0        X       X (no linemode in server)
+
+In addition, previous versions have been compiled on the following
+machines, but were not available for testing this version.
+                        telnet  telnetd
+        SunOs 4.0.3c      X       X (no linemode in server)
+        BSD 4.3           X       X (no linemode in server)
+        DYNIX V3.0.12     X       X (no linemode in server)
+
+Februrary 22, 1991:
+
+    Features:
+
+        This version of telnet/telnetd has support for both
+        the AUTHENTICATION and ENCRYPTION options.  The
+        AUTHENTICATION option is fairly well defined, and
+        an option number has been assigned to it.  The
+        ENCRYPTION option is still in a state of flux; an
+        option number has NOT been assigned to it yet.
+        The code is provided in this release for experimental
+        and testing purposes.
+
+        The telnet "send" command can now be used to send
+        do/dont/will/wont commands, with any telnet option
+        name.  The rules for when do/dont/will/wont are sent
+        are still followed, so just because the user requests
+        that one of these be sent doesn't mean that it will
+        be sent...
+
+        The telnet "getstatus" command no longer requires
+        that option printing be enabled to see the response
+        to the "DO STATUS" command.
+
+        A -n flag has been added to telnetd to disable
+        keepalives.
+
+        A new telnet command, "auth" has been added (if
+        AUTHENTICATE is defined).  It has four sub-commands,
+        "status", "debug", "disable", "enable" and "help".
+
+        A new telnet command, "encrypt" has been added (if
+        ENCRYPT is defined).  It has many sub-commands:
+        "enable", "type", "start", "stop", "input",
+        "-input", "output", "-output", "status", "auto",
+        "verbose", "debug", and "help".
+
+        An "rlogin" interface has been added.  If the program
+        is named "rlogin", or the "-r" flag is given, then
+        an rlogin type of interface will be used.
+                ~.      Terminates the session
+                ~<susp> Suspend the session
+                ~^]     Escape to telnet command mode
+                ~~      Pass through the ~.
+            BUG: If you type the rlogin escape character
+                 in the middle of a line while in rlogin
+                 mode, you cannot erase it or any characters
+                 before it.  Hopefully this can be fixed
+                 in a future release...
+
+    General changes:
+
+        A "libtelnet.a" has now been created.  This libraray
+        contains code that is common to both telnet and
+        telnetd.  This is also where library routines that
+        are needed, but are not in the standard C library,
+        are placed.
+
+        The makefiles have been re-done.  All of the site
+        specific configuration information has now been put
+        into a single "Config.generic" file, in the top level
+        directory.  Changing this one file will take care of
+        all three subdirectories.  Also, to add a new/local
+        definition, a "Config.local" file may be created
+        at the top level; if that file exists, the subdirectories
+        will use that file instead of "Config.generic".
+
+        Many 1-2 line functions in commands.c have been
+        removed, and just inserted in-line, or replaced
+        with a macro.
+
+    Bug Fixes:
+
+        The non-termio code in both telnet and telnetd was
+        setting/clearing CTLECH in the sg_flags word.  This
+        was incorrect, and has been changed to set/clear the
+        LCTLECH bit in the local mode word.
+
+        The SRCRT #define has been removed.  If IP_OPTIONS
+        and IPPROTO_IP are defined on the system, then the
+        source route code is automatically enabled.
+
+        The NO_GETTYTAB #define has been removed; there
+        is a compatability routine that can be built into
+        libtelnet to achive the same results.
+
+        The server, telnetd, has been switched to use getopt()
+        for parsing the argument list.
+
+        The code for getting the input/output speeds via
+        cfgetispeed()/cfgetospeed() was still not quite
+        right in telnet.  Posix says if the ispeed is 0,
+        then it is really equal to the ospeed.
+
+        The suboption processing code in telnet now has
+        explicit checks to make sure that we received
+        the entire suboption (telnetd was already doing this).
+
+        The telnet code for processing the terminal type
+        could cause a core dump if an existing connection
+        was closed, and a new connection opened without
+        exiting telnet.
+
+        Telnetd was doing a TCSADRAIN when setting the new
+        terminal settings;  This is not good, because it means
+        that the tcsetattr() will hang waiting for output to
+        drain, and telnetd is the only one that will drain
+        the output...  The fix is to use TCSANOW which does
+        not wait.
+
+        Telnetd was improperly setting/clearing the ISTRIP
+        flag in the c_lflag field, it should be using the
+        c_iflag field. 
+
+        When the child process of telnetd was opening the
+        slave side of the pty, it was re-setting the EXTPROC
+        bit too early, and some of the other initialization
+        code was wiping it out.  This would cause telnetd
+        to go out of linemode and into single character mode.
+
+        One instance of leaving linemode in telnetd forgot
+        to send a WILL ECHO to the client, the net result
+        would be that the user would see double character
+        echo.
+
+        If the MODE was being changed several times very
+        quickly, telnetd could get out of sync with the
+        state changes and the returning acks; and wind up
+        being left in the wrong state.
+
+September 14, 1990:
+
+        Switch the client to use getopt() for parsing the
+        argument list.  The 4.3Reno getopt.c is included for
+        systems that don't have getopt().
+
+        Use the posix _POSIX_VDISABLE value for what value
+        to use when disabling special characters.  If this
+        is undefined, it defaults to 0x3ff.
+
+        For non-termio systems, TIOCSETP was being used to
+        change the state of the terminal.  This causes the
+        input queue to be flushed, which we don't want.  This
+        is now changed to TIOCSETN.
+
+        Take out the "#ifdef notdef" around the code in the
+        server that generates a "sync" when the pty oputput
+        is flushed.  The potential problem is that some older
+        telnet clients may go into an infinate loop when they
+        receive a "sync", if so, the server can be compiled
+        with "NO_URGENT" defined.
+
+        Fix the client where it was setting/clearing the OPOST
+        bit in the c_lflag field, not the c_oflag field.
+
+        Fix the client where it was setting/clearing the ISTRIP
+        bit in the c_lflag field, not the c_iflag field.  (On
+        4.3Reno, this is the ECHOPRT bit in the c_lflag field.)
+        The client also had its interpretation of WILL BINARY
+        and DO BINARY reversed.
+
+        Fix a bug in client that would cause a core dump when
+        attempting to remove the last environment variable.
+
+        In the client, there were a few places were switch()
+        was being passed a character, and if it was a negative
+        value, it could get sign extended, and not match
+        the 8 bit case statements.  The fix is to and the
+        switch value with 0xff.
+
+        Add a couple more printoption() calls in the client, I
+        don't think there are any more places were a telnet
+        command can be received and not printed out when
+        "options" is on.
+
+        A new flag has been added to the client, "-a".  Currently,
+        this just causes the USER name to be sent across, in
+        the future this may be used to signify that automatic
+        authentication is requested.
+
+        The USER variable is now only sent by the client if
+        the "-a" or "-l user" options are explicity used, or
+        if the user explicitly asks for the "USER" environment
+        variable to be exported.  In the server, if it receives
+        the "USER" environment variable, it won't print out the
+        banner message, so that only "Password:" will be printed.
+        This makes the symantics more like rlogin, and should be
+        more familiar to the user.  (People are not used to
+        getting a banner message, and then getting just a
+        "Password:" prompt.)
+
+        Re-vamp the code for starting up the child login
+        process.  The code was getting ugly, and it was
+        hard to tell what was really going on.  What we
+        do now is after the fork(), in the child:
+                1) make sure we have no controlling tty
+                2) open and initialize the tty
+                3) do a setsid()/setpgrp()
+                4) makes the tty our controlling tty.
+        On some systems, #2 makes the tty our controlling
+        tty, and #4 is a no-op.  The parent process does
+        a gets rid of any controlling tty after the child
+        is fork()ed.
+
+        Use the strdup() library routine in telnet, instead
+        of the local savestr() routine.  If you don't have
+        strdup(), you need to define NO_STRDUP.
+
+        Add support for ^T (SIGINFO/VSTATUS), found in the
+        4.3Reno distribution.  This maps to the AYT character.
+        You need a 4-line bugfix in the kernel to get this
+        to work properly:
+
+        > *** tty_pty.c.ORG     Tue Sep 11 09:41:53 1990
+        > --- tty_pty.c Tue Sep 11 17:48:03 1990
+        > ***************
+        > *** 609,613 ****
+        >                       if ((tp->t_lflag&NOFLSH) == 0)
+        >                               ttyflush(tp, FREAD|FWRITE);
+        > !                     pgsignal(tp->t_pgrp, *(unsigned int *)data);
+        >                       return(0);
+        >               }
+        > --- 609,616 ----
+        >                       if ((tp->t_lflag&NOFLSH) == 0)
+        >                               ttyflush(tp, FREAD|FWRITE);
+        > !                     pgsignal(tp->t_pgrp, *(unsigned int *)data, 1);
+        > !                     if ((*(unsigned int *)data == SIGINFO) &&
+        > !                         ((tp->t_lflag&NOKERNINFO) == 0))
+        > !                             ttyinfo(tp);
+        >                       return(0);
+        >               }
+
+        The client is now smarter when setting the telnet escape
+        character; it only sets it to one of VEOL and VEOL2 if
+        one of them is undefined, and the other one is not already
+        defined to the telnet escape character.
+
+        Handle TERMIOS systems that have seperate input and output
+        line speed settings imbedded in the flags.
+
+        Many other minor bug fixes.
+
+June 20, 1990:
+        Re-organize makefiles and source tree.  The telnet/Source
+        directory is now gone, and all the source that was in
+        telnet/Source is now just in the telnet directory.
+
+        Seperate makefile for each system are now gone.  There
+        are two makefiles, Makefile and Makefile.generic.
+        The "Makefile" has the definitions for the various
+        system, and "Makefile.generic" does all the work.
+        There is a variable called "WHAT" that is used to
+        specify what to make.  For example, in the telnet
+        directory, you might say:
+                make 4.4bsd WHAT=clean
+        to clean out the directory.
+
+        Add support for the ENVIRON and XDISPLOC options.
+        In order for the server to work, login has to have
+        the "-p" option to preserve environment variables.
+
+        Add the SOFT_TAB and LIT_ECHO modes in the LINEMODE support.
+
+        Add the "-l user" option to command line and open command
+        (This is passed through the ENVIRON option).
+
+        Add the "-e" command line option, for setting the escape
+        character.
+
+        Add the "-D", diagnostic, option to the server.  This allows
+        the server to print out debug information, which is very
+        useful when trying to debug a telnet that doesn't have any
+        debugging ability.
+
+        Turn off the literal next character when not in LINEMODE.
+
+        Don't recognize ^Y locally, just pass it through.
+
+        Make minor modifications for Sun4.0 and Sun4.1
+
+        Add support for both FORW1 and FORW2 characters.  The
+        telnet escpape character is set to whichever of the
+        two is not being used.  If both are in use, the escape
+        character is not set, so when in linemode the user will
+        have to follow the escape character with a <CR> or <EOF)
+        to get it passed through.
+
+        Commands can now be put in single and double quotes, and
+        a backslash is now an escape character.  This is needed
+        for allowing arbitrary strings to be assigned to environment
+        variables.
+
+        Switch telnetd to use macros like telnet for keeping
+        track of the state of all the options.
+
+        Fix telnetd's processing of options so that we always do
+        the right processing of the LINEMODE option, regardless
+        of who initiates the request to turn it on.  Also, make
+        sure that if the other side went "WILL ECHO" in response
+        to our "DO ECHO", that we send a "DONT ECHO" to get the
+        option turned back off!
+
+        Fix the TERMIOS setting of the terminal speed to handle both
+        BSD's seperate fields, and the SYSV method of CBAUD bits.
+
+        Change how we deal with the other side refusing to enable
+        an option.  The sequence used to be: send DO option; receive
+        WONT option; send DONT option.  Now, the sequence is: send
+        DO option; receive WONT option.  Both should be valid
+        according to the spec, but there has been at least one
+        client implementation of telnet identified that can get
+        really confused by this.  (The exact sequence, from a trace
+        on the server side, is (numbers are number of responses that
+        we expect to get after that line...):
+
+                send WILL ECHO  1 (initial request)
+                send WONT ECHO  2 (server is changing state)
+                recv DO ECHO    1 (first reply, ok.  expect DONT ECHO next)
+                send WILL ECHO  2 (server changes state again)
+                recv DONT ECHO  1 (second reply, ok.  expect DO ECHO next)
+                recv DONT ECHO  0 (third reply, wrong answer. got DONT!!!)
+        ***     send WONT ECHO    (send WONT to acknowledge the DONT)
+                send WILL ECHO  1 (ask again to enable option)
+                recv DO ECHO    0
+
+                recv DONT ECHO  0
+                send WONT ECHO  1
+                recv DONT ECHO  0
+                recv DO ECHO    1
+                send WILL ECHO  0
+                (and the last 5 lines loop forever)
+
+        The line with the "***" is last of the WILL/DONT/WONT sequence.
+        The change to the server to not generate that makes this same
+        example become:
+
+                send will ECHO  1
+                send wont ECHO  2
+                recv do ECHO    1
+                send will ECHO  2
+                recv dont ECHO  1
+                recv dont ECHO  0
+                recv do ECHO    1
+                send will ECHO  0
+
+        There is other option negotiation going on, and not sending
+        the third part changes some of the timings, but this specific
+        example no longer gets stuck in a loop.  The "telnet.state"
+        file has been modified to reflect this change to the algorithm.
+
+        A bunch of miscellaneous bug fixes and changes to make
+        lint happier.
+
+        This version of telnet also has some KERBEROS stuff in
+        it. This has not been tested, it uses an un-authorized
+        telnet option number, and uses an out-of-date version
+        of the (still being defined) AUTHENTICATION option.
+        There is no support for this code, do not enable it.
+
+
+March 1, 1990:
+CHANGES/BUGFIXES SINCE LAST RELEASE:
+        Some support for IP TOS has been added.  Requires that the
+        kernel support the IP_TOS socket option (currently this
+        is only in UNICOS 6.0).
+
+        Both telnet and telnetd now use the cc_t typedef.  typedefs are
+        included for systems that don't have it (in termios.h).
+
+        SLC_SUSP was not supported properly before.  It is now.
+
+        IAC EOF was not translated  properly in telnetd for SYSV_TERMIO
+        when not in linemode.  It now saves a copy of the VEOF character,
+        so that when ICANON is turned off and we can't trust it anymore
+        (because it is now the VMIN character) we use the saved value.
+
+        There were two missing "break" commands in the linemode
+        processing code in telnetd.
+
+        Telnetd wasn't setting the kernel window size information
+        properly.  It was using the rows for both rows and columns...
+
+Questions/comments go to
+                David Borman
+                Cray Research, Inc.
+                655F Lone Oak Drive
+                Eagan, MN 55123
+                dab@cray.com.
+
+README: You are reading it.
+
+Config.generic:
+        This file contains all the OS specific definitions.  It
+        has pre-definitions for many common system types, and is
+        in standard makefile fromat.  See the comments at the top
+        of the file for more information.
+
+Config.local:
+        This is not part of the distribution, but if this file exists,
+        it is used instead of "Config.generic".  This allows site
+        specific configuration without having to modify the distributed
+        "Config.generic" file.
+
+kern.diff:
+        This file contains the diffs for the changes needed for the
+        kernel to support LINEMODE is the server.  These changes are
+        for a 4.3BSD system.  You may need to make some changes for
+        your particular system.
+
+        There is a new bit in the terminal state word, TS_EXTPROC.
+        When this bit is set, several aspects of the terminal driver
+        are disabled.  Input line editing, character echo, and
+        mapping of signals are all disabled.  This allows the telnetd
+        to turn of these functions when in linemode, but still keep
+        track of what state the user wants the terminal to be in.
+
+        New ioctl()s:
+
+                TIOCEXT         Turn on/off the TS_EXTPROC bit
+                TIOCGSTATE      Get t_state of tty to look at TS_EXTPROC bit
+                TIOCSIG         Generate a signal to processes in the
+                                current process group of the pty.
+
+        There is a new mode for packet driver, the TIOCPKT_IOCTL bit.
+        When packet mode is turned on in the pty, and the TS_EXTPROC
+        bit is set, then whenever the state of the pty is changed, the
+        next read on the master side of the pty will have the TIOCPKT_IOCTL
+        bit set, and the data will contain the following:
+                struct xx {
+                        struct sgttyb a;
+                        struct tchars b;
+                        struct ltchars c;
+                        int t_state;
+                        int t_flags;
+                }
+        This allows the process on the server side of the pty to know
+        when the state of the terminal has changed, and what the new
+        state is.
+
+        However, if you define USE_TERMIO or SYSV_TERMIO, the code will
+        expect that the structure returned in the TIOCPKT_IOCTL is
+        the termio/termios structure.
+
+stty.diff:
+        This file contains the changes needed for the stty(1) program
+        to report on the current status of the TS_EXTPROC bit.  It also
+        allows the user to turn on/off the TS_EXTPROC bit.  This is useful
+        because it allows the user to say "stty -extproc", and the
+        LINEMODE option will be automatically disabled, and saying "stty
+        extproc" will re-enable the LINEMODE option.
+
+telnet.state:
+        Both the client and server have code in them to deal
+        with option negotiation loops.  The algorithm that is
+        used is described in this file.
+
+tmac.doc:
+        Macros for use in formatting the man pages on non-4.3Reno
+        systems.
+
+telnet:
+        This directory contains the client code.  No kernel changes are
+        needed to use this code.
+
+telnetd:
+        This directory contains the server code.  If LINEMODE or KLUDGELINEMODE
+        are defined, then the kernel modifications listed above are needed.
+
+libtelnet:
+        This directory contains code that is common to both the client
+        and the server.
+
+arpa:
+        This directory has a new <arpa/telnet.h>
+
+
+The following TELNET options are supported:
+        
+        LINEMODE:
+                The LINEMODE option is supported as per RFC1116.  The
+                FORWARDMASK option is not currently supported.
+
+        BINARY: The client has the ability to turn on/off the BINARY
+                option in each direction.  Turning on BINARY from
+                server to client causes the LITOUT bit to get set in
+                the terminal driver on both ends,  turning on BINARY
+                from the client to the server causes the PASS8 bit
+                to get set in the terminal driver on both ends.
+
+        TERMINAL-TYPE:
+                This is supported as per RFC1091.  On the server side,
+                when a terminal type is received, termcap/terminfo
+                is consulted to determine if it is a known terminal
+                type.  It keeps requesting terminal types until it
+                gets one that it recongnizes, or hits the end of the
+                list.  The server side looks up the entry in the
+                termcap/terminfo data base, and generates a list of
+                names which it then passes one at a time to each
+                request for a terminal type, duplicating the last
+                entry in the list before cycling back to the beginning.
+
+        NAWS:   The Negotiate about Window Size, as per RFC 1073.
+
+        TERMINAL-SPEED:
+                Implemented as per RFC 1079
+
+        TOGGLE-FLOW-CONTROL:
+                Implemented as per RFC 1080
+
+        TIMING-MARK:
+                As per RFC 860
+
+        SGA:    As per RFC 858
+
+        ECHO:   As per RFC 857
+
+        STATUS:
+                The server will send its current status upon
+                request.  It does not ask for the clients status.
+                The client will request the servers current status
+                from the "send getstatus" command.
+
+        ENVIRON:
+                This option is currently being defined by the IETF
+                Telnet Working Group, and an RFC has not yet been
+                issued, but should be in the near future...
+
+        X-DISPLAY-LOCATION:
+                This functionality can be done through the ENVIRON
+                option, it is added here for completeness.
+
+        AUTHENTICATION:
+                This option is currently being defined by the IETF
+                Telnet Working Group, and an RFC has not yet been
+                issued.  The basic framework is pretty much decided,
+                but the definitions for the specific authentication
+                schemes is still in a state of flux.
+
+        ENCRYPT:
+                This option is currently being defined by the IETF
+                Telnet Working Group, and an RFC has not yet been
+                issued.  The draft RFC is still in a state of flux,
+                so this code may change in the future.
diff --git a/exploits/7350855-netkit/netkit-telnet-0.16/telnet/TODO b/exploits/7350855-netkit/netkit-telnet-0.16/telnet/TODO
new file mode 100644
index 0000000..f67f253
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.16/telnet/TODO
@@ -0,0 +1,13 @@
+eliminate global variables
+        clean up command processing
+                fix "send" command
+        clean up option processing
+
+add empty encrypt hooks (layer over ring buffers)
+flushout --> use nullsink
+
+fix ring buffer so it allocates more buf instead of overflowing
+
+put tracing back in
+
+authentication?
diff --git a/exploits/7350855-netkit/netkit-telnet-0.16/telnet/array.h b/exploits/7350855-netkit/netkit-telnet-0.16/telnet/array.h
new file mode 100644
index 0000000..56f1123
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.16/telnet/array.h
@@ -0,0 +1,97 @@
+//
+//      File:        array.h
+//      Date:        16-Jul-95
+//      Description: array template
+//
+/*
+ * Copyright (c) 1995 David A. Holland.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of the Author nor the names of any contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifndef ARRAY_H
+#define ARRAY_H
+
+#ifndef assert
+#include <assert.h>
+#endif
+
+#ifndef NULL
+#define NULL 0
+#endif
+
+inline void *operator new(size_t, void *v) { return v; }
+
+template <class T>
+class array {
+  protected:
+    T *v;
+    int n, max;
+
+    void reallocto(int newsize) {
+      while (max<newsize) max += 16;
+      char *x = new char[max*sizeof(T)];
+      memcpy(x,v,n*sizeof(T));
+      delete []((char *)v);
+      v = (T *) x;
+    }
+  public:
+    array() { v=NULL; n=max=0; }
+    ~array() { setsize(0); delete []((char *)v); }
+
+    int num() const { return n; }
+
+    void setsize(int newsize) {
+      if (newsize>max) reallocto(newsize);
+      if (newsize>n) {
+        // call default constructors
+        for (int i=n; i<newsize; i++) (void) new(&v[i]) T;
+      }
+      else {
+        // call destructors
+        for (int i=newsize; i<n; i++) v[i].~T();
+      }
+      n = newsize;
+    }
+
+    T &operator [] (int ix) const {
+      assert(ix>=0 && ix<n);
+      return v[ix];
+    }
+
+    int add(const T &val) {
+      int ix = n;
+      setsize(n+1);
+      v[ix] = val;
+      return ix;
+    }
+
+    void push(const T &val) { add(val); }
+
+    T pop() { T t = (*this)[n-1]; setsize(n-1); return t; }
+};
+
+#endif
diff --git a/exploits/7350855-netkit/netkit-telnet-0.16/telnet/authenc.cc b/exploits/7350855-netkit/netkit-telnet-0.16/telnet/authenc.cc
new file mode 100644
index 0000000..5a12a11
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.16/telnet/authenc.cc
@@ -0,0 +1,114 @@
+/*-
+ * Copyright (c) 1991 The Regents of the University of California.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *      This product includes software developed by the University of
+ *      California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/*
+ * From: @(#)authenc.c  5.1 (Berkeley) 3/1/91
+ */
+char au_rcsid[] = 
+  "$Id: authenc.cc,v 1.5 1996/08/02 01:06:31 dholland Exp $";
+
+#if     defined(ENCRYPT) || defined(AUTHENTICATE)
+#include <sys/types.h>
+#include <arpa/telnet.h>
+#include <libtelnet/encrypt.h>
+#include <libtelnet/misc.h>
+
+#include "ring.h"
+#include "externs.h"
+#include "defines.h"
+#include "types.h"
+#include "proto.h"
+
+        int
+net_write(str, len)
+        unsigned char *str;
+        int len;
+{
+        if (NETROOM() > len) {
+                netoring.supply_data(str, len);
+                if (str[0] == IAC && str[1] == SE)
+                        printsub('>', &str[2], len-2);
+                return(len);
+        }
+        return(0);
+}
+
+        void
+net_encrypt()
+{
+#if     defined(ENCRYPT)
+        if (encrypt_output)
+                ring_encrypt(&netoring, encrypt_output);
+        else
+                ring_clearto(&netoring);
+#endif
+}
+
+        int
+telnet_spin()
+{
+        return(-1);
+}
+
+        char *
+telnet_getenv(val)
+        char *val;
+{
+        return((char *)env_getvalue((unsigned char *)val));
+}
+
+        char *
+telnet_gets(prompt, result, length, echo)
+        char *prompt;
+        char *result;
+        int length;
+        int echo;
+{
+        extern char *getpass();
+        extern int globalmode;
+        int om = globalmode;
+        char *res;
+
+        TerminalNewMode(-1);
+        if (echo) {
+                printf("%s", prompt);
+                res = fgets(result, length, stdin);
+        } 
+        else if ((res = getpass(prompt))!=NULL) {
+                strncpy(result, res, length);
+                res = result;
+        }
+        TerminalNewMode(om);
+        return(res);
+}
+#endif
diff --git a/exploits/7350855-netkit/netkit-telnet-0.16/telnet/commands.cc b/exploits/7350855-netkit/netkit-telnet-0.16/telnet/commands.cc
new file mode 100644
index 0000000..b3a2a3c
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.16/telnet/commands.cc
@@ -0,0 +1,2233 @@
+/*
+ * Copyright (c) 1988, 1990 Regents of the University of California.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *      This product includes software developed by the University of
+ *      California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/*
+ * From: @(#)commands.c 5.5 (Berkeley) 3/22/91
+ */
+char cmd_rcsid[] = 
+  "$Id: commands.cc,v 1.32 1999/09/28 16:29:24 dholland Exp $";
+
+#include <string.h>
+
+#include <sys/param.h>
+#include <sys/file.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <netinet/ip.h>
+
+#ifdef  CRAY
+#include <fcntl.h>
+#endif  /* CRAY */
+
+#include <sys/wait.h>
+#include <signal.h>
+#include <netdb.h>
+#include <ctype.h>
+#include <pwd.h>
+#include <stdarg.h>
+#include <errno.h>
+#include <unistd.h>
+#include <stdlib.h>
+#include <arpa/inet.h>
+#include <arpa/telnet.h>
+
+#include "ring.h"
+
+#include "externs.h"
+#include "defines.h"
+#include "types.h"
+#include "genget.h"
+#include "environ.h"
+#include "proto.h"
+#include "ptrarray.h"
+#include "netlink.h"
+
+#ifdef __linux__
+#define HAS_IPPROTO_IP
+#endif
+
+#ifdef IPPROTO_IP
+#define HAS_IPPROTO_IP
+#endif
+
+#ifndef CRAY
+#if (defined(vax) || defined(tahoe) || defined(hp300)) && !defined(ultrix)
+#include <machine/endian.h>
+#endif /* vax */
+#endif /* CRAY */
+
+#define HELPINDENT ((int) sizeof ("connect"))
+
+#if     defined(HAS_IPPROTO_IP) && defined(IP_TOS)
+int tos = -1;
+#endif  /* defined(HAS_IPPROTO_IP) && defined(IP_TOS) */
+
+static unsigned long sourceroute(char *arg, char **cpp, int *lenp);
+
+
+char    *hostname;
+static char *_hostname;
+
+//typedef int (*intrtn_t)(int argc, const char *argv[]);
+
+class command_entry;
+typedef ptrarray<command_entry> command_table;
+
+static int process_command(command_table *tab, int argc, const char **argv);
+
+
+class command_entry {
+ protected:
+    const char *name;    /* command name */
+    const char *help;    /* help string (NULL for no help) */
+
+    int nargs;
+    union {             /* routine which executes command */
+        command_table *subhandler;
+        int (*handlern)(int, const char **);
+        int (*handler0)(void);
+        int (*handler1)(const char *);
+        int (*handler2)(const char *, const char *);
+    };
+ public:
+    command_entry(const char *n, const char *e, 
+                  int (*h)(int, const char **)) 
+    { 
+        name = n; 
+        help = e;
+        nargs = -1; handlern = h; 
+    }
+    command_entry(const char *n, const char *e,
+                  int (*h)(void)) 
+    { 
+        name = n; 
+        help = e;
+        nargs = 0; handler0 = h; 
+    }
+    command_entry(const char *n, const char *e,
+                  int (*h)(const char *)) 
+    { 
+        name = n; 
+        help = e;
+        nargs = 1; handler1 = h; 
+    }
+    command_entry(const char *n, const char *e,
+                  int (*h)(const char *, const char *)) 
+    { 
+        name = n; 
+        help = e;
+        nargs = 2; handler2 = h; 
+    }
+    command_entry(const char *n, const char *e, command_table *sub) {
+        name = n;
+        help = e;
+        nargs = -2;
+        subhandler = sub;
+    }
+    
+    int call(int argc, const char *argv[]) {
+        assert(argc>=1);
+        if (nargs>=0 && argc!=nargs+1) {
+            fprintf(stderr, "Wrong number of arguments for command.\n");
+            fprintf(stderr, "Try %s ? for help\n", argv[0]);
+            return 0;    /* is this right? */
+        }
+        if (nargs==-2) {
+            if (argc<2) {
+                fprintf(stderr, "`%s' requires a subcommand.\n", argv[0]);
+                fprintf(stderr, "Try %s ? for help\n", argv[0]);
+                return 0;    /* is this right? */
+            }
+            return process_command(subhandler, argc-1, argv+1);
+        }
+        else if (nargs==-1) return handlern(argc, argv);
+        else if (nargs==0) return handler0();
+        else if (nargs==1) return handler1(argv[1]);
+        else if (nargs==2) return handler2(argv[1], argv[2]);
+        return 0;
+    }
+
+    void describe() {
+        if (help) printf("%-*s\t%s\n", HELPINDENT, name, help);
+    }
+    void gethelp() {
+        if (help) printf("%s\n", help);
+        else printf("No help available\n");
+    }
+
+    const char *getname() const { return name; }
+};
+
+static char line[256];
+static char saveline[256];
+static int margc;
+static const char *margv[20];
+
+static void makeargv(void) {
+    register char *cp, *cp2, c;
+    register const char **argp = margv;
+
+    margc = 0;
+    cp = line;
+    if (*cp == '!') {           /* Special case shell escape */
+        strcpy(saveline, line); /* save for shell command */
+        *argp++ = "!";          /* No room in string to get this */
+        margc++;
+        cp++;
+    }
+    while ((c = *cp)!=0) {
+        register int inquote = 0;
+        while (isspace(c))
+            c = *++cp;
+        if (c == '\0')
+            break;
+        *argp++ = cp;
+        margc += 1;
+        for (cp2 = cp; c != '\0'; c = *++cp) {
+            if (inquote) {
+                if (c == inquote) {
+                    inquote = 0;
+                    continue;
+                }
+            } else {
+                if (c == '\\') {
+                    if ((c = *++cp) == '\0')
+                        break;
+                } else if (c == '"') {
+                    inquote = '"';
+                    continue;
+                } else if (c == '\'') {
+                    inquote = '\'';
+                    continue;
+                } else if (isspace(c))
+                    break;
+            }
+            *cp2++ = c;
+        }
+        *cp2 = '\0';
+        if (c == '\0')
+            break;
+        cp++;
+    }
+    *argp++ = 0;
+}
+
+/*
+ * Make a character string into a number.
+ *
+ * Todo:  1.  Could take random integers (12, 0x12, 012, 0b1).
+ */
+
+static int special(const char *s) {
+    char c;
+    char b;
+    
+    switch (*s) {
+     case '^':
+         b = *++s;
+         if (b == '?') {
+             c = b | 0x40;              /* DEL */
+         } 
+         else {
+             c = b & 0x1f;
+         }
+         break;
+     default:
+         c = *s;
+         break;
+    }
+    return c;
+}
+
+/*
+ * Construct a control character sequence
+ * for a special character.
+ */
+static const char *control(cc_t c)
+{
+        static char buf[5];
+        /*
+         * The only way I could get the Sun 3.5 compiler
+         * to shut up about
+         *      if ((unsigned int)c >= 0x80)
+         * was to assign "c" to an unsigned int variable...
+         * Arggg....
+         */
+        register unsigned int uic = (unsigned int)c;
+
+        if (uic == 0x7f)
+                return ("^?");
+        if (c == (cc_t)_POSIX_VDISABLE) {
+                return "off";
+        }
+        if (uic >= 0x80) {
+                buf[0] = '\\';
+                buf[1] = ((c>>6)&07) + '0';
+                buf[2] = ((c>>3)&07) + '0';
+                buf[3] = (c&07) + '0';
+                buf[4] = 0;
+        } else if (uic >= 0x20) {
+                buf[0] = c;
+                buf[1] = 0;
+        } else {
+                buf[0] = '^';
+                buf[1] = '@'+c;
+                buf[2] = 0;
+        }
+        return (buf);
+}
+
+
+
+/*
+ *      The following are data structures and routines for
+ *      the "send" command.
+ *
+ */
+ 
+struct sendlist {
+    const char *name;           /* How user refers to it (case independent) */
+    const char *help;           /* Help information (0 ==> no help) */
+    int needconnect;            /* Need to be connected */
+    int narg;                   /* Number of arguments */
+    int (*handler)(const char *, const char *); 
+                                /* Routine to perform (for special ops) */
+    int nbyte;                  /* Number of bytes to send this command */
+    int what;                   /* Character to be sent (<0 ==> special) */
+};
+
+static int send_esc(const char *, const char *);
+static int send_help(const char *, const char *);
+static int send_docmd(const char *, const char *);
+static int send_dontcmd(const char *, const char *);
+static int send_willcmd(const char *, const char *);
+static int send_wontcmd(const char *, const char *);
+
+extern int send_do(int, int);
+extern int send_dont(int, int);
+extern int send_will(int, int);
+extern int send_wont(int, int);
+
+static int dosynch1(const char *, const char *) { return dosynch(); }
+
+static struct sendlist Sendlist[] = {
+    { "ao",     "Send Telnet Abort output",             1, 0, 0, 2, AO },
+    { "ayt",    "Send Telnet 'Are You There'",          1, 0, 0, 2, AYT },
+    { "brk",    "Send Telnet Break",                    1, 0, 0, 2, BREAK },
+    { "break",  0,                                      1, 0, 0, 2, BREAK },
+    { "ec",     "Send Telnet Erase Character",          1, 0, 0, 2, EC },
+    { "el",     "Send Telnet Erase Line",               1, 0, 0, 2, EL },
+    { "escape", "Send current escape character",        1, 0, send_esc, 1, 0 },
+    { "ga",     "Send Telnet 'Go Ahead' sequence",      1, 0, 0, 2, GA },
+    { "ip",     "Send Telnet Interrupt Process",        1, 0, 0, 2, IP },
+    { "intp",   0,                                      1, 0, 0, 2, IP },
+    { "interrupt", 0,                                   1, 0, 0, 2, IP },
+    { "intr",   0,                                      1, 0, 0, 2, IP },
+    { "nop",    "Send Telnet 'No operation'",           1, 0, 0, 2, NOP },
+    { "eor",    "Send Telnet 'End of Record'",          1, 0, 0, 2, EOR },
+    { "abort",  "Send Telnet 'Abort Process'",          1, 0, 0, 2, ABORT },
+    { "susp",   "Send Telnet 'Suspend Process'",        1, 0, 0, 2, SUSP },
+    { "eof",    "Send Telnet End of File Character",    1, 0, 0, 2, xEOF },
+    { "synch",  "Perform Telnet 'Synch operation'",     1, 0, dosynch1, 2, 0 },
+    { "getstatus", "Send request for STATUS",   1, 0, get_status, 6, 0 },
+    { "?",      "Display send options",         0, 0, send_help, 0, 0 },
+    { "help",   0,                              0, 0, send_help, 0, 0 },
+    { "do",     0,                              0, 1, send_docmd, 3, 0 },
+    { "dont",   0,                              0, 1, send_dontcmd, 3, 0 },
+    { "will",   0,                              0, 1, send_willcmd, 3, 0 },
+    { "wont",   0,                              0, 1, send_wontcmd, 3, 0 },
+    { 0, 0, 0, 0, 0, 0, 0 }
+};
+
+#define GETSEND(name) ((struct sendlist *) genget(name, (char **) Sendlist, \
+                                sizeof(struct sendlist)))
+
+static int sendcmd(int argc, const char *argv[]) {
+    int count;          /* how many bytes we are going to need to send */
+    int i;
+/*    int question = 0;*/       /* was at least one argument a question */
+    struct sendlist *s; /* pointer to current command */
+    int success = 0;
+    int needconnect = 0;
+
+    if (argc < 2) {
+        printf("need at least one argument for 'send' command\n");
+        printf("'send ?' for help\n");
+        return 0;
+    }
+    /*
+     * First, validate all the send arguments.
+     * In addition, we see how much space we are going to need, and
+     * whether or not we will be doing a "SYNCH" operation (which
+     * flushes the network queue).
+     */
+    count = 0;
+    for (i = 1; i < argc; i++) {
+        s = GETSEND(argv[i]);
+        if (s == 0) {
+            printf("Unknown send argument '%s'\n'send ?' for help.\n",
+                        argv[i]);
+            return 0;
+        } 
+        else if (s == AMBIGUOUS) {
+            printf("Ambiguous send argument '%s'\n'send ?' for help.\n",
+                        argv[i]);
+            return 0;
+        }
+        if (i + s->narg >= argc) {
+            fprintf(stderr,
+            "Need %d argument%s to 'send %s' command.  'send %s ?' for help.\n",
+                s->narg, s->narg == 1 ? "" : "s", s->name, s->name);
+            return 0;
+        }
+        count += s->nbyte;
+        if (s->handler == send_help) {
+            send_help(NULL, NULL);
+            return 0;
+        }
+
+        i += s->narg;
+        needconnect += s->needconnect;
+    }
+    if (!connected && needconnect) {
+        printf("?Need to be connected first.\n");
+        printf("'send ?' for help\n");
+        return 0;
+    }
+    /* Now, do we have enough room? */
+    if (netoring.empty_count() < count) {
+        printf("There is not enough room in the buffer TO the network\n");
+        printf("to process your request.  Nothing will be done.\n");
+        printf("('send synch' will throw away most data in the network\n");
+        printf("buffer, if this might help.)\n");
+        return 0;
+    }
+    /* OK, they are all OK, now go through again and actually send */
+    count = 0;
+    for (i = 1; i < argc; i++) {
+        if ((s = GETSEND(argv[i])) == 0) {
+            fprintf(stderr, "Telnet 'send' error - argument disappeared!\n");
+            quit();
+            /*NOTREACHED*/
+        }
+        if (s->handler) {
+            count++;
+            success += (*s->handler)((s->narg > 0) ? argv[i+1] : 0,
+                                     (s->narg > 1) ? argv[i+2] : 0);
+            i += s->narg;
+        } 
+        else {
+            NET2ADD(IAC, s->what);
+            printoption("SENT", IAC, s->what);
+        }
+    }
+    return (count == success);
+}
+
+static int send_esc(const char *, const char *) {
+    NETADD(escapechar);
+    return 1;
+}
+
+static int send_docmd(const char *name, const char *) {
+    return send_tncmd(send_do, "do", name);
+}
+
+static int send_dontcmd(const char *name, const char *) {
+    return(send_tncmd(send_dont, "dont", name));
+}
+
+static int send_willcmd(const char *name, const char *) {
+    return(send_tncmd(send_will, "will", name));
+}
+
+static int send_wontcmd(const char *name, const char *) {
+    return(send_tncmd(send_wont, "wont", name));
+}
+
+int send_tncmd(int (*func)(int, int), const char *cmd, const char *name) {
+    char **cpp;
+    extern char *telopts[];
+
+    if (isprefix(name, "help") || isprefix(name, "?")) {
+        register int col, len;
+
+        printf("Usage: send %s <option>\n", cmd);
+        printf("Valid options are:\n\t");
+
+        col = 8;
+        for (cpp = telopts; *cpp; cpp++) {
+            len = strlen(*cpp) + 1;
+            if (col + len > 65) {
+                printf("\n\t");
+                col = 8;
+            }
+            printf(" %s", *cpp);
+            col += len;
+        }
+        printf("\n");
+        return 0;
+    }
+    cpp = genget(name, telopts, sizeof(char *));
+    if (cpp == AMBIGUOUS) {
+        fprintf(stderr,"'%s': ambiguous argument ('send %s ?' for help).\n",
+                                        name, cmd);
+        return 0;
+    }
+    if (cpp == 0) {
+        fprintf(stderr, "'%s': unknown argument ('send %s ?' for help).\n",
+                                        name, cmd);
+        return 0;
+    }
+    if (!connected) {
+        printf("?Need to be connected first.\n");
+        return 0;
+    }
+    (*func)(cpp - telopts, 1);
+    return 1;
+}
+
+static int send_help(const char *, const char *) {
+    struct sendlist *s; /* pointer to current command */
+    for (s = Sendlist; s->name; s++) {
+        if (s->help)
+            printf("%-15s %s\n", s->name, s->help);
+    }
+    return(0);
+}
+
+/*
+ * The following are the routines and data structures referred
+ * to by the arguments to the "toggle" command.
+ */
+
+static int lclchars(int) {
+    donelclchars = 1;
+    return 1;
+}
+
+static int togdebug(int) {
+    return nlink.setdebug(debug);
+}
+
+
+static int togcrlf(int) {
+    if (crlf) {
+        printf("Will send carriage returns as telnet <CR><LF>.\n");
+    } 
+    else {
+        printf("Will send carriage returns as telnet <CR><NUL>.\n");
+    }
+    return 1;
+}
+
+int binmode;
+
+static int togbinary(int val) {
+    donebinarytoggle = 1;
+
+    if (val >= 0) {
+        binmode = val;
+    } else {
+        if (my_want_state_is_will(TELOPT_BINARY) &&
+                                my_want_state_is_do(TELOPT_BINARY)) {
+            binmode = 1;
+        } else if (my_want_state_is_wont(TELOPT_BINARY) &&
+                                my_want_state_is_dont(TELOPT_BINARY)) {
+            binmode = 0;
+        }
+        val = binmode ? 0 : 1;
+    }
+
+    if (val == 1) {
+        if (my_want_state_is_will(TELOPT_BINARY) &&
+                                        my_want_state_is_do(TELOPT_BINARY)) {
+            printf("Already operating in binary mode with remote host.\n");
+        } else {
+            printf("Negotiating binary mode with remote host.\n");
+            tel_enter_binary(3);
+        }
+    } else {
+        if (my_want_state_is_wont(TELOPT_BINARY) &&
+                                        my_want_state_is_dont(TELOPT_BINARY)) {
+            printf("Already in network ascii mode with remote host.\n");
+        } else {
+            printf("Negotiating network ascii mode with remote host.\n");
+            tel_leave_binary(3);
+        }
+    }
+    return 1;
+}
+
+static int togrbinary(int val) {
+    donebinarytoggle = 1;
+
+    if (val == -1)
+        val = my_want_state_is_do(TELOPT_BINARY) ? 0 : 1;
+
+    if (val == 1) {
+        if (my_want_state_is_do(TELOPT_BINARY)) {
+            printf("Already receiving in binary mode.\n");
+        } 
+        else {
+            printf("Negotiating binary mode on input.\n");
+            tel_enter_binary(1);
+        }
+    } 
+    else {
+        if (my_want_state_is_dont(TELOPT_BINARY)) {
+            printf("Already receiving in network ascii mode.\n");
+        } else {
+            printf("Negotiating network ascii mode on input.\n");
+            tel_leave_binary(1);
+        }
+    }
+    return 1;
+}
+
+static int togxbinary(int val) {
+    donebinarytoggle = 1;
+
+    if (val == -1)
+        val = my_want_state_is_will(TELOPT_BINARY) ? 0 : 1;
+
+    if (val == 1) {
+        if (my_want_state_is_will(TELOPT_BINARY)) {
+            printf("Already transmitting in binary mode.\n");
+        } 
+        else {
+            printf("Negotiating binary mode on output.\n");
+            tel_enter_binary(2);
+        }
+    } 
+    else {
+        if (my_want_state_is_wont(TELOPT_BINARY)) {
+            printf("Already transmitting in network ascii mode.\n");
+        } 
+        else {
+            printf("Negotiating network ascii mode on output.\n");
+            tel_leave_binary(2);
+        }
+    }
+    return 1;
+}
+
+
+static int netdata;             /* Print out network data flow */
+static int prettydump;  /* Print "netdata" output in user readable format */
+static int termdata;    /* Print out terminal data flow */
+
+static int togglehelp(int);
+
+struct togglelist {
+    const char *name;                   /* name of toggle */
+    const char *help;                   /* help message */
+    int (*handler)(int);        /* routine to do actual setting */
+    int *variable;
+    const char *actionexplanation;
+};
+
+static struct togglelist Togglelist[] = {
+    { "autoflush", "flushing of output when sending interrupt characters",
+      NULL, &autoflush,
+      "flush output when sending interrupt characters" },
+
+    { "autosynch", "automatic sending of interrupt characters in urgent mode",
+      NULL, &autosynch,
+      "send interrupt characters in urgent mode" },
+
+#if 0
+    { "autologin", "automatic sending of login and/or authentication info",
+      NULL, &autologin,
+      "send login name and/or authentication information" },
+    { "authdebug", "Toggle authentication debugging",
+      auth_togdebug, NULL,
+      "print authentication debugging information" },
+    { "autoencrypt", "automatic encryption of data stream",
+      EncryptAutoEnc, NULL,
+      "automatically encrypt output" },
+    { "autodecrypt", "automatic decryption of data stream",
+      EncryptAutoDec, NULL,
+      "automatically decrypt input" },
+    { "verbose_encrypt", "Toggle verbose encryption output",
+      EncryptVerbose, NULL,
+      "print verbose encryption output" },
+    { "encdebug", "Toggle encryption debugging",
+      EncryptDebug, NULL,
+      "print encryption debugging information" },
+#endif
+
+    { "skiprc", "don't read ~/.telnetrc file",
+      NULL, &skiprc,
+      "read ~/.telnetrc file" },
+    { "binary",
+      "sending and receiving of binary data",
+      togbinary, NULL,
+      NULL },
+    { "inbinary", "receiving of binary data",
+      togrbinary, NULL,
+      NULL },
+    { "outbinary", "sending of binary data",
+      togxbinary, 0,
+      NULL },
+    { "crlf", "sending carriage returns as telnet <CR><LF>",
+      togcrlf, &crlf,
+      NULL },
+    { "crmod", "mapping of received carriage returns",
+      NULL, &crmod,
+      "map carriage return on output" },
+    { "localchars", "local recognition of certain control characters",
+      lclchars, &localchars,
+      "recognize certain control characters" },
+
+    { " ", "", 0, 0, 0 },               /* empty line */
+
+#if defined(TN3270) && !defined(__linux__)
+    { "apitrace", "(debugging) toggle tracing of API transactions",
+      NULL, &apitrace,
+      "trace API transactions" },
+    { "cursesdata", "(debugging) toggle printing of hexadecimal curses data",
+      NULL, &cursesdata,
+      "print hexadecimal representation of curses data" },
+#endif  /* TN3270 and not linux */
+
+    { "debug", "debugging",
+      togdebug, &debug,
+      "turn on socket level debugging" },
+    { "netdata", "printing of hexadecimal network data (debugging)",
+      NULL, &netdata,
+      "print hexadecimal representation of network traffic" },
+    { "prettydump","output of \"netdata\" to user readable format (debugging)",
+      NULL, &prettydump,
+      "print user readable output for \"netdata\"" },
+    { "options", "viewing of options processing (debugging)",
+      NULL, &showoptions,
+      "show option processing" },
+
+    { "termdata", "(debugging) toggle printing of hexadecimal terminal data",
+      NULL, &termdata,
+      "print hexadecimal representation of terminal traffic" },
+
+    { "?", NULL, togglehelp, 0, 0 },
+    { "help", NULL, togglehelp, 0, 0 },
+    { 0, 0, 0, 0, 0 }
+};
+
+static int togglehelp(int) {
+    struct togglelist *c;
+
+    for (c = Togglelist; c->name; c++) {
+        if (c->help) {
+            if (*c->help)
+                printf("%-15s toggle %s\n", c->name, c->help);
+            else
+                printf("\n");
+        }
+    }
+    printf("\n");
+    printf("%-15s %s\n", "?", "display help information");
+    return 0;
+}
+
+static void settogglehelp(int set) {
+    struct togglelist *c;
+
+    for (c = Togglelist; c->name; c++) {
+        if (c->help) {
+            if (*c->help)
+                printf("%-15s %s %s\n", c->name, set ? "enable" : "disable",
+                                                c->help);
+            else
+                printf("\n");
+        }
+    }
+}
+
+#define GETTOGGLE(name) (struct togglelist *) \
+                genget(name, (char **) Togglelist, sizeof(struct togglelist))
+
+static int toggle(int argc, const char *argv[]) {
+    int retval = 1;
+    const char *name;
+    struct togglelist *c;
+
+    if (argc < 2) {
+        fprintf(stderr,
+            "Need an argument to 'toggle' command.  'toggle ?' for help.\n");
+        return 0;
+    }
+    argc--;
+    argv++;
+    while (argc--) {
+        name = *argv++;
+        c = GETTOGGLE(name);
+        if (c == AMBIGUOUS) {
+            fprintf(stderr, "'%s': ambiguous argument ('toggle ?' for help).\n",
+                                        name);
+            return 0;
+        } 
+        else if (c == 0) {
+            fprintf(stderr, "'%s': unknown argument ('toggle ?' for help).\n",
+                                        name);
+            return 0;
+        } 
+        else {
+            if (c->variable) {
+                *c->variable = !*c->variable;           /* invert it */
+                if (c->actionexplanation) {
+                    printf("%s %s.\n", *c->variable? "Will" : "Won't",
+                                                        c->actionexplanation);
+                }
+            }
+            if (c->handler) {
+                retval &= (*c->handler)(-1);
+            }
+        }
+    }
+    return retval;
+}
+
+/*
+ * The following perform the "set" command.
+ */
+
+struct setlist {
+    const char *name;                           /* name */
+    const char *help;                           /* help information */
+    void (*handler)(const char *);
+    cc_t *charp;                        /* where it is located at */
+};
+
+static struct setlist Setlist[] = {
+#ifdef  KLUDGELINEMODE
+    { "echo",   "character to toggle local echoing on/off", 0, &echoc },
+#endif
+    { "escape", "character to escape back to telnet command mode", 0, &escapechar },
+    { "rlogin", "rlogin escape character", 0, &rlogin },
+    { "tracefile", "file to write trace information to", SetNetTrace, (cc_t *)NetTraceFile},
+    { " ", "", 0, 0 },
+    { " ", "The following need 'localchars' to be toggled true", 0, 0 },
+    { "flushoutput", "character to cause an Abort Output", 0, termFlushCharp },
+    { "interrupt", "character to cause an Interrupt Process", 0, termIntCharp },
+    { "quit",   "character to cause an Abort process", 0, termQuitCharp },
+    { "eof",    "character to cause an EOF ", 0, termEofCharp },
+    { " ", "", 0, 0 },
+    { " ", "The following are for local editing in linemode", 0, 0 },
+    { "erase",  "character to use to erase a character", 0, termEraseCharp },
+    { "kill",   "character to use to erase a line", 0, termKillCharp },
+    { "lnext",  "character to use for literal next", 0, termLiteralNextCharp },
+    { "susp",   "character to cause a Suspend Process", 0, termSuspCharp },
+    { "reprint", "character to use for line reprint", 0, termRprntCharp },
+    { "worderase", "character to use to erase a word", 0, termWerasCharp },
+    { "start",  "character to use for XON", 0, termStartCharp },
+    { "stop",   "character to use for XOFF", 0, termStopCharp },
+    { "forw1",  "alternate end of line character", 0, termForw1Charp },
+    { "forw2",  "alternate end of line character", 0, termForw2Charp },
+    { "ayt",    "alternate AYT character", 0, termAytCharp },
+    { 0, 0, 0, 0 }
+};
+
+#if     defined(CRAY) && !defined(__STDC__)
+/* Work around compiler bug in pcc 4.1.5 */
+    void
+_setlist_init()
+{
+#ifndef KLUDGELINEMODE
+#define N 5
+#else
+#define N 6
+#endif
+        Setlist[N+0].charp = &termFlushChar;
+        Setlist[N+1].charp = &termIntChar;
+        Setlist[N+2].charp = &termQuitChar;
+        Setlist[N+3].charp = &termEofChar;
+        Setlist[N+6].charp = &termEraseChar;
+        Setlist[N+7].charp = &termKillChar;
+        Setlist[N+8].charp = &termLiteralNextChar;
+        Setlist[N+9].charp = &termSuspChar;
+        Setlist[N+10].charp = &termRprntChar;
+        Setlist[N+11].charp = &termWerasChar;
+        Setlist[N+12].charp = &termStartChar;
+        Setlist[N+13].charp = &termStopChar;
+        Setlist[N+14].charp = &termForw1Char;
+        Setlist[N+15].charp = &termForw2Char;
+        Setlist[N+16].charp = &termAytChar;
+#undef  N
+}
+#endif  /* defined(CRAY) && !defined(__STDC__) */
+
+static struct setlist *
+getset(const char *name)
+{
+    return (struct setlist *)
+                genget(name, (char **) Setlist, sizeof(struct setlist));
+}
+
+void set_escape_char(char *s) {
+    if (rlogin != _POSIX_VDISABLE) {
+        rlogin = (s && *s) ? special(s) : _POSIX_VDISABLE;
+        printf("Telnet rlogin escape character is '%s'.\n",
+               control(rlogin));
+    } 
+    else {
+        escapechar = (s && *s) ? special(s) : _POSIX_VDISABLE;
+        printf("Telnet escape character is '%s'.\n", control(escapechar));
+    }
+}
+
+static int setcmd(int argc, const char *argv[]) {
+    int value;
+    struct setlist *ct;
+    struct togglelist *c;
+
+    if (argc < 2 || argc > 3) {
+        printf("Format is 'set Name Value'\n'set ?' for help.\n");
+        return 0;
+    }
+    if ((argc == 2) && (isprefix(argv[1], "?") || isprefix(argv[1], "help"))) {
+        for (ct = Setlist; ct->name; ct++)
+            printf("%-15s %s\n", ct->name, ct->help);
+        printf("\n");
+        settogglehelp(1);
+        printf("%-15s %s\n", "?", "display help information");
+        return 0;
+    }
+
+    ct = getset(argv[1]);
+    if (ct == 0) {
+        c = GETTOGGLE(argv[1]);
+        if (c == 0) {
+            fprintf(stderr, "'%s': unknown argument ('set ?' for help).\n",
+                        argv[1]);
+            return 0;
+        } 
+        else if (c == AMBIGUOUS) {
+            fprintf(stderr, "'%s': ambiguous argument ('set ?' for help).\n",
+                        argv[1]);
+            return 0;
+        }
+        if (c->variable) {
+            if ((argc == 2) || (strcmp("on", argv[2]) == 0))
+                *c->variable = 1;
+            else if (strcmp("off", argv[2]) == 0)
+                *c->variable = 0;
+            else {
+                printf("Format is 'set togglename [on|off]'\n'set ?' for help.\n");
+                return 0;
+            }
+            if (c->actionexplanation) {
+                printf("%s %s.\n", *c->variable? "Will" : "Won't",
+                                                        c->actionexplanation);
+            }
+        }
+        if (c->handler)
+            (*c->handler)(1);
+    } 
+    else if (argc != 3) {
+        printf("Format is 'set Name Value'\n'set ?' for help.\n");
+        return 0;
+    } 
+    else if (ct == AMBIGUOUS) {
+        fprintf(stderr, "'%s': ambiguous argument ('set ?' for help).\n",
+                        argv[1]);
+        return 0;
+    } 
+    else if (ct->handler) {
+        (*ct->handler)(argv[2]);
+        printf("%s set to \"%s\".\n", ct->name, (char *)ct->charp);
+    } 
+    else {
+        if (strcmp("off", argv[2])) {
+            value = special(argv[2]);
+        } else {
+            value = _POSIX_VDISABLE;
+        }
+        *(ct->charp) = (cc_t)value;
+        printf("%s character is '%s'.\n", ct->name, control(*(ct->charp)));
+    }
+    slc_check();
+    return 1;
+}
+
+static int unsetcmd(int argc, const char *argv[]) {
+    struct setlist *ct;
+    struct togglelist *c;
+    const char *name;
+
+    if (argc < 2) {
+        fprintf(stderr,
+            "Need an argument to 'unset' command.  'unset ?' for help.\n");
+        return 0;
+    }
+    if (isprefix(argv[1], "?") || isprefix(argv[1], "help")) {
+        for (ct = Setlist; ct->name; ct++)
+            printf("%-15s %s\n", ct->name, ct->help);
+        printf("\n");
+        settogglehelp(0);
+        printf("%-15s %s\n", "?", "display help information");
+        return 0;
+    }
+
+    argc--;
+    argv++;
+    while (argc--) {
+        name = *argv++;
+        ct = getset(name);
+        if (ct == 0) {
+            c = GETTOGGLE(name);
+            if (c == 0) {
+                fprintf(stderr, "'%s': unknown argument ('unset ?' for help).\n",
+                        name);
+                return 0;
+            } 
+            else if (c == AMBIGUOUS) {
+                fprintf(stderr, "'%s': ambiguous argument ('unset ?' for help).\n",
+                        name);
+                return 0;
+            }
+            if (c->variable) {
+                *c->variable = 0;
+                if (c->actionexplanation) {
+                    printf("%s %s.\n", *c->variable? "Will" : "Won't",
+                                                        c->actionexplanation);
+                }
+            }
+            if (c->handler)
+                (*c->handler)(0);
+        } 
+        else if (ct == AMBIGUOUS) {
+            fprintf(stderr, "'%s': ambiguous argument ('unset ?' for help).\n",
+                        name);
+            return 0;
+        } 
+        else if (ct->handler) {
+            (*ct->handler)(0);
+            printf("%s reset to \"%s\".\n", ct->name, (char *)ct->charp);
+        } 
+        else {
+            *(ct->charp) = _POSIX_VDISABLE;
+            printf("%s character is '%s'.\n", ct->name, control(*(ct->charp)));
+        }
+    }
+    return 1;
+}
+
+/*
+ * The following are the data structures and routines for the
+ * 'mode' command.
+ */
+#ifdef  KLUDGELINEMODE
+extern int kludgelinemode;
+
+static int dokludgemode(int) {
+    kludgelinemode = 1;
+    send_wont(TELOPT_LINEMODE, 1);
+    send_dont(TELOPT_SGA, 1);
+    send_dont(TELOPT_ECHO, 1);
+    return 0;
+}
+#endif
+
+static int dolinemode(int) {
+#ifdef  KLUDGELINEMODE
+    if (kludgelinemode)
+        send_dont(TELOPT_SGA, 1);
+#endif
+    send_will(TELOPT_LINEMODE, 1);
+    send_dont(TELOPT_ECHO, 1);
+    return 1;
+}
+
+static int docharmode(int) {
+#ifdef  KLUDGELINEMODE
+    if (kludgelinemode)
+        send_do(TELOPT_SGA, 1);
+    else
+#endif
+    send_wont(TELOPT_LINEMODE, 1);
+    send_do(TELOPT_ECHO, 1);
+    return 1;
+}
+
+static int dolmmode(int bit, int on) {
+    unsigned char c;
+    extern int linemode;
+
+    if (my_want_state_is_wont(TELOPT_LINEMODE)) {
+        printf("?Need to have LINEMODE option enabled first.\n");
+        printf("'mode ?' for help.\n");
+        return 0;
+    }
+
+    if (on)
+        c = (linemode | bit);
+    else
+        c = (linemode & ~bit);
+    lm_mode(&c, 1, 1);
+    return 1;
+}
+
+int setmode(int bit) {
+    return dolmmode(bit, 1);
+}
+
+int clearmode(int bit) {
+    return dolmmode(bit, 0);
+}
+
+struct modelist {
+        const char      *name;          /* command name */
+        const char      *help;          /* help string */
+        int     (*handler)(int);        /* routine which executes command */
+        int     needconnect;    /* Do we need to be connected to execute? */
+        int     arg1;
+};
+
+extern int modehelp(int);
+
+static struct modelist ModeList[] = {
+    { "character", "Disable LINEMODE option",                 docharmode, 1,0},
+#ifdef  KLUDGELINEMODE
+    { "",          "(or disable obsolete line-by-line mode)", NULL, 0,0 },
+#endif
+    { "line",      "Enable LINEMODE option",                  dolinemode, 1,0},
+#ifdef  KLUDGELINEMODE
+    { "",          "(or enable obsolete line-by-line mode)",  NULL, 0,0 },
+#endif
+    { "",          "",                                        NULL, 0, 0 },
+    { "",       "These require the LINEMODE option to be enabled", NULL, 0, 0},
+    { "isig",   "Enable signal trapping",       setmode, 1, MODE_TRAPSIG },
+    { "+isig",  0,                              setmode, 1, MODE_TRAPSIG },
+    { "-isig",  "Disable signal trapping",      clearmode, 1, MODE_TRAPSIG },
+    { "edit",   "Enable character editing",     setmode, 1, MODE_EDIT },
+    { "+edit",  0,                              setmode, 1, MODE_EDIT },
+    { "-edit",  "Disable character editing",    clearmode, 1, MODE_EDIT },
+    { "softtabs", "Enable tab expansion",       setmode, 1, MODE_SOFT_TAB },
+    { "+softtabs", 0,                           setmode, 1, MODE_SOFT_TAB },
+    { "-softtabs", "Disable character editing", clearmode, 1, MODE_SOFT_TAB },
+    { "litecho", "Enable literal character echo", setmode, 1, MODE_LIT_ECHO },
+    { "+litecho", 0,                            setmode, 1, MODE_LIT_ECHO },
+    { "-litecho", "Disable literal character echo", clearmode, 1, MODE_LIT_ECHO },
+    { "help",   0,                              modehelp, 0, 0 },
+#ifdef  KLUDGELINEMODE
+    { "kludgeline", 0,                          dokludgemode, 1, 0 },
+#endif
+    { "", "", 0, 0, 0 },
+    { "?",      "Print help information",       modehelp, 0, 0 },
+    { 0, 0, 0, 0, 0 },
+};
+
+
+int modehelp(int) {
+    struct modelist *mt;
+
+    printf("format is:  'mode Mode', where 'Mode' is one of:\n\n");
+    for (mt = ModeList; mt->name; mt++) {
+        if (mt->help) {
+            if (*mt->help)
+                printf("%-15s %s\n", mt->name, mt->help);
+            else
+                printf("\n");
+        }
+    }
+    return 0;
+}
+
+#define GETMODECMD(name) (struct modelist *) \
+                genget(name, (char **) ModeList, sizeof(struct modelist))
+
+static int modecmd(const char *arg) {
+    struct modelist *mt;
+
+    mt = GETMODECMD(arg);
+    if (mt == 0) {
+        fprintf(stderr, "Unknown mode '%s' ('mode ?' for help).\n", arg);
+    } 
+    else if (mt == AMBIGUOUS) {
+        fprintf(stderr, "Ambiguous mode '%s' ('mode ?' for help).\n", arg);
+    } 
+    else if (mt->needconnect && !connected) {
+        printf("?Need to be connected first.\n");
+        printf("'mode ?' for help.\n");
+    }
+    else if (mt->handler) {
+        return (*mt->handler)(mt->arg1);
+    }
+    return 0;
+}
+
+/*
+ * The following data structures and routines implement the
+ * "display" command.
+ */
+
+static void dotog(struct togglelist *tl) {
+    if (tl->variable && tl->actionexplanation) {
+        if (*tl->variable) {
+            printf("will");
+        } 
+        else {
+            printf("won't");
+        }
+        printf(" %s.\n", tl->actionexplanation);
+    }
+}
+
+static void doset(struct setlist *sl) {
+    if (sl->name && *sl->name != ' ') {
+        if (sl->handler == 0) {
+            printf("%-15s [%s]\n", sl->name, control(*sl->charp));
+        }
+        else {
+            printf("%-15s \"%s\"\n", sl->name, (char *)sl->charp);
+        }
+    }
+}
+
+static int display(int argc, const char *argv[]) {
+    struct togglelist *tl;
+    struct setlist *sl;
+
+    if (argc == 1) {
+        for (tl = Togglelist; tl->name; tl++) {
+            dotog(tl);
+        }
+        printf("\n");
+        for (sl = Setlist; sl->name; sl++) {
+            doset(sl);
+        }
+    } 
+    else {
+        int i;
+
+        for (i = 1; i < argc; i++) {
+            sl = getset(argv[i]);
+            tl = GETTOGGLE(argv[i]);
+            if (sl == AMBIGUOUS || tl == AMBIGUOUS) {
+                printf("?Ambiguous argument '%s'.\n", argv[i]);
+                return 0;
+            } 
+            else if (!sl && !tl) {
+                printf("?Unknown argument '%s'.\n", argv[i]);
+                return 0;
+            } 
+            else {
+                if (tl) {
+                    dotog(tl);
+                }
+                if (sl) {
+                    doset(sl);
+                }
+            }
+        }
+    }
+    optionstatus();
+    return 1;
+}
+
+/*
+ * The following are the data structures, and many of the routines,
+ * relating to command processing.
+ */
+
+/*
+ * Set the escape character.
+ */
+static int setescape(int argc, const char *argv[]) {
+        const char *arg;
+        char buf[50];
+
+        printf(
+            "Deprecated usage - please use 'set escape%s%s' in the future.\n",
+                                (argc > 2)? " ":"", (argc > 2)? argv[1]: "");
+        if (argc > 2) {
+                arg = argv[1];
+        }
+        else {
+                printf("new escape character: ");
+                (void) fgets(buf, sizeof(buf), stdin);
+                arg = buf;
+        }
+        if (arg[0] != '\0')
+                escapechar = arg[0];
+        if (!In3270) {
+                printf("Escape character is '%s'.\n", control(escapechar));
+        }
+        (void) fflush(stdout);
+        return 1;
+}
+
+static int togcrmod(void) {
+    crmod = !crmod;
+    printf("Deprecated usage - please use 'toggle crmod' in the future.\n");
+    printf("%s map carriage return on output.\n", crmod ? "Will" : "Won't");
+    fflush(stdout);
+    return 1;
+}
+
+int suspend(void) {
+#ifdef  SIGTSTP
+    setcommandmode();
+    {
+        long oldrows, oldcols, newrows, newcols, err;
+
+        err = TerminalWindowSize(&oldrows, &oldcols);
+        (void) kill(0, SIGTSTP);
+        err += TerminalWindowSize(&newrows, &newcols);
+        if (connected && !err &&
+            ((oldrows != newrows) || (oldcols != newcols))) {
+                sendnaws();
+        }
+    }
+    /* reget parameters in case they were changed */
+    TerminalSaveState();
+    setconnmode(0);
+#else
+    printf("Suspend is not supported.  Try the '!' command instead\n");
+#endif
+    return 1;
+}
+
+#if !defined(TN3270)
+int shell(int argc, const char **) {
+    setcommandmode();
+    switch(vfork()) {
+    case -1:
+        perror("Fork failed\n");
+        break;
+
+    case 0:
+        {
+            /*
+             * Fire up the shell in the child.
+             */
+            const char *shellp, *shellname;
+
+            shellp = getenv("SHELL");
+            if (shellp == NULL)
+                shellp = "/bin/sh";
+            if ((shellname = rindex(shellp, '/')) == 0)
+                shellname = shellp;
+            else
+                shellname++;
+            if (argc > 1)
+                execl(shellp, shellname, "-c", &saveline[1], 0);
+            else
+                execl(shellp, shellname, 0);
+            perror("Execl");
+            _exit(1);
+        }
+    default:
+            wait(NULL); /* Wait for the shell to complete */
+    }
+    return 1;
+}
+#endif  /* !defined(TN3270) */
+
+static int dobye(int isfromquit) {
+    extern int resettermname;
+
+    if (connected) {
+        nlink.close(1);
+        printf("Connection closed.\n");
+        connected = 0;
+        resettermname = 1;
+
+        /* reset options */
+        tninit();
+#if     defined(TN3270)
+        SetIn3270();            /* Get out of 3270 mode */
+#endif  /* defined(TN3270) */
+    }
+    if (!isfromquit) {
+        siglongjmp(toplevel, 1);
+        /* NOTREACHED */
+    }
+    return 1;                   /* Keep lint, etc., happy */
+}
+
+static int bye(void) {
+    if (!connected) {
+        printf("Need to be connected first for `bye'.\n");
+        return 0;
+    }
+    return dobye(0);
+}
+
+void quit(void) {
+    dobye(1);
+    Exit(0);
+}
+
+int logout(void) {
+    if (!connected) {
+        printf("Need to be connected first for `logout'.\n");
+        return 0;
+    }
+    send_do(TELOPT_LOGOUT, 1);
+    netflush();
+    return 1;
+}
+
+/*
+ * The ENVIRON command.
+ */
+
+struct envcmd {
+        const char      *name;
+        const char      *help;
+        void    (*handler)(const char *, const char *);
+        int     narg;
+};
+
+static void env_help(const char *, const char *);
+
+typedef void (*envfunc)(const char *, const char *);
+
+struct envcmd EnvList[] = {
+    { "define", "Define an environment variable",
+                                                env_define,     2 },
+    { "undefine", "Undefine an environment variable",
+                                                (envfunc) env_undefine, 1 },
+    { "export", "Mark an environment variable for automatic export",
+                                                (envfunc) env_export,   1 },
+    { "unexport", "Don't mark an environment variable for automatic export",
+                                                (envfunc) env_unexport, 1 },
+    { "send",   "Send an environment variable", (envfunc) env_send,     1 },
+    { "list",   "List the current environment variables",
+                                                (envfunc) env_list,     0 },
+    { "help",   0,                              env_help,               0 },
+    { "?",      "Print help information",       env_help,               0 },
+    { 0, 0, 0, 0 },
+};
+
+static void env_help(const char *, const char *) {
+    struct envcmd *c;
+
+    for (c = EnvList; c->name; c++) {
+        if (c->help) {
+            if (*c->help)
+                printf("%-15s %s\n", c->name, c->help);
+            else
+                printf("\n");
+        }
+    }
+}
+
+static struct envcmd *getenvcmd(const char *name) {
+    return (struct envcmd *)
+                genget(name, (char **) EnvList, sizeof(struct envcmd));
+}
+
+int env_cmd(int argc, const char *argv[]) {
+    struct envcmd *c;
+
+    if (argc < 2) {
+        fprintf(stderr,
+            "Need an argument to 'environ' command.  'environ ?' for help.\n");
+        return 0;
+    }
+    c = getenvcmd(argv[1]);
+    if (c == 0) {
+        fprintf(stderr, "'%s': unknown argument ('environ ?' for help).\n",
+                                argv[1]);
+        return 0;
+    }
+    if (c == AMBIGUOUS) {
+        fprintf(stderr, "'%s': ambiguous argument ('environ ?' for help).\n",
+                                argv[1]);
+        return 0;
+    }
+    if (c->narg + 2 != argc) {
+        fprintf(stderr,
+            "Need %s%d argument%s to 'environ %s' command.  'environ ?' for help.\n",
+                c->narg < argc + 2 ? "only " : "",
+                c->narg, c->narg == 1 ? "" : "s", c->name);
+        return 0;
+    }
+    (*c->handler)(argv[2], argv[3]);
+    return 1;
+}
+
+
+/*
+ * The AUTHENTICATE command.
+ *
+ *    auth status      Display status
+ *    auth disable     Disable an authentication type
+ *    auth enable      Enable an authentication type
+ *
+ * The ENCRYPT command.
+ *
+ *   encrypt enable     Enable encryption
+ *   encrypt disable    Disable encryption
+ *   encrypt type foo   Set encryption type
+ *   encrypt start      Start encryption
+ *   encrypt stop       Stop encryption
+ *   encrypt input      Start encrypting input stream
+ *   encrypt -input     Stop encrypting input stream
+ *   encrypt output     Start encrypting output stream
+ *   encrypt -output    Stop encrypting output stream
+ *   encrypt status     Print status
+ */
+
+
+#ifdef TN3270
+char *oflgs[] = { "read-only", "write-only", "read-write" };
+    
+static void filestuff(int fd) {
+    int res;
+
+#ifdef  F_GETOWN
+    setconnmode(0);
+    res = fcntl(fd, F_GETOWN, 0);
+    setcommandmode();
+
+    if (res == -1) {
+        perror("fcntl");
+        return;
+    }
+    printf("\tOwner is %d.\n", res);
+#endif
+
+    setconnmode(0);
+    res = fcntl(fd, F_GETFL, 0);
+    setcommandmode();
+
+    if (res == -1) {
+        perror("fcntl");
+        return;
+    }
+    printf("\tFlags are 0x%x: %s\n", res, oflgs[res]);
+}
+#endif /* TN3270 */
+
+/*
+ * Print status about the connection.
+ */
+static int dostatus(int notmuch) {
+    if (connected) {
+        printf("Connected to %s.\n", hostname);
+        if (!notmuch) {
+            int mode = getconnmode();
+
+            if (my_want_state_is_will(TELOPT_LINEMODE)) {
+                printf("Operating with LINEMODE option\n");
+                printf("%s line editing\n", (mode&MODE_EDIT) ? "Local" : "No");
+                printf("%s catching of signals\n",
+                                        (mode&MODE_TRAPSIG) ? "Local" : "No");
+                slcstate();
+#ifdef  KLUDGELINEMODE
+            } 
+            else if (kludgelinemode && my_want_state_is_dont(TELOPT_SGA)) {
+                printf("Operating in obsolete linemode\n");
+#endif
+            } 
+            else {
+                printf("Operating in single character mode\n");
+                if (localchars)
+                    printf("Catching signals locally\n");
+            }
+            printf("%s character echo\n", (mode&MODE_ECHO) ? "Local" : "Remote");
+            if (my_want_state_is_will(TELOPT_LFLOW))
+                printf("%s flow control\n", (mode&MODE_FLOW) ? "Local" : "No");
+        }
+    } 
+    else {
+        printf("No connection.\n");
+    }
+#if !defined(TN3270)
+    printf("Escape character is '%s'.\n", control(escapechar));
+    (void) fflush(stdout);
+#else /* !defined(TN3270) */
+    if ((!In3270) && !notmuch) {
+        printf("Escape character is '%s'.\n", control(escape));
+    }
+    if ((argc >= 2) && !strcmp(argv[1], "everything")) {
+        printf("SIGIO received %d time%s.\n",
+                                sigiocount, (sigiocount == 1)? "":"s");
+        if (In3270) {
+            printf("Process ID %d, process group %d.\n",
+                                            getpid(), getpgrp(getpid()));
+            printf("Terminal input:\n");
+            filestuff(tin);
+            printf("Terminal output:\n");
+            filestuff(tout);
+            printf("Network socket:\n");
+            filestuff(net);
+        }
+    }
+    if (In3270 && transcom) {
+       printf("Transparent mode command is '%s'.\n", transcom);
+    }
+    fflush(stdout);
+    if (In3270) {
+        return 0;
+    }
+#endif /* TN3270 */
+    return 1;
+}
+
+static int status(void) {
+    int notmuch = 1;
+    return dostatus(notmuch);
+}
+
+#ifdef  SIGINFO
+/*
+ * Function that gets called when SIGINFO is received.
+ */
+void ayt_status(int) {
+    dostatus(1);
+}
+#endif
+
+int tn(int argc, const char *argv[]) {
+    register struct hostent *host = 0;
+    struct sockaddr_in sn;
+    struct servent *sp = 0;
+    char *srp = NULL;
+    int srlen;
+
+    const char *cmd, *volatile user = 0;
+    const char *portp = NULL;
+    char *hostp = NULL;
+
+    /* clear the socket address prior to use */
+    memset(&sn, 0, sizeof(sn));
+
+    if (connected) {
+        printf("?Already connected to %s\n", hostname);
+        setuid(getuid());
+        return 0;
+    }
+    if (_hostname) {
+        delete[] _hostname;
+        _hostname = 0;
+    }
+    if (argc < 2) {
+        (void) strcpy(line, "open ");
+        printf("(to) ");
+        (void) fgets(&line[strlen(line)], sizeof(line) - strlen(line), stdin);
+        makeargv();
+        argc = margc;
+        argv = margv;
+    }
+    cmd = *argv;
+    --argc; ++argv;
+    while (argc) {
+        /* 
+         * Having "telnet h" print usage is really stupid... 
+         * suppose your hostname is h?
+         */
+        if (/*isprefix(*argv, "help") ||*/ isprefix(*argv, "?"))
+            goto usage;
+        if (strcmp(*argv, "-l") == 0) {
+            --argc; ++argv;
+            if (argc == 0)
+                goto usage;
+            user = *argv++;
+            --argc;
+            continue;
+        }
+        if (strcmp(*argv, "-a") == 0) {
+            --argc; ++argv;
+            autologin = 1;
+            continue;
+        }
+        if (hostp == 0) {
+            /* this leaks memory - FIXME */
+            hostp = strdup(*argv++);
+            --argc;
+            continue;
+        }
+        if (portp == 0) {
+            portp = *argv++;
+            --argc;
+            continue;
+        }
+    usage:
+        printf("usage: %s [-l user] [-a] host-name [port]\n", cmd);
+        setuid(getuid());
+        return 0;
+    }
+    if (hostp == 0)
+        goto usage;
+
+#if defined(IP_OPTIONS) && defined(HAS_IPPROTO_IP)
+    if (hostp[0] == '@' || hostp[0] == '!') {
+        if ((hostname = strrchr(hostp, ':')) == NULL)
+            hostname = strrchr(hostp, '@');
+        hostname++;
+        srp = 0;
+        int temp = sourceroute(hostp, &srp, &srlen);
+        if (temp == 0) {
+            herror(srp);
+            setuid(getuid());
+            return 0;
+        } else if (temp == -1) {
+            printf("Bad source route option: %s\n", hostp);
+            setuid(getuid());
+            return 0;
+        } else {
+            sn.sin_addr.s_addr = temp;
+            sn.sin_family = AF_INET;
+        }
+    } 
+    else {
+#endif
+        if (inet_aton(hostp, &sn.sin_addr)) {
+            sn.sin_family = AF_INET;
+            _hostname = new char[strlen(hostp) + 1];
+            strcpy(_hostname, hostp);
+            hostname = _hostname;
+        } 
+        else {
+            host = gethostbyname(hostp);
+            if (host) {
+                sn.sin_family = host->h_addrtype;
+                if (host->h_length > (int)sizeof(sn.sin_addr)) {
+                    host->h_length = sizeof(sn.sin_addr);
+                }
+#if     defined(h_addr)         /* In 4.3, this is a #define */
+                memcpy((caddr_t)&sn.sin_addr,
+                                host->h_addr_list[0], host->h_length);
+#else   /* defined(h_addr) */
+                memcpy((caddr_t)&sn.sin_addr, host->h_addr, host->h_length);
+#endif  /* defined(h_addr) */
+                _hostname = new char [strlen(host->h_name) + 1];
+                strcpy(_hostname, host->h_name);
+                hostname = _hostname;
+            } else {
+                herror(hostp);
+                setuid(getuid());
+                return 0;
+            }
+        }
+#if defined(IP_OPTIONS) && defined(HAS_IPPROTO_IP)
+    }
+#endif
+    if (portp) {
+        if (*portp == '-') {
+            portp++;
+            telnetport = 1;
+        } else
+            telnetport = 0;
+        sn.sin_port = atoi(portp);
+        if (sn.sin_port == 0) {
+            sp = getservbyname(portp, "tcp");
+            if (sp)
+                sn.sin_port = sp->s_port;
+            else {
+                printf("%s: bad port number\n", portp);
+                setuid(getuid());
+                return 0;
+            }
+        } 
+        else {
+            sn.sin_port = htons(sn.sin_port);
+        }
+    } 
+    else {
+        if (sp == 0) {
+            sp = getservbyname("telnet", "tcp");
+            if (sp == 0) {
+                fprintf(stderr, "telnet: tcp/telnet: unknown service\n");
+                setuid(getuid());
+                return 0;
+            }
+            sn.sin_port = sp->s_port;
+        }
+        telnetport = 1;
+    }
+    printf("Trying %s...\n", inet_ntoa(sn.sin_addr));
+    do {
+        int x = nlink.connect(debug, host, &sn, srp, srlen, tos);
+        if (!x) return 0;
+        else if (x==1) continue;
+        connected++;
+    } while (connected == 0);
+    cmdrc(hostp, hostname);
+    if (autologin && user == NULL) {
+        struct passwd *pw;
+
+        user = getenv("USER");
+        if (user == NULL ||
+            ((pw = getpwnam(user))!=NULL && pw->pw_uid != getuid())) {
+                if ((pw = getpwuid(getuid()))!=NULL)
+                        user = pw->pw_name;
+                else
+                        user = NULL;
+        }
+    }
+    if (user) {
+        env_define("USER", user);
+        env_export("USER");
+    }
+    dostatus(1);
+    if (sigsetjmp(peerdied, 1) == 0)
+        telnet(user);
+    nlink.close(0);
+    ExitString("Connection closed by foreign host.\n",1);
+    /*NOTREACHED*/
+    return 0;
+}
+
+static char
+        openhelp[] =    "connect to a site",
+        closehelp[] =   "close current connection",
+        logouthelp[] =  "forcibly logout remote user and close the connection",
+        quithelp[] =    "exit telnet",
+        statushelp[] =  "print status information",
+        sendhelp[] =    "transmit special characters ('send ?' for more)",
+        sethelp[] =     "set operating parameters ('set ?' for more)",
+        unsethelp[] =   "unset operating parameters ('unset ?' for more)",
+        togglestring[] ="toggle operating parameters ('toggle ?' for more)",
+        displayhelp[] = "display operating parameters",
+#ifdef TN3270
+        transcomhelp[] = "specify Unix command for transparent mode pipe",
+#endif /* TN3270 */
+        zhelp[] =       "suspend telnet",
+/*      shellhelp[] =   "invoke a subshell", */
+        envhelp[] =     "change environment variables ('environ ?' for more)",
+        modestring[] = "try to enter line or character mode ('mode ?' for more)";
+
+static char     crmodhelp[] =   "deprecated command -- use 'toggle crmod' instead";
+static char     escapehelp[] =  "deprecated command -- use 'set escape' instead";
+
+static int help(command_table *, int, const char **);
+
+static int doquit(void) {
+    quit();
+    return 0;
+}
+
+static int slc_mode_import_0(void) {
+    slc_mode_import(0);
+    return 1;
+}
+
+static int slc_mode_import_1(void) {
+    slc_mode_import(1);
+    return 1;
+}
+
+static int do_slc_mode_export(void) {
+    slc_mode_export();
+    return 1;
+}
+
+static ptrarray<command_entry> cmdtab;
+static ptrarray<command_entry> cmdtab2;
+static ptrarray<command_entry> slctab;
+
+#define BIND(a,b,c) cmdtab.add(new command_entry(a,b,c))
+#define BIND2(a,b,c) cmdtab2.add(new command_entry(a,b,c))
+#define BINDS(a,b,c) slctab.add(new command_entry(a,b,c))
+
+
+void cmdtab_init(void) {
+    BIND("close",   closehelp,    bye);
+    BIND("logout",  logouthelp,   logout);
+    BIND("display", displayhelp,  display);
+    BIND("mode",    modestring,   modecmd);
+    BIND("open",    openhelp,     tn);
+    BIND("quit",    quithelp,     doquit);
+    BIND("send",    sendhelp,     sendcmd);
+    BIND("set",     sethelp,      setcmd);
+    BIND("unset",   unsethelp,    unsetcmd);
+    BIND("status",  statushelp,   status);
+    BIND("toggle",  togglestring, toggle);
+    BIND("slc", "set treatment of special characters\n", &slctab);
+
+#ifdef TN3270
+    BIND("transcom", transcomhelp, settranscom);
+#endif /* TN3270 */
+
+    // BIND("auth", authhelp, auth_cmd);
+    // BIND("encrypt", encrypthelp, encrypt_cmd);
+
+    BIND("z", zhelp, suspend);
+
+#if defined(TN3270)   /* why?! */
+    BIND("!", shellhelp, shell);
+#endif
+
+    BIND("environ", envhelp, env_cmd);
+
+    BINDS("export", "Use local special character definitions",
+         do_slc_mode_export);
+    BINDS("import", "Use remote special character definitions",
+         slc_mode_import_1);
+    BINDS("check", "Verify remote special character definitions",
+         slc_mode_import_0);
+
+    BIND2("escape", escapehelp, setescape);
+    BIND2("crmod", crmodhelp, togcrmod);
+}
+
+
+static command_entry *getcmd(command_table *tab, const char *name) {
+    if (!strcasecmp(name, "?") || 
+        !strcasecmp(name, "h") ||
+        !strcasecmp(name, "help")) return (command_entry *)HELP;
+
+    command_entry *found = NULL;
+
+    for (int i=0; i<tab->num(); i++) {
+        command_entry *c = (*tab)[i];
+        if (!strcasecmp(c->getname(), name)) return c;
+        if (!strncasecmp(c->getname(), name, strlen(name))) {
+            if (found) return (command_entry *)AMBIGUOUS;
+            found = c;
+        }
+    }
+    if (tab==&cmdtab && !found) return getcmd(&cmdtab2, name);
+
+    return found;
+}
+
+static int process_command(command_table *tab, int argc, const char **argv) {
+    command_entry *c;
+    c = getcmd(tab, argv[0]);
+    if (c == HELP) {
+        help(tab, argc, argv);
+    }
+    else if (c == AMBIGUOUS) {
+        printf("?Ambiguous command\n");
+    }
+    else if (c == NULL) {
+        printf("?Invalid command\n");
+    }
+    else {
+        if (c->call(argc, argv)) return 1;
+    }
+    return 0;
+}
+
+void command(int top, const char *tbuf, int cnt) {
+
+    setcommandmode();
+    if (!top) {
+        putchar('\n');
+    } 
+    else {
+        signal(SIGINT, SIG_DFL);
+        signal(SIGQUIT, SIG_DFL);
+    }
+    for (;;) {
+        if (rlogin == _POSIX_VDISABLE)
+                printf("%s> ", prompt);
+        if (tbuf) {
+            char *cp = line;
+            while (cnt > 0 && (*cp++ = *tbuf++) != '\n')
+                cnt--;
+            tbuf = 0;
+            if (cp == line || *--cp != '\n' || cp == line)
+                goto getline;
+            *cp = '\0';
+            if (rlogin == _POSIX_VDISABLE)
+                printf("%s\n", line);
+        } 
+        else {
+         getline:
+            if (rlogin != _POSIX_VDISABLE)
+                printf("%s> ", prompt);
+            if (fgets(line, sizeof(line), stdin) == NULL) {
+                if (feof(stdin) || ferror(stdin)) {
+                    quit();
+                    /*NOTREACHED*/
+                }
+                break;
+            }
+        }
+        if (line[0] == 0)
+            break;
+        makeargv();
+        if (margv[0] == 0) {
+            break;
+        }
+        if (process_command(&cmdtab, margc, margv)) break;
+    }
+    if (!top) {
+        if (!connected) {
+            siglongjmp(toplevel, 1);
+            /*NOTREACHED*/
+        }
+#if     defined(TN3270)
+        if (shell_active == 0) {
+            setconnmode(0);
+        }
+#else   /* defined(TN3270) */
+        setconnmode(0);
+#endif  /* defined(TN3270) */
+    }
+}
+
+/*
+ * Help command.
+ */
+static int help(command_table *tab, int argc, const char *argv[]) {
+    int i;
+    
+    if (argc == 1) {
+        printf("Commands may be abbreviated.  Commands are:\n\n");
+        for (i = 0; i<tab->num(); i++) (*tab)[i]->describe();
+        return 0;
+    }
+    for (i=1; i<argc; i++) {
+        command_entry *c = getcmd(tab, argv[i]);
+        if (c == HELP) {
+            printf("Print help information\n");
+        }
+        else if (c == AMBIGUOUS) {
+            printf("?Ambiguous help command %s\n", argv[i]);
+        }
+        else if (c == NULL) {
+            printf("?Invalid help command %s\n", argv[i]);
+        }
+        else {
+            c->gethelp();
+        }
+    }
+    return 0;
+}
+
+static char *rcname = 0;
+static char rcbuf[128];
+
+void cmdrc(const char *m1, const char *m2) {
+    FILE *rcfile;
+    int gotmachine = 0;
+    int l1 = strlen(m1);
+    int l2 = strlen(m2);
+    char m1save[strlen(m1) + 1];
+
+    if (skiprc) return;
+
+    strcpy(m1save, m1);
+    m1 = m1save;
+
+    if (rcname == 0) {
+        rcname = getenv("HOME");
+        if (rcname)
+            strcpy(rcbuf, rcname);
+        else
+            rcbuf[0] = '\0';
+        strcat(rcbuf, "/.telnetrc");
+        rcname = rcbuf;
+    }
+
+    rcfile = fopen(rcname, "r");
+    if (!rcfile) return;
+
+    while (fgets(line, sizeof(line), rcfile)) {
+        if (line[0] == 0)
+            break;
+        if (line[0] == '#')
+            continue;
+        if (gotmachine) {
+            if (!isspace(line[0]))
+                gotmachine = 0;
+        }
+        if (gotmachine == 0) {
+            if (isspace(line[0]))
+                continue;
+            if (strncasecmp(line, m1, l1) == 0)
+                strncpy(line, &line[l1], sizeof(line) - l1);
+            else if (strncasecmp(line, m2, l2) == 0)
+                strncpy(line, &line[l2], sizeof(line) - l2);
+            else if (strncasecmp(line, "DEFAULT", 7) == 0)
+                strncpy(line, &line[7], sizeof(line) - 7);
+            else
+                continue;
+            if (line[0] != ' ' && line[0] != '\t' && line[0] != '\n')
+                continue;
+            gotmachine = 1;
+        }
+        makeargv();
+        if (margv[0] == 0)
+            continue;
+        process_command(&cmdtab, margc, margv);
+    }
+    fclose(rcfile);
+}
+
+#if defined(IP_OPTIONS) && defined(HAS_IPPROTO_IP)
+
+/*
+ * Source route is handed in as
+ *      [!]@hop1@hop2...[@|:]dst
+ * If the leading ! is present, it is a
+ * strict source route, otherwise it is
+ * assmed to be a loose source route.
+ *
+ * We fill in the source route option as
+ *      hop1,hop2,hop3...dest
+ * and return a pointer to hop1, which will
+ * be the address to connect() to.
+ *
+ * Arguments:
+ *      arg:    pointer to route list to decipher
+ *
+ *      cpp:    If *cpp is not equal to NULL, this is a
+ *              pointer to a pointer to a character array
+ *              that should be filled in with the option.
+ *
+ *      lenp:   pointer to an integer that contains the
+ *              length of *cpp if *cpp != NULL.
+ *
+ * Return values:
+ *
+ *      Returns the address of the host to connect to.  If the
+ *      return value is -1, there was a syntax error in the
+ *      option, either unknown characters, or too many hosts.
+ *      If the return value is 0, one of the hostnames in the
+ *      path is unknown, and *cpp is set to point to the bad
+ *      hostname.
+ *
+ *      *cpp:   If *cpp was equal to NULL, it will be filled
+ *              in with a pointer to our static area that has
+ *              the option filled in.  This will be 32bit aligned.
+ * 
+ *      *lenp:  This will be filled in with how long the option
+ *              pointed to by *cpp is.
+ *      
+ */
+static unsigned long sourceroute(char *arg, char **cpp, int *lenp) {
+        static char lsr[44];
+        char *cp, *cp2, *lsrp, *lsrep;
+        struct in_addr sin_addr;
+        register struct hostent *host = 0;
+        register char c;
+
+        /*
+         * Verify the arguments, and make sure we have
+         * at least 7 bytes for the option.
+         */
+        if (cpp == NULL || lenp == NULL)
+                return((unsigned long)-1);
+        if (*cpp != NULL && *lenp < 7)
+                return((unsigned long)-1);
+        /*
+         * Decide whether we have a buffer passed to us,
+         * or if we need to use our own static buffer.
+         */
+        if (*cpp) {
+                lsrp = *cpp;
+                lsrep = lsrp + *lenp;
+        } 
+        else {
+                *cpp = lsrp = lsr;
+                lsrep = lsrp + 44;
+        }
+
+        cp = arg;
+
+        /*
+         * Next, decide whether we have a loose source
+         * route or a strict source route, and fill in
+         * the begining of the option.
+         */
+        if (*cp == '!') {
+                cp++;
+                *lsrp++ = IPOPT_SSRR;
+        } 
+        else *lsrp++ = IPOPT_LSRR;
+
+        if (*cp != '@')
+                return((unsigned long)-1);
+
+        lsrp++;         /* skip over length, we'll fill it in later */
+        *lsrp++ = 4;
+
+        cp++;
+
+        sin_addr.s_addr = 0;
+
+        for (c = 0;;) {
+                if (c == ':')
+                        cp2 = 0;
+                else for (cp2 = cp; (c = *cp2) != 0; cp2++) {
+                        if (c == ',') {
+                                *cp2++ = '\0';
+                                if (*cp2 == '@')
+                                        cp2++;
+                        } else if (c == '@') {
+                                *cp2++ = '\0';
+                        } else if (c == ':') {
+                                *cp2++ = '\0';
+                        } else
+                                continue;
+                        break;
+                }
+                if (!c)
+                        cp2 = 0;
+
+                if (inet_aton(cp, &sin_addr)) ;  /* nothing */
+                else if ((host = gethostbyname(cp))!=NULL) {
+                    if (host->h_length > (int)sizeof(sin_addr)) {
+                        host->h_length = sizeof(sin_addr);
+                    }
+#if defined(h_addr)
+                    memcpy(&sin_addr, host->h_addr_list[0], host->h_length);
+#else
+                    memcpy(&sin_addr, host->h_addr, host->h_length);
+#endif
+                } else {
+                        *cpp = cp;
+                        return(0);
+                }
+                memcpy(lsrp, (char *)&sin_addr, 4);
+                lsrp += 4;
+                if (cp2)
+                        cp = cp2;
+                else
+                        break;
+                /*
+                 * Check to make sure there is space for next address
+                 */
+                if (lsrp + 4 > lsrep)
+                        return((unsigned long)-1);
+        }
+        if ((*(*cpp+IPOPT_OLEN) = lsrp - *cpp) <= 7) {
+                *cpp = 0;
+                *lenp = 0;
+                return((unsigned long)-1);
+        }
+        *lsrp++ = IPOPT_NOP; /* 32 bit word align it */
+        *lenp = lsrp - *cpp;
+        return(sin_addr.s_addr);
+}
+#endif
diff --git a/exploits/7350855-netkit/netkit-telnet-0.16/telnet/commands.o b/exploits/7350855-netkit/netkit-telnet-0.16/telnet/commands.o
new file mode 100644
index 0000000..d02baf8
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.16/telnet/commands.o
diff --git a/exploits/7350855-netkit/netkit-telnet-0.16/telnet/defines.h b/exploits/7350855-netkit/netkit-telnet-0.16/telnet/defines.h
new file mode 100644
index 0000000..2784400
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.16/telnet/defines.h
@@ -0,0 +1,52 @@
+/*
+ * Copyright (c) 1988 Regents of the University of California.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *      This product includes software developed by the University of
+ *      California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *      from: @(#)defines.h     5.1 (Berkeley) 9/14/90
+ *      $Id: defines.h,v 1.5 1996/08/04 23:44:43 dholland Exp $
+ */
+
+#define ENV_VAR NEW_ENV_VAR
+#define ENV_VALUE NEW_ENV_VALUE
+#define TELOPT_ENVIRON TELOPT_NEW_ENVIRON
+
+#define settimer(x)     clocks.x = clocks.system++
+
+#if !defined(TN3270)
+#define SetIn3270()
+#endif
+
+/* Various modes */
+#define MODE_LOCAL_CHARS(m)     ((m)&(MODE_EDIT|MODE_TRAPSIG))
+#define MODE_LOCAL_ECHO(m)      ((m)&MODE_ECHO)
+#define MODE_COMMAND_LINE(m)    ((m)==-1)
+
+#define CONTROL(x)      ((x)&0x1f)              /* CTRL(x) is not portable */
diff --git a/exploits/7350855-netkit/netkit-telnet-0.16/telnet/depend.mk b/exploits/7350855-netkit/netkit-telnet-0.16/telnet/depend.mk
new file mode 100644
index 0000000..fe6eaa0
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.16/telnet/depend.mk
@@ -0,0 +1,17 @@
+commands.o: commands.cc ring.h externs.h defines.h types.h genget.h \
+ environ.h proto.h ptrarray.h netlink.h
+main.o: main.cc ../version.h ring.h externs.h defines.h proto.h
+network.o: network.cc ring.h defines.h externs.h proto.h netlink.h
+ring.o: ring.cc ring.h
+sys_bsd.o: sys_bsd.cc ring.h defines.h externs.h types.h proto.h \
+ netlink.h terminal.h
+telnet.o: telnet.cc ring.h defines.h externs.h types.h environ.h \
+ proto.h ptrarray.h netlink.h terminal.h
+terminal.o: terminal.cc ring.h defines.h externs.h types.h proto.h \
+ terminal.h
+tn3270.o: tn3270.cc defines.h ring.h externs.h proto.h
+utilities.o: utilities.cc ring.h defines.h externs.h proto.h \
+ terminal.h
+genget.o: genget.cc genget.h
+environ.o: environ.cc ring.h defines.h externs.h environ.h array.h
+netlink.o: netlink.cc netlink.h proto.h ring.h
diff --git a/exploits/7350855-netkit/netkit-telnet-0.16/telnet/environ.cc b/exploits/7350855-netkit/netkit-telnet-0.16/telnet/environ.cc
new file mode 100644
index 0000000..3950f04
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.16/telnet/environ.cc
@@ -0,0 +1,200 @@
+#include <unistd.h>
+#include <stdlib.h>
+#include <string.h>
+#include <netdb.h>
+#include <arpa/telnet.h>
+#include "ring.h"
+#include "defines.h"
+#include "externs.h"
+#include "environ.h"
+#include "array.h"
+
+class enviro {
+ protected:
+    char *var;          /* pointer to variable name */
+    char *value;        /* pointer to variable's value */
+    int doexport;       /* 1 -> export with default list of variables */
+
+    void clean() { if (var) delete []var; if (value) delete []value; }
+ public:
+    enviro() { var = value = NULL; doexport = 0; }
+    ~enviro() { clean(); }
+
+    const char *getname() const { return var; }
+    const char *getval() const { return value; }
+
+    void define(const char *vr, const char *vl) {
+        clean();
+        var = strcpy(new char[strlen(vr)+1], vr);
+        value = strcpy(new char[strlen(vl)+1], vl);
+    }
+
+    void clear() { clean(); var = value = NULL; }
+
+    void setexport(int ex) { doexport = ex; }
+    int getexport() const { return doexport; }
+};
+
+static array<enviro> vars;
+
+static enviro *env_find(const char *var) {
+    for (int i=0; i<vars.num(); i++) if (vars[i].getname()) {
+        if (!strcmp(vars[i].getname(), var))
+            return &vars[i];
+    }
+    return NULL;
+}
+
+static void env_put(const char *var, const char *val, int exp) {
+    enviro *ep = env_find(var);
+    if (!ep) {
+        int x = vars.num();
+        vars.setsize(x+1);
+        ep = &vars[x];
+    }   
+    ep->define(var, val);
+    ep->setexport(exp);
+}
+
+static void env_copy(void) {
+    extern char **environ;
+
+    char *s;
+    int i;
+    
+    for (i=0; environ[i]; i++) {
+        s = strchr(environ[i], '=');
+        if (s) {
+            *s=0;
+            env_put(environ[i], s+1, 0);
+            *s='=';
+        }
+    }
+}
+
+/*
+ * Special case for DISPLAY variable.  If it is ":0.0" or
+ * "unix:0.0", we have to get rid of "unix" and insert our
+ * hostname.
+ */
+static void env_fix_display(void) {
+    enviro *ep = env_find("DISPLAY");
+    if (!ep) return;
+    ep->setexport(1);
+
+    if (strncmp(ep->getval(), ":", 1) && strncmp(ep->getval(), "unix:", 5)) {
+        return;
+    }
+    char hbuf[256];
+    const char *cp2 = strrchr(ep->getval(), ':');
+    int maxlen = sizeof(hbuf)-strlen(cp2)-1;
+    gethostname(hbuf, maxlen);
+    hbuf[maxlen] = 0;  /* ensure null termination */
+
+    /*
+     * dholland 7/30/96 if not a FQDN ask DNS
+     */
+    if (!strchr(hbuf, '.')) {
+        struct hostent *h = gethostbyname(hbuf);
+        if (h) {
+            strncpy(hbuf, h->h_name, maxlen);
+            hbuf[maxlen] = 0; /* ensure null termination */
+        }
+    }
+
+    strcat(hbuf, cp2);
+
+    ep->define("DISPLAY", hbuf);
+}
+
+/*********************************************** interface ***********/
+
+void env_init(void) {
+    env_copy();
+    env_fix_display();
+
+    /*
+     * If USER is not defined, but LOGNAME is, then add
+     * USER with the value from LOGNAME.  By default, we
+     * don't export the USER variable.
+     */
+    if (!env_find("USER")) {
+        enviro *ep = env_find("LOGNAME");
+        if (ep) env_put("USER", ep->getval(), 0);
+    }
+
+    enviro *ep = env_find("PRINTER");
+    if (ep) ep->setexport(1);
+}
+
+void env_define(const char *var, const char *value) {
+    env_put(var, value, 1);
+}
+
+void env_undefine(const char *var) {
+    enviro *ep = env_find(var);
+    if (ep) {
+        /*
+         * We don't make any effort to reuse cleared environment spaces.
+         * It's highly unlikely to be worth the trouble.
+         */
+        ep->clear();
+    }
+}
+
+void env_export(const char *var) {
+    enviro *ep = env_find(var);
+    if (ep) ep->setexport(1);
+}
+
+void env_unexport(const char *var) {
+    enviro *ep = env_find(var);
+    if (ep) ep->setexport(0);
+}
+
+void env_send(const char *var) {
+    if (my_state_is_wont(TELOPT_ENVIRON)) {
+        fprintf(stderr, "Cannot send '%s': Telnet ENVIRON option disabled\n",
+                var);
+        return;
+    }
+
+    enviro *ep = env_find(var);
+    if (!ep) {
+        fprintf(stderr, "Cannot send '%s': variable not defined\n", var);
+        return;
+    }
+    env_opt_start_info();
+    env_opt_add(ep->getname());
+    env_opt_end(0);
+}
+
+void env_list(void) {
+    for (int i=0; i<vars.num(); i++) if (vars[i].getname()) {
+        printf("%c %-20s %s\n", vars[i].getexport() ? '*' : ' ',
+               vars[i].getname(), vars[i].getval());
+    }
+}
+
+void env_iterate(int *iter, int /*exported_only*/) {
+    *iter = 0;
+}
+
+const char *env_next(int *iter, int exported_only) {
+    while (*iter>=0 && *iter<vars.num()) {
+        int k = (*iter)++;
+
+        if (!vars[k].getname()) continue; // deleted variable
+
+        if (vars[k].getexport() || !exported_only) {
+            return vars[k].getname();
+        }
+    }
+    return NULL;
+}
+
+const char *env_getvalue(const char *var) {
+    enviro *ep = env_find(var);
+    if (ep) return ep->getval();
+    return NULL;
+}
diff --git a/exploits/7350855-netkit/netkit-telnet-0.16/telnet/environ.h b/exploits/7350855-netkit/netkit-telnet-0.16/telnet/environ.h
new file mode 100644
index 0000000..bc45c08
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.16/telnet/environ.h
@@ -0,0 +1,10 @@
+void env_define(const char *var, const char *val);
+void env_undefine(const char *var);
+void env_export(const char *var);
+void env_unexport(const char *);
+void env_send(const char *);
+void env_list(void);
+const char *env_getvalue(const char *);
+
+void env_iterate(int *, int exported_only);
+const char *env_next(int *, int exported_only);
diff --git a/exploits/7350855-netkit/netkit-telnet-0.16/telnet/environ.o b/exploits/7350855-netkit/netkit-telnet-0.16/telnet/environ.o
new file mode 100644
index 0000000..b506e8a
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.16/telnet/environ.o
diff --git a/exploits/7350855-netkit/netkit-telnet-0.16/telnet/externs.h b/exploits/7350855-netkit/netkit-telnet-0.16/telnet/externs.h
new file mode 100644
index 0000000..955df79
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.16/telnet/externs.h
@@ -0,0 +1,365 @@
+/*
+ * Copyright (c) 1988, 1990 Regents of the University of California.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *      This product includes software developed by the University of
+ *      California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *      from: @(#)externs.h     5.3 (Berkeley) 3/22/91
+ *      $Id: externs.h,v 1.20 1999/08/19 09:34:15 dholland Exp $
+ */
+
+#ifndef BSD
+#define BSD 43
+#endif
+
+#include <stdio.h>
+#include <setjmp.h>
+#include <sys/ioctl.h>
+#include <features.h>
+#include <termios.h>
+
+#if defined(NO_CC_T)
+typedef unsigned char cc_t;
+#endif
+
+#ifdef __linux__
+#include <unistd.h>   /* get _POSIX_VDISABLE */
+#endif
+
+#ifndef _POSIX_VDISABLE
+#error "Please fix externs.h to define _POSIX_VDISABLE"
+#endif
+
+#define SUBBUFSIZE      256
+
+extern int autologin;           /* Autologin enabled */
+extern int skiprc;              /* Don't process the ~/.telnetrc file */
+extern int eight;               /* use eight bit mode (binary in and/or out */
+extern int flushout;            /* flush output */
+extern int connected;           /* Are we connected to the other side? */
+extern int globalmode;          /* Mode tty should be in */
+extern int In3270;                      /* Are we in 3270 mode? */
+extern int telnetport;          /* Are we connected to the telnet port? */
+extern int localflow;           /* Flow control handled locally */
+extern int localchars;          /* we recognize interrupt/quit */
+extern int donelclchars;                /* the user has set "localchars" */
+extern int showoptions;
+
+extern int crlf;        /* Should '\r' be mapped to <CR><LF> (or <CR><NUL>)? */
+extern int autoflush;           /* flush output when interrupting? */
+extern int autosynch;           /* send interrupt characters with SYNCH? */
+extern int SYNCHing;            /* Is the stream in telnet SYNCH mode? */
+extern int donebinarytoggle;    /* the user has put us in binary */
+extern int dontlecho;           /* do we suppress local echoing right now? */
+extern int crmod;
+//extern int netdata;           /* Print out network data flow */
+//extern int prettydump;        /* Print "netdata" output in user readable format */
+extern int debug;                       /* Debug level */
+
+#ifdef TN3270
+extern int cursesdata;          /* Print out curses data flow */
+#endif /* unix and TN3270 */
+
+extern cc_t escapechar;  /* Escape to command mode */
+extern cc_t rlogin;      /* Rlogin mode escape character */
+#ifdef  KLUDGELINEMODE
+extern cc_t echoc;      /* Toggle local echoing */
+#endif
+
+extern char *prompt;            /* Prompt for command. */
+
+extern char doopt[];
+extern char dont[];
+extern char will[];
+extern char wont[];
+extern char options[];          /* All the little options */
+extern char *hostname;          /* Who are we connected to? */
+
+/*
+ * We keep track of each side of the option negotiation.
+ */
+
+#define MY_STATE_WILL           0x01
+#define MY_WANT_STATE_WILL      0x02
+#define MY_STATE_DO             0x04
+#define MY_WANT_STATE_DO        0x08
+
+/*
+ * Macros to check the current state of things
+ */
+
+#define my_state_is_do(opt)             (options[opt]&MY_STATE_DO)
+#define my_state_is_will(opt)           (options[opt]&MY_STATE_WILL)
+#define my_want_state_is_do(opt)        (options[opt]&MY_WANT_STATE_DO)
+#define my_want_state_is_will(opt)      (options[opt]&MY_WANT_STATE_WILL)
+
+#define my_state_is_dont(opt)           (!my_state_is_do(opt))
+#define my_state_is_wont(opt)           (!my_state_is_will(opt))
+#define my_want_state_is_dont(opt)      (!my_want_state_is_do(opt))
+#define my_want_state_is_wont(opt)      (!my_want_state_is_will(opt))
+
+#define set_my_state_do(opt)            {options[opt] |= MY_STATE_DO;}
+#define set_my_state_will(opt)          {options[opt] |= MY_STATE_WILL;}
+#define set_my_want_state_do(opt)       {options[opt] |= MY_WANT_STATE_DO;}
+#define set_my_want_state_will(opt)     {options[opt] |= MY_WANT_STATE_WILL;}
+
+#define set_my_state_dont(opt)          {options[opt] &= ~MY_STATE_DO;}
+#define set_my_state_wont(opt)          {options[opt] &= ~MY_STATE_WILL;}
+#define set_my_want_state_dont(opt)     {options[opt] &= ~MY_WANT_STATE_DO;}
+#define set_my_want_state_wont(opt)     {options[opt] &= ~MY_WANT_STATE_WILL;}
+
+/*
+ * Make everything symmetric
+ */
+
+#define HIS_STATE_WILL                  MY_STATE_DO
+#define HIS_WANT_STATE_WILL             MY_WANT_STATE_DO
+#define HIS_STATE_DO                    MY_STATE_WILL
+#define HIS_WANT_STATE_DO               MY_WANT_STATE_WILL
+
+#define his_state_is_do                 my_state_is_will
+#define his_state_is_will               my_state_is_do
+#define his_want_state_is_do            my_want_state_is_will
+#define his_want_state_is_will          my_want_state_is_do
+
+#define his_state_is_dont               my_state_is_wont
+#define his_state_is_wont               my_state_is_dont
+#define his_want_state_is_dont          my_want_state_is_wont
+#define his_want_state_is_wont          my_want_state_is_dont
+
+#define set_his_state_do                set_my_state_will
+#define set_his_state_will              set_my_state_do
+#define set_his_want_state_do           set_my_want_state_will
+#define set_his_want_state_will         set_my_want_state_do
+
+#define set_his_state_dont              set_my_state_wont
+#define set_his_state_wont              set_my_state_dont
+#define set_his_want_state_dont         set_my_want_state_wont
+#define set_his_want_state_wont         set_my_want_state_dont
+
+
+extern FILE *NetTrace;          /* Where debugging output goes */
+extern char NetTraceFile[];     /* Name of file where debugging output goes */
+
+void SetNetTrace(const char *); /* Function to change where debugging goes */
+
+extern sigjmp_buf peerdied;
+extern sigjmp_buf toplevel;             /* For error conditions. */
+
+void command(int, const char *, int);
+void Dump (int, char *, int);
+void init_3270 (void);
+void printoption(const char *, int, int);
+void printsub (int, unsigned char *, int);
+void sendnaws (void);
+void setconnmode(int);
+void setcommandmode (void);
+void setneturg (void);
+void sys_telnet_init (void);
+void telnet(const char *);
+void tel_enter_binary(int);
+void TerminalFlushOutput(void);
+void TerminalNewMode(int);
+void TerminalRestoreState(void);
+void TerminalSaveState(void);
+void tninit(void);
+void upcase(char *);
+void willoption(int);
+void wontoption(int);
+
+void lm_will(unsigned char *, int);
+void lm_wont(unsigned char *, int);
+void lm_do(unsigned char *, int);
+void lm_dont(unsigned char *, int);
+void lm_mode(unsigned char *, int, int);
+
+void slc_init(void);
+void slcstate(void);
+void slc_mode_export(void);
+void slc_mode_import(int);
+void slc_import(int);
+void slc_export(void);
+void slc(unsigned char *, int);
+void slc_check(void);
+void slc_start_reply(void);
+void slc_add_reply(int, int, int);
+void slc_end_reply(void);
+int slc_update(void);
+
+void env_opt(unsigned char *, int);
+void env_opt_start(void);
+void env_opt_start_info(void);
+void env_opt_add(const char *);
+void env_opt_end(int);
+
+int get_status(const char *, const char *);
+int dosynch(void);
+
+cc_t *tcval(int);
+
+//#if 0
+extern struct termios new_tc;
+
+#define termEofChar             new_tc.c_cc[VEOF]
+#define termEraseChar           new_tc.c_cc[VERASE]
+#define termIntChar             new_tc.c_cc[VINTR]
+#define termKillChar            new_tc.c_cc[VKILL]
+#define termQuitChar            new_tc.c_cc[VQUIT]
+
+#ifndef VSUSP
+extern cc_t termSuspChar;
+#else
+#define termSuspChar            new_tc.c_cc[VSUSP]
+#endif
+
+#if defined(VFLUSHO) && !defined(VDISCARD)
+#define VDISCARD VFLUSHO
+#endif
+#ifndef VDISCARD
+extern cc_t termFlushChar;
+#else
+#define termFlushChar           new_tc.c_cc[VDISCARD]
+#endif
+
+#ifndef VWERASE
+extern cc_t termWerasChar;
+#else
+#define termWerasChar           new_tc.c_cc[VWERASE]
+#endif
+
+#ifndef VREPRINT
+extern cc_t termRprntChar;
+#else
+#define termRprntChar           new_tc.c_cc[VREPRINT]
+#endif
+
+#ifndef VLNEXT
+extern cc_t termLiteralNextChar;
+#else
+#define termLiteralNextChar     new_tc.c_cc[VLNEXT]
+#endif
+
+#ifndef VSTART
+extern cc_t termStartChar;
+#else
+#define termStartChar           new_tc.c_cc[VSTART]
+#endif
+
+#ifndef VSTOP
+extern cc_t termStopChar;
+#else
+#define termStopChar            new_tc.c_cc[VSTOP]
+#endif
+
+#ifndef VEOL
+extern cc_t termForw1Char;
+#else
+#define termForw1Char           new_tc.c_cc[VEOL]
+#endif
+
+#ifndef VEOL2
+extern cc_t termForw2Char;
+#else
+#define termForw2Char           new_tc.c_cc[VEOL]
+#endif
+
+#ifndef VSTATUS
+extern cc_t termAytChar;
+#else
+#define termAytChar             new_tc.c_cc[VSTATUS]
+#endif
+
+//#endif /* 0 */
+
+//#if 0
+#if !defined(CRAY) || defined(__STDC__)
+#define termEofCharp    &termEofChar
+#define termEraseCharp  &termEraseChar
+#define termIntCharp    &termIntChar
+#define termKillCharp   &termKillChar
+#define termQuitCharp   &termQuitChar
+#define termSuspCharp   &termSuspChar
+#define termFlushCharp  &termFlushChar
+#define termWerasCharp  &termWerasChar
+#define termRprntCharp  &termRprntChar
+#define termLiteralNextCharp    &termLiteralNextChar
+#define termStartCharp  &termStartChar
+#define termStopCharp   &termStopChar
+#define termForw1Charp  &termForw1Char
+#define termForw2Charp  &termForw2Char
+#define termAytCharp    &termAytChar
+#else
+        /* Work around a compiler bug */
+#define termEofCharp            0
+#define termEraseCharp          0
+#define termIntCharp            0
+#define termKillCharp           0
+#define termQuitCharp           0
+#define termSuspCharp           0
+#define termFlushCharp          0
+#define termWerasCharp          0
+#define termRprntCharp          0
+#define termLiteralNextCharp    0
+#define termStartCharp          0
+#define termStopCharp           0
+#define termForw1Charp          0
+#define termForw2Charp          0
+#define termAytCharp            0
+#endif
+
+//#endif /* 0 */
+
+
+/* Ring buffer structures which are shared */
+
+extern ringbuf netoring;
+extern ringbuf netiring;
+extern ringbuf ttyoring;
+extern ringbuf ttyiring;
+
+/* Tn3270 section */
+#if defined(TN3270)
+
+extern int HaveInput;   /* Whether an asynchronous I/O indication came in */
+extern int noasynchtty; /* Don't do signals on I/O (SIGURG, SIGIO) */
+extern int noasynchnet; /* Don't do signals on I/O (SIGURG, SIGIO) */
+extern int sigiocount;          /* Count of SIGIO receptions */
+extern int shell_active;        /* Subshell is active */
+
+extern char *Ibackp;            /* Oldest byte of 3270 data */
+extern char Ibuf[];             /* 3270 buffer */
+extern char *Ifrontp;           /* Where next 3270 byte goes */
+extern char tline[];
+extern char *transcom;          /* Transparent command */
+
+void settranscom(int, char**);
+int shell(int, char**);
+void inputAvailable(void);
+
+#endif  /* defined(TN3270) */
diff --git a/exploits/7350855-netkit/netkit-telnet-0.16/telnet/fdset.h b/exploits/7350855-netkit/netkit-telnet-0.16/telnet/fdset.h
new file mode 100644
index 0000000..7542166
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.16/telnet/fdset.h
@@ -0,0 +1,50 @@
+/*
+ * Copyright (c) 1988 Regents of the University of California.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *      This product includes software developed by the University of
+ *      California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *      from: @(#)fdset.h       5.1 (Berkeley) 9/14/90
+ *      $Id: fdset.h,v 1.1 1996/07/16 05:17:22 dholland Exp $
+ */
+
+/*
+ * The following is defined just in case someone should want to run
+ * this telnet on a 4.2 system.
+ *
+ */
+
+#ifndef FD_SETSIZE
+
+#define FD_SET(n, p)    ((p)->fds_bits[0] |= (1<<(n)))
+#define FD_CLR(n, p)    ((p)->fds_bits[0] &= ~(1<<(n)))
+#define FD_ISSET(n, p)  ((p)->fds_bits[0] & (1<<(n)))
+#define FD_ZERO(p)      ((p)->fds_bits[0] = 0)
+
+#endif
diff --git a/exploits/7350855-netkit/netkit-telnet-0.16/telnet/general.h b/exploits/7350855-netkit/netkit-telnet-0.16/telnet/general.h
new file mode 100644
index 0000000..1d9df66
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.16/telnet/general.h
@@ -0,0 +1,46 @@
+/*
+ * Copyright (c) 1988 Regents of the University of California.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *      This product includes software developed by the University of
+ *      California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *      from: @(#)general.h     5.2 (Berkeley) 3/1/91
+ *      $Id: general.h,v 1.1 1996/07/16 05:17:22 dholland Exp $
+ */
+
+/*
+ * Some general definitions.
+ */
+
+
+#define numberof(x)     (sizeof x/sizeof x[0])
+#define highestof(x)    (numberof(x)-1)
+
+#define ClearElement(x)         memset((char *)&x, 0, sizeof x)
+#define ClearArray(x)           memset((char *)x, 0, sizeof x)
diff --git a/exploits/7350855-netkit/netkit-telnet-0.16/telnet/genget.cc b/exploits/7350855-netkit/netkit-telnet-0.16/telnet/genget.cc
new file mode 100644
index 0000000..3f835b3
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.16/telnet/genget.cc
@@ -0,0 +1,91 @@
+/*-
+ * Copyright (c) 1991 The Regents of the University of California.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *      This product includes software developed by the University of
+ *      California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/*
+ * From: @(#)genget.c   5.1 (Berkeley) 2/28/91
+ */
+char gg_rcsid[] = 
+  "$Id: genget.cc,v 1.3 1996/07/26 09:54:09 dholland Exp $";
+
+#include <string.h>
+#include <ctype.h>
+
+#include "genget.h"
+
+#define LOWER(x) (isupper(x) ? tolower(x) : (x))
+/*
+ * The prefix function returns 0 if *s1 is not a prefix
+ * of *s2.  If *s1 exactly matches *s2, the negative of
+ * the length is returned.  If *s1 is a prefix of *s2,
+ * the length of *s1 is returned.
+ */
+int isprefix(const char *s1, const char *s2) {
+        const char *os1;
+        char c1, c2;
+
+        if (*s1 == 0) return -1;
+
+        os1 = s1;
+        c1 = *s1;
+        c2 = *s2;
+
+        while (LOWER(c1) == LOWER(c2)) {
+                if (c1 == 0) break;
+                c1 = *++s1;
+                c2 = *++s2;
+        }
+        if (*s1) return 0;
+        return *s2 ? (s1 - os1) : (os1 - s1);
+}
+
+/*
+ * name: name to match
+ * table: name entry in table
+ */
+char **genget(const char *name, char **table, int stlen) {
+        char **c, **found;
+        int n;
+
+        if (!name) return NULL;
+
+        found = NULL;
+        for (c = table; *c; c = (char **)((char *)c + stlen)) {
+                n = isprefix(name, *c);
+                if (n == 0) continue;
+                if (n < 0) return c;    /* exact match */
+                if (found) return (char **)AMBIGUOUS;
+                found = c;
+        }
+        return found;
+}
+
diff --git a/exploits/7350855-netkit/netkit-telnet-0.16/telnet/genget.h b/exploits/7350855-netkit/netkit-telnet-0.16/telnet/genget.h
new file mode 100644
index 0000000..891a42f
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.16/telnet/genget.h
@@ -0,0 +1,5 @@
+int isprefix(const char *, const char *);
+char **genget(const char *, char **, int);
+
+#define AMBIGUOUS ((void *)1)
+#define HELP ((void *)2)
diff --git a/exploits/7350855-netkit/netkit-telnet-0.16/telnet/genget.o b/exploits/7350855-netkit/netkit-telnet-0.16/telnet/genget.o
new file mode 100644
index 0000000..b35bb1b
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.16/telnet/genget.o
diff --git a/exploits/7350855-netkit/netkit-telnet-0.16/telnet/main.cc b/exploits/7350855-netkit/netkit-telnet-0.16/telnet/main.cc
new file mode 100644
index 0000000..b67f2ce
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.16/telnet/main.cc
@@ -0,0 +1,257 @@
+/*
+ * Copyright (c) 1988, 1990 Regents of the University of California.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *      This product includes software developed by the University of
+ *      California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+char copyright[] =
+  "@(#) Copyright (c) 1988, 1990 Regents of the University of California.\n"
+  "All rights reserved.\n";
+
+/*
+ * From: @(#)main.c     5.4 (Berkeley) 3/22/91
+ */
+char main_rcsid[] = 
+  "$Id: main.cc,v 1.14 1999/08/01 05:06:37 dholland Exp $";
+
+#include "../version.h"
+
+#include <sys/types.h>
+#include <getopt.h>
+#include <string.h>
+
+#include "ring.h"
+#include "externs.h"
+#include "defines.h"
+#include "proto.h"
+
+/*
+ * Initialize variables.
+ */
+void
+tninit(void)
+{
+    init_terminal();
+
+    init_network();
+    
+    init_telnet();
+
+    init_sys();
+
+#if defined(TN3270)
+    init_3270();
+#endif
+}
+
+/*
+ * note: -x should mean use encryption
+ *       -k <realm> to set kerberos realm
+ *       -K don't auto-login
+ *       -X <atype> disable specified auth type
+ */ 
+void usage(void) {
+    fprintf(stderr, "Usage: %s %s%s%s%s\n",
+            prompt,
+            " [-8] [-E] [-L] [-a] [-d] [-e char] [-l user] [-n tracefile]",
+            "\n\t",
+#ifdef TN3270
+            "[-noasynch] [-noasynctty] [-noasyncnet] [-r] [-t transcom]\n\t",
+#else
+            "[-r] ",
+#endif
+            "[host-name [port]]"
+        );
+        exit(1);
+}
+
+/*
+ * main.  Parse arguments, invoke the protocol or command parser.
+ */
+
+int
+main(int argc, char *argv[])
+{
+        extern char *optarg;
+        extern int optind;
+        int ch;
+        char *user;
+
+        tninit();               /* Clear out things */
+#if     defined(CRAY) && !defined(__STDC__)
+        _setlist_init();        /* Work around compiler bug */
+#endif
+
+        TerminalSaveState();
+
+        if ((prompt = strrchr(argv[0], '/'))!=NULL)
+                ++prompt;
+        else
+                prompt = argv[0];
+
+        user = NULL;
+
+        rlogin = (strncmp(prompt, "rlog", 4) == 0) ? '~' : _POSIX_VDISABLE;
+        autologin = -1;
+
+        while ((ch = getopt(argc, argv, "8EKLS:X:ade:k:l:n:rt:x")) != EOF) {
+                switch(ch) {
+                case '8':
+                        eight = 3;      /* binary output and input */
+                        break;
+                case 'E':
+                        rlogin = escapechar = _POSIX_VDISABLE;
+                        break;
+                case 'K':
+                        //autologin = 0;
+                        break;
+                case 'L':
+                        eight |= 2;     /* binary output only */
+                        break;
+                case 'S':
+                    {
+#ifdef  HAS_GETTOS
+                        extern int tos;
+
+                        if ((tos = parsetos(optarg, "tcp")) < 0)
+                                fprintf(stderr, "%s%s%s%s\n",
+                                        prompt, ": Bad TOS argument '",
+                                        optarg,
+                                        "; will try to use default TOS");
+#else
+                        fprintf(stderr,
+                           "%s: Warning: -S ignored, no parsetos() support.\n",
+                                                                prompt);
+#endif
+                    }
+                        break;
+                case 'X':
+                        // disable authentication type "optarg"
+                        break;
+                case 'a':
+                        autologin = 1;
+                        break;
+                case 'c':
+                        skiprc = 1;
+                        break;
+                case 'd':
+                        debug = 1;
+                        break;
+                case 'e':
+                        set_escape_char(optarg);
+                        break;
+                case 'k':
+                        fprintf(stderr,
+                                "%s: -k ignored, no Kerberos V4 support.\n",
+                                prompt);
+                        break;
+                case 'l':
+                        autologin = 1;
+                        user = optarg;
+                        break;
+                case 'n':
+#ifdef TN3270
+                        /* distinguish between "-n oasynch" and "-noasynch" */
+                        if (argv[optind - 1][0] == '-' && argv[optind - 1][1]
+                            == 'n' && argv[optind - 1][2] == 'o') {
+                                if (!strcmp(optarg, "oasynch")) {
+                                        noasynchtty = 1;
+                                        noasynchnet = 1;
+                                } else if (!strcmp(optarg, "oasynchtty"))
+                                        noasynchtty = 1;
+                                else if (!strcmp(optarg, "oasynchnet"))
+                                        noasynchnet = 1;
+                        } else
+#endif  /* TN3270 */
+                                SetNetTrace(optarg);
+                        break;
+                case 'r':
+                        rlogin = '~';
+                        break;
+                case 't':
+#ifdef TN3270
+                        transcom = tline;
+                        (void)strcpy(transcom, optarg);
+#else
+                        fprintf(stderr,
+                           "%s: Warning: -t ignored, no TN3270 support.\n",
+                                                                prompt);
+#endif
+                        break;
+                case 'x':
+                        fprintf(stderr,
+                                "%s: -x ignored, no encryption support.\n",
+                                prompt);
+                        break;
+                case '?':
+                default:
+                        usage();
+                        /* NOTREACHED */
+                }
+        }
+        if (autologin == -1)
+                autologin = (rlogin == _POSIX_VDISABLE) ? 0 : 1;
+
+        argc -= optind;
+        argv += optind;
+
+        if (argc) {
+                const char *args[7];
+                const char **volatile argp = args;
+
+                if (argc > 2)
+                        usage();
+                *argp++ = prompt;
+                if (user) {
+                        *argp++ = "-l";
+                        *argp++ = user;
+                }
+                *argp++ = argv[0];              /* host */
+                if (argc > 1)
+                        *argp++ = argv[1];      /* port */
+                *argp = 0;
+
+                if (sigsetjmp(toplevel, 1) != 0)
+                        Exit(0);
+                if (tn(argp - args, args) == 1)
+                        return (0);
+                else
+                        return (1);
+        }
+        (void)sigsetjmp(toplevel, 1);
+        for (;;) {
+#ifdef TN3270
+                if (shell_active)
+                        shell_continue();
+                else
+#endif
+                        command(1, 0, 0);
+        }
+}
diff --git a/exploits/7350855-netkit/netkit-telnet-0.16/telnet/main.o b/exploits/7350855-netkit/netkit-telnet-0.16/telnet/main.o
new file mode 100644
index 0000000..2e602f9
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.16/telnet/main.o
diff --git a/exploits/7350855-netkit/netkit-telnet-0.16/telnet/netlink.cc b/exploits/7350855-netkit/netkit-telnet-0.16/telnet/netlink.cc
new file mode 100644
index 0000000..c418993
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.16/telnet/netlink.cc
@@ -0,0 +1,199 @@
+#include <errno.h>
+#include <stdio.h>
+#include <unistd.h>
+#include <stdlib.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <sys/ioctl.h>
+#include <sys/time.h>
+#include <netdb.h>
+#include "netlink.h"
+#include "proto.h"
+#include "ring.h"
+
+/* In linux, this is an enum */
+#ifdef __linux__
+#define HAS_IPPROTO_IP
+#endif
+
+#ifdef IPPROTO_IP
+#define HAS_IPPROTO_IP
+#endif
+
+
+netlink nlink;
+
+class netchannel : public ringbuf::source {
+  public:
+    virtual int read(char *buf, int maxlen) {
+        int net = nlink.getfd();
+        int l = recv(net, buf, maxlen, 0);
+        if (l<0 && errno == EWOULDBLOCK) l = 0;
+        return l;
+    }
+};
+
+class netchannel2 : public datasink {
+  public:
+    virtual int write(const char *buf, int len) {
+        int r = nlink.send(buf, len, 0);
+        if (r==-1 && (errno==ENOBUFS || errno==EWOULDBLOCK)) return 0;
+        return r;
+    }
+    virtual int writeurg(const char *buf, int len) {
+            /*
+             * In 4.2 (and 4.3) systems, there is some question about
+             * what byte in a sendOOB operation is the "OOB" data.
+             * To make ourselves compatible, we only send ONE byte
+             * out of band, the one WE THINK should be OOB (though
+             * we really have more the TCP philosophy of urgent data
+             * rather than the Unix philosophy of OOB data).
+             */
+        if (len==0) return 0;
+        int r = nlink.send(buf, 1, MSG_OOB);
+        if (r==-1 && (errno==ENOBUFS || errno==EWOULDBLOCK)) r = 0;
+        if (r<=0) return r;
+        int rr = nlink.send(buf+1, len-r, 0);
+        if (rr==-1 && (errno==ENOBUFS || errno==EWOULDBLOCK)) rr = 0;
+        if (rr<=0) return r;   /* less than ideal */
+        return r+rr;
+    }
+};
+
+static netchannel chan;
+static netchannel2 chan2;
+datasink *netsink = &chan2;
+ringbuf::source *netsrc = &chan;
+
+
+netlink::netlink() { net = -1; }
+netlink::~netlink() { ::close(net); }
+
+
+int netlink::setdebug(int debug) {
+    if (net > 0 &&
+        (setsockopt(net, SOL_SOCKET, SO_DEBUG, &debug, sizeof(debug))) < 0) {
+        perror("setsockopt (SO_DEBUG)");
+    }
+    return 1;
+}
+
+void netlink::close(int doshutdown) {
+    if (doshutdown) {
+        shutdown(net, 2);
+    }
+    ::close(net);
+}
+
+int netlink::connect(int debug, struct hostent *host, 
+                     struct sockaddr_in *sn, 
+                     char *srcroute, int srlen, int tos) 
+{
+    int on=1;
+
+    net = socket(AF_INET, SOCK_STREAM, 0);
+    setuid(getuid());
+    if (net < 0) {
+        perror("telnet: socket");
+        return 0;
+    }
+
+#if defined(IP_OPTIONS) && defined(HAS_IPPROTO_IP)
+    if (srcroute) {
+        if (setsockopt(net, IPPROTO_IP, IP_OPTIONS, srcroute, srlen) < 0)
+            perror("setsockopt (IP_OPTIONS)");
+    }
+#endif
+
+#if defined(HAS_IPPROTO_IP) && defined(IP_TOS)
+#if defined(HAS_GETTOS)
+    struct tosent *tp;
+    if (tos < 0 && (tp = gettosbyname("telnet", "tcp")))
+        tos = tp->t_tos;
+#endif
+    if (tos < 0) tos = 020;     /* Low Delay bit */
+    if (tos && (setsockopt(net, IPPROTO_IP, IP_TOS, &tos, sizeof(int)) < 0)
+        && (errno != ENOPROTOOPT))
+        perror("telnet: setsockopt (IP_TOS) (ignored)");
+#endif  /* defined(IPPROTO_IP) && defined(IP_TOS) */
+
+    if (debug && setsockopt(net, SOL_SOCKET, SO_DEBUG, &on, sizeof(on)) < 0) {
+        perror("setsockopt (SO_DEBUG)");
+    }
+    
+    if (::connect(net, (struct sockaddr *)sn, sizeof(*sn)) < 0) {
+#if defined(h_addr)             /* In 4.3, this is a #define */
+        if (host && host->h_addr_list[1]) {
+            int oerrno = errno;
+            
+            fprintf(stderr, "telnet: connect to address %s: ",
+                    inet_ntoa(sn->sin_addr));
+            errno = oerrno;
+            perror(NULL);
+            host->h_addr_list++;
+            if (host->h_length > (int)sizeof(sn->sin_addr)) {
+                host->h_length = sizeof(sn->sin_addr);
+            }
+            memcpy(&sn->sin_addr, host->h_addr_list[0], host->h_length);
+            close(net);
+            return 1;
+        }
+#endif  /* defined(h_addr) */
+
+        perror("telnet: Unable to connect to remote host");
+        return 0;
+    }
+    return 2;
+}
+
+
+void netlink::oobinline() {
+    int on=1;
+
+    /* Systems without SO_OOBINLINE probably won't work */
+    if (setsockopt(net, SOL_SOCKET, SO_OOBINLINE, &on, sizeof(on)) == -1) {
+        perror("setsockopt");
+    }
+}
+
+
+/*
+ * Check to see if any out-of-band data exists on a socket (for
+ * Telnet "synch" processing).
+ */
+
+int netlink::stilloob(void) {
+    static struct timeval timeout = { 0, 0 };
+    fd_set excepts;
+    int value;
+
+    do {
+        FD_ZERO(&excepts);
+        FD_SET(net, &excepts);
+        value = select(net+1, NULL, NULL, &excepts, &timeout);
+    } while ((value == -1) && (errno == EINTR));
+
+    if (value < 0) {
+        perror("select");
+        quit();
+        /* NOTREACHED */
+    }
+    if (FD_ISSET(net, &excepts)) {
+        return 1;
+    } else {
+        return 0;
+    }
+}
+
+int netlink::send(const char *s, int n, int f) {
+    return ::send(net, s, n, f);
+}
+
+void netlink::nonblock(int onoff) {
+    ioctl(net, FIONBIO, &onoff);
+}
+
+int netlink::getfd() {
+    return net;
+}
diff --git a/exploits/7350855-netkit/netkit-telnet-0.16/telnet/netlink.h b/exploits/7350855-netkit/netkit-telnet-0.16/telnet/netlink.h
new file mode 100644
index 0000000..9852b30
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.16/telnet/netlink.h
@@ -0,0 +1,26 @@
+
+class netlink {
+ protected:
+    int net;
+ public:
+    netlink();
+    ~netlink();
+
+    int connect(int debug, struct hostent *host, 
+                struct sockaddr_in *sin, 
+                char *srcroute, int srlen,
+                int tos);
+    void close(int doshutdown);
+
+    int setdebug(int debug);
+    void oobinline();
+    void nonblock(int onoff);
+
+    int stilloob();
+
+    int send(const char *buf, int len, int flags);
+
+    int getfd();
+};
+
+extern netlink nlink;
diff --git a/exploits/7350855-netkit/netkit-telnet-0.16/telnet/netlink.o b/exploits/7350855-netkit/netkit-telnet-0.16/telnet/netlink.o
new file mode 100644
index 0000000..9d45f84
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.16/telnet/netlink.o
diff --git a/exploits/7350855-netkit/netkit-telnet-0.16/telnet/network.cc b/exploits/7350855-netkit/netkit-telnet-0.16/telnet/network.cc
new file mode 100644
index 0000000..6a2c374
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.16/telnet/network.cc
@@ -0,0 +1,91 @@
+/*
+ * Copyright (c) 1988 Regents of the University of California.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *      This product includes software developed by the University of
+ *      California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/*
+ * From: @(#)network.c  5.2 (Berkeley) 3/1/91
+ */
+char net_rcsid[] = 
+  "$Id: network.cc,v 1.15 1996/08/13 08:09:58 dholland Exp $";
+
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <sys/time.h>
+#include <errno.h>
+#include <arpa/telnet.h>
+
+#include "ring.h"
+#include "defines.h"
+#include "externs.h"
+#include "proto.h"
+#include "netlink.h"
+
+ringbuf netoring;
+ringbuf netiring;
+
+/*
+ * Initialize internal network data structures.
+ */
+
+void init_network(void) {
+    if (netoring.init(2*BUFSIZ, netsink, NULL) != 1) {
+        exit(1);
+    }
+    if (netiring.init(BUFSIZ, NULL, netsrc) != 1) {
+        exit(1);
+    }
+    NetTrace = stdout;
+}
+
+
+/*
+ *  netflush
+ *              Send as much data as possible to the network,
+ *      handling requests for urgent data.
+ *
+ *              The return value indicates whether we did any
+ *      useful work.
+ */
+
+
+int netflush(void) {
+    int r = netoring.flush();
+    if (r < -1) {
+        setcommandmode();
+        perror(hostname);
+        nlink.close(0);
+        netoring.clear_mark();
+        siglongjmp(peerdied, -1);
+        /*NOTREACHED*/
+    }
+    return r>0;
+}
diff --git a/exploits/7350855-netkit/netkit-telnet-0.16/telnet/network.o b/exploits/7350855-netkit/netkit-telnet-0.16/telnet/network.o
new file mode 100644
index 0000000..98df4b4
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.16/telnet/network.o
diff --git a/exploits/7350855-netkit/netkit-telnet-0.16/telnet/proto.h b/exploits/7350855-netkit/netkit-telnet-0.16/telnet/proto.h
new file mode 100644
index 0000000..8be4a39
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.16/telnet/proto.h
@@ -0,0 +1,41 @@
+#if 0
+void auth_encrypt_connect(void);
+void auth_encrypt_init(void);
+#endif
+
+void Exit(int);
+void ExitString(const char *, int);
+int TerminalAutoFlush(void);
+void TerminalDefaultChars(void);
+int TerminalSpecialChars(int);
+void TerminalSpeeds(long *ispeed, long *ospeed);
+int TerminalWindowSize(long *rows, long *cols);
+void auth_encrypt_user(char *);
+void auth_name(unsigned char *, int);
+void auth_printsub(unsigned char *, int, unsigned char *, int);
+void cmdrc(const char *m1, const char *m2);
+void env_init(void);
+int getconnmode(void);
+void init_network(void);
+void init_sys(void);
+void init_telnet(void);
+void init_terminal(void);
+int netflush(void);
+void optionstatus(void);
+int process_rings(int, int, int, int, int, int);
+void quit(void);
+int rlogin_susp(void);
+int send_tncmd(int (*func)(int, int), const char *cmd, const char *name);
+void sendeof(void);
+void sendsusp(void);
+void set_escape_char(char *);
+void tel_leave_binary(int);
+int telrcv(void);
+int tn(int argc, const char *argv[]);
+int ttyflush(int);
+void sendayt(void);
+void ayt_status(int);
+void ayt(int sig);
+
+/* commands.c */
+void cmdtab_init(void);
diff --git a/exploits/7350855-netkit/netkit-telnet-0.16/telnet/ptrarray.h b/exploits/7350855-netkit/netkit-telnet-0.16/telnet/ptrarray.h
new file mode 100644
index 0000000..3a5d12f
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.16/telnet/ptrarray.h
@@ -0,0 +1,92 @@
+//
+//      File:        ptrarray.h
+//      Date:        16-Jul-95
+//      Description: Array of pointers
+//
+/*
+ * Copyright (c) 1995 David A. Holland.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of the Author nor the names of any contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifndef PTRARRAY_H
+#define PTRARRAY_H
+
+#ifndef assert
+#include <assert.h>
+#endif
+
+#ifndef NULL
+#define NULL 0
+#endif
+
+template <class T>
+class ptrarray {
+  protected:
+    T **v;
+    int n, max;
+    void reallocto(int x) {
+        while (max<x) max += 16;
+        T **q = new T* [max];
+        for (int i=0; i<n; i++) q[i] = v[i];
+        delete []v;
+        v = q;
+    }
+  public:
+    ptrarray() { v=NULL; n=max=0; }
+    ~ptrarray() { delete []v; }
+
+    int num() const { return n; }
+
+    void setsize(int newsize) {
+      if (newsize>max) reallocto(newsize);
+      if (newsize>n) {
+        for (int i=n; i<newsize; i++) v[i] = NULL;
+      }
+      else {
+        // do nothing
+      }
+      n = newsize;
+    }
+
+    T *&operator [] (int ix) const {
+      assert(ix>=0 && ix<n);
+      return v[ix];
+    }
+
+    int add(T *val) {
+      int ix = n;
+      setsize(n+1);
+      v[ix] = val;
+      return ix;
+    }
+
+    void push(T *val) { add(val); }
+
+    void pop() { setsize(n-1); }
+};
+
+#endif
diff --git a/exploits/7350855-netkit/netkit-telnet-0.16/telnet/ring.cc b/exploits/7350855-netkit/netkit-telnet-0.16/telnet/ring.cc
new file mode 100644
index 0000000..fdff63e
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.16/telnet/ring.cc
@@ -0,0 +1,209 @@
+/*
+ * Copyright (c) 1988 Regents of the University of California.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *      This product includes software developed by the University of
+ *      California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/*
+ * From: @(#)ring.c     5.2 (Berkeley) 3/1/91
+ */
+char ring_rcsid[] =
+  "$Id: ring.cc,v 1.22 1997/09/23 11:33:16 dholland Exp $";
+
+/*
+ * This defines a structure for a ring buffer. 
+ */
+
+#include <stdio.h>
+#include <stdarg.h>
+#include <assert.h>
+#include "ring.h"
+
+class devnull : public datasink {
+    virtual int write(const char *, int n) { return n; }
+    virtual int writeurg(const char *, int n) { return n; }
+};
+static devnull nullsink_obj;
+datasink *nullsink = &nullsink_obj;
+
+
+
+int ringbuf::init(int sz, datasink *sink, source *src) {
+    buf = new char[sz];
+    size = sz;
+    head = tail = 0;
+    count = 0;
+    marked = -1;
+
+    binding = sink;
+    srcbinding = src;
+
+    return 1;
+}
+
+/////////////////////////////////////////////////// consume //////////////
+
+int ringbuf::gets(char *rbuf, int max) {
+    int i=0, ch;
+    assert(max>0);
+    while (getch(&ch)>0 && i<max-1) rbuf[i++] = ch;
+    rbuf[i]=0;
+    return i;
+}
+
+int ringbuf::getch(int *ch) {
+    int rv = 0;
+    if (count > 0) {
+        if (tail==marked) {
+            rv = 2;
+            marked = -1;
+        }
+        else rv = 1;
+        *ch = (unsigned char) buf[tail++];
+        if (tail>=size) tail -= size;
+        count--;
+    }
+    return rv;   /* 0 = no more chars available */
+}
+
+void ringbuf::ungetch(int ch) {
+    int x = tail;
+    x--;
+    if (x<0) x += size;
+    int och = buf[x];   /* avoid sign-extension and other such problems */
+    if ((och&0xff) == (ch&0xff)) {
+        tail = x;
+        count++;
+    }
+    else {
+        //assert(!"Bad ungetch");
+        tail = x;
+        count++;
+    }
+}
+
+/*
+ * Return value:
+ *   -2: Significant error occurred.
+ *   -1: No useful work done, data waiting to go out.
+ *    0: No data was waiting, so nothing was done.
+ *    1: All waiting data was written out.
+ *    n: Some data written, n-1 bytes left.
+ */
+int ringbuf::flush() {
+    assert(binding);
+    assert(count>=0);
+    if (count==0) return 0;
+    
+    static int busy=0;
+    if (busy) {
+        return -1;
+    }
+    busy=1;
+
+    /* should always be true */
+    assert(((size+head-tail)%size)==count);
+
+    while (count > 0) {
+        int bot = tail;
+        int top = head;
+        if (top < bot) top = size;
+        if (marked > bot) top = marked;
+        assert(top-bot > 0 && top-bot <= count);
+
+        int n;
+        if (marked==bot) n = binding->writeurg(buf+bot, top-bot);
+        else n = binding->write(buf+bot, top-bot);
+        if (n < 0) { busy=0; return -2; }
+        else if (n==0) { busy=0; return -1; }
+        
+        if (marked==bot) marked = -1;
+        tail += n;
+        if (tail >= size) tail -= size;
+        count -= n;
+        assert(((size+head-tail)%size)==count);
+        
+        if (n > 0 && n < top-bot) { busy=0; return n+1; }
+        /* otherwise (if we wrote all data) loop */
+    }
+    assert(((size+head-tail)%size)==count);
+    busy=0;
+    return 1;
+}
+
+
+/////////////////////////////////////////////////// supply //////////////
+
+void ringbuf::printf(const char *format, ...) {
+    char xbuf[256];
+    va_list ap;
+    va_start(ap, format);
+    int l = vsnprintf(xbuf, sizeof(xbuf), format, ap);
+    va_end(ap);
+    write(xbuf, l);
+}
+
+void ringbuf::write(const char *buffer, int ct) {
+    if (ct > size - count) {
+        // Oops. We're about to overflow our buffer.
+        // In practice this shouldn't ever actually happen.
+        // We could return a short count, but then we'd have to check
+        // and retry every call, which ranges somewhere between painful
+        // and impossible.
+        // Instead, we drop the data on the floor. This should only happen 
+        // if (1) the tty hangs, (2) the network hangs while we're trying 
+        // to send large volumes of data, or (3) massive internal logic errors.
+        fprintf(stderr, "\n\ntelnet: buffer overflow, losing data, sorry\n");
+        ct = size - count;
+    }
+    for (int i=0; i<ct; i++) {
+        buf[head++] = buffer[i];
+        if (head>=size) head -= size;
+        count++;
+    }
+}
+
+int ringbuf::read_source() {
+    int bot = head;
+    int top = tail-1; /* leave room for an ungetc */
+    if (top<0) top += size;
+    if (top < bot) top = size;
+
+    if (top==bot) return 0;
+
+    int l = srcbinding->read(buf+bot, top-bot);
+    if (l>=0) {
+        head += l;
+        if (head>=size) head -= size;
+        count += l;
+    }
+    if (l==0) l = -1;
+    return l;
+}
diff --git a/exploits/7350855-netkit/netkit-telnet-0.16/telnet/ring.h b/exploits/7350855-netkit/netkit-telnet-0.16/telnet/ring.h
new file mode 100644
index 0000000..15d3f3f
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.16/telnet/ring.h
@@ -0,0 +1,111 @@
+/*
+ * Copyright (c) 1988 Regents of the University of California.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *      This product includes software developed by the University of
+ *      California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *      from: @(#)ring.h        5.2 (Berkeley) 3/1/91
+ *      $Id: ring.h,v 1.13 1996/08/13 08:43:28 dholland Exp $
+ */
+
+class datasink {
+ public:
+    virtual ~datasink() {}
+    virtual int write(const char *buf, int len) = 0;
+    virtual int writeurg(const char *buf, int len) = 0;
+};
+
+/*
+ * This defines a structure for a ring buffer.
+ */
+class ringbuf {
+ public:
+    class source {
+     public:
+        virtual ~source() {}
+        virtual int read(char *buf, int len) = 0;
+    };
+ protected:
+    datasink *binding;
+    source *srcbinding;
+
+    char *buf;
+    int size;   /* total size of buffer */
+    int head;   /* next input character goes here */
+    int tail;   /* next output character comes from here */
+    int count;  /* chars presently stored in buffer */
+    // The buffer is empty when head==tail.
+
+    int marked;   /* this character is marked */
+
+ public:
+    /////// consume end
+
+    // manual consume
+    int gets(char *buf, int max);
+    int getch(int *ch);
+    void ungetch(int ch);
+    int full_count() {
+        return count;
+    }
+
+    // automatic consume
+    int flush();
+
+    /////// supply end
+
+    // manual supply
+    void putch(char c) { write(&c, 1); }
+    void write(const char *buffer, int ct);
+    void printf(const char *format, ...);
+    int empty_count() { return size - count; }
+
+    // automatic supply
+    int read_source();
+
+    /////// others
+    void clear_mark() { marked = -1; }
+    void set_mark() { marked = head; }
+
+    int init(int size, datasink *sink, source *src);
+
+    datasink *setsink(datasink *nu) {
+        datasink *old = binding;
+        binding = nu;
+        return old;
+    }
+
+};
+
+extern datasink *netsink, *ttysink, *nullsink;
+extern ringbuf::source *netsrc, *ttysrc;
+
+#define NETADD(c)       { netoring.putch(c); }
+#define NET2ADD(c1,c2)  { NETADD(c1); NETADD(c2); }
+
diff --git a/exploits/7350855-netkit/netkit-telnet-0.16/telnet/ring.o b/exploits/7350855-netkit/netkit-telnet-0.16/telnet/ring.o
new file mode 100644
index 0000000..65d6c92
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.16/telnet/ring.o
diff --git a/exploits/7350855-netkit/netkit-telnet-0.16/telnet/sys_bsd.cc b/exploits/7350855-netkit/netkit-telnet-0.16/telnet/sys_bsd.cc
new file mode 100644
index 0000000..63f89e9
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.16/telnet/sys_bsd.cc
@@ -0,0 +1,406 @@
+/*
+ * Copyright (c) 1988, 1990 Regents of the University of California.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *      This product includes software developed by the University of
+ *      California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/*
+ * From: @(#)sys_bsd.c  5.2 (Berkeley) 3/1/91
+ */
+char bsd_rcsid[] = 
+  "$Id: sys_bsd.cc,v 1.24 1999/09/28 16:29:24 dholland Exp $";
+
+/*
+ * The following routines try to encapsulate what is system dependent
+ * (at least between 4.x and dos) which is used in telnet.c.
+ */
+
+#include <fcntl.h>
+#include <sys/types.h>
+#include <sys/time.h>
+#include <sys/socket.h>
+#include <signal.h>
+#include <errno.h>
+#include <unistd.h>
+#include <stdlib.h>
+#include <sys/ioctl.h>
+#include <arpa/telnet.h>
+
+#include "ring.h"
+
+#include "defines.h"
+#include "externs.h"
+#include "types.h"
+#include "proto.h"
+#include "netlink.h"
+#include "terminal.h"
+
+static fd_set ibits, obits, xbits;
+
+void init_sys(void)
+{
+    tlink_init();
+    FD_ZERO(&ibits);
+    FD_ZERO(&obits);
+    FD_ZERO(&xbits);
+
+    errno = 0;
+}
+
+
+#ifdef  KLUDGELINEMODE
+extern int kludgelinemode;
+#endif
+/*
+ * TerminalSpecialChars()
+ *
+ * Look at an input character to see if it is a special character
+ * and decide what to do.
+ *
+ * Output:
+ *
+ *      0       Don't add this character.
+ *      1       Do add this character
+ */
+
+void intp(), sendbrk(), sendabort();
+
+int
+TerminalSpecialChars(int c)
+{
+    void xmitAO(), xmitEL(), xmitEC();
+
+    if (c == termIntChar) {
+        intp();
+        return 0;
+    } else if (c == termQuitChar) {
+#ifdef  KLUDGELINEMODE
+        if (kludgelinemode)
+            sendbrk();
+        else
+#endif
+            sendabort();
+        return 0;
+    } else if (c == termEofChar) {
+        if (my_want_state_is_will(TELOPT_LINEMODE)) {
+            sendeof();
+            return 0;
+        }
+        return 1;
+    } else if (c == termSuspChar) {
+        sendsusp();
+        return(0);
+    } else if (c == termFlushChar) {
+        xmitAO();               /* Transmit Abort Output */
+        return 0;
+    } else if (!MODE_LOCAL_CHARS(globalmode)) {
+        if (c == termKillChar) {
+            xmitEL();
+            return 0;
+        } else if (c == termEraseChar) {
+            xmitEC();           /* Transmit Erase Character */
+            return 0;
+        }
+    }
+    return 1;
+}
+
+
+
+cc_t *tcval(int func) {
+    switch(func) {
+    case SLC_IP:        return(&termIntChar);
+    case SLC_ABORT:     return(&termQuitChar);
+    case SLC_EOF:       return(&termEofChar);
+    case SLC_EC:        return(&termEraseChar);
+    case SLC_EL:        return(&termKillChar);
+    case SLC_XON:       return(&termStartChar);
+    case SLC_XOFF:      return(&termStopChar);
+    case SLC_FORW1:     return(&termForw1Char);
+    case SLC_FORW2:     return(&termForw2Char);
+#ifdef  VDISCARD
+    case SLC_AO:        return(&termFlushChar);
+#endif
+#ifdef  VSUSP
+    case SLC_SUSP:      return(&termSuspChar);
+#endif
+#ifdef  VWERASE
+    case SLC_EW:        return(&termWerasChar);
+#endif
+#ifdef  VREPRINT
+    case SLC_RP:        return(&termRprntChar);
+#endif
+#ifdef  VLNEXT
+    case SLC_LNEXT:     return(&termLiteralNextChar);
+#endif
+#ifdef  VSTATUS
+    case SLC_AYT:       return(&termAytChar);
+#endif
+
+    case SLC_SYNCH:
+    case SLC_BRK:
+    case SLC_EOR:
+    default:
+        return NULL;
+    }
+}
+
+#if defined(TN3270)
+void NetSigIO(int fd, int onoff) {
+    ioctl(fd, FIOASYNC, (char *)&onoff);        /* hear about input */
+}
+
+void NetSetPgrp(int fd) {
+    int myPid;
+
+    myPid = getpid();
+    fcntl(fd, F_SETOWN, myPid);
+}
+#endif  /*defined(TN3270)*/
+
+/*
+ * Various signal handling routines.
+ */
+
+#if 0
+static void deadpeer(int /*sig*/) {
+    setcommandmode();
+    siglongjmp(peerdied, -1);
+}
+
+static void intr(int /*sig*/) {
+    if (localchars) {
+        intp();
+    }
+    else {
+        setcommandmode();
+        siglongjmp(toplevel, -1);
+    }
+}
+
+static void intr2(int /*sig*/) {
+    if (localchars) {
+#ifdef  KLUDGELINEMODE
+        if (kludgelinemode)
+            sendbrk();
+        else
+#endif
+            sendabort();
+        return;
+    }
+}
+#endif
+
+#ifdef  SIGWINCH
+static void sendwin(int /*sig*/) {
+    if (connected) {
+        sendnaws();
+    }
+}
+#endif
+
+#ifdef  SIGINFO
+void ayt(int sig) {
+    (void)sig;
+
+    if (connected)
+        sendayt();
+    else
+        ayt_status(0);
+}
+#endif
+
+void sys_telnet_init(void) {
+#if 0
+    signal(SIGINT, intr);
+    signal(SIGQUIT, intr2);
+    signal(SIGPIPE, deadpeer);
+#endif
+#ifdef  SIGWINCH
+    signal(SIGWINCH, sendwin);
+#endif
+#ifdef  SIGINFO
+    signal(SIGINFO, ayt);
+#endif
+
+    setconnmode(0);
+
+    nlink.nonblock(1);
+
+#if defined(TN3270)
+    if (noasynchnet == 0) {                     /* DBX can't handle! */
+        NetSigIO(net, 1);
+        NetSetPgrp(net);
+    }
+#endif  /* defined(TN3270) */
+
+    nlink.oobinline();
+}
+
+/*
+ * Process rings -
+ *
+ *      This routine tries to fill up/empty our various rings.
+ *
+ *      The parameter specifies whether this is a poll operation,
+ *      or a block-until-something-happens operation.
+ *
+ *      The return value is 1 if something happened, 0 if not.
+ */
+
+int process_rings(int netin, int netout, int netex, int ttyin, int ttyout, 
+                  int poll /* If 0, then block until something to do */)
+{
+    register int c, maxfd;
+                /* One wants to be a bit careful about setting returnValue
+                 * to one, since a one implies we did some useful work,
+                 * and therefore probably won't be called to block next
+                 * time (TN3270 mode only).
+                 */
+    int returnValue = 0;
+    static struct timeval TimeValue = { 0, 0 };
+    
+    int net = nlink.getfd();
+    int tin = tlink_getifd();
+    int tout = tlink_getofd();
+
+    if (netout) {
+        FD_SET(net, &obits);
+    } 
+    if (ttyout) {
+        FD_SET(tout, &obits);
+    }
+    if (ttyin) {
+        FD_SET(tin, &ibits);
+    }
+    if (netin) {
+        FD_SET(net, &ibits);
+    }
+    if (netex) {
+        FD_SET(net, &xbits);
+    }
+
+    maxfd = net;
+    if (maxfd < tin) maxfd=tin;
+    if (maxfd < tout) maxfd=tout;
+
+    if ((c = select(maxfd+1, &ibits, &obits, &xbits,
+                        (poll == 0)? (struct timeval *)0 : &TimeValue)) < 0) {
+        if (c == -1) {
+                    /*
+                     * we can get EINTR if we are in line mode,
+                     * and the user does an escape (TSTP), or
+                     * some other signal generator.
+                     */
+            if (errno == EINTR) {
+                return 0;
+            }
+#if defined(TN3270)
+                    /*
+                     * we can get EBADF if we were in transparent
+                     * mode, and the transcom process died.
+                    */
+            if (errno == EBADF) {
+                        /*
+                         * zero the bits (even though kernel does it)
+                         * to make sure we are selecting on the right
+                         * ones.
+                        */
+                FD_ZERO(&ibits);
+                FD_ZERO(&obits);
+                FD_ZERO(&xbits);
+                return 0;
+            }
+#endif /* TN3270 */
+                    /* I don't like this, does it ever happen? */
+            printf("sleep(5) from telnet, after select\r\n");
+            sleep(5);
+        }
+        return 0;
+    }
+
+    /*
+     * Any urgent data?
+     */
+    if (FD_ISSET(net, &xbits)) {
+        FD_CLR(net, &xbits);
+        SYNCHing = 1;
+        (void) ttyflush(1);     /* flush already enqueued data */
+    }
+
+    /*
+     * Should flush output buffers first to make room for new input. --okir
+     */
+    if (FD_ISSET(net, &obits)) {
+        FD_CLR(net, &obits);
+        returnValue |= netflush();
+    }
+    if (FD_ISSET(tout, &obits)) {
+        FD_CLR(tout, &obits);
+        returnValue |= (ttyflush(SYNCHing|flushout) > 0);
+    }
+
+    /*
+     * Something to read from the network...
+     */
+    if (FD_ISSET(net, &ibits)) {
+        /* hacks for systems without SO_OOBINLINE removed */
+
+        FD_CLR(net, &ibits);
+        /* Only call network input routine if there is room. Otherwise
+         * we will try a 0 byte read, which we happily interpret as the
+         * server having dropped the connection...
+         * NB the input routine reserves 1 byte for ungetc.
+         *                              12.3.97 --okir */
+        returnValue = 1;
+        if (netiring.empty_count() > 1) {
+                c = netiring.read_source();
+                if (c <= 0)
+                    return -1;
+                else if (c == 0)
+                    returnValue = 0;
+        }
+    }
+
+    /*
+     * Something to read from the tty...
+     */
+    if (FD_ISSET(tin, &ibits)) {
+        FD_CLR(tin, &ibits);
+        c = ttyiring.read_source();
+        if (c < 0) {
+            return -1;
+        }
+        else if (c==0) returnValue = 0;
+        else returnValue = 1;           /* did something useful */
+    }
+
+    return returnValue;
+}
diff --git a/exploits/7350855-netkit/netkit-telnet-0.16/telnet/sys_bsd.o b/exploits/7350855-netkit/netkit-telnet-0.16/telnet/sys_bsd.o
new file mode 100644
index 0000000..3542c01
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.16/telnet/sys_bsd.o
diff --git a/exploits/7350855-netkit/netkit-telnet-0.16/telnet/telnet b/exploits/7350855-netkit/netkit-telnet-0.16/telnet/telnet
new file mode 100644
index 0000000..fb88784
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.16/telnet/telnet
diff --git a/exploits/7350855-netkit/netkit-telnet-0.16/telnet/telnet.1 b/exploits/7350855-netkit/netkit-telnet-0.16/telnet/telnet.1
new file mode 100644
index 0000000..543d794
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.16/telnet/telnet.1
@@ -0,0 +1,1263 @@
+.\" Copyright (c) 1983, 1990 The Regents of the University of California.
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 3. All advertising materials mentioning features or use of this software
+.\"    must display the following acknowledgement:
+.\"     This product includes software developed by the University of
+.\"     California, Berkeley and its contributors.
+.\" 4. Neither the name of the University nor the names of its contributors
+.\"    may be used to endorse or promote products derived from this software
+.\"    without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\"     from: @(#)telnet.1      6.16 (Berkeley) 7/27/91
+.\"     $Id: telnet.1,v 1.10 1999/12/14 12:53:02 dholland Exp $
+.\"
+.Dd August 15, 1999
+.Dt TELNET 1
+.Os "Linux NetKit (0.16)"
+.Sh NAME
+.Nm telnet
+.Nd user interface to the 
+.Tn TELNET
+protocol
+.Sh SYNOPSIS
+.Nm telnet
+.Op Fl 8ELadr
+.Op Fl S Ar tos
+.Op Fl e Ar escapechar
+.Op Fl l Ar user
+.Op Fl n Ar tracefile
+.Oo
+.Ar host
+.Op Ar port
+.Oc
+.Sh DESCRIPTION
+The
+.Nm telnet
+command
+is used for interactive communication with another host using the 
+.Tn TELNET
+protocol. It begins in command mode, where it prints a telnet prompt 
+("telnet\&> "). If
+.Nm telnet
+is invoked with a
+.Ar host
+argument, it performs an
+.Ic open
+command implicitly; see the description below.
+.Pp
+Options:
+.Bl -tag -width indent
+.It Fl 8
+Request 8-bit operation. This causes an attempt to negotiate the
+.Dv TELNET BINARY
+option for both input and output. By default telnet is not 8-bit
+clean. 
+.It Fl E
+Disables the escape character functionality; that is, sets the escape
+character to ``no character''.
+.It Fl L
+Specifies an 8-bit data path on output.  This causes the 
+.Dv TELNET BINARY 
+option to be negotiated on just output.
+.It Fl a
+Attempt automatic login.  Currently, this sends the user name via the
+.Ev USER
+variable
+of the
+.Ev ENVIRON
+option if supported by the remote system. The username is retrieved
+via
+.Xr getlogin 3 .
+.It Fl d
+Sets the initial value of the
+.Ic debug
+toggle to
+.Dv TRUE.
+.It Fl r
+Emulate 
+.Xr rlogin 1 .
+In this mode, the default escape character is a tilde. Also, the
+interpretation of the escape character is changed: an escape character
+followed by a dot causes
+.Nm telnet 
+to disconnect from the remote host. A ^Z instead of a dot suspends
+.Nm telnet ,
+and a ^] (the default
+.Nm telnet
+escape character) generates a normal telnet prompt. These codes are
+accepted only at the beginning of a line. 
+.It Fl S Ar tos
+Sets the IP type-of-service (TOS) option for the telnet
+connection to the value
+.Ar tos .
+.It Fl e Ar escapechar
+Sets the escape character to
+.Ar escapechar.
+If no character is supplied, no escape character will be used.
+Entering the escape character while connected causes telnet to drop to
+command mode.
+.It Fl l Ar user
+Specify 
+.Ar user
+as the user to log in as on the remote system. This is accomplished by
+sending the specified name as the 
+.Dv USER
+environment variable, so it requires that the remote system support the
+.Ev TELNET ENVIRON
+option. This option implies the
+.Fl a
+option, and may also be used with the
+.Ic open
+command.
+.It Fl n Ar tracefile
+Opens
+.Ar tracefile
+for recording trace information.
+See the
+.Ic set tracefile
+command below.
+.It Ar host
+Specifies a host to contact over the network.
+.It Ar port
+Specifies a port number or service name to contact. If not specified,
+the 
+.Nm telnet
+port (23) is used.
+.El
+.Pp
+Protocol:
+.Pp
+Once a connection has been opened,
+.Nm telnet
+will attempt to enable the
+.Dv TELNET LINEMODE
+option.
+If this fails, then
+.Nm telnet
+will revert to one of two input modes:
+either \*(Lqcharacter at a time\*(Rq
+or \*(Lqold line by line\*(Rq
+depending on what the remote system supports.
+.Pp
+When 
+.Dv LINEMODE
+is enabled, character processing is done on the
+local system, under the control of the remote system.  When input
+editing or character echoing is to be disabled, the remote system
+will relay that information.  The remote system will also relay
+changes to any special characters that happen on the remote
+system, so that they can take effect on the local system.
+.Pp
+In \*(Lqcharacter at a time\*(Rq mode, most
+text typed is immediately sent to the remote host for processing.
+.Pp
+In \*(Lqold line by line\*(Rq mode, all text is echoed locally,
+and (normally) only completed lines are sent to the remote host.
+The \*(Lqlocal echo character\*(Rq (initially \*(Lq^E\*(Rq) may be used
+to turn off and on the local echo
+(this would mostly be used to enter passwords
+without the password being echoed).
+.Pp
+If the 
+.Dv LINEMODE
+option is enabled, or if the
+.Ic localchars
+toggle is
+.Dv TRUE
+(the default for \*(Lqold line by line\*(Lq; see below),
+the user's
+.Ic quit  ,
+.Ic intr ,
+and
+.Ic flush
+characters are trapped locally, and sent as
+.Tn TELNET
+protocol sequences to the remote side.
+If 
+.Dv LINEMODE
+has ever been enabled, then the user's
+.Ic susp
+and
+.Ic eof
+are also sent as
+.Tn TELNET
+protocol sequences,
+and
+.Ic quit
+is sent as a 
+.Dv TELNET ABORT
+instead of 
+.Dv BREAK
+There are options (see
+.Ic toggle
+.Ic autoflush
+and
+.Ic toggle
+.Ic autosynch
+below)
+which cause this action to flush subsequent output to the terminal
+(until the remote host acknowledges the
+.Tn TELNET
+sequence) and flush previous terminal input
+(in the case of
+.Ic quit
+and
+.Ic intr  ) .
+.Pp
+Commands:
+.Pp
+The following
+.Nm telnet
+commands are available. Unique prefixes are understood as abbreviations.
+.Pp
+.Bl -tag -width "mode type"
+.It Ic auth Ar argument ... 
+The
+.Ic auth
+command controls the
+.Dv TELNET AUTHENTICATE
+protocol option.  If 
+.Nm telnet
+was compiled without authentication, the 
+.Ic auth
+command will not be supported. 
+Valid arguments are as follows:
+.Bl -tag -width "disable type"
+.It Ic disable Ar type
+Disable the specified type of authentication.  To
+obtain a list of available types, use the
+.Ic auth disable \&?
+command.
+.It Ic enable Ar type
+Enable the specified type of authentication.  To
+obtain a list of available types, use the
+.Ic auth enable \&?
+command.
+.It Ic status
+List the current status of the various types of
+authentication.
+.El
+.Pp
+Note that the current version of 
+.Nm telnet
+does not support authentication.
+.It Ic close
+Close the connection to the remote host, if any, and return to command
+mode.
+.It Ic display Ar argument ... 
+Display all, or some, of the
+.Ic set
+and
+.Ic toggle
+values (see below).
+.It Ic encrypt Ar argument ...
+The encrypt command controls the
+.Dv TELNET ENCRYPT
+protocol option. If 
+.Nm telnet
+was compiled without encryption, the
+.Ic encrypt
+command will not be supported. 
+.Pp
+Valid arguments are as follows:
+.Bl -tag -width Ar
+.It Ic disable Ar type Ic [input|output]
+Disable the specified type of encryption.  If you do not specify input
+or output, encryption of both is disabled.  To obtain a list of
+available types, use ``encrypt disable \&?''.
+.It Ic enable Ar type Ic [input|output]
+Enable the specified type of encryption.  If you do not specify input
+or output, encryption of both is enabled.  To obtain a list of
+available types, use ``encrypt enable \&?''.
+.It Ic input
+This is the same as ``encrypt start input''.
+.It Ic -input
+This is the same as ``encrypt stop input''.
+.It Ic output
+This is the same as ``encrypt start output''.
+.It Ic -output
+This is the same as ``encrypt stop output''.
+.It Ic start Ic [input|output]
+Attempt to begin encrypting.  If you do not specify input or output, 
+encryption of both input and output is started. 
+.It Ic status
+Display the current status of the encryption module.
+.It Ic stop Ic [input|output]
+Stop encrypting.  If you do not specify input or output, encryption of
+both is stopped.
+.It Ic type Ar type
+Sets the default type of encryption to be used with later ``encrypt start''
+or ``encrypt stop'' commands.
+.El
+.Pp
+Note that the current version of 
+.Nm telnet
+does not support encryption.
+.It Ic environ Ar arguments... 
+The
+.Ic environ
+command is used to propagate environment variables across the 
+.Nm telnet
+link using the
+.Dv TELNET ENVIRON
+protocol option.
+All variables exported from the shell are defined, but only the 
+.Ev DISPLAY
+and
+.Ev PRINTER
+variables are marked to be sent by default.  The
+.Ev USER
+variable is marked to be sent if the
+.Fl a
+or 
+.Fl l
+command-line options were used.
+.Pp
+Valid arguments for the
+.Ic environ
+command are:
+.Bl -tag -width Fl
+.It Ic define Ar variable value 
+Define the variable
+.Ar variable
+to have a value of
+.Ar value.
+Any variables defined by this command are automatically marked for
+propagation (``exported'').
+The
+.Ar value
+may be enclosed in single or double quotes so
+that tabs and spaces may be included.
+.It Ic undefine Ar variable 
+Remove any existing definition of
+.Ar variable .
+.It Ic export Ar variable 
+Mark the specified variable for propagation to the remote host.
+.It Ic unexport Ar variable 
+Do not mark the specified variable for propagation to the remote
+host. The remote host may still ask explicitly for variables that are
+not exported.
+.It Ic list
+List the current set of environment variables.
+Those marked with a
+.Cm *
+will be propagated to the remote host. The remote host may still ask
+explicitly for the rest.
+.It Ic \&?
+Prints out help information for the
+.Ic environ
+command.
+.El
+.It Ic logout
+Send the
+.Dv TELNET LOGOUT
+protocol option to the remote host.
+This command is similar to a
+.Ic close
+command. If the remote host does not support the
+.Dv LOGOUT
+option, nothing happens.  But if it does, this command should cause it
+to close the connection.  If the remote side also supports the concept
+of suspending a user's session for later reattachment, the logout
+command indicates that the session should be terminated immediately.
+.It Ic mode Ar type 
+.Ar Type
+is one of several options, depending on the state of the session.
+.Tn Telnet
+asks the remote host to go into the requested mode. If the remote host
+says it can, that mode takes effect.
+.Bl -tag -width Ar
+.It Ic character
+Disable the
+.Dv TELNET LINEMODE
+option, or, if the remote side does not understand the
+.Dv LINEMODE
+option, then enter \*(Lqcharacter at a time\*(Lq mode.
+.It Ic line
+Enable the
+.Dv TELNET LINEMODE
+option, or, if the remote side does not understand the
+.Dv LINEMODE
+option, then attempt to enter \*(Lqold-line-by-line\*(Lq mode.
+.It Ic isig Pq Ic \-isig 
+Attempt to enable (disable) the 
+.Dv TRAPSIG
+mode of the 
+.Dv LINEMODE
+option.
+This requires that the 
+.Dv LINEMODE
+option be enabled.
+.It Ic edit Pq Ic \-edit 
+Attempt to enable (disable) the 
+.Dv EDIT
+mode of the 
+.Dv LINEMODE
+option.
+This requires that the 
+.Dv LINEMODE
+option be enabled.
+.It Ic softtabs Pq Ic \-softtabs 
+Attempt to enable (disable) the 
+.Dv SOFT_TAB
+mode of the 
+.Dv LINEMODE
+option.
+This requires that the 
+.Dv LINEMODE
+option be enabled.
+.It Ic litecho Pq Ic \-litecho 
+Attempt to enable (disable) the 
+.Dv LIT_ECHO
+mode of the 
+.Dv LINEMODE
+option.
+This requires that the 
+.Dv LINEMODE
+option be enabled.
+.It Ic \&?
+Prints out help information for the
+.Ic mode
+command.
+.El
+.It Xo
+.Ic open Ar host
+.Oo Op Fl l
+.Ar user
+.Oc Ns Oo Fl
+.Ar port Oc
+.Xc
+Open a connection to the named host.  If no port number is specified,
+.Nm telnet
+will attempt to contact a
+.Tn telnet
+daemon at the standard port (23).
+The host specification may be a host name or IP address.
+The
+.Fl l
+option may be used to specify a user name to be passed to the remote
+system, like the
+.Fl l
+command-line option.
+.Pp
+When connecting to ports other than the 
+.Nm telnet
+port,
+.Nm telnet
+does not attempt 
+.Tn telnet
+protocol negotiations. This makes it possible to connect to services
+that do not support the
+.Tn telnet
+protocol without making a mess. Protocol negotiation can be forced by
+placing a dash before the port number.
+.Pp
+After establishing a connection, any commands associated with the
+remote host in the user's
+.Pa .telnetrc
+file are executed.
+.Pp
+The format of the .telnetrc file is as follows: Lines beginning with a
+#, and blank lines, are ignored.  The rest of the file should consist
+of hostnames and sequences of
+.Nm telnet
+commands to use with that host. Commands should be one per line,
+indented by whitespace; lines beginning without whitespace are
+interpreted as hostnames. Upon connecting to a particular host, the
+commands associated with that host are executed.
+.It Ic quit
+Close any open session and exit
+.Nm telnet .
+An end of file condition on input, when in command mode, will trigger
+this operation as well.
+.It Ic send Ar arguments 
+Send one or more special 
+.Tn telnet
+protocol character sequences to the remote host.  The following are
+the codes which may be specified (more than one may be used in one
+command):
+.Pp
+.Bl -tag -width escape
+.It Ic abort
+Sends the
+.Dv TELNET ABORT
+(Abort Processes) sequence.
+.It Ic ao
+Sends the
+.Dv TELNET AO
+(Abort Output) sequence, which should cause the remote system to flush
+all output
+.Em from
+the remote system
+.Em to
+the user's terminal.
+.It Ic ayt
+Sends the
+.Dv TELNET AYT
+(Are You There?) sequence, to which the remote system may or may not
+choose to respond.
+.It Ic brk
+Sends the
+.Dv TELNET BRK
+(Break) sequence, which may have significance to the remote
+system.
+.It Ic ec
+Sends the
+.Dv TELNET EC
+(Erase Character)
+sequence, which should cause the remote system to erase the last character
+entered.
+.It Ic el
+Sends the
+.Dv TELNET EL
+(Erase Line)
+sequence, which should cause the remote system to erase the line currently
+being entered.
+.It Ic eof
+Sends the
+.Dv TELNET EOF
+(End Of File)
+sequence.
+.It Ic eor
+Sends the
+.Dv TELNET EOR
+(End of Record)
+sequence.
+.It Ic escape
+Sends the current
+.Nm telnet
+escape character.
+.It Ic ga
+Sends the
+.Dv TELNET GA
+(Go Ahead)
+sequence, which likely has no significance to the remote system.
+.It Ic getstatus
+If the remote side supports the
+.Dv TELNET STATUS
+command,
+.Ic getstatus
+will send the subnegotiation to request that the server send
+its current option status.
+.It Ic ip
+Sends the
+.Dv TELNET IP
+(Interrupt Process) sequence, which should cause the remote
+system to abort the currently running process.
+.It Ic nop
+Sends the
+.Dv TELNET NOP
+(No Operation)
+sequence.
+.It Ic susp
+Sends the
+.Dv TELNET SUSP
+(Suspend Process)
+sequence.
+.It Ic synch
+Sends the
+.Dv TELNET SYNCH
+sequence.
+This sequence causes the remote system to discard all previously typed
+(but not yet read) input.
+This sequence is sent as
+.Tn TCP
+urgent
+data (and may not work if the remote system is a
+.Bx 4.2
+system -- if
+it doesn't work, a lower case \*(Lqr\*(Rq may be echoed on the terminal).
+.It Ic do Ar cmd
+.It Ic dont Ar cmd
+.It Ic will Ar cmd
+.It Ic wont Ar cmd
+Sends the
+.Dv TELNET DO
+.Ar cmd
+sequence.
+.Ar cmd
+can be either a decimal number between 0 and 255,
+or a symbolic name for a specific
+.Dv TELNET
+command.
+.Ar cmd
+can also be either
+.Ic help
+or
+.Ic \&?
+to print out help information, including
+a list of known symbolic names.
+.It Ic \&?
+Prints out help information for the
+.Ic send
+command.
+.El
+.It Ic set Ar argument value 
+.It Ic unset Ar argument value 
+The
+.Ic set
+command will set any one of a number of
+.Nm telnet
+variables to a specific value or to
+.Dv TRUE .
+The special value
+.Ic off
+turns off the function associated with
+the variable. This is equivalent to using the
+.Ic unset
+command.
+The
+.Ic unset
+command will disable or set to
+.Dv FALSE
+any of the specified variables.
+The values of variables may be interrogated with the
+.Ic display
+command.
+The variables which may be set or unset, but not toggled, are
+listed here.  In addition, any of the variables for the
+.Ic toggle
+command may be explicitly set or unset.
+.Bl -tag -width escape
+.It Ic ayt
+If
+.Tn telnet
+is in localchars mode, or
+.Dv LINEMODE
+is enabled, and the status character is typed, a
+.Dv TELNET AYT
+sequence is sent to the remote host.  The initial value for the "Are
+You There" character is the terminal's status character.
+.It Ic echo
+This is the value (initially \*(Lq^E\*(Rq) which, when in
+\*(Lqline by line\*(Rq mode, toggles between doing local echoing
+of entered characters (for normal processing), and suppressing
+echoing of entered characters (for entering, say, a password).
+.It Ic eof
+If
+.Nm telnet
+is operating in
+.Dv LINEMODE
+or \*(Lqold line by line\*(Rq mode, entering this character
+as the first character on a line will cause this character to be
+sent to the remote system.
+The initial value of the eof character is taken to be the terminal's
+.Ic eof
+character.
+.It Ic erase
+If
+.Nm telnet
+is in
+.Ic localchars
+mode (see
+.Ic toggle
+.Ic localchars
+below),
+.Sy and
+if
+.Nm telnet
+is operating in \*(Lqcharacter at a time\*(Rq mode, then when this
+character is typed, a
+.Dv TELNET EC
+sequence (see
+.Ic send
+.Ic ec
+above)
+is sent to the remote system.
+The initial value for the erase character is taken to be
+the terminal's
+.Ic erase
+character.
+.It Ic escape
+This is the
+.Nm telnet
+escape character (initially \*(Lq^[\*(Rq) which causes entry
+into
+.Nm telnet
+command mode (when connected to a remote system).
+.It Ic flushoutput
+If
+.Nm telnet
+is in
+.Ic localchars
+mode (see
+.Ic toggle
+.Ic localchars
+below)
+and the
+.Ic flushoutput
+character is typed, a
+.Dv TELNET AO
+sequence (see
+.Ic send
+.Ic ao
+above)
+is sent to the remote host.
+The initial value for the flush character is taken to be
+the terminal's
+.Ic flush
+character.
+.It Ic forw1
+.It Ic forw2
+If
+.Tn TELNET
+is operating in
+.Dv LINEMODE ,
+these are the
+characters that, when typed, cause partial lines to be
+forwarded to the remote system.  The initial value for
+the forwarding characters are taken from the terminal's
+eol and eol2 characters.
+.It Ic interrupt
+If
+.Nm telnet
+is in
+.Ic localchars
+mode (see
+.Ic toggle
+.Ic localchars
+below)
+and the
+.Ic interrupt
+character is typed, a
+.Dv TELNET IP
+sequence (see
+.Ic send
+.Ic ip
+above)
+is sent to the remote host.
+The initial value for the interrupt character is taken to be
+the terminal's
+.Ic intr
+character.
+.It Ic kill
+If
+.Nm telnet
+is in
+.Ic localchars
+mode (see
+.Ic toggle
+.Ic localchars
+below),
+.Ic and
+if
+.Nm telnet
+is operating in \*(Lqcharacter at a time\*(Rq mode, then when this
+character is typed, a
+.Dv TELNET EL
+sequence (see
+.Ic send
+.Ic el
+above)
+is sent to the remote system.
+The initial value for the kill character is taken to be
+the terminal's
+.Ic kill
+character.
+.It Ic lnext
+If
+.Nm telnet
+is operating in
+.Dv LINEMODE
+or \*(Lqold line by line\*(Lq mode, then this character is taken to
+be the terminal's
+.Ic lnext
+character.
+The initial value for the lnext character is taken to be
+the terminal's
+.Ic lnext
+character.
+.It Ic quit
+If
+.Nm telnet
+is in
+.Ic localchars
+mode (see
+.Ic toggle
+.Ic localchars
+below)
+and the
+.Ic quit
+character is typed, a
+.Dv TELNET BRK
+sequence (see
+.Ic send
+.Ic brk
+above)
+is sent to the remote host.
+The initial value for the quit character is taken to be
+the terminal's
+.Ic quit
+character.
+.It Ic reprint
+If
+.Nm telnet
+is operating in
+.Dv LINEMODE
+or \*(Lqold line by line\*(Lq mode, then this character is taken to
+be the terminal's
+.Ic reprint
+character.
+The initial value for the reprint character is taken to be
+the terminal's
+.Ic reprint
+character.
+.It Ic rlogin
+This is the rlogin mode escape character. Setting it enables rlogin
+mode, as with the
+.Ar r
+command-line option (q.v.)
+.It Ic start
+If the
+.Dv TELNET TOGGLE-FLOW-CONTROL
+option has been enabled,
+then this character is taken to
+be the terminal's
+.Ic start
+character.
+The initial value for the kill character is taken to be
+the terminal's
+.Ic start
+character.
+.It Ic stop
+If the
+.Dv TELNET TOGGLE-FLOW-CONTROL
+option has been enabled,
+then this character is taken to
+be the terminal's
+.Ic stop
+character.
+The initial value for the kill character is taken to be
+the terminal's
+.Ic stop
+character.
+.It Ic susp
+If
+.Nm telnet
+is in
+.Ic localchars
+mode, or
+.Dv LINEMODE
+is enabled, and the
+.Ic suspend
+character is typed, a
+.Dv TELNET SUSP
+sequence (see
+.Ic send
+.Ic susp
+above)
+is sent to the remote host.
+The initial value for the suspend character is taken to be
+the terminal's
+.Ic suspend
+character.
+.It Ic tracefile
+This is the file to which the output, caused by
+.Ic netdata
+or
+.Ic option
+tracing being
+.Dv TRUE ,
+will be written.  If it is set to
+.Dq Fl ,
+then tracing information will be written to standard output (the default).
+.It Ic worderase
+If
+.Nm telnet
+is operating in
+.Dv LINEMODE
+or \*(Lqold line by line\*(Lq mode, then this character is taken to
+be the terminal's
+.Ic worderase
+character.
+The initial value for the worderase character is taken to be
+the terminal's
+.Ic worderase
+character.
+.It Ic \&?
+Displays the legal
+.Ic set
+.Pq Ic unset
+commands.
+.El
+.It Ic slc Ar state 
+The
+.Ic slc
+command (Set Local Characters) is used to set
+or change the state of the the special
+characters when the 
+.Dv TELNET LINEMODE
+option has
+been enabled.  Special characters are characters that get
+mapped to 
+.Tn TELNET
+commands sequences (like
+.Ic ip
+or
+.Ic quit  )
+or line editing characters (like
+.Ic erase
+and
+.Ic kill  ) .
+By default, the local special characters are exported.
+.Bl -tag -width Fl
+.It Ic check
+Verify the current settings for the current special characters.
+The remote side is requested to send all the current special
+character settings, and if there are any discrepancies with
+the local side, the local side will switch to the remote value.
+.It Ic export
+Switch to the local defaults for the special characters.  The
+local default characters are those of the local terminal at
+the time when
+.Nm telnet
+was started.
+.It Ic import
+Switch to the remote defaults for the special characters.
+The remote default characters are those of the remote system
+at the time when the 
+.Tn TELNET
+connection was established.
+.It Ic \&?
+Prints out help information for the
+.Ic slc
+command.
+.El
+.It Ic status
+Show the current status of
+.Nm telnet .
+This includes the name of the remote host, if any, as well as the
+current mode.
+.It Ic toggle Ar arguments ... 
+Toggle (between
+.Dv TRUE
+and
+.Dv FALSE )
+various flags that control how
+.Nm telnet
+responds to events.
+These flags may be set explicitly to
+.Dv TRUE
+or
+.Dv FALSE
+using the
+.Ic set
+and
+.Ic unset
+commands.
+More than one flag may be toggled at once.
+The state of these flags may be examined with the
+.Ic display
+command.
+Valid flags are:
+.Bl -tag -width Ar
+.It Ic authdebug
+Turns on debugging for the authentication code. This flag only exists
+if authentication support is enabled.
+.It Ic autoflush
+If
+.Ic autoflush
+and
+.Ic localchars
+are both
+.Dv TRUE ,
+then when the
+.Ic ao  ,
+or
+.Ic quit
+characters are recognized (and transformed into
+.Tn TELNET
+sequences; see
+.Ic set
+above for details),
+.Nm telnet
+refuses to display any data on the user's terminal
+until the remote system acknowledges (via a
+.Dv TELNET TIMING MARK
+option)
+that it has processed those
+.Tn TELNET
+sequences.
+The initial value for this toggle is
+.Dv TRUE
+if the terminal user had not
+done an "stty noflsh", otherwise
+.Dv FALSE
+(see
+.Xr stty  1  ) .
+.It Ic autodecrypt
+When the
+.Dv TELNET ENCRYPT
+option is negotiated, by
+default the actual encryption (decryption) of the data
+stream does not start automatically.  The autoencrypt
+(autodecrypt) command states that encryption of the
+output (input) stream should be enabled as soon as
+possible.
+.Pp
+Note that this flag exists only if encryption support is enabled.
+.It Ic autologin
+If the remote side supports the
+.Dv TELNET AUTHENTICATION
+option,
+.Tn telnet
+attempts to use it to perform automatic authentication.  If the
+.Dv TELNET AUTHENTICATION
+option is not supported, the user's login name is propagated using the
+.Dv TELNET ENVIRON
+option.
+Setting this flag is the same as specifying the
+.Ar a
+option to the
+.Ic open
+command or on the command line.
+.It Ic autosynch
+If
+.Ic autosynch
+and
+.Ic localchars
+are both
+.Dv TRUE ,
+then when either the
+.Ic intr
+or
+.Ic quit
+characters is typed (see
+.Ic set
+above for descriptions of the
+.Ic intr
+and
+.Ic quit
+characters), the resulting
+.Tn telnet
+sequence sent is followed by the
+.Dv TELNET SYNCH
+sequence.
+This procedure
+.Ic should
+cause the remote system to begin throwing away all previously
+typed input until both of the
+.Tn telnet
+sequences have been read and acted upon.
+The initial value of this toggle is
+.Dv FALSE .
+.It Ic binary
+Enable or disable the
+.Dv TELNET BINARY
+option on both input and output.
+.It Ic inbinary
+Enable or disable the
+.Dv TELNET BINARY
+option on input.
+.It Ic outbinary
+Enable or disable the
+.Dv TELNET BINARY
+option on output.
+.It Ic crlf
+If this is
+.Dv TRUE ,
+then carriage returns will be sent as
+.Li <CR><LF> .
+If this is
+.Dv FALSE ,
+then carriage returns will be send as
+.Li <CR><NUL> .
+The initial value for this toggle is
+.Dv FALSE .
+.It Ic crmod
+Toggle carriage return mode.
+When this mode is enabled, most carriage return characters received from
+the remote host will be mapped into a carriage return followed by
+a line feed.
+This mode does not affect those characters typed by the user, only
+those received from the remote host.
+This mode is not very useful unless the remote host
+only sends carriage return, but never line feed.
+The initial value for this toggle is
+.Dv FALSE .
+.It Ic debug
+Toggles socket level debugging (useful only to the
+.Ic super user ) .
+The initial value for this toggle is
+.Dv FALSE .
+.It Ic encdebug
+Turns on debugging information for the encryption code.
+Note that this flag only exists if encryption support is available.
+.It Ic localchars
+If this is
+.Dv TRUE ,
+then the
+.Ic flush  ,
+.Ic interrupt ,
+.Ic quit  ,
+.Ic erase ,
+and
+.Ic kill
+characters (see
+.Ic set
+above) are recognized locally, and transformed into (hopefully) appropriate
+.Tn TELNET
+control sequences
+(respectively
+.Ic ao  ,
+.Ic ip ,
+.Ic brk  ,
+.Ic ec ,
+and
+.Ic el  ;
+see
+.Ic send
+above).
+The initial value for this toggle is
+.Dv TRUE
+in \*(Lqold line by line\*(Rq mode,
+and
+.Dv FALSE
+in \*(Lqcharacter at a time\*(Rq mode.
+When the
+.Dv LINEMODE
+option is enabled, the value of
+.Ic localchars
+is ignored, and assumed to always be
+.Dv TRUE .
+If
+.Dv LINEMODE
+has ever been enabled, then
+.Ic quit
+is sent as
+.Ic abort  ,
+and
+.Ic eof and
+.B suspend
+are sent as
+.Ic eof and
+.Ic susp ,
+see
+.Ic send
+above).
+.It Ic netdata
+Toggles the display of all network data (in hexadecimal format).
+The initial value for this toggle is
+.Dv FALSE .
+.It Ic options
+Toggles the display of some internal
+.Nm telnet
+protocol processing (having to do with
+.Tn telnet
+options).
+The initial value for this toggle is
+.Dv FALSE .
+.It Ic prettydump
+When the
+.Ic netdata
+toggle is enabled, if
+.Ic prettydump
+is enabled the output from the
+.Ic netdata
+command will be formatted in a more user-readable format.
+Spaces are put between each character in the output, and the
+beginning of
+.Tn telnet
+escape sequences are preceded by a '*' to aid in locating them.
+.It Ic skiprc
+When the skiprc toggle is
+.Dv TRUE ,
+.Tn telnet
+does not read the 
+.Pa \&.telnetrc
+file.  The initial value for this toggle is
+.Dv FALSE.
+.It Ic termdata
+Toggles the display of all terminal data (in hexadecimal format).
+The initial value for this toggle is
+.Dv FALSE .
+.It Ic verbose_encrypt
+When the
+.Ic verbose_encrypt
+toggle is
+.Dv TRUE ,
+.Tn TELNET
+prints out a message each time encryption is enabled or
+disabled.  The initial value for this toggle is
+.Dv FALSE.
+This flag only exists if encryption support is available.
+.It Ic \&?
+Displays the legal
+.Ic toggle
+commands.
+.El
+.It Ic z
+Suspend
+.Nm telnet  .
+This command only works when the user is using the
+.Xr csh  1  .
+.It Ic \&! Op Ar command 
+Execute a single command in a subshell on the local
+system.  If
+.Ic command
+is omitted, then an interactive subshell is invoked.
+.It Ic \&? Op Ar command 
+Get help.  With no arguments,
+.Nm telnet
+prints a help summary.
+If a command is specified,
+.Nm telnet
+will print the help information for just that command.
+.El
+.Sh ENVIRONMENT
+.Nm Telnet
+uses at least the
+.Ev HOME ,
+.Ev SHELL ,
+.Ev DISPLAY ,
+and
+.Ev TERM
+environment variables.
+Other environment variables may be propagated
+to the other side via the
+.Dv TELNET ENVIRON
+option.
+.Sh FILES
+.Bl -tag -width ~/.telnetrc -compact
+.It Pa ~/.telnetrc
+user customized telnet startup values
+.El
+.Sh HISTORY
+The
+.Nm Telnet
+command appeared in
+.Bx 4.2 .
+.Sh NOTES
+.Pp
+On some remote systems, echo has to be turned off manually when in
+\*(Lqold line by line\*(Rq mode.
+.Pp
+In \*(Lqold line by line\*(Rq mode or 
+.Dv LINEMODE
+the terminal's
+.Ic eof
+character is only recognized (and sent to the remote system)
+when it is the first character on a line.
+.Sh BUGS
+The source code is not comprehensible.
diff --git a/exploits/7350855-netkit/netkit-telnet-0.16/telnet/telnet.cc b/exploits/7350855-netkit/netkit-telnet-0.16/telnet/telnet.cc
new file mode 100644
index 0000000..7a68259
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.16/telnet/telnet.cc
@@ -0,0 +1,2069 @@
+/*
+ * Copyright (c) 1988, 1990 Regents of the University of California.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *      This product includes software developed by the University of
+ *      California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/*
+ * From: @(#)telnet.c   5.53 (Berkeley) 3/22/91
+ */
+char telnet_rcsid[] = 
+"$Id: telnet.cc,v 1.34 1999/08/19 09:34:15 dholland Exp $";
+
+#include <string.h>
+#include <sys/types.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <signal.h>
+
+#include <arpa/telnet.h>
+
+#include <ctype.h>
+
+#include "ring.h"
+#include "defines.h"
+#include "externs.h"
+#include "types.h"
+#include "environ.h"
+#include "proto.h"
+#include "ptrarray.h"
+#include "netlink.h"
+#include "terminal.h"
+
+/*
+ * Due to lossage in some linux distributions/kernel releases/libc versions
+ * this must come *after* termios.h (which is included in externs.h)
+ */
+#include <termcap.h>
+
+#ifdef USE_NCURSES
+#include <term.h>
+#endif
+
+
+#define strip(x)        ((x)&0x7f)
+
+static unsigned char subbuffer[SUBBUFSIZE];
+static unsigned char *subpointer, *subend;       /* buffer for sub-options */
+#define SB_CLEAR()      subpointer = subbuffer;
+#define SB_TERM()       { subend = subpointer; SB_CLEAR(); }
+#define SB_ACCUM(c)     if (subpointer < (subbuffer+sizeof subbuffer)) { \
+  *subpointer++ = (c); \
+                         }
+
+#define SB_GET()        (*subpointer++)
+#define SB_PEEK()       (*subpointer)
+#define SB_EOF()        (subpointer >= subend)
+#define SB_LEN()        (subend - subpointer)
+
+char    options[256];           /* The combined options */
+char    do_dont_resp[256];
+char    will_wont_resp[256];
+
+int
+eight = 0,
+  autologin = 0,        /* Autologin anyone? */
+  skiprc = 0,
+  connected,
+  showoptions,
+  In3270,               /* Are we in 3270 mode? */
+  ISend,                /* trying to send network data in */
+  debug = 0,
+  crmod,
+  crlf,         /* Should '\r' be mapped to <CR><LF> (or <CR><NUL>)? */
+#if     defined(TN3270)
+  noasynchtty = 0,/* User specified "-noasynch" on command line */
+  noasynchnet = 0,/* User specified "-noasynch" on command line */
+  askedSGA = 0, /* We have talked about suppress go ahead */
+#endif  /* defined(TN3270) */
+  telnetport,
+  SYNCHing,     /* we are in TELNET SYNCH mode */
+  flushout,     /* flush output */
+  autoflush = 0,        /* flush output when interrupting? */
+  autosynch,    /* send interrupt characters with SYNCH? */
+  localflow,    /* we handle flow control locally */
+  localchars,   /* we recognize interrupt/quit */
+  donelclchars, /* the user has set "localchars" */
+  donebinarytoggle,     /* the user has put us in binary */
+  dontlecho,    /* do we suppress local echoing right now? */
+  globalmode;
+
+char *prompt = 0;
+
+cc_t escapechar;
+cc_t rlogin;
+#ifdef  KLUDGELINEMODE
+cc_t echoc;
+#endif
+
+/*
+ * Telnet receiver states for fsm
+ */
+#define TS_DATA         0
+#define TS_IAC          1
+#define TS_WILL         2
+#define TS_WONT         3
+#define TS_DO           4
+#define TS_DONT         5
+#define TS_CR           6
+#define TS_SB           7               /* sub-option collection */
+#define TS_SE           8               /* looking for sub-option end */
+
+static int telrcv_state;
+
+sigjmp_buf toplevel;
+sigjmp_buf peerdied;
+
+int flushline;
+int linemode;
+
+#ifdef  KLUDGELINEMODE
+int kludgelinemode = 1;
+#endif
+
+/*
+ * The following are some clocks used to decide how to interpret
+ * the relationship between various variables.
+ */
+
+Clocks clocks;
+
+#ifdef  notdef
+Modelist modelist[] = {
+  { "telnet command mode", COMMAND_LINE },
+  { "character-at-a-time mode", 0 },
+  { "character-at-a-time mode (local echo)", LOCAL_ECHO|LOCAL_CHARS },
+  { "line-by-line mode (remote echo)", LINE | LOCAL_CHARS },
+  { "line-by-line mode", LINE | LOCAL_ECHO | LOCAL_CHARS },
+  { "line-by-line mode (local echoing suppressed)", LINE | LOCAL_CHARS },
+  { "3270 mode", 0 },
+};
+#endif
+
+/*
+ * Initialize telnet environment.
+ */
+void init_telnet(void) {
+  env_init();
+  cmdtab_init();
+  
+  SB_CLEAR();
+  memset(options, 0, sizeof(options));
+  
+  connected = In3270 = ISend = localflow = donebinarytoggle = 0;
+  
+  SYNCHing = 0;
+  
+  /* Don't change NetTrace */
+  
+  escapechar = CONTROL(']');
+  rlogin = _POSIX_VDISABLE;
+#ifdef  KLUDGELINEMODE
+  echoc = CONTROL('E');
+#endif
+  
+  flushline = 1;
+  telrcv_state = TS_DATA;
+}
+
+
+#if 0
+#include <stdarg.h>
+
+static void printring(Ring *ring, const char *format, ...) {
+  va_list ap;
+  char buffer[100];             /* where things go */
+  char *ptr;
+  char *string;
+  int i;
+  
+  va_start(ap, format);
+  
+  ptr = buffer;
+  
+  while ((i = *format++) != 0) {
+    if (i == '%') {
+      i = *format++;
+      switch (i) {
+      case 'c':
+        *ptr++ = va_arg(ap, int);
+        break;
+      case 's':
+        string = va_arg(ap, char *);
+        ring->supply_data(buffer, ptr-buffer);
+        ring->supply_data(string, strlen(string));
+        ptr = buffer;
+        break;
+      case 0:
+        ExitString("printring: trailing %%.\n", 1);
+        /*NOTREACHED*/
+      default:
+        ExitString("printring: unknown format character.\n", 1);
+        /*NOTREACHED*/
+      }
+    } 
+    else {
+      *ptr++ = i;
+    }
+  }
+  ring->supply_data(buffer, ptr-buffer);
+}
+#endif
+
+/*
+ * These routines are in charge of sending option negotiations
+ * to the other side.
+ *
+ * The basic idea is that we send the negotiation if either side
+ * is in disagreement as to what the current state should be.
+ */
+
+void send_do(int c, int init) {
+  if (init) {
+    if (((do_dont_resp[c] == 0) && my_state_is_do(c)) ||
+        my_want_state_is_do(c))
+      return;
+    set_my_want_state_do(c);
+    do_dont_resp[c]++;
+  }
+  NET2ADD(IAC, DO);
+  NETADD(c);
+  printoption("SENT", DO, c);
+}
+
+void send_dont(int c, int init) {
+  if (init) {
+    if (((do_dont_resp[c] == 0) && my_state_is_dont(c)) ||
+        my_want_state_is_dont(c))
+      return;
+    set_my_want_state_dont(c);
+    do_dont_resp[c]++;
+  }
+  NET2ADD(IAC, DONT);
+  NETADD(c);
+  printoption("SENT", DONT, c);
+}
+
+void send_will(int c, int init) {
+  if (init) {
+    if (((will_wont_resp[c] == 0) && my_state_is_will(c)) ||
+        my_want_state_is_will(c))
+      return;
+    set_my_want_state_will(c);
+    will_wont_resp[c]++;
+  }
+  NET2ADD(IAC, WILL);
+  NETADD(c);
+  printoption("SENT", WILL, c);
+}
+
+void send_wont(int c, int init) {
+  if (init) {
+    if (((will_wont_resp[c] == 0) && my_state_is_wont(c)) ||
+        my_want_state_is_wont(c))
+      return;
+    set_my_want_state_wont(c);
+    will_wont_resp[c]++;
+  }
+  NET2ADD(IAC, WONT);
+  NETADD(c);
+  printoption("SENT", WONT, c);
+}
+
+
+void willoption(int option) {
+  int new_state_ok = 0;
+  
+  if (do_dont_resp[option]) {
+    --do_dont_resp[option];
+    if (do_dont_resp[option] && my_state_is_do(option))
+      --do_dont_resp[option];
+  }
+  
+  if ((do_dont_resp[option] == 0) && my_want_state_is_dont(option)) {
+    switch (option) {
+    case TELOPT_ECHO:
+#if defined(TN3270)
+      /*
+       * The following is a pain in the rear-end.
+       * Various IBM servers (some versions of Wiscnet,
+       * possibly Fibronics/Spartacus, and who knows who
+       * else) will NOT allow us to send "DO SGA" too early
+       * in the setup proceedings.  On the other hand,
+       * 4.2 servers (telnetd) won't set SGA correctly.
+       * So, we are stuck.  Empirically (but, based on
+       * a VERY small sample), the IBM servers don't send
+       * out anything about ECHO, so we postpone our sending
+       * "DO SGA" until we see "WILL ECHO" (which 4.2 servers
+       * DO send).
+       */
+      {
+        if (askedSGA == 0) {
+          askedSGA = 1;
+          if (my_want_state_is_dont(TELOPT_SGA))
+            send_do(TELOPT_SGA, 1);
+        }
+      }
+      /* Fall through */
+    case TELOPT_EOR:
+#endif /* TN3270 */
+    case TELOPT_BINARY:
+    case TELOPT_SGA:
+      settimer(modenegotiated);
+      /* FALL THROUGH */
+    case TELOPT_STATUS:
+      new_state_ok = 1;
+      break;
+      
+    case TELOPT_TM:
+      if (flushout)
+        flushout = 0;
+      /*
+       * Special case for TM.  If we get back a WILL,
+       * pretend we got back a WONT.
+       */
+      set_my_want_state_dont(option);
+      set_my_state_dont(option);
+      return;                   /* Never reply to TM will's/wont's */
+      
+    case TELOPT_LINEMODE:
+    default:
+      break;
+    }
+    
+    if (new_state_ok) {
+      set_my_want_state_do(option);
+      send_do(option, 0);
+      setconnmode(0);           /* possibly set new tty mode */
+    } 
+    else {
+      do_dont_resp[option]++;
+      send_dont(option, 0);
+    }
+  }
+  set_my_state_do(option);
+}
+
+void wontoption(int option) {
+  if (do_dont_resp[option]) {
+    --do_dont_resp[option];
+    if (do_dont_resp[option] && my_state_is_dont(option))
+      --do_dont_resp[option];
+  }
+  
+  if ((do_dont_resp[option] == 0) && my_want_state_is_do(option)) {
+    
+    switch (option) {
+      
+#ifdef  KLUDGELINEMODE
+    case TELOPT_SGA:
+      if (!kludgelinemode)
+        break;
+      /* FALL THROUGH */
+#endif
+    case TELOPT_ECHO:
+      settimer(modenegotiated);
+      break;
+      
+    case TELOPT_TM:
+      if (flushout)
+        flushout = 0;
+      set_my_want_state_dont(option);
+      set_my_state_dont(option);
+      return;           /* Never reply to TM will's/wont's */
+      
+    default:
+      break;
+    }
+    set_my_want_state_dont(option);
+    if (my_state_is_do(option))
+      send_dont(option, 0);
+    setconnmode(0);                     /* Set new tty mode */
+  } 
+  else if (option == TELOPT_TM) {
+    /*
+     * Special case for TM.
+     */
+    if (flushout)
+      flushout = 0;
+    set_my_want_state_dont(option);
+  }
+  set_my_state_dont(option);
+}
+
+static void dooption(int option) {
+  int new_state_ok = 0;
+  
+  if (will_wont_resp[option]) {
+    --will_wont_resp[option];
+    if (will_wont_resp[option] && my_state_is_will(option))
+      --will_wont_resp[option];
+  }
+  
+  if (will_wont_resp[option] == 0) {
+    if (my_want_state_is_wont(option)) {
+      
+      switch (option) {
+        
+      case TELOPT_TM:
+        /*
+         * Special case for TM.  We send a WILL, but pretend
+         * we sent WONT.
+         */
+        send_will(option, 0);
+        set_my_want_state_wont(TELOPT_TM);
+        set_my_state_wont(TELOPT_TM);
+        return;
+        
+#       if defined(TN3270)
+      case TELOPT_EOR:          /* end of record */
+#       endif   /* defined(TN3270) */
+      case TELOPT_BINARY:               /* binary mode */
+      case TELOPT_NAWS:         /* window size */
+      case TELOPT_TSPEED:               /* terminal speed */
+      case TELOPT_LFLOW:                /* local flow control */
+      case TELOPT_TTYPE:                /* terminal type option */
+      case TELOPT_SGA:          /* no big deal */
+      case TELOPT_ENVIRON:      /* environment variable option */
+        new_state_ok = 1;
+        break;
+        
+      case TELOPT_XDISPLOC:     /* X Display location */
+        if (env_getvalue("DISPLAY"))
+          new_state_ok = 1;
+        break;
+        
+      case TELOPT_LINEMODE:
+#ifdef  KLUDGELINEMODE
+        kludgelinemode = 0;
+        send_do(TELOPT_SGA, 1);
+#endif
+        set_my_want_state_will(TELOPT_LINEMODE);
+        send_will(option, 0);
+        set_my_state_will(TELOPT_LINEMODE);
+        slc_init();
+        return;
+        
+      case TELOPT_ECHO:         /* We're never going to echo... */
+      default:
+        break;
+      }
+      
+      if (new_state_ok) {
+        set_my_want_state_will(option);
+        send_will(option, 0);
+        setconnmode(0);                 /* Set new tty fmode */
+      } 
+      else {
+        will_wont_resp[option]++;
+        send_wont(option, 0);
+      }
+    } 
+    else {
+      /*
+       * Handle options that need more things done after the
+       * other side has acknowledged the option.
+       */
+      switch (option) {
+      case TELOPT_LINEMODE:
+#ifdef  KLUDGELINEMODE
+        kludgelinemode = 0;
+        send_do(TELOPT_SGA, 1);
+#endif
+        set_my_state_will(option);
+        slc_init();
+        send_do(TELOPT_SGA, 0);
+        return;
+      }
+    }
+  }
+  set_my_state_will(option);
+}
+
+static void dontoption(int option) {
+  if (will_wont_resp[option]) {
+    --will_wont_resp[option];
+    if (will_wont_resp[option] && my_state_is_wont(option))
+      --will_wont_resp[option];
+  }
+  
+  if ((will_wont_resp[option] == 0) && my_want_state_is_will(option)) {
+    switch (option) {
+    case TELOPT_LINEMODE:
+      linemode = 0;     /* put us back to the default state */
+      break;
+    }
+    /* we always accept a DONT */
+    set_my_want_state_wont(option);
+    if (my_state_is_will(option))
+      send_wont(option, 0);
+    setconnmode(0);                     /* Set new tty mode */
+  }
+  set_my_state_wont(option);
+}
+
+/*
+ * Given a buffer returned by tgetent(), this routine will turn
+ * the pipe seperated list of names in the buffer into an array
+ * of pointers to null terminated names.  We toss out any bad,
+ * duplicate, or verbose names (names with spaces).
+ */
+
+typedef ptrarray<const char> stringarray;
+
+static int is_unique(const char *name, const stringarray &ar) {
+  for (int i=0; i<ar.num(); i++) if (!strcasecmp(ar[i], name)) return 0;
+  return 1;
+}
+
+static void mklist(char *buf, const char *name, stringarray &fill) {
+  char *cp; 
+  
+  fill.setsize(0);
+  cp = strchr(buf, ':');
+  if (cp) *cp = 0;
+  for (cp = strtok(buf, "|:"); cp; cp = strtok(NULL, "|:")) {
+    /*
+     * Skip entries longer than 40 characters.
+     * Skip entries with spaces or non-ascii values.
+     * Convert lower case letters to upper case.
+     */
+    if (strlen(cp)>40) continue;
+    int bad = 0;
+    for (int i=0; cp[i]; i++) if (!isascii(cp[i]) || cp[i]==' ') bad=1;
+    if (bad) continue;
+    upcase(cp);
+    if (is_unique(cp, fill)) fill.add(cp);
+  }
+  
+  /*
+   * Move the name we were passed to the beginning if it's not already
+   * there.
+   */
+  for (int j=1; j<fill.num(); j++) if (!strcasecmp(name, fill[j])) {
+    const char *temp = fill[j];
+    fill[j] = fill[0];
+    fill[0] = temp;
+  }
+  
+  /*
+   * Check for an old V6 2 character name. If present,
+   * move it to the end of the array.
+   */
+  for (int k=1; k<fill.num()-1; k++) {
+    if (strlen(fill[k])==2 && fill[k]==buf) {
+      const char *temp = fill[fill.num()-1];
+      fill[fill.num()-1] = fill[k];
+      fill[k] = temp;
+    }
+  }
+  
+  /*
+   * If we got nothing, add in what we were passed
+   */
+  if (fill.num()==0) {
+    if (name && strlen(name)<40) fill.add(name);
+    else fill.add("UNKNOWN");
+  }
+  
+  /*
+   * Duplicate last name, for TTYPE option, and null
+   * terminate the array.  If we didn't find a match on
+   * our terminal name, put that name at the beginning.
+   */
+  
+  fill.add(fill[fill.num()-1]);
+  fill.add(NULL);
+}
+
+char termbuf[2048];
+
+static int my_setupterm(const char *tname, int /*fd*/, int *errp) {
+  if (tgetent(termbuf, tname) == 1) {
+    /* its Sun Mar 15 00:03:36 PST 1998 this could never have worked with
+     * ncurses.  The ncurses tgetent() ignores its first parameter
+     */
+    
+#ifndef USE_NCURSES
+    termbuf[1023] = '\0';
+#else
+    strncpy(termbuf, CUR term_names, sizeof(termbuf));
+#endif
+    
+    if (errp)
+      *errp = 1;
+    return 0;
+  }
+  if (errp) *errp = 0;
+  return -1;
+}
+
+int resettermname = 1;
+
+static const char *gettermname(void) {
+  static stringarray termtypes;
+  static int next;
+  
+  const char *tname;
+  int err;
+  
+  if (resettermname) {
+    resettermname = 0;
+    tname = env_getvalue("TERM");
+    if (!tname || my_setupterm(tname, 1, &err)) {
+      termbuf[0] = 0;
+      tname = "UNKNOWN";
+    }
+    mklist(termbuf, tname, termtypes);
+    next = 0;
+  }
+  if (next==termtypes.num()) next = 0;
+  return termtypes[next++];
+}
+/*
+ * suboption()
+ *
+ *      Look at the sub-option buffer, and try to be helpful to the other
+ * side.
+ *
+ *      Currently we recognize:
+ *
+ *              Terminal type, send request.
+ *              Terminal speed (send request).
+ *              Local flow control (is request).
+ *              Linemode
+ */
+
+static void suboption(void) {
+  printsub('<', subbuffer, SB_LEN()+2);
+  switch (SB_GET()) {
+  case TELOPT_TTYPE:
+    if (my_want_state_is_wont(TELOPT_TTYPE))
+      return;
+    if (SB_EOF() || SB_GET() != TELQUAL_SEND) {
+      return;
+    } 
+    else {
+      const char *name;
+      
+#if defined(TN3270)
+      if (tn3270_ttype()) {
+        return;
+      }
+#endif /* TN3270 */
+      name = gettermname();
+      netoring.printf("%c%c%c%c%s%c%c", IAC, SB, TELOPT_TTYPE,
+                      TELQUAL_IS, name, IAC, SE);
+    }
+    break;
+  case TELOPT_TSPEED:
+    if (my_want_state_is_wont(TELOPT_TSPEED))
+      return;
+    if (SB_EOF())
+      return;
+    if (SB_GET() == TELQUAL_SEND) {
+      long oospeed, iispeed;
+      TerminalSpeeds(&iispeed, &oospeed);
+      netoring.printf("%c%c%c%c%ld,%ld%c%c", IAC, SB, TELOPT_TSPEED, 
+                      TELQUAL_IS, oospeed, iispeed, IAC, SE);
+    }
+    break;
+  case TELOPT_LFLOW:
+    if (my_want_state_is_wont(TELOPT_LFLOW))
+      return;
+    if (SB_EOF())
+      return;
+    switch(SB_GET()) {
+    case 1:
+      localflow = 1;
+      break;
+    case 0:
+      localflow = 0;
+      break;
+    default:
+      return;
+    }
+    setcommandmode();
+    setconnmode(0);
+    break;
+    
+  case TELOPT_LINEMODE:
+    if (my_want_state_is_wont(TELOPT_LINEMODE))
+      return;
+    if (SB_EOF())
+      return;
+    switch (SB_GET()) {
+    case WILL:
+      lm_will(subpointer, SB_LEN());
+      break;
+    case WONT:
+      lm_wont(subpointer, SB_LEN());
+      break;
+    case DO:
+      lm_do(subpointer, SB_LEN());
+      break;
+    case DONT:
+      lm_dont(subpointer, SB_LEN());
+      break;
+    case LM_SLC:
+      slc(subpointer, SB_LEN());
+      break;
+    case LM_MODE:
+      lm_mode(subpointer, SB_LEN(), 0);
+      break;
+    default:
+      break;
+    }
+    break;
+    
+  case TELOPT_ENVIRON:
+    if (SB_EOF())
+      return;
+    switch(SB_PEEK()) {
+    case TELQUAL_IS:
+    case TELQUAL_INFO:
+      if (my_want_state_is_dont(TELOPT_ENVIRON))
+        return;
+      break;
+    case TELQUAL_SEND:
+      if (my_want_state_is_wont(TELOPT_ENVIRON)) {
+        return;
+      }
+      break;
+    default:
+      return;
+    }
+    env_opt(subpointer, SB_LEN());
+    break;
+    
+  case TELOPT_XDISPLOC:
+    if (my_want_state_is_wont(TELOPT_XDISPLOC))
+      return;
+    if (SB_EOF())
+      return;
+    if (SB_GET() == TELQUAL_SEND) {
+      const char *dp = env_getvalue("DISPLAY");
+      if (dp == NULL) {
+        /*
+         * Something happened, we no longer have a DISPLAY
+         * variable.  So, turn off the option.
+         */
+        send_wont(TELOPT_XDISPLOC, 1);
+        break;
+      }
+      netoring.printf("%c%c%c%c%s%c%c", IAC, SB, TELOPT_XDISPLOC,
+                      TELQUAL_IS, dp, IAC, SE);
+    }
+    break;
+    
+  default:
+    break;
+  }
+}
+
+//static char str_lm[] = { IAC, SB, TELOPT_LINEMODE, 0, 0, IAC, SE };
+
+void lm_will(unsigned char *cmd, int len) {
+  if (len < 1) {
+    /*@*/       printf("lm_will: no command!!!\n");     /* Should not happen... */
+    return;
+  }
+  
+  netoring.printf("%c%c%c%c%c%c%c", IAC, SB, TELOPT_LINEMODE, 
+                  DONT, cmd[0], IAC, SE);
+}
+
+void lm_wont(unsigned char * /*cmd*/, int len) {
+  if (len < 1) {
+    /*@*/       printf("lm_wont: no command!!!\n");     /* Should not happen... */
+    return;
+  }
+  /* We are always DONT, so don't respond */
+}
+
+void lm_do(unsigned char *cmd, int len) {
+  if (len < 1) {
+    /*@*/       printf("lm_do: no command!!!\n");       /* Should not happen... */
+    return;
+  }
+  netoring.printf("%c%c%c%c%c%c%c", IAC, SB, TELOPT_LINEMODE, 
+                  WONT, cmd[0], IAC, SE);
+}
+
+void lm_dont(unsigned char * /*cmd*/, int len) {
+  if (len < 1) {
+    /*@*/       printf("lm_dont: no command!!!\n");     /* Should not happen... */
+    return;
+  }
+  /* we are always WONT, so don't respond */
+}
+
+void lm_mode(unsigned char *cmd, int len, int init) {
+  if (len != 1) return;
+  if ((linemode&MODE_MASK&~MODE_ACK) == *cmd) return;
+  if (*cmd&MODE_ACK) return;
+  
+  linemode = *cmd&(MODE_MASK&~MODE_ACK);
+  int k = linemode;
+  if (!init) {
+    k |= MODE_ACK;
+  }
+  
+  netoring.printf("%c%c%c%c%c%c%c", IAC, SB, TELOPT_LINEMODE, LM_MODE,
+                  k, IAC, SE);
+  
+  setconnmode(0);       /* set changed mode */
+}
+
+
+/*
+ * slc()
+ * Handle special character suboption of LINEMODE.
+ */
+
+struct spc {
+  cc_t val;
+  cc_t *valp;
+  char flags;   /* Current flags & level */
+  char mylevel; /* Maximum level & flags */
+} spc_data[NSLC+1];
+
+#define SLC_IMPORT      0
+#define SLC_EXPORT      1
+#define SLC_RVALUE      2
+static int slc_mode = SLC_EXPORT;
+
+void slc_init(void) {
+  register struct spc *spcp;
+  
+  localchars = 1;
+  for (spcp = spc_data; spcp < &spc_data[NSLC+1]; spcp++) {
+    spcp->val = 0;
+    spcp->valp = 0;
+    spcp->flags = spcp->mylevel = SLC_NOSUPPORT;
+  }
+  
+#define initfunc(func, flags) { \
+                                                            spcp = &spc_data[func]; \
+                                                                                      if ((spcp->valp = tcval(func))) { \
+                                                                                                                          spcp->val = *spcp->valp; \
+                                                                                                                                                     spcp->mylevel = SLC_VARIABLE|flags; \
+                                                                                                                                                                                           } else { \
+                                                                                                                                                                                                      spcp->val = 0; \
+                                                                                                                                                                                                                       spcp->mylevel = SLC_DEFAULT; \
+                                                                                                                                                                                                                                                      } \
+                                                                                                                                                                                                                                                          }
+  
+  initfunc(SLC_SYNCH, 0);
+  /* No BRK */
+  initfunc(SLC_AO, 0);
+  initfunc(SLC_AYT, 0);
+  /* No EOR */
+  initfunc(SLC_ABORT, SLC_FLUSHIN|SLC_FLUSHOUT);
+  initfunc(SLC_EOF, 0);
+  initfunc(SLC_SUSP, SLC_FLUSHIN);
+  
+  initfunc(SLC_EC, 0);
+  initfunc(SLC_EL, 0);
+  
+  initfunc(SLC_XON, 0);
+  initfunc(SLC_XOFF, 0);
+  
+  initfunc(SLC_FORW1, 0);
+  initfunc(SLC_FORW2, 0);
+  /* No FORW2 */
+  
+  initfunc(SLC_IP, SLC_FLUSHIN|SLC_FLUSHOUT);
+#undef  initfunc
+  
+  if (slc_mode == SLC_EXPORT)
+    slc_export();
+  else
+    slc_import(1);
+  
+}
+
+void slcstate(void) {
+  printf("Special characters are %s values\n",
+         slc_mode == SLC_IMPORT ? "remote default" :
+         slc_mode == SLC_EXPORT ? "local" :
+         "remote");
+}
+
+void slc_mode_export(void) {
+  slc_mode = SLC_EXPORT;
+  if (my_state_is_will(TELOPT_LINEMODE))
+    slc_export();
+}
+
+void slc_mode_import(int def) {
+  slc_mode = def ? SLC_IMPORT : SLC_RVALUE;
+  if (my_state_is_will(TELOPT_LINEMODE))
+    slc_import(def);
+}
+
+void slc_import(int def) {
+  if (def) {
+    netoring.printf("%c%c%c%c%c%c%c%c%c", IAC, SB, TELOPT_LINEMODE,
+                    LM_SLC, 0, SLC_DEFAULT, 0, IAC, SE);
+  }
+  else {
+    netoring.printf("%c%c%c%c%c%c%c%c%c", IAC, SB, TELOPT_LINEMODE,
+                    LM_SLC, 0, SLC_VARIABLE, 0, IAC, SE);
+  }
+}
+
+void slc_export(void) {
+  register struct spc *spcp;
+  
+  TerminalDefaultChars();
+  
+  slc_start_reply();
+  for (spcp = &spc_data[1]; spcp < &spc_data[NSLC+1]; spcp++) {
+    if (spcp->mylevel != SLC_NOSUPPORT) {
+      if (spcp->val == (cc_t)(_POSIX_VDISABLE))
+        spcp->flags = SLC_NOSUPPORT;
+      else
+        spcp->flags = spcp->mylevel;
+      if (spcp->valp)
+        spcp->val = *spcp->valp;
+      slc_add_reply(spcp - spc_data, spcp->flags, spcp->val);
+    }
+  }
+  slc_end_reply();
+  (void)slc_update();
+  setconnmode(1);       /* Make sure the character values are set */
+}
+
+void slc(unsigned char *cp, int len) {
+  register struct spc *spcp;
+  register int func,level;
+  
+  slc_start_reply();
+  
+  for (; len >= 3; len -=3, cp +=3) {
+    
+    func = cp[SLC_FUNC];
+    
+    if (func == 0) {
+      /*
+       * Client side: always ignore 0 function.
+       */
+      continue;
+    }
+    if (func > NSLC) {
+      if ((cp[SLC_FLAGS] & SLC_LEVELBITS) != SLC_NOSUPPORT)
+        slc_add_reply(func, SLC_NOSUPPORT, 0);
+      continue;
+    }
+    
+    spcp = &spc_data[func];
+    
+    level = cp[SLC_FLAGS]&(SLC_LEVELBITS|SLC_ACK);
+    
+    if ((cp[SLC_VALUE] == spcp->val) &&
+        ((level&SLC_LEVELBITS) == (spcp->flags&SLC_LEVELBITS))) {
+      continue;
+    }
+    
+    if (level == (SLC_DEFAULT|SLC_ACK)) {
+      /*
+       * This is an error condition, the SLC_ACK
+       * bit should never be set for the SLC_DEFAULT
+       * level.  Our best guess to recover is to
+       * ignore the SLC_ACK bit.
+       */
+      cp[SLC_FLAGS] &= ~SLC_ACK;
+    }
+    
+    if (level == ((spcp->flags&SLC_LEVELBITS)|SLC_ACK)) {
+      spcp->val = (cc_t)cp[SLC_VALUE];
+      spcp->flags = cp[SLC_FLAGS];      /* include SLC_ACK */
+      continue;
+    }
+    
+    level &= ~SLC_ACK;
+    
+    if (level <= (spcp->mylevel&SLC_LEVELBITS)) {
+      spcp->flags = cp[SLC_FLAGS]|SLC_ACK;
+      spcp->val = (cc_t)cp[SLC_VALUE];
+    }
+    if (level == SLC_DEFAULT) {
+      if ((spcp->mylevel&SLC_LEVELBITS) != SLC_DEFAULT)
+        spcp->flags = spcp->mylevel;
+      else
+        spcp->flags = SLC_NOSUPPORT;
+    }
+    slc_add_reply(func, spcp->flags, spcp->val);
+  }
+  slc_end_reply();
+  if (slc_update())
+    setconnmode(1);     /* set the  new character values */
+}
+
+void slc_check(void) {
+  register struct spc *spcp;
+  
+  slc_start_reply();
+  for (spcp = &spc_data[1]; spcp < &spc_data[NSLC+1]; spcp++) {
+    if (spcp->valp && spcp->val != *spcp->valp) {
+      spcp->val = *spcp->valp;
+      if (spcp->val == (cc_t)(_POSIX_VDISABLE))
+        spcp->flags = SLC_NOSUPPORT;
+      else
+        spcp->flags = spcp->mylevel;
+      slc_add_reply(spcp - spc_data, spcp->flags, spcp->val);
+    }
+  }
+  slc_end_reply();
+  setconnmode(1);
+}
+
+
+unsigned char slc_reply[128];
+unsigned char *slc_replyp;
+
+void slc_start_reply(void) {
+  slc_replyp = slc_reply;
+  *slc_replyp++ = IAC;
+  *slc_replyp++ = SB;
+  *slc_replyp++ = TELOPT_LINEMODE;
+  *slc_replyp++ = LM_SLC;
+}
+
+void slc_add_reply(int func, int flags, int value) {
+  if ((*slc_replyp++ = func) == IAC)
+    *slc_replyp++ = IAC;
+  if ((*slc_replyp++ = flags) == IAC)
+    *slc_replyp++ = IAC;
+  if ((*slc_replyp++ = value) == IAC)
+    *slc_replyp++ = IAC;
+}
+
+void slc_end_reply(void) {
+  register int len;
+  
+  *slc_replyp++ = IAC;
+  *slc_replyp++ = SE;
+  len = slc_replyp - slc_reply;
+  if (len <= 6) return;
+  
+  printsub('>', &slc_reply[2], len - 2);
+  netoring.write((char *)slc_reply, len);
+}
+
+int slc_update(void) {
+  struct spc *spcp;
+  int need_update = 0;
+  
+  for (spcp = &spc_data[1]; spcp < &spc_data[NSLC+1]; spcp++) {
+    if (!(spcp->flags&SLC_ACK))
+      continue;
+    spcp->flags &= ~SLC_ACK;
+    if (spcp->valp && (*spcp->valp != spcp->val)) {
+      *spcp->valp = spcp->val;
+      need_update = 1;
+    }
+  }
+  return(need_update);
+}
+
+void env_opt(unsigned char *buf, int len) {
+  unsigned char *ep = 0, *epc = 0;
+  int i;
+  
+  switch(buf[0]) {
+  case TELQUAL_SEND:
+    env_opt_start();
+    if (len == 1) {
+      env_opt_add(NULL);
+    } 
+    else for (i = 1; i < len; i++) {
+      switch (buf[i]) {
+      case ENV_VALUE:
+        if (ep) {
+          *epc = 0;
+          env_opt_add((const char *)ep);
+        }
+        ep = epc = &buf[i+1];
+        break;
+      case ENV_ESC:
+        i++;
+                                /*FALL THROUGH*/
+      default:
+        if (epc)
+          *epc++ = buf[i];
+        break;
+      }
+      if (ep) {
+        *epc = 0;
+        env_opt_add((const char *)ep);
+      }
+    }
+    env_opt_end(1);
+    break;
+    
+  case TELQUAL_IS:
+  case TELQUAL_INFO:
+    /* Ignore for now.  We shouldn't get it anyway. */
+    break;
+    
+  default:
+    break;
+  }
+}
+
+/* OPT_REPLY_SIZE must be a multiple of 2. */
+#define OPT_REPLY_SIZE  256
+unsigned char *opt_reply;
+unsigned char *opt_replyp;
+unsigned char *opt_replyend;
+
+void env_opt_start(void) {
+  if (opt_reply)
+    opt_reply = (unsigned char *)realloc(opt_reply, OPT_REPLY_SIZE);
+  else
+    opt_reply = (unsigned char *)malloc(OPT_REPLY_SIZE);
+  if (opt_reply == NULL) {
+    /*@*/               printf("env_opt_start: malloc()/realloc() failed!!!\n");
+    opt_reply = opt_replyp = opt_replyend = NULL;
+    return;
+  }
+  opt_replyp = opt_reply;
+  opt_replyend = opt_reply + OPT_REPLY_SIZE;
+  *opt_replyp++ = IAC;
+  *opt_replyp++ = SB;
+  *opt_replyp++ = TELOPT_ENVIRON;
+  *opt_replyp++ = TELQUAL_IS;
+}
+
+void env_opt_start_info(void) {
+  env_opt_start();
+  if (opt_replyp)
+    opt_replyp[-1] = TELQUAL_INFO;
+}
+
+void env_opt_add(const char *ep) {
+  const char *vp;
+  const unsigned char *tp;
+  unsigned char c;
+  
+  if (opt_reply == NULL)                /*XXX*/
+    return;                     /*XXX*/
+  
+  if (ep == NULL || *ep == '\0') {
+    int i;
+    env_iterate(&i, 1);
+    for (ep = env_next(&i,1); ep; ep = env_next(&i,1)) env_opt_add(ep);
+    return;
+  }
+  vp = env_getvalue(ep);
+  tp = opt_replyp + (vp ? strlen(vp) * 2 : 0) + strlen(ep) * 2 + 6;
+  if (tp > opt_replyend)
+    {
+      register int len;
+      len = ((tp - opt_reply) + OPT_REPLY_SIZE - 1) & ~(OPT_REPLY_SIZE - 1);
+      opt_replyend = opt_reply + len;
+      opt_reply = (unsigned char *)realloc(opt_reply, len);
+      if (opt_reply == NULL) {
+        /*@*/                   printf("env_opt_add: realloc() failed!!!\n");
+        opt_reply = opt_replyp = opt_replyend = NULL;
+        return;
+      }
+      opt_replyp = opt_reply + len - (opt_replyend - opt_replyp);
+      opt_replyend = opt_reply + len;
+    }
+  *opt_replyp++ = ENV_VAR;
+  for (;;) {
+    while ((c = *ep++)!=0) {
+      switch(c) {
+      case IAC:
+        *opt_replyp++ = IAC;
+        break;
+      case ENV_VALUE:
+      case ENV_VAR:
+      case ENV_ESC:
+        *opt_replyp++ = ENV_ESC;
+        break;
+      }
+      *opt_replyp++ = c;
+    }
+    if ((ep = vp)!=NULL) {
+      *opt_replyp++ = ENV_VALUE;
+      vp = NULL;
+    } else
+      break;
+  }
+}
+
+void env_opt_end(int emptyok) {
+  register int len;
+  
+  len = opt_replyp - opt_reply + 2;
+  if (emptyok || len > 6) {
+    *opt_replyp++ = IAC;
+    *opt_replyp++ = SE;
+    printsub('>', &opt_reply[2], len - 2);
+    netoring.write((char *)opt_reply, len);
+  }
+  if (opt_reply) {
+    free(opt_reply);
+    opt_reply = opt_replyp = opt_replyend = NULL;
+  }
+}
+
+
+int telrcv(void) {
+  int c;
+  int returnValue = 0;
+  
+  while (TTYROOM() > 2) {
+    if (!netiring.getch(&c)) {
+      /* No more data coming in */
+      break;
+    }
+    returnValue = 1;
+    
+    switch (telrcv_state) {
+    case TS_CR:
+      telrcv_state = TS_DATA;
+      if (c == '\0') {
+        break;  /* Ignore \0 after CR */
+      }
+      else if ((c == '\n') && 
+               my_want_state_is_dont(TELOPT_ECHO) && 
+               !crmod) 
+        {
+          TTYADD(c);
+          break;
+        }
+      /* Else, fall through */
+      
+    case TS_DATA:
+      if (c == IAC) {
+        telrcv_state = TS_IAC;
+        break;
+      }
+#if defined(TN3270)
+      if (In3270) {
+        *Ifrontp++ = c;
+        while (netiring.getch(&c)) {
+          if (c == IAC) {
+            telrcv_state = TS_IAC;
+            break;
+          }
+          *Ifrontp++ = c;
+        }
+      } else
+#endif /* defined(TN3270) */
+        /*
+         * The 'crmod' hack (see following) is needed
+         * since we can't * set CRMOD on output only.
+         * Machines like MULTICS like to send \r without
+         * \n; since we must turn off CRMOD to get proper
+         * input, the mapping is done here (sigh).
+         */
+        if ((c == '\r') && my_want_state_is_dont(TELOPT_BINARY)) {
+          if (netiring.getch(&c)) {
+            if (c == 0) {
+              /* a "true" CR */
+              TTYADD('\r');
+            } 
+            else if (my_want_state_is_dont(TELOPT_ECHO) &&
+                     (c == '\n')) {
+              TTYADD('\n');
+            } 
+            else {
+              netiring.ungetch(c);
+              TTYADD('\r');
+              if (crmod) TTYADD('\n');
+            }
+          } 
+          else {
+            telrcv_state = TS_CR;
+            TTYADD('\r');
+            if (crmod) TTYADD('\n');
+          }
+        } 
+        else {
+          TTYADD(c);
+        }
+      continue;
+      
+    case TS_IAC:
+    process_iac:
+    switch (c) {
+    case WILL:
+      telrcv_state = TS_WILL;
+      continue;
+    case WONT:
+      telrcv_state = TS_WONT;
+      continue;
+    case DO:
+      telrcv_state = TS_DO;
+      continue;
+    case DONT:
+      telrcv_state = TS_DONT;
+      continue;
+    case DM:
+      /*
+       * We may have missed an urgent notification,
+       * so make sure we flush whatever is in the
+       * buffer currently.
+       */
+      printoption("RCVD", IAC, DM);
+      SYNCHing = 1;
+      ttyflush(1);
+      SYNCHing = nlink.stilloob();
+      settimer(gotDM);
+      break;
+    case SB:
+      SB_CLEAR();
+      telrcv_state = TS_SB;
+      continue;
+      
+#if defined(TN3270)
+    case EOR:
+      if (In3270) {
+        if (Ibackp == Ifrontp) {
+          Ibackp = Ifrontp = Ibuf;
+          ISend = 0;    /* should have been! */
+        } 
+        else {
+          Ibackp += DataFromNetwork(Ibackp, Ifrontp-Ibackp, 1);
+          ISend = 1;
+        }
+      }
+      printoption("RCVD", IAC, EOR);
+      break;
+#endif /* defined(TN3270) */
+      
+    case IAC:
+#if !defined(TN3270)
+      TTYADD(IAC);
+#else /* !defined(TN3270) */
+      if (In3270) {
+        *Ifrontp++ = IAC;
+      } 
+      else {
+        TTYADD(IAC);
+      }
+#endif /* !defined(TN3270) */
+      break;
+      
+    case NOP:
+    case GA:
+    default:
+      printoption("RCVD", IAC, c);
+      break;
+    }
+    telrcv_state = TS_DATA;
+    continue;
+    
+    case TS_WILL:
+      printoption("RCVD", WILL, c);
+      willoption(c);
+      SetIn3270();
+      telrcv_state = TS_DATA;
+      continue;
+      
+    case TS_WONT:
+      printoption("RCVD", WONT, c);
+      wontoption(c);
+      SetIn3270();
+      telrcv_state = TS_DATA;
+      continue;
+      
+    case TS_DO:
+      printoption("RCVD", DO, c);
+      dooption(c);
+      SetIn3270();
+      if (c == TELOPT_NAWS) {
+        sendnaws();
+      } 
+      else if (c == TELOPT_LFLOW) {
+        localflow = 1;
+        setcommandmode();
+        setconnmode(0);
+      }
+      telrcv_state = TS_DATA;
+      continue;
+      
+    case TS_DONT:
+      printoption("RCVD", DONT, c);
+      dontoption(c);
+      flushline = 1;
+      setconnmode(0);   /* set new tty mode (maybe) */
+      SetIn3270();
+      telrcv_state = TS_DATA;
+      continue;
+      
+    case TS_SB:
+      if (c == IAC) {
+        telrcv_state = TS_SE;
+      } 
+      else {
+        SB_ACCUM(c);
+      }
+      continue;
+      
+    case TS_SE:
+      if (c != SE) {
+        if (c != IAC) {
+          /*
+           * This is an error.  We only expect to get
+           * "IAC IAC" or "IAC SE".  Several things may
+           * have happend.  An IAC was not doubled, the
+           * IAC SE was left off, or another option got
+           * inserted into the suboption are all possibilities.
+           * If we assume that the IAC was not doubled,
+           * and really the IAC SE was left off, we could
+           * get into an infinate loop here.  So, instead,
+           * we terminate the suboption, and process the
+           * partial suboption if we can.
+           */
+          SB_ACCUM(IAC);
+          SB_ACCUM(c);
+          subpointer -= 2;
+          SB_TERM();
+          
+          printoption("In SUBOPTION processing, RCVD", IAC, c);
+          suboption();  /* handle sub-option */
+          SetIn3270();
+          telrcv_state = TS_IAC;
+          goto process_iac;
+        }
+        SB_ACCUM(c);
+        telrcv_state = TS_SB;
+      } 
+      else {
+        SB_ACCUM(IAC);
+        SB_ACCUM(SE);
+        subpointer -= 2;
+        SB_TERM();
+        suboption();    /* handle sub-option */
+        SetIn3270();
+        telrcv_state = TS_DATA;
+      }
+    }
+    
+  }
+  return returnValue;
+}
+
+static int bol = 1, local = 0;
+
+int rlogin_susp(void) {
+  if (local) {
+    local = 0;
+    bol = 1;
+    command(0, "z\n", 2);
+    return(1);
+  }
+  return(0);
+}
+
+static int telsnd(void) {
+  //    int tcc;
+  //    int count;
+  int returnValue = 0;
+  //    const char *tbp = NULL;
+  
+  //    tcc = 0;
+  //    count = 0;
+  while (netoring.empty_count() > 2) {
+    int c, sc;
+    
+    if (!ttyiring.getch(&c)) {
+      break;
+    }
+    returnValue = 1;
+    
+    sc = strip(c);
+    
+    if (rlogin != _POSIX_VDISABLE) {
+      if (bol) {
+        bol = 0;
+        if (sc == rlogin) {
+          local = 1;
+          continue;
+        }
+      } 
+      else if (local) {
+        local = 0;
+        if (sc == '.' || c == termEofChar) {
+          bol = 1;
+          command(0, "close\n", 6);
+          continue;
+        }
+        if (sc == termSuspChar) {
+          bol = 1;
+          command(0, "z\n", 2);
+          continue;
+        }
+        if (sc == escapechar && escapechar !=_POSIX_VDISABLE) {
+          int l;
+          char buf[128];
+          l = ttyiring.gets(buf, sizeof(buf));
+          command(0, buf, l);
+          bol = 1;
+          flushline = 1;
+          break;
+        }
+        if (sc != rlogin) {
+          ttyiring.ungetch(c);
+          c = sc = rlogin;
+        }
+      }
+      if ((sc == '\n') || (sc == '\r'))
+        bol = 1;
+    } 
+    else if (sc == escapechar && escapechar != _POSIX_VDISABLE) {
+      int ignore = 0;
+      /*
+       * Double escape is a pass through of a single escape character.
+       */
+      if (ttyiring.getch(&c)) {
+        if (strip(c) != escapechar) ttyiring.ungetch(c);
+        else {
+          bol = 0;
+          ignore = 1;
+        }
+      } 
+      if (!ignore) {
+        int l;
+        char buf[128];
+        l = ttyiring.gets(buf, sizeof(buf));
+        command(0, buf, l);
+        bol = 1;
+        flushline = 1;
+        break;
+      }
+    } 
+    else {
+      bol = 0;
+    }
+#ifdef  KLUDGELINEMODE
+    if (kludgelinemode && (globalmode&MODE_EDIT) && (sc == echoc)) {
+      int ignore=0;
+      if (ttyiring.getch(&c) > 0) {
+        if (strip(c) != echoc) ttyiring.ungetch(c);
+        else ignore=1;
+      } 
+      if (!ignore) {
+        dontlecho = !dontlecho;
+        settimer(echotoggle);
+        setconnmode(0);
+        flushline = 1;
+        break;
+      }
+    }
+#endif
+    if (MODE_LOCAL_CHARS(globalmode)) {
+      if (TerminalSpecialChars(sc) == 0) {
+        bol = 1;
+        break;
+      }
+    }
+    if (my_want_state_is_wont(TELOPT_BINARY)) {
+      switch (c) {
+      case '\n':
+        /*
+         * If we are in CRMOD mode (\r ==> \n)
+         * on our local machine, then probably
+         * a newline (unix) is CRLF (TELNET).
+         */
+        if (MODE_LOCAL_CHARS(globalmode)) {
+          NETADD('\r');
+        }
+        NETADD('\n');
+        bol = flushline = 1;
+        break;
+      case '\r':
+        if (!crlf) {
+          NET2ADD('\r', '\0');
+        } 
+        else {
+          NET2ADD('\r', '\n');
+        }
+        bol = flushline = 1;
+        break;
+      case IAC:
+        NET2ADD(IAC, IAC);
+        break;
+      default:
+        NETADD(c);
+        break;
+      }
+    } 
+    else if (c == IAC) {
+      NET2ADD(IAC, IAC);
+    } 
+    else {
+      NETADD(c);
+    }
+  }
+  
+  return returnValue;           /* Non-zero if we did anything */
+}
+
+/*
+ * Scheduler()
+ *
+ * Try to do something.
+ *
+ * If we do something useful, return 1; else return 0.
+ *
+ */
+
+/* block: should we block in the select ? */
+int Scheduler(int block) {
+  /* One wants to be a bit careful about setting returnValue
+   * to one, since a one implies we did some useful work,
+   * and therefore probably won't be called to block next
+   * time (TN3270 mode only).
+   */
+  int returnValue;
+  int netin, netout, netex, ttyin, ttyout;
+  
+  /* Decide which rings should be processed */
+  
+  netout = netoring.full_count() &&
+    (flushline ||
+     (my_want_state_is_wont(TELOPT_LINEMODE)
+#ifdef  KLUDGELINEMODE
+      && (!kludgelinemode || my_want_state_is_do(TELOPT_SGA))
+#endif
+      ) ||
+     my_want_state_is_will(TELOPT_BINARY));
+  ttyout = ttyoring.full_count();
+  
+#if     defined(TN3270)
+  ttyin = ttyiring.empty_count() && (shell_active == 0);
+#else   /* defined(TN3270) */
+  ttyin = ttyiring.empty_count();
+#endif  /* defined(TN3270) */
+  
+#if defined(TN3270)
+  netin = netiring.empty_count();
+#else /* !defined(TN3270) */
+  netin = !ISend && netiring.empty_count();
+#endif /* !defined(TN3270) */
+  
+  netex = !SYNCHing;
+  
+  /* If we have seen a signal recently, reset things */
+#ifdef TN3270
+  if (HaveInput) {
+    HaveInput = 0;
+    (void) signal(SIGIO, inputAvailable);
+  }
+#endif  /* TN3270 */
+  
+  /* Call to system code to process rings */
+  
+  returnValue = process_rings(netin, netout, netex, ttyin, ttyout, !block);
+  
+  /* Now, look at the input rings, looking for work to do. */
+  
+  if (ttyiring.full_count()) {
+#if defined(TN3270)
+    if (In3270) {
+      int c;
+      
+      c = DataFromTerminal(ttyiring.consume,
+                           ring_full_consecutive(&ttyiring));
+      if (c) {
+        returnValue = 1;
+        ring_consumed(&ttyiring, c);
+      }
+    } else {
+#endif /* defined(TN3270) */
+      returnValue |= telsnd();
+#if defined(TN3270)
+    }
+#endif /* defined(TN3270) */
+  }
+  
+  if (netiring.full_count()) {
+#       if !defined(TN3270)
+    returnValue |= telrcv();
+#       else /* !defined(TN3270) */
+    returnValue = Push3270();
+#       endif /* !defined(TN3270) */
+  }
+  return returnValue;
+}
+
+/*
+ * Select from tty and network...
+ */
+void telnet(const char * /*user*/) {
+  sys_telnet_init();
+  
+  
+#if !defined(TN3270)
+  if (telnetport) {
+    send_do(TELOPT_SGA, 1);
+    send_will(TELOPT_TTYPE, 1);
+    send_will(TELOPT_NAWS, 1);
+    send_will(TELOPT_TSPEED, 1);
+    send_will(TELOPT_LFLOW, 1);
+    send_will(TELOPT_LINEMODE, 1);
+    send_will(TELOPT_ENVIRON, 1);
+    send_do(TELOPT_STATUS, 1);
+    if (env_getvalue("DISPLAY"))
+      send_will(TELOPT_XDISPLOC, 1);
+    if (eight)
+      tel_enter_binary(eight);
+  }
+#endif /* !defined(TN3270) */
+  
+#if !defined(TN3270)
+  for (;;) {
+    int schedValue;
+    
+    while ((schedValue = Scheduler(0)) != 0) {
+      if (schedValue == -1) {
+        setcommandmode();
+        return;
+      }
+    }
+    
+    if (Scheduler(1) == -1) {
+      setcommandmode();
+      return;
+    }
+  }
+#else /* !defined(TN3270) */
+  for (;;) {
+    int schedValue;
+    
+    while (!In3270 && !shell_active) {
+      if (Scheduler(1) == -1) {
+        setcommandmode();
+        return;
+      }
+    }
+    
+    while ((schedValue = Scheduler(0)) != 0) {
+      if (schedValue == -1) {
+        setcommandmode();
+        return;
+      }
+    }
+    /* If there is data waiting to go out to terminal, don't
+     * schedule any more data for the terminal.
+     */
+    if (ring_full_count(&ttyoring)) {
+      schedValue = 1;
+    } else {
+      if (shell_active) {
+        if (shell_continue() == 0) {
+          ConnectScreen();
+        }
+      } else if (In3270) {
+        schedValue = DoTerminalOutput();
+      }
+    }
+    if (schedValue && (shell_active == 0)) {
+      if (Scheduler(1) == -1) {
+        setcommandmode();
+        return;
+      }
+    }
+  }
+#endif /* !defined(TN3270) */
+}
+
+#if     0       /* XXX - this not being in is a bug */
+/*
+ * nextitem()
+ *
+ *      Return the address of the next "item" in the TELNET data
+ * stream.  This will be the address of the next character if
+ * the current address is a user data character, or it will
+ * be the address of the character following the TELNET command
+ * if the current address is a TELNET IAC ("I Am a Command")
+ * character.
+ */
+
+static unsigned char *nextitem(unsigned char *current) {
+  if (*current != IAC) {
+    return current+1;
+  }
+  switch (current[1]) {
+  case DO:
+  case DONT:
+  case WILL:
+  case WONT:
+    return current+3;
+  case SB:              /* loop forever looking for the SE */
+    {
+      unsigned char *look = current+2;
+      
+      for (;;) {
+        if (*look++ == IAC) {
+          if (*look++ == SE) {
+            return look;
+          }
+        }
+      }
+    }
+  default:
+    return current+2;
+  }
+}
+#endif  /* 0 */
+
+/*
+ * netclear()
+ *
+ *      We are about to do a TELNET SYNCH operation.  Clear
+ * the path to the network.
+ *
+ *      Things are a bit tricky since we may have sent the first
+ * byte or so of a previous TELNET command into the network.
+ * So, we have to scan the network buffer from the beginning
+ * until we are up to where we want to be.
+ *
+ *      A side effect of what we do, just to keep things
+ * simple, is to clear the urgent data pointer.  The principal
+ * caller should be setting the urgent data pointer AFTER calling
+ * us in any case.
+ */
+
+static void netclear(void) {
+#if     0       /* XXX */
+  register char *thisitem, *next;
+  char *good;
+#define wewant(p)       ((nfrontp > p) && (*p == IAC) && \
+                         (p[1] != EC) && (p[1] != EL))
+    
+    thisitem = netobuf;
+    
+    while ((next = nextitem(thisitem)) <= netobuf.send) {
+      thisitem = next;
+    }
+    
+    /* Now, thisitem is first before/at boundary. */
+    
+    good = netobuf;     /* where the good bytes go */
+    
+    while (netoring.add > thisitem) {
+      if (wewant(thisitem)) {
+        int length;
+        
+        next = thisitem;
+        do {
+          next = nextitem(next);
+        } while (wewant(next) && (nfrontp > next));
+        length = next-thisitem;
+        memcpy(good, thisitem, length);
+        good += length;
+        thisitem = next;
+      } else {
+        thisitem = nextitem(thisitem);
+      }
+    }
+    
+#endif  /* 0 */
+}
+
+/*
+ * These routines add various telnet commands to the data stream.
+ */
+
+static void doflush(void) {
+  NET2ADD(IAC, DO);
+  NETADD(TELOPT_TM);
+  flushline = 1;
+  flushout = 1;
+  (void) ttyflush(1);                   /* Flush/drop output */
+  /* do printoption AFTER flush, otherwise the output gets tossed... */
+  printoption("SENT", DO, TELOPT_TM);
+}
+
+void xmitAO(void) {
+  NET2ADD(IAC, AO);
+  printoption("SENT", IAC, AO);
+  if (autoflush) {
+    doflush();
+  }
+}
+
+
+void xmitEL(void) {
+  NET2ADD(IAC, EL);
+  printoption("SENT", IAC, EL);
+}
+
+void xmitEC(void) {
+  NET2ADD(IAC, EC);
+  printoption("SENT", IAC, EC);
+}
+
+
+int dosynch(void) {
+  netclear();                   /* clear the path to the network */
+  NETADD(IAC);
+  netoring.set_mark();
+  NETADD(DM);
+  printoption("SENT", IAC, DM);
+  return 1;
+}
+
+int want_status_response = 0;
+
+int get_status(const char *, const char *) {
+  unsigned char tmp[16];
+  unsigned char *cp;
+  
+  if (my_want_state_is_dont(TELOPT_STATUS)) {
+    printf("Remote side does not support STATUS option\n");
+    return 0;
+  }
+  cp = tmp;
+  
+  *cp++ = IAC;
+  *cp++ = SB;
+  *cp++ = TELOPT_STATUS;
+  *cp++ = TELQUAL_SEND;
+  *cp++ = IAC;
+  *cp++ = SE;
+  printsub('>', tmp+2, cp - tmp - 2);
+  netoring.write((char *)tmp, cp-tmp);
+  ++want_status_response;
+  return 1;
+}
+
+void intp(void) {
+  NET2ADD(IAC, IP);
+  printoption("SENT", IAC, IP);
+  flushline = 1;
+  if (autoflush) {
+    doflush();
+  }
+  if (autosynch) {
+    dosynch();
+  }
+}
+
+void sendbrk(void) {
+  NET2ADD(IAC, BREAK);
+  printoption("SENT", IAC, BREAK);
+  flushline = 1;
+  if (autoflush) {
+    doflush();
+  }
+  if (autosynch) {
+    dosynch();
+  }
+}
+
+void sendabort(void) {
+  NET2ADD(IAC, ABORT);
+  printoption("SENT", IAC, ABORT);
+  flushline = 1;
+  if (autoflush) {
+    doflush();
+  }
+  if (autosynch) {
+    dosynch();
+  }
+}
+
+void sendsusp(void) {
+  NET2ADD(IAC, SUSP);
+  printoption("SENT", IAC, SUSP);
+  flushline = 1;
+  if (autoflush) {
+    doflush();
+  }
+  if (autosynch) {
+    dosynch();
+  }
+}
+
+void sendeof(void) {
+  NET2ADD(IAC, xEOF);
+  printoption("SENT", IAC, xEOF);
+}
+
+void sendayt(void) {
+  NET2ADD(IAC, AYT);
+  printoption("SENT", IAC, AYT);
+}
+
+/*
+ * Send a window size update to the remote system.
+ */
+
+void sendnaws(void) {
+  long rows, cols;
+  unsigned char tmp[16];
+  unsigned char *cp;
+  
+  if (my_state_is_wont(TELOPT_NAWS))
+    return;
+  
+#define PUTSHORT(cp, x) { if ((*cp++ = ((x)>>8)&0xff) == IAC) *cp++ = IAC; \
+      if ((*cp++ = ((x))&0xff) == IAC) *cp++ = IAC; }
+  
+  if (TerminalWindowSize(&rows, &cols) == 0) {  /* Failed */
+    return;
+  }
+  
+  cp = tmp;
+  
+  *cp++ = IAC;
+  *cp++ = SB;
+  *cp++ = TELOPT_NAWS;
+  PUTSHORT(cp, cols);
+  PUTSHORT(cp, rows);
+  *cp++ = IAC;
+  *cp++ = SE;
+  printsub('>', tmp+2, cp - tmp - 2);
+  netoring.write((char *)tmp, cp-tmp);
+}
+
+void tel_enter_binary(int rw) {
+  if (rw&1)
+    send_do(TELOPT_BINARY, 1);
+  if (rw&2)
+    send_will(TELOPT_BINARY, 1);
+}
+
+void tel_leave_binary(int rw) {
+  if (rw&1)
+    send_dont(TELOPT_BINARY, 1);
+  if (rw&2)
+    send_wont(TELOPT_BINARY, 1);
+}
diff --git a/exploits/7350855-netkit/netkit-telnet-0.16/telnet/telnet.o b/exploits/7350855-netkit/netkit-telnet-0.16/telnet/telnet.o
new file mode 100644
index 0000000..a40a0f3
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.16/telnet/telnet.o
diff --git a/exploits/7350855-netkit/netkit-telnet-0.16/telnet/terminal.cc b/exploits/7350855-netkit/netkit-telnet-0.16/telnet/terminal.cc
new file mode 100644
index 0000000..9eb47ae
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.16/telnet/terminal.cc
@@ -0,0 +1,718 @@
+/*
+ * Copyright (c) 1988, 1990 Regents of the University of California.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *      This product includes software developed by the University of
+ *      California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/*
+ * From: @(#)terminal.c 5.3 (Berkeley) 3/22/91
+ */
+char terminal_rcsid[] = 
+  "$Id: terminal.cc,v 1.25 1999/12/12 19:48:05 dholland Exp $";
+
+#include <arpa/telnet.h>
+#include <sys/types.h>
+#include <sys/time.h>
+#include <termios.h>
+#include <unistd.h>
+#include <signal.h>
+#include <errno.h>
+#include <stdio.h>
+
+#include "ring.h"
+#include "defines.h"
+#include "externs.h"
+#include "types.h"
+#include "proto.h"
+#include "terminal.h"
+
+static int TerminalWrite(const char *buf, int n);
+static int TerminalRead(char *buf, int n);
+
+ringbuf ttyoring, ttyiring;
+
+#ifndef VDISCARD
+cc_t termFlushChar;
+#endif
+
+#ifndef VLNEXT
+cc_t termLiteralNextChar;
+#endif
+
+#ifndef VSUSP
+cc_t termSuspChar;
+#endif
+
+#ifndef VWERASE
+cc_t termWerasChar;
+#endif
+
+#ifndef VREPRINT
+cc_t termRprntChar;
+#endif
+
+#ifndef VSTART
+cc_t termStartChar;
+#endif
+
+#ifndef VSTOP
+cc_t termStopChar;
+#endif
+
+#ifndef VEOL
+cc_t termForw1Char;
+#endif
+
+#ifndef VEOL2
+cc_t termForw2Char;
+#endif
+
+#ifndef VSTATUS
+cc_t termAytChar;
+#endif
+
+/*
+ * initialize the terminal data structures.
+ */
+void init_terminal(void) {
+    if (ttyoring.init(2*BUFSIZ, ttysink, NULL) != 1) {
+        exit(1);
+    }
+    if (ttyiring.init(BUFSIZ, NULL, ttysrc) != 1) {
+        exit(1);
+    }
+    autoflush = TerminalAutoFlush();
+}
+
+
+/*
+ *              Send as much data as possible to the terminal.
+ *              if arg "drop" is nonzero, drop data on the floor instead.
+ *
+ *              Return value:
+ *                      -1: No useful work done, data waiting to go out.
+ *                       0: No data was waiting, so nothing was done.
+ *                       1: All waiting data was written out.
+ *                       n: All data - n was written out.
+ */
+int ttyflush(int drop) {
+    datasink *s = NULL;
+    if (drop) {
+        TerminalFlushOutput();
+        s = ttyoring.setsink(nullsink);
+    }
+    int rv = ttyoring.flush();
+    if (s) ttyoring.setsink(s);
+    return rv;
+}
+
+
+
+/*
+ * These routines decides on what the mode should be (based on the values
+ * of various global variables).
+ */
+int getconnmode(void) {
+    extern int linemode;
+    int mode = 0;
+#ifdef  KLUDGELINEMODE
+    extern int kludgelinemode;
+#endif
+
+    if (In3270)
+        return(MODE_FLOW);
+
+    if (my_want_state_is_dont(TELOPT_ECHO))
+        mode |= MODE_ECHO;
+
+    if (localflow)
+        mode |= MODE_FLOW;
+
+    if (my_want_state_is_will(TELOPT_BINARY))
+        mode |= MODE_INBIN;
+
+    if (his_want_state_is_will(TELOPT_BINARY))
+        mode |= MODE_OUTBIN;
+
+#ifdef  KLUDGELINEMODE
+    if (kludgelinemode) {
+        if (my_want_state_is_dont(TELOPT_SGA)) {
+            mode |= (MODE_TRAPSIG|MODE_EDIT);
+            if (dontlecho && (clocks.echotoggle > clocks.modenegotiated)) {
+                mode &= ~MODE_ECHO;
+            }
+        }
+        return(mode);
+    }
+#endif
+    if (my_want_state_is_will(TELOPT_LINEMODE))
+        mode |= linemode;
+    return(mode);
+}
+
+void setconnmode(int force) {
+    int newmode;
+
+    newmode = getconnmode()|(force?MODE_FORCE:0);
+
+    TerminalNewMode(newmode);
+
+}
+
+
+void setcommandmode(void) {
+    TerminalNewMode(-1);
+}
+
+
+/*********************/
+
+static int tout;                /* Output file descriptor */
+static int tin;                 /* Input file descriptor */
+
+
+class ttysynk : public datasink {
+  public:
+    virtual int write(const char *buf, int len) {
+        return TerminalWrite(buf, len);
+    }
+    virtual int writeurg(const char *buf, int len) {
+        return TerminalWrite(buf, len);
+    }
+};
+
+class ttysorc : public ringbuf::source {
+    virtual int read(char *buf, int maxlen) {
+        int l = TerminalRead(buf, maxlen);
+        if (l<0 && errno==EWOULDBLOCK) l = 0;
+        else if (l==0 && MODE_LOCAL_CHARS(globalmode) && isatty(tin)) {
+            /* EOF detection for line mode!!!! */
+            /* must be an EOF... */
+            *buf = termEofChar;
+            l = 1;
+        }
+        return l;
+    }
+};
+
+static ttysynk chan1;
+static ttysorc chan2;
+datasink *ttysink = &chan1;
+ringbuf::source *ttysrc = &chan2;
+
+
+struct termios old_tc;
+struct termios new_tc;
+
+#ifndef TCSANOW
+
+#if defined(TCSETS)
+#define TCSANOW         TCSETS
+#define TCSADRAIN       TCSETSW
+#define tcgetattr(f, t) ioctl(f, TCGETS, (char *)t)
+
+#elif defined(TCSETA)
+#define TCSANOW         TCSETA
+#define TCSADRAIN       TCSETAW
+#define tcgetattr(f, t) ioctl(f, TCGETA, (char *)t)
+
+#else
+#define TCSANOW         TIOCSETA
+#define TCSADRAIN       TIOCSETAW
+#define tcgetattr(f, t) ioctl(f, TIOCGETA, (char *)t)
+
+#endif
+
+#define tcsetattr(f, a, t) ioctl(f, a, (char *)t)
+#define cfgetospeed(ptr)        ((ptr)->c_cflag&CBAUD)
+#ifdef CIBAUD
+#define cfgetispeed(ptr)        (((ptr)->c_cflag&CIBAUD) >> IBSHIFT)
+#else
+#define cfgetispeed(ptr)        cfgetospeed(ptr)
+#endif
+
+#endif /* no TCSANOW */
+
+
+static void susp(int sig);
+
+void tlink_init(void) {
+#ifdef  SIGTSTP
+    signal(SIGTSTP, susp);
+#endif
+    tout = fileno(stdout);
+    tin = fileno(stdin);
+}
+
+int tlink_getifd(void) {
+    return tin;
+}
+
+int tlink_getofd(void) {
+    return tout;
+}
+
+static int TerminalWrite(const char *buf, int n) {
+    int r;
+    do {
+        r = write(tout, buf, n);
+    } while (r<0 && errno==EINTR);
+    if (r<0 && (errno==ENOBUFS || errno==EWOULDBLOCK)) r = 0;
+    return r;
+}
+
+static int TerminalRead(char *buf, int n) {
+    int r;
+    do {
+        r = read(tin, buf, n);
+    } while (r<0 && errno==EINTR);
+    return r;
+}
+
+#ifdef  SIGTSTP
+static void susp(int /*sig*/) {
+    if ((rlogin != _POSIX_VDISABLE) && rlogin_susp())
+        return;
+    if (localchars)
+        sendsusp();
+}
+#endif
+
+/*
+ * TerminalNewMode - set up terminal to a specific mode.
+ *      MODE_ECHO: do local terminal echo
+ *      MODE_FLOW: do local flow control
+ *      MODE_TRAPSIG: do local mapping to TELNET IAC sequences
+ *      MODE_EDIT: do local line editing
+ *
+ *      Command mode:
+ *              MODE_ECHO|MODE_EDIT|MODE_FLOW|MODE_TRAPSIG
+ *              local echo
+ *              local editing
+ *              local xon/xoff
+ *              local signal mapping
+ *
+ *      Linemode:
+ *              local/no editing
+ *      Both Linemode and Single Character mode:
+ *              local/remote echo
+ *              local/no xon/xoff
+ *              local/no signal mapping
+ */
+
+void TerminalNewMode(int f)
+{
+    static int prevmode = 0;
+    struct termios tmp_tc;
+
+    int onoff;
+    int old;
+    cc_t esc;
+
+    globalmode = f&~MODE_FORCE;
+    if (prevmode == f)
+        return;
+
+    /*
+     * Write any outstanding data before switching modes
+     * ttyflush() returns 0 only when there is no more data
+     * left to write out, it returns -1 if it couldn't do
+     * anything at all, otherwise it returns 1 + the number
+     * of characters left to write.
+     */
+    old = ttyflush(SYNCHing|flushout);
+    if (old < 0 || old > 1) {
+        tcgetattr(tin, &tmp_tc);
+        do {
+            /*
+             * Wait for data to drain, then flush again.
+             */
+            tcsetattr(tin, TCSADRAIN, &tmp_tc);
+            old = ttyflush(SYNCHing|flushout);
+        } while (old < 0 || old > 1);
+    }
+
+    old = prevmode;
+    prevmode = f&~MODE_FORCE;
+    tmp_tc = new_tc;
+
+    if (f&MODE_ECHO) {
+        tmp_tc.c_lflag |= ECHO;
+        tmp_tc.c_oflag |= ONLCR;
+        if (crlf)
+                tmp_tc.c_iflag |= ICRNL;
+    } 
+    else {
+        tmp_tc.c_lflag &= ~ECHO;
+        tmp_tc.c_oflag &= ~ONLCR;
+        if (crlf) tmp_tc.c_iflag &= ~ICRNL;
+    }
+
+    if ((f&MODE_FLOW) == 0) {
+        tmp_tc.c_iflag &= ~(IXANY|IXOFF|IXON);
+    } 
+    else {
+        tmp_tc.c_iflag |= IXANY|IXOFF|IXON;
+    }
+
+    if ((f&MODE_TRAPSIG) == 0) {
+        tmp_tc.c_lflag &= ~ISIG;
+        localchars = 0;
+    } 
+    else {
+        tmp_tc.c_lflag |= ISIG;
+        localchars = 1;
+    }
+
+    if (f&MODE_EDIT) {
+        tmp_tc.c_lflag |= ICANON;
+    } 
+    else {
+        tmp_tc.c_lflag &= ~ICANON;
+        tmp_tc.c_iflag &= ~ICRNL;
+        tmp_tc.c_cc[VMIN] = 1;
+        tmp_tc.c_cc[VTIME] = 0;
+    }
+
+    if ((f&(MODE_EDIT|MODE_TRAPSIG)) == 0) {
+#ifdef VLNEXT
+        tmp_tc.c_cc[VLNEXT] = (cc_t)(_POSIX_VDISABLE);
+#endif
+    }
+
+    if (f&MODE_SOFT_TAB) {
+#ifdef OXTABS
+        tmp_tc.c_oflag |= OXTABS;
+#endif
+#ifdef TABDLY
+        tmp_tc.c_oflag &= ~TABDLY;
+        tmp_tc.c_oflag |= TAB3;
+#endif
+    } 
+    else {
+#ifdef OXTABS
+        tmp_tc.c_oflag &= ~OXTABS;
+#endif
+#ifdef TABDLY
+        tmp_tc.c_oflag &= ~TABDLY;
+#endif
+    }
+
+    if (f&MODE_LIT_ECHO) {
+#ifdef ECHOCTL
+        tmp_tc.c_lflag &= ~ECHOCTL;
+#endif
+    } 
+    else {
+#ifdef ECHOCTL
+        tmp_tc.c_lflag |= ECHOCTL;
+#endif
+    }
+
+    if (f == -1) {
+        onoff = 0;
+    } 
+    else {
+        if (f & MODE_INBIN) {
+                tmp_tc.c_iflag &= ~ISTRIP;
+        }
+        else {
+                // Commented this out 5/97 so it works with 8-bit characters
+                // ...and put it back 12/99 because it violates the RFC and
+                // breaks SunOS.
+                tmp_tc.c_iflag |= ISTRIP;
+        }
+        if (f & MODE_OUTBIN) {
+                tmp_tc.c_cflag &= ~(CSIZE|PARENB);
+                tmp_tc.c_cflag |= CS8;
+                tmp_tc.c_oflag &= ~OPOST;
+        } else {
+                tmp_tc.c_cflag &= ~(CSIZE|PARENB);
+                tmp_tc.c_cflag |= old_tc.c_cflag & (CSIZE|PARENB);
+                tmp_tc.c_oflag |= OPOST;
+        }
+        onoff = 1;
+    }
+
+    if (f != -1) {
+#ifdef  SIGTSTP
+        signal(SIGTSTP, susp);
+#endif  /* SIGTSTP */
+
+#ifdef  SIGINFO
+        signal(SIGINFO, ayt);
+#endif  SIGINFO
+
+#if defined(NOKERNINFO)
+        tmp_tc.c_lflag |= NOKERNINFO;
+#endif
+        /*
+         * We don't want to process ^Y here.  It's just another
+         * character that we'll pass on to the back end.  It has
+         * to process it because it will be processed when the
+         * user attempts to read it, not when we send it.
+         */
+#ifdef VDSUSP
+        tmp_tc.c_cc[VDSUSP] = (cc_t)(_POSIX_VDISABLE);
+#endif
+        /*
+         * If the VEOL character is already set, then use VEOL2,
+         * otherwise use VEOL.
+         */
+        esc = (rlogin != _POSIX_VDISABLE) ? rlogin : escapechar;
+        if ((tmp_tc.c_cc[VEOL] != esc)
+#ifdef VEOL2
+            && (tmp_tc.c_cc[VEOL2] != esc)
+#endif
+            ) {
+                if (tmp_tc.c_cc[VEOL] == (cc_t)(_POSIX_VDISABLE))
+                    tmp_tc.c_cc[VEOL] = esc;
+#ifdef VEOL2
+                else if (tmp_tc.c_cc[VEOL2] == (cc_t)(_POSIX_VDISABLE))
+                    tmp_tc.c_cc[VEOL2] = esc;
+#endif
+        }
+    } 
+    else {
+
+#ifdef  SIGINFO
+        signal(SIGINFO, ayt_status);
+#endif  SIGINFO
+
+#ifdef  SIGTSTP
+        signal(SIGTSTP, SIG_DFL);
+/*      (void) sigsetmask(sigblock(0) & ~(1<<(SIGTSTP-1))); */
+#endif  /* SIGTSTP */
+
+        tmp_tc = old_tc;
+    }
+    if (tcsetattr(tin, TCSADRAIN, &tmp_tc) < 0)
+        tcsetattr(tin, TCSANOW, &tmp_tc);
+
+    ioctl(tin, FIONBIO, (char *)&onoff);
+    ioctl(tout, FIONBIO, (char *)&onoff);
+
+#if defined(TN3270)
+    if (noasynchtty == 0) {
+        ioctl(tin, FIOASYNC, (char *)&onoff);
+    }
+#endif  /* defined(TN3270) */
+
+}
+
+#ifndef B19200
+#define B19200 B9600
+#endif
+
+#ifndef B38400
+#define B38400 B19200
+#endif
+
+#ifndef B57600
+#define B57600 B38400
+#endif
+
+#ifndef B115200
+#define B115200 B57600
+#endif
+
+/*
+ * This code assumes that the values B0, B50, B75...
+ * are in ascending order.  They do not have to be
+ * contiguous.
+ */
+struct termspeeds {
+        long speed;
+        long value;
+} termspeeds[] = {
+        { 0,      B0 },      { 50,     B50 },    { 75,     B75 },
+        { 110,    B110 },    { 134,    B134 },   { 150,    B150 },
+        { 200,    B200 },    { 300,    B300 },   { 600,    B600 },
+        { 1200,   B1200 },   { 1800,   B1800 },  { 2400,   B2400 },
+        { 4800,   B4800 },   { 9600,   B9600 },  { 19200,  B19200 },
+        { 38400,  B38400 },  { 57600,  B57600 }, { 115200, B115200 },
+        { -1,     B115200 }
+};
+
+void TerminalSpeeds(long *ispeed, long *ospeed) {
+    register struct termspeeds *tp;
+    register long in, out;
+
+    out = cfgetospeed(&old_tc);
+    in = cfgetispeed(&old_tc);
+    if (in == 0)
+        in = out;
+
+    tp = termspeeds;
+    while ((tp->speed != -1) && (tp->value < in))
+        tp++;
+    *ispeed = tp->speed;
+
+    tp = termspeeds;
+    while ((tp->speed != -1) && (tp->value < out))
+        tp++;
+    *ospeed = tp->speed;
+}
+
+int TerminalWindowSize(long *rows, long *cols) {
+#ifdef  TIOCGWINSZ
+    struct winsize ws;
+
+    if (ioctl(fileno(stdin), TIOCGWINSZ, (char *)&ws) >= 0) {
+        *rows = ws.ws_row;
+        *cols = ws.ws_col;
+        return 1;
+    }
+#endif  /* TIOCGWINSZ */
+    return 0;
+}
+
+
+/*
+ * EmptyTerminal - called to make sure that the terminal buffer is 
+ * empty. Note that we consider the buffer to run all the way to the 
+ * kernel (thus the select).
+ */
+void EmptyTerminal(void) {
+    fd_set o;
+    FD_ZERO(&o);
+    
+    if (TTYBYTES() == 0) {
+        FD_SET(tout, &o);
+        select(tout+1, NULL, &o, NULL, NULL);   /* wait for TTLOWAT */
+    } 
+    else {
+        while (TTYBYTES()) {
+            ttyflush(0);
+            FD_SET(tout, &o);
+            select(tout+1, NULL, &o, NULL, NULL); /* wait for TTLOWAT */
+        }
+    }
+}
+
+int
+TerminalAutoFlush(void)
+{
+#if     defined(LNOFLSH)
+    int flush;
+
+    ioctl(tin, TIOCLGET, (char *)&flush);
+    return !(flush&LNOFLSH);    /* if LNOFLSH, no autoflush */
+#else   /* LNOFLSH */
+    return 1;
+#endif  /* LNOFLSH */
+}
+
+/*
+ * Flush output to the terminal
+ */
+    void
+TerminalFlushOutput()
+{
+#ifdef  TIOCFLUSH
+    (void) ioctl(fileno(stdout), TIOCFLUSH, (char *) 0);
+#else
+    (void) ioctl(fileno(stdout), TCFLSH, (char *) 0);
+#endif
+}
+
+    void
+TerminalSaveState()
+{
+#ifndef USE_TERMIO
+    ioctl(0, TIOCGETP, (char *)&ottyb);
+    ioctl(0, TIOCGETC, (char *)&otc);
+    ioctl(0, TIOCGLTC, (char *)&oltc);
+    ioctl(0, TIOCLGET, (char *)&olmode);
+
+    ntc = otc;
+    nltc = oltc;
+    nttyb = ottyb;
+
+#else   /* USE_TERMIO */
+    tcgetattr(0, &old_tc);
+
+    new_tc = old_tc;
+
+#ifndef VDISCARD
+    termFlushChar = CONTROL('O');
+#endif
+#ifndef VWERASE
+    termWerasChar = CONTROL('W');
+#endif
+#ifndef VREPRINT
+    termRprntChar = CONTROL('R');
+#endif
+#ifndef VLNEXT
+    termLiteralNextChar = CONTROL('V');
+#endif
+#ifndef VSTART
+    termStartChar = CONTROL('Q');
+#endif
+#ifndef VSTOP
+    termStopChar = CONTROL('S');
+#endif
+#ifndef VSTATUS
+    termAytChar = CONTROL('T');
+#endif
+#endif  /* USE_TERMIO */
+}
+
+void TerminalDefaultChars(void) {
+#ifndef USE_TERMIO
+    ntc = otc;
+    nltc = oltc;
+    nttyb.sg_kill = ottyb.sg_kill;
+    nttyb.sg_erase = ottyb.sg_erase;
+#else   /* USE_TERMIO */
+    memcpy(new_tc.c_cc, old_tc.c_cc, sizeof(old_tc.c_cc));
+#ifndef VDISCARD
+    termFlushChar = CONTROL('O');
+#endif
+#ifndef VWERASE
+    termWerasChar = CONTROL('W');
+#endif
+#ifndef VREPRINT
+    termRprntChar = CONTROL('R');
+#endif
+#ifndef VLNEXT
+    termLiteralNextChar = CONTROL('V');
+#endif
+#ifndef VSTART
+    termStartChar = CONTROL('Q');
+#endif
+#ifndef VSTOP
+    termStopChar = CONTROL('S');
+#endif
+#ifndef VSTATUS
+    termAytChar = CONTROL('T');
+#endif
+#endif  /* USE_TERMIO */
+}
diff --git a/exploits/7350855-netkit/netkit-telnet-0.16/telnet/terminal.h b/exploits/7350855-netkit/netkit-telnet-0.16/telnet/terminal.h
new file mode 100644
index 0000000..8fcfb83
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.16/telnet/terminal.h
@@ -0,0 +1,11 @@
+#define TTYADD(c)       { if (!(SYNCHing||flushout)) ttyoring.putch(c); }
+#define TTYBYTES()      (ttyoring.full_count())
+#define TTYROOM()       (ttyoring.empty_count())
+
+void tlink_init(void);
+
+void EmptyTerminal(void);
+
+
+int tlink_getifd(void);
+int tlink_getofd(void);
diff --git a/exploits/7350855-netkit/netkit-telnet-0.16/telnet/terminal.o b/exploits/7350855-netkit/netkit-telnet-0.16/telnet/terminal.o
new file mode 100644
index 0000000..1d0c95a
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.16/telnet/terminal.o
diff --git a/exploits/7350855-netkit/netkit-telnet-0.16/telnet/tn3270.cc b/exploits/7350855-netkit/netkit-telnet-0.16/telnet/tn3270.cc
new file mode 100644
index 0000000..19f13fe
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.16/telnet/tn3270.cc
@@ -0,0 +1,366 @@
+/*
+ * Copyright (c) 1988 Regents of the University of California.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *      This product includes software developed by the University of
+ *      California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/*
+ * From: @(#)tn3270.c   5.2 (Berkeley) 3/1/91
+ */
+char tn3270_rcsid[] = 
+  "$Id: tn3270.cc,v 1.9 1996/08/13 09:08:34 dholland Exp $";
+
+#include <sys/types.h>
+#include <arpa/telnet.h>
+
+#include "defines.h"
+#include "ring.h"
+#include "externs.h"
+#include "proto.h"
+
+#if defined(TN3270)
+
+#include "../tn3270/ctlr/screen.h"
+#include "../tn3270/general/globals.h"
+
+#include "../tn3270/telextrn.h"
+#include "../tn3270/ctlr/externs.h"
+
+int HaveInput;          /* There is input available to scan */
+int cursesdata;         /* Do we dump curses data? */
+int sigiocount;         /* Number of times we got a SIGIO */
+
+char tline[200];
+char *transcom = 0;     /* transparent mode command (default: none) */
+
+char Ibuf[8*BUFSIZ], *Ifrontp, *Ibackp;
+
+static char sb_terminal[] = { IAC, SB,
+                              TELOPT_TTYPE, TELQUAL_IS,
+                              'I', 'B', 'M', '-', '3', '2', '7', '8', '-', '2',
+                              IAC, SE };
+#define SBTERMMODEL     13
+
+static int Sent3270TerminalType;        /* Have we said we are a 3270? */
+
+#endif  /* defined(TN3270) */
+
+
+void init_3270(void) {
+#if defined(TN3270)
+    HaveInput = 0;
+    sigiocount = 0;
+    Sent3270TerminalType = 0;
+    Ifrontp = Ibackp = Ibuf;
+    init_ctlr();                /* Initialize some things */
+    init_keyboard();
+    init_screen();
+    init_system();
+#endif  /* TN3270 */
+}
+
+#if defined(TN3270)
+
+/*
+ * DataToNetwork - queue up some data to go to network.  If "done" is set,
+ * then when last byte is queued, we add on an IAC EOR sequence (so,
+ * don't call us with "done" until you want that done...)
+ *
+ * We actually do send all the data to the network buffer, since our
+ * only client needs for us to do that.
+ */
+
+/*
+ * buffer:      where the data is
+ * count:       how much to send
+ * done:        is this the last of a logical block
+ */
+int DataToNetwork(char *buffer, int count, int done) {
+    register int loop, c;
+    int origCount;
+    
+    origCount = count;
+
+    while (count) {
+        /* If not enough room for EORs, IACs, etc., wait */
+        if (NETROOM() < 6) {
+            fd_set o;
+            
+            FD_ZERO(&o);
+            netflush();
+            while (NETROOM() < 6) {
+                FD_SET(net, &o);
+                select(net+1, (fd_set *) 0, &o, (fd_set *) 0,
+                       (struct timeval *) 0);
+                netflush();
+            }
+        }
+        c = ring_empty_count(&netoring);
+        if (c > count) {
+            c = count;
+        }
+        loop = c;
+        while (loop) {
+            if (((unsigned char)*buffer) == IAC) {
+                break;
+            }
+            buffer++;
+            loop--;
+        }
+        if ((c = c-loop)) {
+            netoring.supply_data(buffer-c, c);
+            count -= c;
+        }
+        if (loop) {
+            NET2ADD(IAC, IAC);
+            count--;
+            buffer++;
+        }
+    }
+    
+    if (done) {
+        NET2ADD(IAC, EOR);
+        netflush();             /* try to move along as quickly as ... */
+    }
+    return(origCount - count);
+}
+
+void inputAvailable(void) {
+    HaveInput = 1;
+    sigiocount++;
+}
+
+void outputPurge(void) {
+    ttyflush(1);
+}
+
+
+/*
+ * The following routines are places where the various tn3270
+ * routines make calls into telnet.c.
+ */
+
+/*
+ * DataToTerminal - queue up some data to go to terminal.
+ *
+ * Note: there are people who call us and depend on our processing
+ * *all* the data at one time (thus the select).
+ */
+
+/*
+ * buffer:      where the data is
+ * count:       how much to send
+ */
+int DataToTerminal(char *buffer, int count) {
+    register int c;
+    int origCount;
+
+    origCount = count;
+
+    while (count) {
+        if (TTYROOM() == 0) {
+
+            fd_set o;
+            FD_ZERO(&o);
+            ttyflush(0);
+            while (TTYROOM() == 0) {
+                FD_SET(tout, &o);
+                select(tout+1, NULL, &o, NULL, NULL);
+                ttyflush(0);
+            }
+        }
+        c = TTYROOM();
+        if (c > count) {
+            c = count;
+        }
+        ttyoring.supply_data(buffer, c);
+        count -= c;
+        buffer += c;
+    }
+    return origCount;
+}
+
+
+/*
+ * Push3270 - Try to send data along the 3270 output (to screen) direction.
+ */
+int Push3270(void) {
+    int save = ring_full_count(&netiring);
+
+    if (save) {
+        if (Ifrontp+save > Ibuf+sizeof Ibuf) {
+            if (Ibackp != Ibuf) {
+                memcpy(Ibuf, Ibackp, Ifrontp-Ibackp);
+                Ifrontp -= (Ibackp-Ibuf);
+                Ibackp = Ibuf;
+            }
+        }
+        if (Ifrontp+save < Ibuf+sizeof Ibuf) {
+            (void)telrcv();
+        }
+    }
+    return save != ring_full_count(&netiring);
+}
+
+
+/*
+ * Finish3270 - get the last dregs of 3270 data out to the terminal
+ *              before quitting.
+ */
+void Finish3270(void) {
+    while (Push3270() || !DoTerminalOutput()) {
+        HaveInput = 0;
+    }
+}
+
+
+/* StringToTerminal - output a null terminated string to the terminal */
+void StringToTerminal(char *s) {
+    int count = strlen(s);
+    if (count) {
+        DataToTerminal(s, count);       /* we know it always goes... */
+    }
+}
+
+
+#if ((!defined(NOT43)) || defined(PUTCHAR))
+/* _putchar - output a single character to the terminal.  This name is so that
+ *      curses(3x) can call us to send out data.
+ */
+
+void _putchar(char c) {
+#if defined(sun)                /* SunOS 4.0 bug */
+    c &= 0x7f;
+#endif
+    if (cursesdata) {
+        Dump('>', &c, 1);
+    }
+    if (!TTYROOM()) {
+        DataToTerminal(&c, 1);
+    } 
+    else {
+        TTYADD(c);
+    }
+}
+#endif  /* ((!defined(NOT43)) || defined(PUTCHAR)) */
+
+void SetIn3270(void) {
+    if (Sent3270TerminalType && my_want_state_is_will(TELOPT_BINARY)
+        && my_want_state_is_do(TELOPT_BINARY) && !donebinarytoggle) 
+    {
+        if (!In3270) {
+            In3270 = 1;
+            Init3270();         /* Initialize 3270 functions */
+            /* initialize terminal key mapping */
+            InitTerminal();     /* Start terminal going */
+            setconnmode(0);
+        }
+    } 
+    else {
+        if (In3270) {
+            StopScreen(1);
+            In3270 = 0;
+            Stop3270();         /* Tell 3270 we aren't here anymore */
+            setconnmode(0);
+        }
+    }
+}
+
+/*
+ * tn3270_ttype()
+ *
+ *      Send a response to a terminal type negotiation.
+ *
+ *      Return '0' if no more responses to send; '1' if a response sent.
+ */
+
+int tn3270_ttype(void) {
+    /*
+     * Try to send a 3270 type terminal name.  Decide which one based
+     * on the format of our screen, and (in the future) color
+     * capaiblities.
+     */
+    InitTerminal();             /* Sets MaxNumberColumns, MaxNumberLines */
+    if ((MaxNumberLines >= 24) && (MaxNumberColumns >= 80)) {
+        Sent3270TerminalType = 1;
+        if ((MaxNumberLines >= 27) && (MaxNumberColumns >= 132)) {
+            MaxNumberLines = 27;
+            MaxNumberColumns = 132;
+            sb_terminal[SBTERMMODEL] = '5';
+        } 
+        else if (MaxNumberLines >= 43) {
+            MaxNumberLines = 43;
+            MaxNumberColumns = 80;
+            sb_terminal[SBTERMMODEL] = '4';
+        } 
+        else if (MaxNumberLines >= 32) {
+            MaxNumberLines = 32;
+            MaxNumberColumns = 80;
+            sb_terminal[SBTERMMODEL] = '3';
+        } 
+        else {
+            MaxNumberLines = 24;
+            MaxNumberColumns = 80;
+            sb_terminal[SBTERMMODEL] = '2';
+        }
+        NumberLines = 24;               /* before we start out... */
+        NumberColumns = 80;
+        ScreenSize = NumberLines*NumberColumns;
+        if ((MaxNumberLines*MaxNumberColumns) > MAXSCREENSIZE) {
+            ExitString("Programming error:  MAXSCREENSIZE too small.\n",
+                                                                1);
+            /*NOTREACHED*/
+        }
+        printsub('>', sb_terminal+2, sizeof sb_terminal-2);
+        netoring.supply_data(sb_terminal, sizeof(sb_terminal));
+        return 1;
+    } 
+    else {
+        return 0;
+    }
+}
+
+int settranscom(int argc, char *argv[]) {
+    int i;
+    if (argc == 1 && transcom) {
+        transcom = 0;
+    }
+    if (argc == 1) {
+        return;
+    }
+    transcom = tline;
+    strcpy(transcom, argv[1]);
+    for (i = 2; i < argc; ++i) {
+        strcat(transcom, " ");
+        strcat(transcom, argv[i]);
+    }
+}
+
+#endif  /* defined(TN3270) */
diff --git a/exploits/7350855-netkit/netkit-telnet-0.16/telnet/tn3270.o b/exploits/7350855-netkit/netkit-telnet-0.16/telnet/tn3270.o
new file mode 100644
index 0000000..5dc7fab
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.16/telnet/tn3270.o
diff --git a/exploits/7350855-netkit/netkit-telnet-0.16/telnet/types.h b/exploits/7350855-netkit/netkit-telnet-0.16/telnet/types.h
new file mode 100644
index 0000000..00cddfb
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.16/telnet/types.h
@@ -0,0 +1,52 @@
+/*
+ * Copyright (c) 1988 Regents of the University of California.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *      This product includes software developed by the University of
+ *      California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *      from: @(#)types.h       5.1 (Berkeley) 9/14/90
+ *      $Id: types.h,v 1.2 1996/07/27 00:45:54 dholland Exp $
+ */
+
+typedef struct {
+    char *modedescriptions;
+    char modetype;
+} Modelist;
+
+extern Modelist modelist[];
+
+typedef struct {
+    int system;                 /* what the current time is */
+    int echotoggle;             /* last time user entered echo character */
+    int modenegotiated;         /* last time operating mode negotiated */
+    int didnetreceive;          /* last time we read data from network */
+    int gotDM;                  /* when did we last see a data mark */
+} Clocks;
+
+extern Clocks clocks;
diff --git a/exploits/7350855-netkit/netkit-telnet-0.16/telnet/utilities.cc b/exploits/7350855-netkit/netkit-telnet-0.16/telnet/utilities.cc
new file mode 100644
index 0000000..0448f0a
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.16/telnet/utilities.cc
@@ -0,0 +1,673 @@
+/*
+ * Copyright (c) 1988 Regents of the University of California.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *      This product includes software developed by the University of
+ *      California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/*
+ * From: @(#)utilities.c        5.3 (Berkeley) 3/22/91
+ */
+char util_rcsid[] = 
+  "$Id: utilities.cc,v 1.19 1999/12/12 15:33:40 dholland Exp $";
+
+#define TELOPTS
+#define TELCMDS
+#define SLC_NAMES
+
+#include <arpa/telnet.h>
+#include <sys/types.h>
+#include <sys/time.h>
+#include <sys/socket.h>
+#include <unistd.h>
+#include <ctype.h>
+
+#include "ring.h"
+#include "defines.h"
+#include "externs.h"
+#include "proto.h"
+#include "terminal.h"
+
+FILE *NetTrace = 0;             /* Not in bss, since needs to stay */ /* ? */
+char NetTraceFile[256] = "(standard output)";
+
+/*
+ * upcase()
+ *
+ *      Upcase (in place) the argument.
+ */
+void upcase(char *str) {
+    for (int i=0; str[i]; i++) {
+        if (islower(str[i])) str[i] = toupper(str[i]);
+    }
+}
+
+/*
+ * The following are routines used to print out debugging information.
+ */
+
+void SetNetTrace(const char *file) {
+    if (NetTrace && NetTrace != stdout)
+        fclose(NetTrace);
+    if (file && strcmp(file, "-")) {
+        NetTrace = fopen(file, "w");
+        if (NetTrace) {
+            strcpy((char *)NetTraceFile, file);
+            return;
+        }
+        fprintf(stderr, "Cannot open %s.\n", file);
+    }
+    NetTrace = stdout;
+    strcpy((char *)NetTraceFile, "(standard output)");
+}
+
+#define BYTES_PER_LINE  32
+#define min(x,y) ((x<y)? x:y)
+
+void Dump(int direction, char *buffer, int length) {
+    char *pThis;
+    int offset;
+
+    offset = 0;
+
+    while (length) {
+        /* print one line */
+        fprintf(NetTrace, "%c 0x%x\t", direction, offset);
+        pThis = buffer;
+        if (0 /*prettydump*/) {
+            buffer = buffer + min(length, BYTES_PER_LINE/2);
+            while (pThis < buffer) {
+                fprintf(NetTrace, "%c%.2x",
+                        (((*pThis)&0xff) == 0xff) ? '*' : ' ',
+                        (*pThis)&0xff);
+                pThis++;
+            }
+            length -= BYTES_PER_LINE/2;
+            offset += BYTES_PER_LINE/2;
+        } 
+        else {
+            buffer = buffer + min(length, BYTES_PER_LINE);
+            while (pThis < buffer) {
+                fprintf(NetTrace, "%.2x", (*pThis)&0xff);
+                pThis++;
+            }
+            length -= BYTES_PER_LINE;
+            offset += BYTES_PER_LINE;
+        }
+        if (NetTrace == stdout) {
+            fprintf(NetTrace, "\r\n");
+        } 
+        else {
+            fprintf(NetTrace, "\n");
+        }
+        if (length < 0) {
+            fflush(NetTrace);
+            return;
+        }
+        /* find next unique line */
+    }
+    fflush(NetTrace);
+}
+
+
+void printoption(const char *direction, int cmd, int option) {
+    if (!showoptions)
+        return;
+    if (cmd == IAC) {
+        if (TELCMD_OK(option))
+            fprintf(NetTrace, "%s IAC %s", direction, TELCMD(option));
+        else
+            fprintf(NetTrace, "%s IAC %d", direction, option);
+    } 
+    else {
+        const char *fmt;
+        fmt = (cmd == WILL) ? "WILL" : (cmd == WONT) ? "WONT" :
+            (cmd == DO) ? "DO" : (cmd == DONT) ? "DONT" : 0;
+        if (fmt) {
+            fprintf(NetTrace, "%s %s ", direction, fmt);
+            if (TELOPT_OK(option))
+                fprintf(NetTrace, "%s", TELOPT(option));
+            else if (option == TELOPT_EXOPL)
+                fprintf(NetTrace, "EXOPL");
+            else
+                fprintf(NetTrace, "%d", option);
+        } 
+        else
+            fprintf(NetTrace, "%s %d %d", direction, cmd, option);
+    }
+    if (NetTrace == stdout)
+        fprintf(NetTrace, "\r\n");
+    else
+        fprintf(NetTrace, "\n");
+    return;
+}
+
+void optionstatus(void) {
+    int i;
+    extern char will_wont_resp[], do_dont_resp[];
+
+    for (i = 0; i < 256; i++) {
+        if (do_dont_resp[i]) {
+            if (TELOPT_OK(i))
+                printf("resp DO_DONT %s: %d\n", TELOPT(i), do_dont_resp[i]);
+            else if (TELCMD_OK(i))
+                printf("resp DO_DONT %s: %d\n", TELCMD(i), do_dont_resp[i]);
+            else
+                printf("resp DO_DONT %d: %d\n", i, do_dont_resp[i]);
+            if (my_want_state_is_do(i)) {
+                if (TELOPT_OK(i))
+                    printf("want DO   %s\n", TELOPT(i));
+                else if (TELCMD_OK(i))
+                    printf("want DO   %s\n", TELCMD(i));
+                else
+                    printf("want DO   %d\n", i);
+            } 
+            else {
+                if (TELOPT_OK(i))
+                    printf("want DONT %s\n", TELOPT(i));
+                else if (TELCMD_OK(i))
+                    printf("want DONT %s\n", TELCMD(i));
+                else
+                    printf("want DONT %d\n", i);
+            }
+        } 
+        else {
+            if (my_state_is_do(i)) {
+                if (TELOPT_OK(i))
+                    printf("     DO   %s\n", TELOPT(i));
+                else if (TELCMD_OK(i))
+                    printf("     DO   %s\n", TELCMD(i));
+                else
+                    printf("     DO   %d\n", i);
+            }
+        }
+        if (will_wont_resp[i]) {
+            if (TELOPT_OK(i))
+                printf("resp WILL_WONT %s: %d\n", TELOPT(i), will_wont_resp[i]);
+            else if (TELCMD_OK(i))
+                printf("resp WILL_WONT %s: %d\n", TELCMD(i), will_wont_resp[i]);
+            else
+                printf("resp WILL_WONT %d: %d\n",
+                                i, will_wont_resp[i]);
+            if (my_want_state_is_will(i)) {
+                if (TELOPT_OK(i))
+                    printf("want WILL %s\n", TELOPT(i));
+                else if (TELCMD_OK(i))
+                    printf("want WILL %s\n", TELCMD(i));
+                else
+                    printf("want WILL %d\n", i);
+            } 
+            else {
+                if (TELOPT_OK(i))
+                    printf("want WONT %s\n", TELOPT(i));
+                else if (TELCMD_OK(i))
+                    printf("want WONT %s\n", TELCMD(i));
+                else
+                    printf("want WONT %d\n", i);
+            }
+        } 
+        else {
+            if (my_state_is_will(i)) {
+                if (TELOPT_OK(i))
+                    printf("     WILL %s\n", TELOPT(i));
+                else if (TELCMD_OK(i))
+                    printf("     WILL %s\n", TELCMD(i));
+                else
+                    printf("     WILL %d\n", i);
+            }
+        }
+    }
+
+}
+
+/* direction: '<' or '>' */
+/* pointer: where suboption data sits */
+/* length: length of suboption data */
+void printsub(int direction, unsigned char *pointer, int length) {
+    register int i = 0;
+
+    extern int want_status_response;
+
+    if (showoptions || direction == 0 ||
+        (want_status_response && (pointer[0] == TELOPT_STATUS))) {
+        if (direction) {
+            fprintf(NetTrace, "%s IAC SB ",
+                                (direction == '<')? "RCVD":"SENT");
+            if (length >= 3) {
+                register int j;
+
+                i = pointer[length-2];
+                j = pointer[length-1];
+
+                if (i != IAC || j != SE) {
+                    fprintf(NetTrace, "(terminated by ");
+                    if (TELOPT_OK(i))
+                        fprintf(NetTrace, "%s ", TELOPT(i));
+                    else if (TELCMD_OK(i))
+                        fprintf(NetTrace, "%s ", TELCMD(i));
+                    else
+                        fprintf(NetTrace, "%d ", i);
+                    if (TELOPT_OK(j))
+                        fprintf(NetTrace, "%s", TELOPT(j));
+                    else if (TELCMD_OK(j))
+                        fprintf(NetTrace, "%s", TELCMD(j));
+                    else
+                        fprintf(NetTrace, "%d", j);
+                    fprintf(NetTrace, ", not IAC SE!) ");
+                }
+            }
+            length -= 2;
+        }
+        if (length < 1) {
+            fprintf(NetTrace, "(Empty suboption???)");
+            return;
+        }
+        switch ((unsigned char)(pointer[0])) {
+        case TELOPT_TTYPE:
+            fprintf(NetTrace, "TERMINAL-TYPE ");
+            switch (pointer[1]) {
+            case TELQUAL_IS:
+                fprintf(NetTrace, "IS \"%.*s\"", length-2, (char *)pointer+2);
+                break;
+            case TELQUAL_SEND:
+                fprintf(NetTrace, "SEND");
+                break;
+            default:
+                fprintf(NetTrace,
+                                "- unknown qualifier %d (0x%x).",
+                                pointer[1], pointer[1]);
+            }
+            break;
+        case TELOPT_TSPEED:
+            fprintf(NetTrace, "TERMINAL-SPEED");
+            if (length < 2) {
+                fprintf(NetTrace, " (empty suboption???)");
+                break;
+            }
+            switch (pointer[1]) {
+            case TELQUAL_IS:
+                fprintf(NetTrace, " IS ");
+                fprintf(NetTrace, "%.*s", length-2, (char *)pointer+2);
+                break;
+            default:
+                if (pointer[1] == 1)
+                    fprintf(NetTrace, " SEND");
+                else
+                    fprintf(NetTrace, " %d (unknown)", pointer[1]);
+                for (i = 2; i < length; i++)
+                    fprintf(NetTrace, " ?%d?", pointer[i]);
+                break;
+            }
+            break;
+
+        case TELOPT_LFLOW:
+            fprintf(NetTrace, "TOGGLE-FLOW-CONTROL");
+            if (length < 2) {
+                fprintf(NetTrace, " (empty suboption???)");
+                break;
+            }
+            switch (pointer[1]) {
+            case 0:
+                fprintf(NetTrace, " OFF"); break;
+            case 1:
+                fprintf(NetTrace, " ON"); break;
+            default:
+                fprintf(NetTrace, " %d (unknown)", pointer[1]);
+            }
+            for (i = 2; i < length; i++)
+                fprintf(NetTrace, " ?%d?", pointer[i]);
+            break;
+
+        case TELOPT_NAWS:
+            fprintf(NetTrace, "NAWS");
+            if (length < 2) {
+                fprintf(NetTrace, " (empty suboption???)");
+                break;
+            }
+            if (length == 2) {
+                fprintf(NetTrace, " ?%d?", pointer[1]);
+                break;
+            }
+            fprintf(NetTrace, " %d %d (%d)",
+                pointer[1], pointer[2],
+                (int)((((unsigned int)pointer[1])<<8)|((unsigned int)pointer[2])));
+            if (length == 4) {
+                fprintf(NetTrace, " ?%d?", pointer[3]);
+                break;
+            }
+            fprintf(NetTrace, " %d %d (%d)",
+                pointer[3], pointer[4],
+                (int)((((unsigned int)pointer[3])<<8)|((unsigned int)pointer[4])));
+            for (i = 5; i < length; i++)
+                fprintf(NetTrace, " ?%d?", pointer[i]);
+            break;
+
+        case TELOPT_LINEMODE:
+            fprintf(NetTrace, "LINEMODE ");
+            if (length < 2) {
+                fprintf(NetTrace, " (empty suboption???)");
+                break;
+            }
+            switch ((unsigned char)(pointer[1])) {
+            case WILL:
+                fprintf(NetTrace, "WILL ");
+                goto common;
+            case WONT:
+                fprintf(NetTrace, "WONT ");
+                goto common;
+            case DO:
+                fprintf(NetTrace, "DO ");
+                goto common;
+            case DONT:
+                fprintf(NetTrace, "DONT ");
+            common:
+                if (length < 3) {
+                    fprintf(NetTrace, "(no option???)");
+                    break;
+                }
+                switch ((unsigned char)(pointer[2])) {
+                case LM_FORWARDMASK:
+                    fprintf(NetTrace, "Forward Mask");
+                    for (i = 3; i < length; i++)
+                        fprintf(NetTrace, " %x", pointer[i]);
+                    break;
+                default:
+                    fprintf(NetTrace, "%d (unknown)", pointer[2]);
+                    for (i = 3; i < length; i++)
+                        fprintf(NetTrace, " %d", pointer[i]);
+                    break;
+                }
+                break;
+                
+            case LM_SLC:
+                fprintf(NetTrace, "SLC");
+                for (i = 2; i < length - 2; i += 3) {
+                    if (SLC_NAME_OK(pointer[i+SLC_FUNC]))
+                        fprintf(NetTrace, " %s", SLC_NAME(pointer[i+SLC_FUNC]));
+                    else
+                        fprintf(NetTrace, " %d", pointer[i+SLC_FUNC]);
+                    switch (pointer[i+SLC_FLAGS]&SLC_LEVELBITS) {
+                    case SLC_NOSUPPORT:
+                        fprintf(NetTrace, " NOSUPPORT"); break;
+                    case SLC_CANTCHANGE:
+                        fprintf(NetTrace, " CANTCHANGE"); break;
+                    case SLC_VARIABLE:
+                        fprintf(NetTrace, " VARIABLE"); break;
+                    case SLC_DEFAULT:
+                        fprintf(NetTrace, " DEFAULT"); break;
+                    }
+                    fprintf(NetTrace, "%s%s%s",
+                        pointer[i+SLC_FLAGS]&SLC_ACK ? "|ACK" : "",
+                        pointer[i+SLC_FLAGS]&SLC_FLUSHIN ? "|FLUSHIN" : "",
+                        pointer[i+SLC_FLAGS]&SLC_FLUSHOUT ? "|FLUSHOUT" : "");
+                    if (pointer[i+SLC_FLAGS]& ~(SLC_ACK|SLC_FLUSHIN|
+                                                SLC_FLUSHOUT| SLC_LEVELBITS))
+                        fprintf(NetTrace, "(0x%x)", pointer[i+SLC_FLAGS]);
+                    fprintf(NetTrace, " %d;", pointer[i+SLC_VALUE]);
+                    if ((pointer[i+SLC_VALUE] == IAC) &&
+                        (pointer[i+SLC_VALUE+1] == IAC))
+                                i++;
+                }
+                for (; i < length; i++)
+                    fprintf(NetTrace, " ?%d?", pointer[i]);
+                break;
+
+            case LM_MODE:
+                fprintf(NetTrace, "MODE ");
+                if (length < 3) {
+                    fprintf(NetTrace, "(no mode???)");
+                    break;
+                }
+                {
+                    char tbuf[64];
+                    snprintf(tbuf, sizeof(tbuf), "%s%s%s%s%s",
+                        pointer[2]&MODE_EDIT ? "|EDIT" : "",
+                        pointer[2]&MODE_TRAPSIG ? "|TRAPSIG" : "",
+                        pointer[2]&MODE_SOFT_TAB ? "|SOFT_TAB" : "",
+                        pointer[2]&MODE_LIT_ECHO ? "|LIT_ECHO" : "",
+                        pointer[2]&MODE_ACK ? "|ACK" : "");
+                    fprintf(NetTrace, "%s", tbuf[1] ? &tbuf[1] : "0");
+                }
+                if (pointer[2]&~(MODE_MASK))
+                    fprintf(NetTrace, " (0x%x)", pointer[2]);
+                for (i = 3; i < length; i++)
+                    fprintf(NetTrace, " ?0x%x?", pointer[i]);
+                break;
+            default:
+                fprintf(NetTrace, "%d (unknown)", pointer[1]);
+                for (i = 2; i < length; i++)
+                    fprintf(NetTrace, " %d", pointer[i]);
+            }
+            break;
+
+        case TELOPT_STATUS: {
+            const char *cp;
+            int j, k;
+
+            fprintf(NetTrace, "STATUS");
+
+            switch (pointer[1]) {
+            default:
+                if (pointer[1] == TELQUAL_SEND)
+                    fprintf(NetTrace, " SEND");
+                else
+                    fprintf(NetTrace, " %d (unknown)", pointer[1]);
+                for (i = 2; i < length; i++)
+                    fprintf(NetTrace, " ?%d?", pointer[i]);
+                break;
+            case TELQUAL_IS:
+                if (--want_status_response < 0)
+                    want_status_response = 0;
+                if (NetTrace == stdout)
+                    fprintf(NetTrace, " IS\r\n");
+                else
+                    fprintf(NetTrace, " IS\n");
+
+                for (i = 2; i < length; i++) {
+                    switch((unsigned char)(pointer[i])) {
+                    case DO:    cp = "DO"; goto common2;
+                    case DONT:  cp = "DONT"; goto common2;
+                    case WILL:  cp = "WILL"; goto common2;
+                    case WONT:  cp = "WONT"; goto common2;
+                    common2:
+                        i++;
+                        if (TELOPT_OK((int)pointer[i]))
+                            fprintf(NetTrace, " %s %s", cp, TELOPT(pointer[i]));
+                        else
+                            fprintf(NetTrace, " %s %d", cp, pointer[i]);
+
+                        if (NetTrace == stdout)
+                            fprintf(NetTrace, "\r\n");
+                        else
+                            fprintf(NetTrace, "\n");
+                        break;
+
+                    case SB:
+                        fprintf(NetTrace, " SB ");
+                        i++;
+                        j = k = i;
+                        while (j < length) {
+                            if (pointer[j] == SE) {
+                                if (j+1 == length)
+                                    break;
+                                if (pointer[j+1] == SE)
+                                    j++;
+                                else
+                                    break;
+                            }
+                            pointer[k++] = pointer[j++];
+                        }
+                        printsub(0, &pointer[i], k - i);
+                        if (i < length) {
+                            fprintf(NetTrace, " SE");
+                            i = j;
+                        } else
+                            i = j - 1;
+
+                        if (NetTrace == stdout)
+                            fprintf(NetTrace, "\r\n");
+                        else
+                            fprintf(NetTrace, "\n");
+
+                        break;
+                                
+                    default:
+                        fprintf(NetTrace, " %d", pointer[i]);
+                        break;
+                    }
+                }
+                break;
+            }
+            break;
+          }
+
+        case TELOPT_XDISPLOC:
+            fprintf(NetTrace, "X-DISPLAY-LOCATION ");
+            switch (pointer[1]) {
+            case TELQUAL_IS:
+                fprintf(NetTrace, "IS \"%.*s\"", length-2, (char *)pointer+2);
+                break;
+            case TELQUAL_SEND:
+                fprintf(NetTrace, "SEND");
+                break;
+            default:
+                fprintf(NetTrace, "- unknown qualifier %d (0x%x).",
+                                pointer[1], pointer[1]);
+            }
+            break;
+
+        case TELOPT_ENVIRON:
+            fprintf(NetTrace, "ENVIRON ");
+            switch (pointer[1]) {
+            case TELQUAL_IS:
+                fprintf(NetTrace, "IS ");
+                goto env_common;
+            case TELQUAL_SEND:
+                fprintf(NetTrace, "SEND ");
+                goto env_common;
+            case TELQUAL_INFO:
+                fprintf(NetTrace, "INFO ");
+            env_common:
+                {
+                    register int noquote = 2;
+                    for (i = 2; i < length; i++ ) {
+                        switch (pointer[i]) {
+                        case ENV_VAR:
+                            if (pointer[1] == TELQUAL_SEND)
+                                goto def_case;
+                            fprintf(NetTrace, "\" VAR " + noquote);
+                            noquote = 2;
+                            break;
+
+                        case ENV_VALUE:
+                            fprintf(NetTrace, "\" VALUE " + noquote);
+                            noquote = 2;
+                            break;
+
+                        case ENV_ESC:
+                            fprintf(NetTrace, "\" ESC " + noquote);
+                            noquote = 2;
+                            break;
+
+                        default:
+                        def_case:
+                            if (isprint(pointer[i]) && pointer[i] != '"') {
+                                if (noquote) {
+                                    putc('"', NetTrace);
+                                    noquote = 0;
+                                }
+                                putc(pointer[i], NetTrace);
+                            } else {
+                                fprintf(NetTrace, "\" %03o " + noquote,
+                                                        pointer[i]);
+                                noquote = 2;
+                            }
+                            break;
+                        }
+                    }
+                    if (!noquote)
+                        putc('"', NetTrace);
+                    break;
+                }
+            }
+            break;
+
+        default:
+            if (TELOPT_OK(pointer[0]))
+                fprintf(NetTrace, "%s (unknown)", TELOPT(pointer[0]));
+            else
+                fprintf(NetTrace, "%d (unknown)", pointer[i]);
+            for (i = 1; i < length; i++)
+                fprintf(NetTrace, " %d", pointer[i]);
+            break;
+        }
+        if (direction) {
+            if (NetTrace == stdout)
+                fprintf(NetTrace, "\r\n");
+            else
+                fprintf(NetTrace, "\n");
+        }
+    }
+}
+
+void SetForExit(void) {
+    setconnmode(0);
+#if defined(TN3270)
+    if (In3270) {
+        Finish3270();
+    }
+#else   /* defined(TN3270) */
+    do {
+        telrcv();                       /* Process any incoming data */
+        EmptyTerminal();
+    } while (netiring.full_count());    /* While there is any */
+#endif  /* defined(TN3270) */
+    setcommandmode();
+    fflush(stdout);
+    fflush(stderr);
+#if defined(TN3270)
+    if (In3270) {
+        StopScreen(1);
+    }
+#endif  /* defined(TN3270) */
+    setconnmode(0);
+    EmptyTerminal();                    /* Flush the path to the tty */
+    setcommandmode();
+}
+
+void Exit(int returnCode) {
+    SetForExit();
+    exit(returnCode);
+}
+
+void ExitString(const char *string, int returnCode) {
+    SetForExit();
+    fwrite(string, 1, strlen(string), stderr);
+    exit(returnCode);
+}
diff --git a/exploits/7350855-netkit/netkit-telnet-0.16/telnet/utilities.o b/exploits/7350855-netkit/netkit-telnet-0.16/telnet/utilities.o
new file mode 100644
index 0000000..0cc0eb1
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.16/telnet/utilities.o
diff --git a/exploits/7350855-netkit/netkit-telnet-0.16/telnetd/Makefile b/exploits/7350855-netkit/netkit-telnet-0.16/telnetd/Makefile
new file mode 100644
index 0000000..9b80e98
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.16/telnetd/Makefile
@@ -0,0 +1,38 @@
+all: telnetd
+
+include ../MCONFIG
+include ../MRULES
+
+# -DAUTHENTICATE
+
+# If having unused tty devices root.root and mode 600 bugs you,
+# take out -DPARANOID_TTYS.
+
+CFLAGS += '-DISSUE_FILE="/etc/issue.net"' -DPARANOID_TTYS \
+           -DNO_REVOKE -DKLUDGELINEMODE -DDIAGNOSTICS \
+           -DLOGIN_WRAPPER=\"/usr/lib/telnetd/login\"
+# LIBS += $(LIBTERMCAP)
+
+OBJS = telnetd.o state.o termstat.o slc.o sys_term.o utility.o \
+        global.o setproctitle.o
+
+# authenc.o (empty)
+
+# logout.o logwtmp.o (now from -lutil)
+
+
+telnetd: $(OBJS)
+        $(CC) $(LDFLAGS) $^ $(LIBS) -o $@
+
+$(OBJS): defs.h ext.h pathnames.h telnetd.h logwtmp.h logout.h setproctitle.h
+telnetd.o: ../version.h
+
+install: telnetd
+        install -s -m$(DAEMONMODE) telnetd $(INSTALLROOT)$(SBINDIR)/in.telnetd
+        install -m$(MANMODE) issue.net.5 $(INSTALLROOT)$(MANDIR)/man5/
+        install -m$(MANMODE) telnetd.8 $(INSTALLROOT)$(MANDIR)/man8/in.telnetd.8
+        ln -sf in.telnetd.8 $(INSTALLROOT)$(MANDIR)/man8/telnetd.8
+
+clean:
+        rm -f *.o telnetd 
+
diff --git a/exploits/7350855-netkit/netkit-telnet-0.16/telnetd/authenc.c b/exploits/7350855-netkit/netkit-telnet-0.16/telnetd/authenc.c
new file mode 100644
index 0000000..d11a724
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.16/telnetd/authenc.c
@@ -0,0 +1,83 @@
+/*-
+ * Copyright (c) 1991 The Regents of the University of California.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms are permitted provided
+ * that: (1) source distributions retain this entire copyright notice and
+ * comment, and (2) distributions including binaries display the following
+ * acknowledgement:  ``This product includes software developed by the
+ * University of California, Berkeley and its contributors'' in the
+ * documentation or other materials provided with the distribution and in
+ * all advertising materials mentioning features or use of this software.
+ * Neither the name of the University nor the names of its contributors may
+ * be used to endorse or promote products derived from this software without
+ * specific prior written permission.
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
+ * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
+ */
+
+#if 0 /* dead code */
+
+/*
+ * From: @(#)authenc.c  5.1 (Berkeley) 3/1/91
+ */
+char authenc_rcsid[] =
+  "$Id: authenc.c,v 1.5 1999/12/12 14:59:44 dholland Exp $";
+
+#if     defined(ENCRYPT) || defined(AUTHENTICATE)
+#include "telnetd.h"
+#include <libtelnet/misc.h>
+
+int
+net_write(str, len)
+    unsigned char *str;
+    int len;
+{
+    if (nfrontp + len < netobuf + BUFSIZ) {
+        bcopy((void *)str, (void *)nfrontp, len);
+        nfrontp += len;
+        return(len);
+    }
+    return(0);
+}
+
+void
+net_encrypt()
+{
+#if     defined(ENCRYPT)
+    char *s = (nclearto > nbackp) ? nclearto : nbackp;
+    if (s < nfrontp && encrypt_output) {
+        (*encrypt_output)((unsigned char *)s, nfrontp - s);
+    }
+    nclearto = nfrontp;
+#endif
+}
+
+int
+telnet_spin()
+{
+    ttloop();
+    return(0);
+}
+
+char *
+telnet_getenv(val)
+    char *val;
+{
+    extern char *getenv();
+    return(getenv(val));
+}
+
+char *
+telnet_gets(prompt, result, length, echo)
+    char *prompt;
+    char *result;
+    int length;
+    int echo;
+{
+    return((char *)0);
+}
+#endif
+
+#endif /* 0 */
diff --git a/exploits/7350855-netkit/netkit-telnet-0.16/telnetd/defs.h b/exploits/7350855-netkit/netkit-telnet-0.16/telnetd/defs.h
new file mode 100644
index 0000000..ea1997f
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.16/telnetd/defs.h
@@ -0,0 +1,215 @@
+/*
+ * Copyright (c) 1989 The Regents of the University of California.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *      This product includes software developed by the University of
+ *      California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *      from: @(#)defs.h        5.10 (Berkeley) 3/1/91
+ *      $Id: defs.h,v 1.7 1999/08/02 03:14:03 dholland Exp $
+ */
+
+/*
+ * Telnet server defines
+ */
+#include <sys/types.h>
+#include <sys/param.h>
+
+#define ENV_VAR         NEW_ENV_VAR
+#define ENV_VALUE       NEW_ENV_VALUE
+#define TELOPT_ENVIRON  TELOPT_NEW_ENVIRON
+
+#if defined(PRINTOPTIONS) && defined(DIAGNOSTICS)
+#define TELOPTS
+#define TELCMDS
+#define SLC_NAMES
+#endif
+
+#include <sys/socket.h>
+#include <sys/wait.h>
+#include <fcntl.h>
+#include <sys/file.h>
+#include <sys/stat.h>
+#include <sys/time.h>
+#include <sys/ioctl.h>
+#include <netinet/in.h>
+#include <arpa/telnet.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <signal.h>
+#include <errno.h>
+#include <netdb.h>
+#include <syslog.h>
+
+#ifndef LOG_DAEMON
+#define LOG_DAEMON      0
+#endif
+
+#ifndef LOG_ODELAY
+#define LOG_ODELAY      0
+#endif
+
+#include <ctype.h>
+#include <string.h>
+#include <termios.h>
+
+#ifdef  __STDC__
+#include <unistd.h>
+#endif
+
+#ifndef _POSIX_VDISABLE
+#ifdef VDISABLE
+#define _POSIX_VDISABLE VDISABLE
+#else
+#define _POSIX_VDISABLE ((unsigned char)'\377')
+#endif
+#endif
+
+/*
+ * I/O data buffers defines
+ */
+#define NETSLOP 64
+
+#define NIACCUM(c)      {   *netip++ = c; \
+                            ncc++; \
+                        }
+
+/* clock manipulations */
+#define settimer(x)     (clocks.x = ++clocks.system)
+#define sequenceIs(x,y) (clocks.x < clocks.y)
+
+/*
+ * Linemode support states, in decreasing order of importance
+ */
+#define REAL_LINEMODE   0x02
+#define KLUDGE_LINEMODE 0x01
+#define NO_LINEMODE     0x00
+
+/*
+ * Structures of information for each special character function.
+ */
+typedef struct {
+        unsigned char flag;             /* the flags for this function */
+        cc_t val;               /* the value of the special character */
+} slcent, *Slcent;
+
+typedef struct {
+        slcent          defset;         /* the default settings */
+        slcent          current;        /* the current settings */
+        cc_t            *sptr;          /* a pointer to the char in */
+                                        /* system data structures */
+} slcfun, *Slcfun;
+
+#ifdef DIAGNOSTICS
+/*
+ * Diagnostics capabilities
+ */
+#define TD_REPORT       0x01    /* Report operations to client */
+#define TD_EXERCISE     0x02    /* Exercise client's implementation */
+#define TD_NETDATA      0x04    /* Display received data stream */
+#define TD_PTYDATA      0x08    /* Display data passed to pty */
+#define TD_OPTIONS      0x10    /* Report just telnet options */
+#endif /* DIAGNOSTICS */
+
+/*
+ * We keep track of each side of the option negotiation.
+ */
+
+#define MY_STATE_WILL           0x01
+#define MY_WANT_STATE_WILL      0x02
+#define MY_STATE_DO             0x04
+#define MY_WANT_STATE_DO        0x08
+
+/*
+ * Macros to check the current state of things
+ */
+
+#define my_state_is_do(opt)             (options[opt]&MY_STATE_DO)
+#define my_state_is_will(opt)           (options[opt]&MY_STATE_WILL)
+#define my_want_state_is_do(opt)        (options[opt]&MY_WANT_STATE_DO)
+#define my_want_state_is_will(opt)      (options[opt]&MY_WANT_STATE_WILL)
+
+#define my_state_is_dont(opt)           (!my_state_is_do(opt))
+#define my_state_is_wont(opt)           (!my_state_is_will(opt))
+#define my_want_state_is_dont(opt)      (!my_want_state_is_do(opt))
+#define my_want_state_is_wont(opt)      (!my_want_state_is_will(opt))
+
+#define set_my_state_do(opt)            (options[opt] |= MY_STATE_DO)
+#define set_my_state_will(opt)          (options[opt] |= MY_STATE_WILL)
+#define set_my_want_state_do(opt)       (options[opt] |= MY_WANT_STATE_DO)
+#define set_my_want_state_will(opt)     (options[opt] |= MY_WANT_STATE_WILL)
+
+#define set_my_state_dont(opt)          (options[opt] &= ~MY_STATE_DO)
+#define set_my_state_wont(opt)          (options[opt] &= ~MY_STATE_WILL)
+#define set_my_want_state_dont(opt)     (options[opt] &= ~MY_WANT_STATE_DO)
+#define set_my_want_state_wont(opt)     (options[opt] &= ~MY_WANT_STATE_WILL)
+
+/*
+ * Tricky code here.  What we want to know is if the MY_STATE_WILL
+ * and MY_WANT_STATE_WILL bits have the same value.  Since the two
+ * bits are adjacent, a little arithmatic will show that by adding
+ * in the lower bit, the upper bit will be set if the two bits were
+ * different, and clear if they were the same.
+ */
+#define my_will_wont_is_changing(opt) \
+                        ((options[opt]+MY_STATE_WILL) & MY_WANT_STATE_WILL)
+
+#define my_do_dont_is_changing(opt) \
+                        ((options[opt]+MY_STATE_DO) & MY_WANT_STATE_DO)
+
+/*
+ * Make everything symetrical
+ */
+
+#define HIS_STATE_WILL                  MY_STATE_DO
+#define HIS_WANT_STATE_WILL             MY_WANT_STATE_DO
+#define HIS_STATE_DO                    MY_STATE_WILL
+#define HIS_WANT_STATE_DO               MY_WANT_STATE_WILL
+
+#define his_state_is_do                 my_state_is_will
+#define his_state_is_will               my_state_is_do
+#define his_want_state_is_do            my_want_state_is_will
+#define his_want_state_is_will          my_want_state_is_do
+
+#define his_state_is_dont               my_state_is_wont
+#define his_state_is_wont               my_state_is_dont
+#define his_want_state_is_dont          my_want_state_is_wont
+#define his_want_state_is_wont          my_want_state_is_dont
+
+#define set_his_state_do                set_my_state_will
+#define set_his_state_will              set_my_state_do
+#define set_his_want_state_do           set_my_want_state_will
+#define set_his_want_state_will         set_my_want_state_do
+
+#define set_his_state_dont              set_my_state_wont
+#define set_his_state_wont              set_my_state_dont
+#define set_his_want_state_dont         set_my_want_state_wont
+#define set_his_want_state_wont         set_my_want_state_dont
+
+#define his_will_wont_is_changing       my_do_dont_is_changing
+#define his_do_dont_is_changing         my_will_wont_is_changing
diff --git a/exploits/7350855-netkit/netkit-telnet-0.16/telnetd/ext.h b/exploits/7350855-netkit/netkit-telnet-0.16/telnetd/ext.h
new file mode 100644
index 0000000..b98d6ec
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.16/telnetd/ext.h
@@ -0,0 +1,212 @@
+/*
+ * Copyright (c) 1989 The Regents of the University of California.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *      This product includes software developed by the University of
+ *      California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *      from: @(#)ext.h 5.7 (Berkeley) 3/1/91
+ *      $Id: ext.h,v 1.9 1999/12/12 14:59:44 dholland Exp $
+ */
+
+/*
+ * Telnet server variable declarations
+ */
+extern char options[256];
+extern char do_dont_resp[256];
+extern char will_wont_resp[256];
+extern int linemode;    /* linemode on/off */
+
+#ifdef LINEMODE
+extern int uselinemode; /* what linemode to use (on/off) */
+extern int editmode;    /* edit modes in use */
+extern int useeditmode; /* edit modes to use */
+extern int alwayslinemode;      /* command line option */
+#ifdef KLUDGELINEMODE
+extern int lmodetype;   /* Client support for linemode */
+#endif  /* KLUDGELINEMODE */
+#endif  /* LINEMODE */
+
+extern int flowmode;    /* current flow control state */
+
+#ifdef DIAGNOSTICS
+extern int diagnostic;  /* telnet diagnostic capabilities */
+#endif /* DIAGNOSTICS */
+
+#ifdef BFTPDAEMON
+extern int bftpd;               /* behave as bftp daemon */
+#endif /* BFTPDAEMON */
+
+#if defined(SecurID)
+extern int require_SecurID;
+#endif
+
+#if defined(AUTHENTICATE)
+extern int auth_level;
+#endif
+
+extern slcfun slctab[NSLC + 1]; /* slc mapping table */
+
+extern char *terminaltype;
+
+extern char *loginprg;
+
+/*
+ * I/O data buffers, pointers, and counters.
+ */
+extern char ptyobuf[BUFSIZ+NETSLOP], *pfrontp, *pbackp;
+extern char netibuf[BUFSIZ], *netip;
+extern char netobuf[BUFSIZ+NETSLOP], *nfrontp, *nbackp;
+extern char *neturg;            /* one past last byte of urgent data */
+extern int pcc, ncc;
+
+/* printf into netobuf */
+void netoprintf(const char *fmt, ...) __attribute((format (printf, 1, 2))); 
+
+extern int pty, net;
+extern char *line;
+extern int SYNCHing;            /* we are in TELNET SYNCH mode */
+
+void _termstat(void);
+void add_slc(int, int, int);
+void check_slc(void);
+void change_slc(int, int, int);
+void cleanup(int);
+void clientstat(int, int, int);
+void copy_termbuf(char *, int);
+void deferslc(void);
+void defer_terminit(void);
+void do_opt_slc(unsigned char *, int);
+void doeof(void);
+void dooption(int);
+void dontoption(int);
+void edithost(const char *, const char *);
+void fatal(int, const char *);
+void fatalperror(int, const char *);
+void get_slc_defaults(void);
+void init_env(void);
+void init_termbuf(void);
+void interrupt(void);
+void localstat(void);
+void netclear(void);
+void netflush(void);
+
+#ifdef DIAGNOSTICS
+void printoption(const char *, int);
+void printdata(const char *, const char *, int);
+void printsub(char, unsigned char *, int);
+#endif
+
+void ptyflush(void);
+void putchr(int);
+void putf(const char *, char *);
+void recv_ayt(void);
+void send_do(int, int);
+void send_dont(int, int);
+void send_slc(void);
+void send_status(void);
+void send_will(int, int);
+void send_wont(int, int);
+void sendbrk(void);
+void sendsusp(void);
+void set_termbuf(void);
+void start_login(const char *, int, const char *);
+void start_slc(int);
+void startslave(const char *host, int autologin, char *autoname);
+
+#if defined(AUTHENTICATE)
+void start_slave(char *);
+#else
+void start_slave(char *, int, char *);
+#endif
+
+void suboption(void);
+void telrcv(void);
+void ttloop(void);
+void tty_binaryin(int);
+void tty_binaryout(int);
+
+int end_slc(unsigned char **);
+int getnpty(void);
+int getpty(void);
+int login_tty(int);
+int spcset(int, cc_t *, cc_t **);
+int stilloob(int);
+int terminit(void);
+int termstat(void);
+int tty_flowmode(void);
+int tty_isbinaryin(void);
+int tty_isbinaryout(void);
+int tty_iscrnl(void);
+int tty_isecho(void);
+int tty_isediting(void);
+int tty_islitecho(void);
+int tty_isnewmap(void);
+int tty_israw(void);
+int tty_issofttab(void);
+int tty_istrapsig(void);
+int tty_linemode(void);
+
+void tty_rspeed(int);
+void tty_setecho(int);
+void tty_setedit(int);
+void tty_setlinemode(int);
+void tty_setlitecho(int);
+void tty_setsig(int);
+void tty_setsofttab(int);
+void tty_tspeed(int);
+void willoption(int);
+void wontoption(int);
+void writenet(unsigned char *, int);
+
+#if defined(ENCRYPT)
+extern void (*encrypt_output)(unsigned char *, int);
+extern int (*decrypt_input)(int);
+extern char *nclearto;
+#endif
+
+
+/*
+ * The following are some clocks used to decide how to interpret
+ * the relationship between various variables.
+ */
+
+extern struct _clocks {
+    int system;                 /* what the current time is */
+    int echotoggle;             /* last time user entered echo character */
+    int modenegotiated;         /* last time operating mode negotiated */
+    int didnetreceive;          /* last time we read data from network */
+    int ttypesubopt;            /* ttype subopt is received */
+    int tspeedsubopt;           /* tspeed subopt is received */
+    int environsubopt;          /* environ subopt is received */
+    int xdisplocsubopt;         /* xdisploc subopt is received */
+    int baseline;               /* time started to do timed action */
+    int gotDM;                  /* when did we last see a data mark */
+} clocks;
+
+#define DEFAULT_IM      "%i\r\n%s %r (%h) (%t)\r\n\r\n"
diff --git a/exploits/7350855-netkit/netkit-telnet-0.16/telnetd/getent.c b/exploits/7350855-netkit/netkit-telnet-0.16/telnetd/getent.c
new file mode 100644
index 0000000..9e0d0f3
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.16/telnetd/getent.c
@@ -0,0 +1,71 @@
+/*-
+ * Copyright (c) 1991 The Regents of the University of California.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *      This product includes software developed by the University of
+ *      California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/*
+ * From: @(#)getent.c   5.1 (Berkeley) 2/28/91
+ */
+char ge_rcsid[] = 
+  "$Id: getent.c,v 1.3 1996/08/15 06:23:28 dholland Exp $";
+
+/*
+ * Copyright (c) 1991 Regents of the University of California.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms are permitted provided
+ * that: (1) source distributions retain this entire copyright notice and
+ * comment, and (2) distributions including binaries display the following
+ * acknowledgement:  ``This product includes software developed by the
+ * University of California, Berkeley and its contributors'' in the
+ * documentation or other materials provided with the distribution and in
+ * all advertising materials mentioning features or use of this software.
+ * Neither the name of the University nor the names of its contributors may
+ * be used to endorse or promote products derived from this software without
+ * specific prior written permission.
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
+ * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
+ */
+
+#include <stdlib.h>
+
+int getent(char *cp, char *name) {
+    (void)cp;
+    (void)name;
+    return 0;
+}
+
+char *getstr(char *cp, char **cpp) {
+    (void)cp;
+    (void)cpp;
+    return NULL;
+}
diff --git a/exploits/7350855-netkit/netkit-telnet-0.16/telnetd/global.c b/exploits/7350855-netkit/netkit-telnet-0.16/telnetd/global.c
new file mode 100644
index 0000000..badd4d5
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.16/telnetd/global.c
@@ -0,0 +1,98 @@
+/*
+ * Copyright (c) 1989 Regents of the University of California.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *      This product includes software developed by the University of
+ *      California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/*
+ * From: @(#)global.c   5.2 (Berkeley) 6/1/90
+ */
+char global_rcsid[] = 
+  "$Id: global.c,v 1.4 1999/12/12 14:59:44 dholland Exp $";
+
+/*
+ * Allocate global variables.  
+ */
+
+#include "defs.h"
+#include "ext.h"
+
+/*
+ * Telnet server variable declarations
+ */
+char    options[256];
+char    do_dont_resp[256];
+char    will_wont_resp[256];
+int     linemode;       /* linemode on/off */
+
+#ifdef  LINEMODE
+int     uselinemode;    /* what linemode to use (on/off) */
+int     editmode;       /* edit modes in use */
+int     useeditmode;    /* edit modes to use */
+int     alwayslinemode; /* command line option */
+# ifdef KLUDGELINEMODE
+int     lmodetype;      /* Client support for linemode */
+# endif /* KLUDGELINEMODE */
+#endif  /* LINEMODE */
+
+int     flowmode;       /* current flow control state */
+
+#ifdef DIAGNOSTICS
+int     diagnostic;     /* telnet diagnostic capabilities */
+#endif /* DIAGNOSTICS */
+
+#ifdef BFTPDAEMON
+int     bftpd;          /* behave as bftp daemon */
+#endif /* BFTPDAEMON */
+
+#if     defined(SecurID)
+int     require_SecurID;
+#endif
+
+slcfun  slctab[NSLC + 1];       /* slc mapping table */
+
+char    *terminaltype;
+
+/*
+ * I/O data buffers, pointers, and counters.
+ */
+char    ptyobuf[BUFSIZ+NETSLOP], *pfrontp, *pbackp;
+
+char    netibuf[BUFSIZ], *netip;
+
+char    netobuf[BUFSIZ+NETSLOP], *nfrontp, *nbackp;
+char    *neturg;                /* one past last bye of urgent data */
+
+int     pcc, ncc;
+
+int     pty, net;
+int     SYNCHing;               /* we are in TELNET SYNCH mode */
+
+struct _clocks clocks;
diff --git a/exploits/7350855-netkit/netkit-telnet-0.16/telnetd/issue.net.5 b/exploits/7350855-netkit/netkit-telnet-0.16/telnetd/issue.net.5
new file mode 100644
index 0000000..c3337ee
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.16/telnetd/issue.net.5
@@ -0,0 +1,43 @@
+.\" Copyright (c) 1994 Peter Tobias <tobias@server.et-inf.fho-emden.de>
+.\" This file may be distributed under the GNU General Public License.
+.\" 
+.\" Changed to -mdoc by David A. Holland <dholland@ftp.uk.linux.org>
+.\" in order to work better with some NetKit maintenance scripts.
+.\"
+.Dd May 22, 1994
+.Dt ISSUE.NET 5 
+.Os "Linux NetKit (0.16)"
+.Sh NAME
+.Nm issue.net 
+.Nd identification file for telnet sessions
+.Sh DESCRIPTION
+The file 
+.Pa /etc/issue.net
+is a text file which contains a message or system identification to be
+printed before the login prompt of a telnet session. It may contain
+various `%-char' sequences. The following sequences are supported by
+.Ic telnetd :
+.Bl -tag -offset indent -compact -width "abcde"
+.It %t
+- show the current tty
+.It %h
+- show the system node name (FQDN)
+.It %D
+- show the name of the NIS domain
+.It %d
+- show the current time and date
+.It %s
+- show the name of the operating system
+.It %m
+- show the machine (hardware) type
+.It %r
+- show the operating system release
+.It %v
+- show the operating system version
+.It %%
+- display a single '%' character
+.El
+.Sh FILES
+.Pa /etc/issue.net
+.Sh "SEE ALSO"
+.Xr in.telnetd 8
diff --git a/exploits/7350855-netkit/netkit-telnet-0.16/telnetd/login.3 b/exploits/7350855-netkit/netkit-telnet-0.16/telnetd/login.3
new file mode 100644
index 0000000..f059f60
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.16/telnetd/login.3
@@ -0,0 +1,107 @@
+.\" Copyright (c) 1995
+.\"     The Regents of the University of California.  All rights reserved.
+.\"
+.\" This code is derived from software developed by the Computer Systems
+.\" Engineering group at Lawrence Berkeley Laboratory under DARPA contract
+.\" BG 91-66 and contributed to Berkeley.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 3. All advertising materials mentioning features or use of this software
+.\"    must display the following acknowledgement:
+.\"     This product includes software developed by the University of
+.\"     California, Berkeley and its contributors.
+.\" 4. Neither the name of the University nor the names of its contributors
+.\"    may be used to endorse or promote products derived from this software
+.\"    without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.Dd December 14, 1995
+.Dt LOGIN 3
+.Os "Linux NetKit (0.16)"
+.Sh NAME
+.Nm login ,
+.Nm logout ,
+.Nm logwtmp
+.Nd login utility functions
+.Sh SYNOPSIS
+.Fd #include <util.h>
+.Ft void
+.Fn login "struct utmp *ut"
+.Ft int
+.Fn logout "const char *line"
+.Ft void
+.Fn logwtmp "const char *line" "const char *name" "const char *host"
+.Sh DESCRIPTION
+The
+.Fn login ,
+.Fn logout ,
+and
+.Fn logwtmp
+functions operate on the database of current users in
+.Pa /var/run/utmp
+and on the logfile
+.Pa /var/log/wtmp
+of logins and logouts.
+.Pp
+The
+.Fn login
+function updates the
+.Pa /var/run/utmp
+and
+.Pa /var/log/wtmp
+files with user information contained in
+.Fa ut .
+.Pp
+The
+.Fn logout
+function removes the entry from
+.Pa /var/run/utmp
+corresponding to the device
+.Fa line .
+.Pp
+The
+.Fn logwtmp
+function adds an entry to
+.Pa /var/log/wtmp .
+Since
+.Fn login
+will add the appropriate entry for
+.Pa /var/log/wtmp
+during a login,
+.Fn logwtmp
+is usually used for logouts.
+.Sh RETURN VALUES
+.Fn logout
+returns non-zero if it was able to find and delete an entry for
+.Fa line ,
+and zero if there is no entry for
+.Fa line
+in
+.Pa /var/run/utmp .
+.Sh FILES
+.Bl -tag -width /var/run/wtmp -compact
+.It Pa /dev/\(**
+.It Pa /etc/ttys
+.It Pa /var/run/utmp
+.It Pa /var/log/wtmp
+.El
+.Sh SEE ALSO
+.Xr utmp 5
diff --git a/exploits/7350855-netkit/netkit-telnet-0.16/telnetd/logout.h b/exploits/7350855-netkit/netkit-telnet-0.16/telnetd/logout.h
new file mode 100644
index 0000000..4141e31
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.16/telnetd/logout.h
@@ -0,0 +1 @@
+int logout(const char *line);
diff --git a/exploits/7350855-netkit/netkit-telnet-0.16/telnetd/logwtmp.h b/exploits/7350855-netkit/netkit-telnet-0.16/telnetd/logwtmp.h
new file mode 100644
index 0000000..3843a31
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.16/telnetd/logwtmp.h
@@ -0,0 +1,5 @@
+/*
+ * Put this here instead of including <util.h>, since Linux is messed up
+ * and doesn't have <util.h>.
+ */
+void logwtmp(const char *_line, const char *name, const char *host);
diff --git a/exploits/7350855-netkit/netkit-telnet-0.16/telnetd/pathnames.h b/exploits/7350855-netkit/netkit-telnet-0.16/telnetd/pathnames.h
new file mode 100644
index 0000000..7af84bd
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.16/telnetd/pathnames.h
@@ -0,0 +1,41 @@
+/*
+ * Copyright (c) 1989 The Regents of the University of California.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *      This product includes software developed by the University of
+ *      California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *      from: @(#)pathnames.h   5.5 (Berkeley) 6/28/90
+ *      $Id: pathnames.h,v 1.3 1996/08/29 22:31:24 dholland Exp $
+ */
+
+#include <paths.h>
+
+#ifndef _PATH_LOGIN
+#define _PATH_LOGIN  "/bin/login"
+#endif
diff --git a/exploits/7350855-netkit/netkit-telnet-0.16/telnetd/setproctitle.3 b/exploits/7350855-netkit/netkit-telnet-0.16/telnetd/setproctitle.3
new file mode 100644
index 0000000..541fa50
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.16/telnetd/setproctitle.3
@@ -0,0 +1,73 @@
+.\"     OpenBSD: setproctitle.3,v 1.4 1996/10/08 01:20:08 michaels Exp 
+.\"     $Id: setproctitle.3,v 1.8 1999/12/14 12:53:06 dholland Exp $
+.\"
+.\" Copyright (c) 1994, 1995 Christopher G. Demetriou
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 3. All advertising materials mentioning features or use of this software
+.\"    must display the following acknowledgement:
+.\"      This product includes software developed by Christopher G. Demetriou
+.\"      for the NetBSD Project.
+.\" 3. The name of the author may not be used to endorse or promote products
+.\"    derived from this software without specific prior written permission
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd April 13, 1994
+.Dt SETPROCTITLE 3
+.Os "Linux NetKit (0.16)"
+.Sh NAME
+.Nm setproctitle
+.Nd set process title
+.Sh SYNOPSIS
+.Fd #include <stdlib.h>
+.Ft void
+.Fn setproctitle "const char *fmt" "..."
+.Sh DESCRIPTION
+The
+.Fn setproctitle
+function sets the invoking process's title.
+The process title is set to the last component of the program
+name, followed by a colon and the formatted string specified
+by
+.Va fmt .
+If
+.Va fmt
+is NULL, the colon and formatted string are omitted.
+The length of a process title is limited to 2048 bytes.
+.Sh EXAMPLES
+Set the process title to the program name, with no further information:
+.Bd -literal -offset indent
+setproctitle(NULL);
+.Ed
+.Pp
+Set the process title to the program name, an informational string,
+and the process id:
+.Bd -literal -offset indent
+setproctitle("foo! (%d)", getpid());
+.Ed
+.Sh SEE ALSO
+.Xr ps 1 ,
+.Xr w 1 ,
+.Xr printf 3
+.Sh HISTORY
+The
+.Fn setproctitle
+function first appeared in NetBSD 0.9a.
diff --git a/exploits/7350855-netkit/netkit-telnet-0.16/telnetd/setproctitle.c b/exploits/7350855-netkit/netkit-telnet-0.16/telnetd/setproctitle.c
new file mode 100644
index 0000000..c207d05
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.16/telnetd/setproctitle.c
@@ -0,0 +1,145 @@
+/*
+ * setproctitle implementation for linux.
+ * Stolen from sendmail 8.7.4 and bashed around by David A. Holland
+ */
+
+/*
+ * Copyright (c) 1983, 1995 Eric P. Allman
+ * Copyright (c) 1988, 1993
+ *      The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *      This product includes software developed by the University of
+ *      California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * From: @(#)conf.c     8.243 (Berkeley) 11/20/95
+ */
+char setproctitle_rcsid[] =
+  "$Id: setproctitle.c,v 1.3 1999/12/10 23:06:39 bryce Exp $";
+
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <stdarg.h>
+#include <stdio.h>
+
+#include "setproctitle.h"
+/*
+**  SETPROCTITLE -- set process title for ps
+**
+**      Parameters:
+**              fmt -- a printf style format string.
+**              a, b, c -- possible parameters to fmt.
+**
+**      Returns:
+**              none.
+**
+**      Side Effects:
+**              Clobbers argv of our main procedure so ps(1) will
+**              display the title.
+*/
+
+
+/*
+**  Pointers for setproctitle.
+**      This allows "ps" listings to give more useful information.
+*/
+
+static char **Argv = NULL;              /* pointer to argument vector */
+static char *LastArgv = NULL;           /* end of argv */
+static char Argv0[128];                 /* program name */
+
+void
+initsetproctitle(int argc, char **argv, char **envp)
+{
+        register int i;
+        char *tmp;
+
+        /*
+        **  Move the environment so setproctitle can use the space at
+        **  the top of memory.
+        */
+
+        for (i = 0; envp[i] != NULL; i++)
+                continue;
+        __environ = (char **) malloc(sizeof (char *) * (i + 1));
+        for (i = 0; envp[i] != NULL; i++)
+                __environ[i] = strdup(envp[i]);
+        __environ[i] = NULL;
+
+        /*
+        **  Save start and extent of argv for setproctitle.
+        */
+
+        Argv = argv;
+        if (i > 0)
+                LastArgv = envp[i - 1] + strlen(envp[i - 1]);
+        else
+                LastArgv = argv[argc - 1] + strlen(argv[argc - 1]);
+
+        tmp = strrchr(argv[0], '/');
+        if (!tmp) tmp = argv[0];
+        else tmp++;
+        strncpy(Argv0, tmp, sizeof(Argv0));
+        Argv0[sizeof(Argv0)-1] = 0;
+}
+
+void
+setproctitle(const char *fmt, ...)
+{
+        register char *p;
+        register int i=0;
+        static char buf[2048];
+        va_list ap;
+
+        p = buf;
+
+        /* print progname: heading for grep */
+        /* This can't overflow buf due to the relative size of Argv0. */
+        (void) strcpy(p, Argv0);
+        (void) strcat(p, ": ");
+        p += strlen(p);
+
+        /* print the argument string */
+        va_start(ap, fmt);
+        (void) vsnprintf(p, sizeof(buf) - (p - buf), fmt, ap);
+        va_end(ap);
+
+        i = strlen(buf);
+
+        if (i > LastArgv - Argv[0] - 2)
+        {
+                i = LastArgv - Argv[0] - 2;
+                buf[i] = '\0';
+        }
+        (void) strcpy(Argv[0], buf);
+        p = &Argv[0][i];
+        while (p < LastArgv)
+                *p++ = '\0';
+        Argv[1] = NULL;
+}
+
diff --git a/exploits/7350855-netkit/netkit-telnet-0.16/telnetd/setproctitle.h b/exploits/7350855-netkit/netkit-telnet-0.16/telnetd/setproctitle.h
new file mode 100644
index 0000000..8652ee8
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.16/telnetd/setproctitle.h
@@ -0,0 +1,4 @@
+/* Call this from main. */
+void initsetproctitle(int argc, char **argv, char **envp);
+
+void setproctitle(const char *fmt, ...);
diff --git a/exploits/7350855-netkit/netkit-telnet-0.16/telnetd/slc.c b/exploits/7350855-netkit/netkit-telnet-0.16/telnetd/slc.c
new file mode 100644
index 0000000..54579ea
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.16/telnetd/slc.c
@@ -0,0 +1,456 @@
+/*
+ * Copyright (c) 1989 Regents of the University of California.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *      This product includes software developed by the University of
+ *      California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/*
+ * From: @(#)slc.c      5.7 (Berkeley) 3/1/91
+ */
+char slc_rcsid[] = 
+  "$Id: slc.c,v 1.5 1999/12/12 14:59:44 dholland Exp $";
+
+#include "telnetd.h"
+
+#ifdef LINEMODE
+/*
+ * local varibles
+ */
+static unsigned char *def_slcbuf = (unsigned char *)0;
+static int def_slclen = 0;
+static int slcchange;   /* change to slc is requested */
+static int slcoff;                      /* offset into slc buffer */
+static unsigned char slcbuf[NSLC*6];    /* buffer for slc negotiation */
+
+static void add_slcbuf_raw_char(unsigned char ch) {
+   if (slcoff < sizeof(slcbuf)) {
+      slcbuf[slcoff++] = ch;
+   }
+}
+
+static void add_slcbuf_char(unsigned char ch) {
+   add_slcbuf_raw_char(ch);
+   if (ch==0xff) {
+      add_slcbuf_raw_char(0xff);
+   }
+}
+
+/*
+ * send_slc
+ *
+ * Write out the current special characters to the client.
+ */
+void send_slc(void) {
+    int i;
+
+    /*
+     * Send out list of triplets of special characters
+     * to client.  We only send info on the characters
+     * that are currently supported.
+     */
+    for (i = 1; i <= NSLC; i++) {
+        if ((slctab[i].defset.flag & SLC_LEVELBITS) == SLC_NOSUPPORT)
+            continue;
+        add_slc((unsigned char)i, slctab[i].current.flag,
+                slctab[i].current.val);
+    }
+}
+
+/*
+ * default_slc
+ *
+ * Set pty special characters to all the defaults.
+ */
+void default_slc(void) {
+    int i;
+    for (i = 1; i <= NSLC; i++) {
+        slctab[i].current.val = slctab[i].defset.val;
+        if (slctab[i].current.val == (cc_t)(_POSIX_VDISABLE)) {
+            slctab[i].current.flag = SLC_NOSUPPORT;
+        }
+        else {
+            slctab[i].current.flag = slctab[i].defset.flag;
+        }
+        if (slctab[i].sptr) {
+            *(slctab[i].sptr) = slctab[i].defset.val;
+        }
+    }
+    slcchange = 1;
+}
+
+#endif  /* LINEMODE */
+
+/*
+ * get_slc_defaults
+ *
+ * Initialize the slc mapping table.
+ */
+void get_slc_defaults(void) {
+    int i;
+    init_termbuf();
+    for (i = 1; i <= NSLC; i++) {
+        slctab[i].defset.flag = spcset(i, &slctab[i].defset.val, 
+                                       &slctab[i].sptr);
+        slctab[i].current.flag = SLC_NOSUPPORT; 
+        slctab[i].current.val = 0; 
+    }
+}
+
+#ifdef LINEMODE
+/*
+ * add_slc
+ *
+ * Add an slc triplet to the slc buffer.
+ */
+void add_slc(char func, char flag, cc_t val) {
+    add_slcbuf_char(func);
+    add_slcbuf_char(flag);
+    add_slcbuf_char(val);
+}
+
+/*
+ * start_slc
+ *
+ * Get ready to process incoming slc's and respond to them.
+ *
+ * The parameter getit is non-zero if it is necessary to grab a copy
+ * of the terminal control structures.
+ */
+void start_slc(int getit) {
+    slcchange = 0;
+    if (getit) init_termbuf();
+    snprintf(slcbuf, sizeof(slcbuf), "%c%c%c%c", 
+             IAC, SB, TELOPT_LINEMODE, LM_SLC);
+    slcoff = 4;
+}
+
+/*
+ * end_slc
+ *
+ * Finish up the slc negotiation.  If something to send, then send it.
+ */
+int end_slc(unsigned char **bufp) {
+    /*
+     * If a change has occured, store the new terminal control
+     * structures back to the terminal driver.
+     */
+    if (slcchange) {
+        set_termbuf();
+    }
+
+    /*
+     * If the pty state has not yet been fully processed and there is a
+     * deferred slc request from the client, then do not send any
+     * sort of slc negotiation now.  We will respond to the client's
+     * request very soon.
+     */
+    if (def_slcbuf && (terminit() == 0)) {
+        return 0;
+    }
+
+    if (slcoff > 4) {
+        if (bufp) {
+            *bufp = &slcbuf[4];
+            return(slcoff - 4);
+        } 
+        else {
+            snprintf(slcbuf+slcoff, sizeof(slcbuf)-slcoff, "%c%c", IAC, SE);
+            slcoff += 2;
+            writenet(slcbuf, slcoff);
+            netflush();  /* force it out immediately */
+        }
+    }
+    return 0;
+}
+
+/*
+ * process_slc
+ *
+ * Figure out what to do about the client's slc
+ */
+void process_slc(unsigned char func, unsigned char flag, cc_t val) {
+    register int hislevel, mylevel, ack;
+
+    /*
+     * Ensure that we know something about this function
+     */
+    if (func > NSLC) {
+        add_slc(func, SLC_NOSUPPORT, 0);
+        return;
+    }
+
+    /*
+     * Process the special case requests of 0 SLC_DEFAULT 0
+     * and 0 SLC_VARIABLE 0.  Be a little forgiving here, don't
+     * worry about whether the value is actually 0 or not.
+     */
+    if (func == 0) {
+        if ((flag = flag & SLC_LEVELBITS) == SLC_DEFAULT) {
+            default_slc();
+            send_slc();
+        } 
+        else if (flag == SLC_VARIABLE) {
+            send_slc();
+        }
+        return;
+    }
+
+    /*
+     * Appears to be a function that we know something about.  So
+     * get on with it and see what we know.
+     */
+    
+    hislevel = flag & SLC_LEVELBITS;
+    mylevel = slctab[func].current.flag & SLC_LEVELBITS;
+    ack = flag & SLC_ACK;
+    /*
+     * ignore the command if:
+     * the function value and level are the same as what we already have;
+     * or the level is the same and the ack bit is set
+     */
+    if (hislevel == mylevel && (val == slctab[func].current.val || ack)) {
+        return;
+    } 
+    else if (ack) {
+        /*
+         * If we get here, we got an ack, but the levels don't match.
+         * This shouldn't happen.  If it does, it is probably because
+         * we have sent two requests to set a variable without getting
+         * a response between them, and this is the first response.
+         * So, ignore it, and wait for the next response.
+         */
+        return;
+    } 
+    else {
+        change_slc(func, flag, val);
+    }
+}
+
+/*
+ * change_slc
+ *
+ * Process a request to change one of our special characters.
+ * Compare client's request with what we are capable of supporting.
+ */
+void change_slc(char func, char flag, cc_t val) {
+    register int hislevel, mylevel;
+    
+    hislevel = flag & SLC_LEVELBITS;
+    mylevel = slctab[func].defset.flag & SLC_LEVELBITS;
+    /*
+     * If client is setting a function to NOSUPPORT
+     * or DEFAULT, then we can easily and directly
+     * accomodate the request.
+     */
+    if (hislevel == SLC_NOSUPPORT) {
+        slctab[func].current.flag = flag;
+        slctab[func].current.val = (cc_t)_POSIX_VDISABLE;
+        flag |= SLC_ACK;
+        add_slc(func, flag, val);
+        return;
+    }
+    if (hislevel == SLC_DEFAULT) {
+        /*
+         * Special case here.  If client tells us to use
+         * the default on a function we don't support, then
+         * return NOSUPPORT instead of what we may have as a
+         * default level of DEFAULT.
+         */
+        if (mylevel == SLC_DEFAULT) {
+            slctab[func].current.flag = SLC_NOSUPPORT;
+        } 
+        else {
+            slctab[func].current.flag = slctab[func].defset.flag;
+        }
+        slctab[func].current.val = slctab[func].defset.val;
+        add_slc(func, slctab[func].current.flag,
+                slctab[func].current.val);
+        return;
+    }
+    
+    /*
+     * Client wants us to change to a new value or he
+     * is telling us that he can't change to our value.
+     * Some of the slc's we support and can change,
+     * some we do support but can't change,
+     * and others we don't support at all.
+     * If we can change it then we have a pointer to
+     * the place to put the new value, so change it,
+     * otherwise, continue the negotiation.
+     */
+    if (slctab[func].sptr) {
+        /*
+         * We can change this one.
+         */
+        slctab[func].current.val = val;
+        *(slctab[func].sptr) = val;
+        slctab[func].current.flag = flag;
+        flag |= SLC_ACK;
+        slcchange = 1;
+        add_slc(func, flag, val);
+    } 
+    else {
+        /*
+         * It is not possible for us to support this
+         * request as he asks.
+         *
+         * If our level is DEFAULT, then just ack whatever was
+         * sent. 
+         *
+         * If he can't change and we can't change,
+         * then degenerate to NOSUPPORT.
+         *
+         * Otherwise we send our level back to him, (CANTCHANGE
+         * or NOSUPPORT) and if CANTCHANGE, send
+         * our value as well.
+         */
+        if (mylevel == SLC_DEFAULT) {
+            slctab[func].current.flag = flag;
+            slctab[func].current.val = val;
+            flag |= SLC_ACK;
+        } 
+        else if (hislevel == SLC_CANTCHANGE && mylevel == SLC_CANTCHANGE) {
+            flag &= ~SLC_LEVELBITS;
+            flag |= SLC_NOSUPPORT;
+            slctab[func].current.flag = flag;
+        } 
+        else {
+            flag &= ~SLC_LEVELBITS;
+            flag |= mylevel;
+            slctab[func].current.flag = flag;
+            if (mylevel == SLC_CANTCHANGE) {
+                slctab[func].current.val = slctab[func].defset.val;
+                val = slctab[func].current.val;
+            }
+        }
+        add_slc(func, flag, val);
+    }
+}
+
+#if (VEOF == VMIN)
+cc_t oldeofc = '\004';
+#endif
+
+/*
+ * check_slc
+ *
+ * Check the special characters in use and notify the client if any have
+ * changed.  Only those characters that are capable of being changed are
+ * likely to have changed.  If a local change occurs, kick the support level
+ * and flags up to the defaults.
+ */
+void check_slc(void) {
+    int i;
+    for (i = 1; i <= NSLC; i++) {
+#if (VEOF == VMIN)
+        /*
+         * In a perfect world this would be a neat little
+         * function.  But in this world, we should not notify
+         * client of changes to the VEOF char when
+         * ICANON is off, because it is not representing
+         * a special character.
+         */
+        if (i == SLC_EOF) {
+            if (!tty_isediting()) continue;
+            else if (slctab[i].sptr) oldeofc = *(slctab[i].sptr);
+        }
+#endif  /* VEOF==VMIN */
+
+        if (slctab[i].sptr && (*(slctab[i].sptr) != slctab[i].current.val)) {
+            slctab[i].current.val = *(slctab[i].sptr);
+            if (*(slctab[i].sptr) == (cc_t)_POSIX_VDISABLE) {
+                slctab[i].current.flag = SLC_NOSUPPORT;
+            }
+            else {
+                slctab[i].current.flag = slctab[i].defset.flag;
+            }
+            add_slc((unsigned char)i, slctab[i].current.flag,
+                    slctab[i].current.val);
+        }
+    }
+}
+
+/*
+ * do_opt_slc
+ *
+ * Process an slc option buffer.  Defer processing of incoming slc's
+ * until after the terminal state has been processed.  Save the first slc
+ * request that comes along, but discard all others.
+ *
+ * ptr points to the beginning of the buffer, len is the length.
+ */
+void do_opt_slc(unsigned char  *ptr, int len) {
+    unsigned char func, flag;
+    cc_t val;
+    unsigned char *end = ptr + len;
+
+    if (terminit()) {  /* go ahead */
+        while (ptr < end) {
+            func = *ptr++;
+            if (ptr >= end) break;
+            flag = *ptr++;
+            if (ptr >= end) break;
+            val = (cc_t)*ptr++;
+
+            process_slc(func, flag, val);
+            
+        }
+    } 
+    else {
+        /*
+         * save this slc buffer if it is the first, otherwise dump
+         * it.
+         */
+        if (def_slcbuf == NULL) {
+            def_slclen = len;
+            def_slcbuf = malloc((unsigned)len);
+            if (def_slcbuf == NULL) return;  /* too bad */
+            bcopy(ptr, def_slcbuf, len);
+        }
+    }
+}
+
+/*
+ * deferslc
+ *
+ * Do slc stuff that was deferred.
+ */
+void deferslc(void) {
+    if (def_slcbuf) {
+        start_slc(1);
+        do_opt_slc(def_slcbuf, def_slclen);
+        end_slc(0);
+        free(def_slcbuf);
+        def_slcbuf = (unsigned char *)0;
+        def_slclen = 0;
+    }
+}
+
+#endif  /* LINEMODE */
diff --git a/exploits/7350855-netkit/netkit-telnet-0.16/telnetd/state.c b/exploits/7350855-netkit/netkit-telnet-0.16/telnetd/state.c
new file mode 100644
index 0000000..b757411
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.16/telnetd/state.c
@@ -0,0 +1,1408 @@
+/*
+ * Copyright (c) 1989 Regents of the University of California.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *      This product includes software developed by the University of
+ *      California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/*
+ * From: @(#)state.c    5.10 (Berkeley) 3/22/91
+ */
+char state_rcsid[] = 
+  "$Id: state.c,v 1.12 1999/12/12 19:41:44 dholland Exp $";
+
+#include "telnetd.h"
+
+int not42 = 1;
+
+static int envvarok(char *varp);
+
+static unsigned char doopt[] = { IAC, DO, '%', 'c', 0 };
+static unsigned char dont[] = { IAC, DONT, '%', 'c', 0 };
+unsigned char   will[] = { IAC, WILL, '%', 'c', 0 };
+unsigned char   wont[] = { IAC, WONT, '%', 'c', 0 };
+
+/*
+ * Buffer for sub-options, and macros
+ * for suboptions buffer manipulations
+ */
+unsigned char subbuffer[512], *subpointer=subbuffer, *subend=subbuffer;
+
+#define SB_CLEAR()      subpointer = subbuffer;
+#define SB_TERM()       { subend = subpointer; SB_CLEAR(); }
+#define SB_ACCUM(c)     if (subpointer < (subbuffer + sizeof(subbuffer)-1)) { \
+                                *subpointer++ = (c); \
+                        }
+#define SB_GET()        ((*subpointer++)&0xff)
+#define SB_EOF()        (subpointer >= subend)
+#define SB_LEN()        (subend - subpointer)
+
+
+
+/*
+ * State for recv fsm
+ */
+#define TS_DATA         0       /* base state */
+#define TS_IAC          1       /* look for double IAC's */
+#define TS_CR           2       /* CR-LF ->'s CR */
+#define TS_SB           3       /* throw away begin's... */
+#define TS_SE           4       /* ...end's (suboption negotiation) */
+#define TS_WILL         5       /* will option negotiation */
+#define TS_WONT         6       /* wont " */
+#define TS_DO           7       /* do " */
+#define TS_DONT         8       /* dont " */
+
+void telrcv(void) {
+    register int c;
+    static int state = TS_DATA;
+
+    while (ncc > 0) {
+        if ((&ptyobuf[BUFSIZ] - pfrontp) < 2) break;
+        c = *netip++ & 0377;
+        ncc--;
+
+#if defined(ENCRYPT)
+        if (decrypt_input) {
+            c = (*decrypt_input)(c);
+        }
+#endif
+        switch (state) {
+         case TS_CR:
+             state = TS_DATA;
+             /* Strip off \n or \0 after a \r */
+             if ((c == 0) || (c == '\n')) {
+                 break;
+             }
+             /* FALL THROUGH */
+
+         case TS_DATA:
+             if (c == IAC) {
+                 state = TS_IAC;
+                 break;
+             }
+             /*
+              * We now map \r\n ==> \r for pragmatic reasons.
+              * Many client implementations send \r\n when
+              * the user hits the CarriageReturn key.
+              *
+              * We USED to map \r\n ==> \n, since \r\n says
+              * that we want to be in column 1 of the next
+              * printable line, and \n is the standard
+              * unix way of saying that (\r is only good
+              * if CRMOD is set, which it normally is).
+              */
+             if ((c == '\r') && his_state_is_wont(TELOPT_BINARY)) {
+#if defined(ENCRYPT)
+                 int nc = *netip;
+                 if (decrypt_input) {
+                     nc = (*decrypt_input)(nc & 0xff);
+                 }
+#endif
+#ifdef  LINEMODE
+                 /*
+                  * If we are operating in linemode,
+                  * convert to local end-of-line.
+                  */
+                 if (linemode && (ncc > 0) && (('\n' == nc) ||
+                                               ((0 == nc) && tty_iscrnl())) ) {
+                     netip++; ncc--;
+                     c = '\n';
+                 } 
+                 else 
+#endif
+                 {
+#if defined(ENCRYPT)
+                     if (decrypt_input)
+                         (void)(*decrypt_input)(-1);
+#endif
+                     state = TS_CR;
+                 }
+             }
+             *pfrontp++ = c;
+             break;
+
+         case TS_IAC:
+         gotiac:
+             switch (c) {
+                 
+                 /*
+                  * Send the process on the pty side an
+                  * interrupt.  Do this with a NULL or
+                  * interrupt char; depending on the tty mode.
+                  */
+              case IP:
+                  DIAG(TD_OPTIONS, printoption("td: recv IAC", c));
+                  interrupt();
+                  break;
+              case BREAK:
+                  DIAG(TD_OPTIONS, printoption("td: recv IAC", c));
+                  sendbrk();
+                  break;
+                  
+                  /*
+                   * Are You There?
+                   */
+              case AYT:
+                 DIAG(TD_OPTIONS,
+                      printoption("td: recv IAC", c));
+                  recv_ayt();
+                  break;
+
+                  /*
+                   * Abort Output
+                   */
+              case AO:
+                  {
+                      DIAG(TD_OPTIONS, printoption("td: recv IAC", c));
+                      ptyflush();       /* half-hearted */
+                      init_termbuf();
+                      
+                      if (slctab[SLC_AO].sptr &&
+                          *slctab[SLC_AO].sptr != (cc_t)(_POSIX_VDISABLE)) 
+                      {
+                          *pfrontp++ =
+                              (unsigned char)*slctab[SLC_AO].sptr;
+                      }
+
+                      netclear();       /* clear buffer back */
+                      *nfrontp++ = (char)IAC;
+                      *nfrontp++ = (char)DM;
+                      neturg = nfrontp-1; /* off by one XXX */
+                      DIAG(TD_OPTIONS, printoption("td: send IAC", DM));
+                      break;
+                  }
+
+                  /*
+                   * Erase Character and
+                   * Erase Line
+                   */
+              case EC:
+              case EL:
+                 {
+                     cc_t ch;
+                     DIAG(TD_OPTIONS, printoption("td: recv IAC", c));
+                     ptyflush();        /* half-hearted */
+                     init_termbuf();
+                     if (c == EC) ch = *slctab[SLC_EC].sptr;
+                     else ch = *slctab[SLC_EL].sptr;
+                     if (ch != (cc_t)(_POSIX_VDISABLE))
+                         *pfrontp++ = (unsigned char)ch;
+                     break;
+                 }
+                  
+                  /*
+                   * Check for urgent data...
+                   */
+              case DM:
+                  DIAG(TD_OPTIONS, printoption("td: recv IAC", c));
+                  SYNCHing = stilloob(net);
+                  settimer(gotDM);
+                  break;
+                  
+                  /*
+                   * Begin option subnegotiation...
+                   */
+              case SB:
+                  state = TS_SB;
+                  SB_CLEAR();
+                  continue;
+
+              case WILL:
+                  state = TS_WILL;
+                  continue;
+
+              case WONT:
+                  state = TS_WONT;
+                  continue;
+
+              case DO:
+                  state = TS_DO;
+                  continue;
+                  
+              case DONT:
+                  state = TS_DONT;
+                  continue;
+
+              case EOR:
+                  if (his_state_is_will(TELOPT_EOR)) doeof();
+                  break;
+                  
+                  /*
+                   * Handle RFC 10xx Telnet linemode option additions
+                   * to command stream (EOF, SUSP, ABORT).
+                   */
+              case xEOF:
+                  doeof();
+                  break;
+                  
+              case SUSP:
+                  sendsusp();
+                  break;
+
+              case ABORT:
+                  sendbrk();
+                  break;
+
+              case IAC:
+                 *pfrontp++ = c;
+                  break;
+             }
+             state = TS_DATA;
+             break;
+
+         case TS_SB:
+             if (c == IAC) {
+                 state = TS_SE;
+             } 
+             else {
+                 SB_ACCUM(c);
+             }
+             break;
+             
+         case TS_SE:
+             if (c != SE) {
+                 if (c != IAC) {
+                                /*
+                                 * bad form of suboption negotiation.
+                                 * handle it in such a way as to avoid
+                                 * damage to local state.  Parse
+                                 * suboption buffer found so far,
+                                 * then treat remaining stream as
+                                 * another command sequence.
+                                 */
+                     
+                                /* for DIAGNOSTICS */
+                     SB_ACCUM(IAC);
+                     SB_ACCUM(c);
+                     subpointer -= 2;
+                     
+                     SB_TERM();
+                     suboption();
+                     state = TS_IAC;
+                     goto gotiac;
+                 }
+                 SB_ACCUM(c);
+                 state = TS_SB;
+             }
+             else {
+                 /* for DIAGNOSTICS */
+                 SB_ACCUM(IAC);
+                 SB_ACCUM(SE);
+                 subpointer -= 2;
+                 
+                 SB_TERM();
+                 suboption();   /* handle sub-option */
+                 state = TS_DATA;
+             }
+             break;
+             
+         case TS_WILL:
+             willoption(c);
+             state = TS_DATA;
+             continue;
+
+         case TS_WONT:
+             wontoption(c);
+             state = TS_DATA;
+             continue;
+
+         case TS_DO:
+             dooption(c);
+             state = TS_DATA;
+             continue;
+             
+         case TS_DONT:
+             dontoption(c);
+             state = TS_DATA;
+             continue;
+             
+         default:
+             syslog(LOG_ERR, "telnetd: panic state=%d\n", state);
+             printf("telnetd: panic state=%d\n", state);
+             exit(1);
+        }
+    }
+}
+
+/*
+ * The will/wont/do/dont state machines are based on Dave Borman's
+ * Telnet option processing state machine.
+ *
+ * These correspond to the following states:
+ *      my_state = the last negotiated state
+ *      want_state = what I want the state to go to
+ *      want_resp = how many requests I have sent
+ * All state defaults are negative, and resp defaults to 0.
+ *
+ * When initiating a request to change state to new_state:
+ * 
+ * if ((want_resp == 0 && new_state == my_state) || want_state == new_state) {
+ *      do nothing;
+ * } else {
+ *      want_state = new_state;
+ *      send new_state;
+ *      want_resp++;
+ * }
+ *
+ * When receiving new_state:
+ *
+ * if (want_resp) {
+ *      want_resp--;
+ *      if (want_resp && (new_state == my_state))
+ *              want_resp--;
+ * }
+ * if ((want_resp == 0) && (new_state != want_state)) {
+ *      if (ok_to_switch_to new_state)
+ *              want_state = new_state;
+ *      else
+ *              want_resp++;
+ *      send want_state;
+ * }
+ * my_state = new_state;
+ *
+ * Note that new_state is implied in these functions by the function itself.
+ * will and do imply positive new_state, wont and dont imply negative.
+ *
+ * Finally, there is one catch.  If we send a negative response to a
+ * positive request, my_state will be the positive while want_state will
+ * remain negative.  my_state will revert to negative when the negative
+ * acknowlegment arrives from the peer.  Thus, my_state generally tells
+ * us not only the last negotiated state, but also tells us what the peer
+ * wants to be doing as well.  It is important to understand this difference
+ * as we may wish to be processing data streams based on our desired state
+ * (want_state) or based on what the peer thinks the state is (my_state).
+ *
+ * This all works fine because if the peer sends a positive request, the data
+ * that we receive prior to negative acknowlegment will probably be affected
+ * by the positive state, and we can process it as such (if we can; if we
+ * can't then it really doesn't matter).  If it is that important, then the
+ * peer probably should be buffering until this option state negotiation
+ * is complete.
+ *
+ */
+void send_do(int option, int init) {
+    if (init) {
+        if ((do_dont_resp[option] == 0 && his_state_is_will(option)) ||
+            his_want_state_is_will(option))
+            return;
+        /*
+         * Special case for TELOPT_TM:  We send a DO, but pretend
+         * that we sent a DONT, so that we can send more DOs if
+         * we want to.
+         */
+        if (option == TELOPT_TM)
+            set_his_want_state_wont(option);
+        else
+            set_his_want_state_will(option);
+        do_dont_resp[option]++;
+    }
+    netoprintf((char *)doopt, option);
+    
+    DIAG(TD_OPTIONS, printoption("td: send do", option));
+}
+
+#ifdef  AUTHENTICATE
+extern void auth_request();
+#endif
+
+#ifdef  LINEMODE
+static void doclientstat(void);
+#endif
+
+#ifdef  ENCRYPT
+extern void encrypt_send_support();
+#endif
+
+void willoption(int option) {
+    int changeok = 0;
+    void (*func)(void) = 0;
+    
+    /*
+     * process input from peer.
+     */
+    
+    DIAG(TD_OPTIONS, printoption("td: recv will", option));
+    
+    if (do_dont_resp[option]) {
+        do_dont_resp[option]--;
+        if (do_dont_resp[option] && his_state_is_will(option))
+            do_dont_resp[option]--;
+    }
+    if (do_dont_resp[option] == 0) {
+        if (his_want_state_is_wont(option)) {
+            switch (option) {
+                
+            case TELOPT_BINARY:
+                init_termbuf();
+                tty_binaryin(1);
+                set_termbuf();
+                changeok++;
+                break;
+                
+            case TELOPT_ECHO:
+                /*
+                 * See comments below for more info.
+                 */
+                not42 = 0;      /* looks like a 4.2 system */
+                break;
+                
+            case TELOPT_TM:
+#if defined(LINEMODE) && defined(KLUDGELINEMODE)
+                /*
+                 * This telnetd implementation does not really
+                 * support timing marks, it just uses them to
+                 * support the kludge linemode stuff.  If we
+                 * receive a will or wont TM in response to our
+                 * do TM request that may have been sent to
+                 * determine kludge linemode support, process
+                 * it, otherwise TM should get a negative
+                 * response back.
+                 */
+                /*
+                 * Handle the linemode kludge stuff.
+                 * If we are not currently supporting any
+                 * linemode at all, then we assume that this
+                 * is the client telling us to use kludge
+                 * linemode in response to our query.  Set the
+                 * linemode type that is to be supported, note
+                 * that the client wishes to use linemode, and
+                 * eat the will TM as though it never arrived.
+                 */
+                if (lmodetype < KLUDGE_LINEMODE) {
+                    lmodetype = KLUDGE_LINEMODE;
+                    clientstat(TELOPT_LINEMODE, WILL, 0);
+                    send_wont(TELOPT_SGA, 1);
+                }
+#endif  /* defined(LINEMODE) && defined(KLUDGELINEMODE) */
+                /*
+                 * We never respond to a WILL TM, and
+                 * we leave the state WONT.
+                 */
+                return;
+
+            case TELOPT_LFLOW:
+                 /*
+                  * If we are going to support flow control
+                  * option, then don't worry peer that we can't
+                  * change the flow control characters.
+                  */
+                slctab[SLC_XON].defset.flag &= ~SLC_LEVELBITS;
+                slctab[SLC_XON].defset.flag |= SLC_DEFAULT;
+                slctab[SLC_XOFF].defset.flag &= ~SLC_LEVELBITS;
+                slctab[SLC_XOFF].defset.flag |= SLC_DEFAULT;
+            case TELOPT_TTYPE:
+            case TELOPT_SGA:
+            case TELOPT_NAWS:
+            case TELOPT_TSPEED:
+            case TELOPT_XDISPLOC:
+            case TELOPT_ENVIRON:
+                changeok++;
+                break;
+                
+#ifdef LINEMODE
+            case TELOPT_LINEMODE:
+#ifdef KLUDGELINEMODE
+                /*
+                 * Note client's desire to use linemode.
+                 */
+                lmodetype = REAL_LINEMODE;
+#endif  /* KLUDGELINEMODE */
+                func = doclientstat;
+                changeok++;
+                break;
+#endif  /* LINEMODE */
+                
+#ifdef  AUTHENTICATE
+            case TELOPT_AUTHENTICATION:
+                func = auth_request;
+                changeok++;
+                break;
+#endif
+                
+#ifdef ENCRYPT
+            case TELOPT_ENCRYPT:
+                func = encrypt_send_support;
+                changeok++;
+                break;
+#endif
+
+            default:
+                break;
+            }
+            if (changeok) {
+                set_his_want_state_will(option);
+                send_do(option, 0);
+            } 
+            else {
+                do_dont_resp[option]++;
+                send_dont(option, 0);
+            }
+        } 
+        else {
+            /*
+             * Option processing that should happen when
+             * we receive conformation of a change in
+             * state that we had requested.
+             */
+            switch (option) {
+             case TELOPT_ECHO:
+                not42 = 0;      /* looks like a 4.2 system */
+                /*
+                 * Egads, he responded "WILL ECHO".  Turn
+                 * it off right now!
+                 */
+                send_dont(option, 1);
+                /*
+                 * "WILL ECHO".  Kludge upon kludge!
+                 * A 4.2 client is now echoing user input at
+                 * the tty.  This is probably undesireable and
+                 * it should be stopped.  The client will
+                 * respond WONT TM to the DO TM that we send to
+                 * check for kludge linemode.  When the WONT TM
+                 * arrives, linemode will be turned off and a
+                 * change propogated to the pty.  This change
+                 * will cause us to process the new pty state
+                 * in localstat(), which will notice that
+                 * linemode is off and send a WILL ECHO
+                 * so that we are properly in character mode and
+                 * all is well.
+                 */
+                break;
+#ifdef  LINEMODE
+             case TELOPT_LINEMODE:
+# ifdef KLUDGELINEMODE
+                 /*
+                  * Note client's desire to use linemode.
+                  */
+                 lmodetype = REAL_LINEMODE;
+# endif /* KLUDGELINEMODE */
+                func = doclientstat;
+                break;
+#endif  /* LINEMODE */
+
+#ifdef  AUTHENTICATE
+            case TELOPT_AUTHENTICATION:
+                func = auth_request;
+                break;
+#endif
+
+#ifdef  ENCRYPT
+            case TELOPT_ENCRYPT:
+                func = encrypt_send_support;
+                break;
+#endif
+            }
+        }
+    }
+    set_his_state_will(option);
+    if (func) (*func)();
+}
+
+void send_dont(int option, int init) {
+    if (init) {
+        if ((do_dont_resp[option] == 0 && his_state_is_wont(option)) ||
+            his_want_state_is_wont(option))
+            return;
+        set_his_want_state_wont(option);
+        do_dont_resp[option]++;
+    }
+    netoprintf((char *) dont, option);
+
+    DIAG(TD_OPTIONS, printoption("td: send dont", option));
+}
+
+void wontoption(int option) {
+    /*
+     * Process client input.
+     */
+
+    DIAG(TD_OPTIONS, printoption("td: recv wont", option));
+    
+    if (do_dont_resp[option]) {
+        do_dont_resp[option]--;
+        if (do_dont_resp[option] && his_state_is_wont(option))
+            do_dont_resp[option]--;
+    }
+    if (do_dont_resp[option] == 0) {
+        if (his_want_state_is_will(option)) {
+            /* it is always ok to change to negative state */
+            switch (option) {
+            case TELOPT_ECHO:
+                not42 = 1; /* doesn't seem to be a 4.2 system */
+                break;
+                
+            case TELOPT_BINARY:
+                init_termbuf();
+                tty_binaryin(0);
+                set_termbuf();
+                break;
+                
+#ifdef LINEMODE
+            case TELOPT_LINEMODE:
+#ifdef KLUDGELINEMODE
+                /*
+                 * If real linemode is supported, then client is
+                 * asking to turn linemode off.
+                 */
+                if (lmodetype != REAL_LINEMODE)
+                    break;
+                lmodetype = KLUDGE_LINEMODE;
+# endif /* KLUDGELINEMODE */
+                clientstat(TELOPT_LINEMODE, WONT, 0);
+                break;
+#endif  /* LINEMODE */
+                
+            case TELOPT_TM:
+                /*
+                 * If we get a WONT TM, and had sent a DO TM,
+                 * don't respond with a DONT TM, just leave it
+                 * as is.  Short circut the state machine to
+                 * achive this.
+                 */
+                set_his_want_state_wont(TELOPT_TM);
+                return;
+                
+            case TELOPT_LFLOW:
+                /*
+                 * If we are not going to support flow control
+                 * option, then let peer know that we can't
+                 * change the flow control characters.
+                 */
+                slctab[SLC_XON].defset.flag &= ~SLC_LEVELBITS;
+                slctab[SLC_XON].defset.flag |= SLC_CANTCHANGE;
+                slctab[SLC_XOFF].defset.flag &= ~SLC_LEVELBITS;
+                slctab[SLC_XOFF].defset.flag |= SLC_CANTCHANGE;
+                break;
+                
+#if defined(AUTHENTICATE)
+             case TELOPT_AUTHENTICATION:
+                auth_finished(0, AUTH_REJECT);
+                break;
+#endif
+
+                /*
+                 * For options that we might spin waiting for
+                 * sub-negotiation, if the client turns off the
+                 * option rather than responding to the request,
+                 * we have to treat it here as if we got a response
+                 * to the sub-negotiation, (by updating the timers)
+                 * so that we'll break out of the loop.
+                 */
+            case TELOPT_TTYPE:
+                settimer(ttypesubopt);
+                break;
+
+            case TELOPT_TSPEED:
+                settimer(tspeedsubopt);
+                break;
+
+            case TELOPT_XDISPLOC:
+                settimer(xdisplocsubopt);
+                break;
+                
+            case TELOPT_ENVIRON:
+                settimer(environsubopt);
+                break;
+
+            default:
+                break;
+            }
+            set_his_want_state_wont(option);
+            if (his_state_is_will(option)) send_dont(option, 0);
+        } 
+        else {
+            switch (option) {
+             case TELOPT_TM:
+#if defined(LINEMODE) && defined(KLUDGELINEMODE)
+                 if (lmodetype < REAL_LINEMODE) {
+                     lmodetype = NO_LINEMODE;
+                     clientstat(TELOPT_LINEMODE, WONT, 0);
+                     send_will(TELOPT_SGA, 1);
+                     send_will(TELOPT_ECHO, 1);
+                 }
+#endif  /* defined(LINEMODE) && defined(KLUDGELINEMODE) */
+                 break;
+
+#if     defined(AUTHENTICATE)
+            case TELOPT_AUTHENTICATION:
+                auth_finished(0, AUTH_REJECT);
+                 break;
+#endif
+            default:
+                break;
+            }
+        }
+    }
+}  /* end of wontoption */
+
+void send_will(int option, int init) {
+    if (init) {
+        if ((will_wont_resp[option] == 0 && my_state_is_will(option))||
+            my_want_state_is_will(option))
+            return;
+        set_my_want_state_will(option);
+        will_wont_resp[option]++;
+    }
+    netoprintf((char *) will, option);
+
+    DIAG(TD_OPTIONS, printoption("td: send will", option));
+}
+
+#if !defined(LINEMODE) || !defined(KLUDGELINEMODE)
+/*
+ * When we get a DONT SGA, we will try once to turn it
+ * back on.  If the other side responds DONT SGA, we
+ * leave it at that.  This is so that when we talk to
+ * clients that understand KLUDGELINEMODE but not LINEMODE,
+ * we'll keep them in char-at-a-time mode.
+ */
+int turn_on_sga = 0;
+#endif
+
+void dooption(int option) {
+    int changeok = 0;
+
+    /*
+     * Process client input.
+     */
+    
+    DIAG(TD_OPTIONS, printoption("td: recv do", option));
+    
+    if (will_wont_resp[option]) {
+        will_wont_resp[option]--;
+        if (will_wont_resp[option] && my_state_is_will(option))
+            will_wont_resp[option]--;
+    }
+    if ((will_wont_resp[option] == 0) && (my_want_state_is_wont(option))) {
+        switch (option) {
+        case TELOPT_ECHO:
+#ifdef  LINEMODE
+#ifdef  KLUDGELINEMODE
+            if (lmodetype == NO_LINEMODE)
+#else
+            if (his_state_is_wont(TELOPT_LINEMODE))
+#endif
+#endif
+            {
+                init_termbuf();
+                tty_setecho(1);
+                set_termbuf();
+            }
+            changeok++;
+            break;
+
+        case TELOPT_BINARY:
+            init_termbuf();
+            tty_binaryout(1);
+            set_termbuf();
+            changeok++;
+            break;
+
+        case TELOPT_SGA:
+#if defined(LINEMODE) && defined(KLUDGELINEMODE)
+            /*
+             * If kludge linemode is in use, then we must
+             * process an incoming do SGA for linemode
+             * purposes.
+             */
+            if (lmodetype == KLUDGE_LINEMODE) {
+                /*
+                 * Receipt of "do SGA" in kludge
+                 * linemode is the peer asking us to
+                 * turn off linemode.  Make note of
+                 * the request.
+                 */
+                clientstat(TELOPT_LINEMODE, WONT, 0);
+                /*
+                 * If linemode did not get turned off
+                 * then don't tell peer that we did.
+                 * Breaking here forces a wont SGA to
+                 * be returned.
+                 */
+                if (linemode)  break;
+            }
+#else
+            turn_on_sga = 0;
+#endif  /* defined(LINEMODE) && defined(KLUDGELINEMODE) */
+            changeok++;
+            break;
+
+        case TELOPT_STATUS:
+            changeok++;
+            break;
+            
+        case TELOPT_TM:
+            /*
+             * Special case for TM.  We send a WILL, but
+             * pretend we sent a WONT.
+             */
+            send_will(option, 0);
+            set_my_want_state_wont(option);
+            set_my_state_wont(option);
+            return;
+            
+        case TELOPT_LOGOUT:
+            /*
+             * When we get a LOGOUT option, respond
+             * with a WILL LOGOUT, make sure that
+             * it gets written out to the network,
+             * and then just go away...
+             */
+            set_my_want_state_will(TELOPT_LOGOUT);
+            send_will(TELOPT_LOGOUT, 0);
+            set_my_state_will(TELOPT_LOGOUT);
+            (void)netflush();
+            cleanup(0);
+            /* NOT REACHED */
+            break;
+
+#if defined(ENCRYPT)
+        case TELOPT_ENCRYPT:
+            changeok++;
+            break;
+#endif
+        case TELOPT_LINEMODE:
+        case TELOPT_TTYPE:
+        case TELOPT_NAWS:
+        case TELOPT_TSPEED:
+        case TELOPT_LFLOW:
+        case TELOPT_XDISPLOC:
+        case TELOPT_ENVIRON:
+        default:
+            break;
+        }
+        if (changeok) {
+            set_my_want_state_will(option);
+            send_will(option, 0);
+        } 
+        else {
+            will_wont_resp[option]++;
+            send_wont(option, 0);
+        }
+    }
+    set_my_state_will(option);
+}
+
+void send_wont(int option, int init) {
+    if (init) {
+        if ((will_wont_resp[option] == 0 && my_state_is_wont(option)) ||
+            my_want_state_is_wont(option))
+            return;
+        set_my_want_state_wont(option);
+        will_wont_resp[option]++;
+    }
+    netoprintf((char *)wont, option);
+    
+    DIAG(TD_OPTIONS, printoption("td: send wont", option));
+}
+
+void dontoption(int option) {
+    /*
+     * Process client input.
+     */
+    DIAG(TD_OPTIONS, printoption("td: recv dont", option));
+
+    if (will_wont_resp[option]) {
+        will_wont_resp[option]--;
+        if (will_wont_resp[option] && my_state_is_wont(option))
+            will_wont_resp[option]--;
+    }
+    if ((will_wont_resp[option] == 0) && (my_want_state_is_will(option))) {
+        switch (option) {
+        case TELOPT_BINARY:
+            init_termbuf();
+            tty_binaryout(0);
+            set_termbuf();
+            break;
+
+        case TELOPT_ECHO:       /* we should stop echoing */
+#ifdef  LINEMODE
+#ifdef  KLUDGELINEMODE
+            if (lmodetype == NO_LINEMODE)
+#else
+            if (his_state_is_wont(TELOPT_LINEMODE))
+#endif
+#endif
+            {
+                init_termbuf();
+                tty_setecho(0);
+                set_termbuf();
+            }
+            break;
+
+        case TELOPT_SGA:
+#if defined(LINEMODE) && defined(KLUDGELINEMODE)
+            /*
+             * If kludge linemode is in use, then we
+             * must process an incoming do SGA for
+             * linemode purposes.
+             */
+            if (lmodetype == KLUDGE_LINEMODE) {
+                /*
+                 * The client is asking us to turn
+                 * linemode on.
+                 */
+                clientstat(TELOPT_LINEMODE, WILL, 0);
+                /*
+                 * If we did not turn line mode on,
+                 * then what do we say?  Will SGA?
+                 * This violates design of telnet.
+                 * Gross.  Very Gross.
+                 */
+            }
+            break;
+#else
+            set_my_want_state_wont(option);
+            if (my_state_is_will(option))
+                send_wont(option, 0);
+            set_my_state_wont(option);
+            if (turn_on_sga ^= 1) send_will(option,1);
+            return;
+#endif  /* defined(LINEMODE) && defined(KLUDGELINEMODE) */
+            
+         default:
+            break;
+        }
+
+        set_my_want_state_wont(option);
+        if (my_state_is_will(option))
+            send_wont(option, 0);
+    }
+    set_my_state_wont(option);
+}
+
+/*
+ * suboption()
+ *
+ *      Look at the sub-option buffer, and try to be helpful to the other
+ * side.
+ *
+ *      Currently we recognize:
+ *
+ *      Terminal type is
+ *      Linemode
+ *      Window size
+ *      Terminal speed
+ */
+void suboption(void) {
+    int subchar;
+
+    DIAG(TD_OPTIONS, {netflush(); printsub('<', subpointer, SB_LEN()+2);});
+
+    subchar = SB_GET();
+    switch (subchar) {
+     case TELOPT_TSPEED: {
+        int xspeed, rspeed;
+        if (his_state_is_wont(TELOPT_TSPEED))   /* Ignore if option disabled */
+            break;
+
+        settimer(tspeedsubopt);
+        if (SB_EOF() || SB_GET() != TELQUAL_IS) return;
+        xspeed = atoi((char *)subpointer);
+
+        while (SB_GET() != ',' && !SB_EOF());
+        if (SB_EOF()) return;
+        
+        rspeed = atoi((char *)subpointer);
+        clientstat(TELOPT_TSPEED, xspeed, rspeed);
+        break;
+    }
+
+    case TELOPT_TTYPE: {                /* Yaaaay! */
+        static char terminalname[41];
+
+        if (his_state_is_wont(TELOPT_TTYPE))    /* Ignore if option disabled */
+            break;
+        settimer(ttypesubopt);
+        
+        if (SB_EOF() || SB_GET() != TELQUAL_IS) {
+            return;             /* ??? XXX but, this is the most robust */
+        }
+
+        terminaltype = terminalname;
+
+        while ((terminaltype < (terminalname + sizeof (terminalname) -1) ) &&
+               !SB_EOF()) 
+        {
+            int c;
+            c = SB_GET();
+            if (isupper(c)) {
+                c = tolower(c);
+            }
+            *terminaltype++ = c;    /* accumulate name */
+        }
+        *terminaltype = 0;
+        terminaltype = terminalname;
+        break;
+    }
+
+    case TELOPT_NAWS: {
+        int xwinsize, ywinsize;
+        if (his_state_is_wont(TELOPT_NAWS))     /* Ignore if option disabled */
+            break;
+
+        if (SB_EOF()) return;
+        xwinsize = SB_GET() << 8;
+        if (SB_EOF()) return;
+        xwinsize |= SB_GET();
+        if (SB_EOF()) return;
+        ywinsize = SB_GET() << 8;
+        if (SB_EOF()) return;
+        ywinsize |= SB_GET();
+        clientstat(TELOPT_NAWS, xwinsize, ywinsize);
+        break;
+    }
+
+#ifdef  LINEMODE
+    case TELOPT_LINEMODE: {
+        register int request;
+
+        if (his_state_is_wont(TELOPT_LINEMODE)) /* Ignore if option disabled */
+                break;
+        /*
+         * Process linemode suboptions.
+         */
+        if (SB_EOF())
+            break;              /* garbage was sent */
+        request = SB_GET();     /* get will/wont */
+
+        if (SB_EOF())
+            break;              /* another garbage check */
+
+        if (request == LM_SLC) {  /* SLC is not preceeded by WILL or WONT */
+                /*
+                 * Process suboption buffer of slc's
+                 */
+                start_slc(1);
+                do_opt_slc(subpointer, subend - subpointer);
+                (void) end_slc(0);
+                break;
+        } else if (request == LM_MODE) {
+                if (SB_EOF())
+                    return;
+                useeditmode = SB_GET();  /* get mode flag */
+                clientstat(LM_MODE, 0, 0);
+                break;
+        }
+
+        if (SB_EOF())
+            break;
+        switch (SB_GET()) {  /* what suboption? */
+        case LM_FORWARDMASK:
+                /*
+                 * According to spec, only server can send request for
+                 * forwardmask, and client can only return a positive response.
+                 * So don't worry about it.
+                 */
+
+        default:
+                break;
+        }
+        break;
+    }  /* end of case TELOPT_LINEMODE */
+#endif
+    case TELOPT_STATUS: {
+        int mode;
+
+        if (SB_EOF())
+            break;
+        mode = SB_GET();
+        switch (mode) {
+        case TELQUAL_SEND:
+            if (my_state_is_will(TELOPT_STATUS))
+                send_status();
+            break;
+
+        case TELQUAL_IS:
+            break;
+
+        default:
+            break;
+        }
+        break;
+    }  /* end of case TELOPT_STATUS */
+
+    case TELOPT_XDISPLOC: {
+        if (SB_EOF() || SB_GET() != TELQUAL_IS)
+                return;
+        settimer(xdisplocsubopt);
+        subpointer[SB_LEN()] = '\0';
+        (void)setenv("DISPLAY", (char *)subpointer, 1);
+        break;
+    }  /* end of case TELOPT_XDISPLOC */
+
+    case TELOPT_ENVIRON: {
+        register int c;
+        register char *cp, *varp, *valp;
+
+        if (SB_EOF())
+                return;
+        c = SB_GET();
+        if (c == TELQUAL_IS)
+                settimer(environsubopt);
+        else if (c != TELQUAL_INFO)
+                return;
+
+        while (!SB_EOF() && SB_GET() != ENV_VAR)
+                ;
+
+        if (SB_EOF())
+                return;
+
+        cp = varp = (char *)subpointer;
+        valp = 0;
+
+        while (!SB_EOF()) {
+            switch (c = SB_GET()) {
+            case ENV_VALUE:
+                *cp = '\0';
+                cp = valp = (char *)subpointer;
+                break;
+                
+            case ENV_VAR:
+                *cp = '\0';
+                if (envvarok(varp)) {
+                    if (valp)
+                        (void)setenv(varp, valp, 1);
+                    else
+                        unsetenv(varp);
+                }
+                cp = varp = (char *)subpointer;
+                valp = 0;
+                break;
+                
+            case ENV_ESC:
+                if (SB_EOF())
+                    break;
+                c = SB_GET();
+                /* FALL THROUGH */
+            default:
+                /* I think this test is correct... */
+                if (cp < subbuffer+sizeof(subbuffer)-1) *cp++ = c;
+                break;
+            }
+        }
+        *cp = '\0';
+        if (envvarok(varp)) {
+            if (valp)
+                (void)setenv(varp, valp, 1);
+            else
+                unsetenv(varp);
+        }
+        break;
+    }  /* end of case TELOPT_ENVIRON */
+#if defined(AUTHENTICATE)
+    case TELOPT_AUTHENTICATION:
+        if (SB_EOF())
+            break;
+        switch(SB_GET()) {
+        case TELQUAL_SEND:
+        case TELQUAL_REPLY:
+            /*
+             * These are sent by us and cannot be sent by
+             * the client.
+             */
+            break;
+        case TELQUAL_IS:
+            auth_is(subpointer, SB_LEN());
+            break;
+        case TELQUAL_NAME:
+            auth_name(subpointer, SB_LEN());
+            break;
+        }
+        break;
+#endif
+#if defined(ENCRYPT)
+    case TELOPT_ENCRYPT:
+        if (SB_EOF())
+            break;
+        switch(SB_GET()) {
+        case ENCRYPT_SUPPORT:
+            encrypt_support(subpointer, SB_LEN());
+            break;
+        case ENCRYPT_IS:
+            encrypt_is(subpointer, SB_LEN());
+            break;
+        case ENCRYPT_REPLY:
+            encrypt_reply(subpointer, SB_LEN());
+            break;
+        case ENCRYPT_START:
+            encrypt_start(subpointer, SB_LEN());
+            break;
+        case ENCRYPT_END:
+            encrypt_end();
+            break;
+        case ENCRYPT_REQSTART:
+            encrypt_request_start(subpointer, SB_LEN());
+            break;
+        case ENCRYPT_REQEND:
+            /*
+             * We can always send an REQEND so that we cannot
+             * get stuck encrypting.  We should only get this
+             * if we have been able to get in the correct mode
+             * anyhow.
+             */
+            encrypt_request_end();
+            break;
+        case ENCRYPT_ENC_KEYID:
+            encrypt_enc_keyid(subpointer, SB_LEN());
+            break;
+        case ENCRYPT_DEC_KEYID:
+            encrypt_dec_keyid(subpointer, SB_LEN());
+            break;
+        default:
+            break;
+        }
+        break;
+#endif
+
+    default:
+        break;
+    }  /* end of switch */
+
+}  /* end of suboption */
+
+#ifdef LINEMODE
+static void doclientstat(void) {
+    clientstat(TELOPT_LINEMODE, WILL, 0);
+}
+#endif
+
+#define ADD(c)   *ncp++ = c;
+#define ADD_DATA(c) { *ncp++ = c; if (c == SE) *ncp++ = c; }
+
+void send_status(void) {
+    unsigned char statusbuf[256];
+    register unsigned char *ncp;
+    register unsigned char i;
+    
+    ncp = statusbuf;
+    
+    netflush(); /* get rid of anything waiting to go out */
+    
+    ADD(IAC);
+    ADD(SB);
+    ADD(TELOPT_STATUS);
+    ADD(TELQUAL_IS);
+    
+    /*
+     * We check the want_state rather than the current state,
+     * because if we received a DO/WILL for an option that we
+     * don't support, and the other side didn't send a DONT/WONT
+     * in response to our WONT/DONT, then the "state" will be
+     * WILL/DO, and the "want_state" will be WONT/DONT.  We
+     * need to go by the latter.
+     */
+    for (i = 0; i < NTELOPTS; i++) {
+        if (my_want_state_is_will(i)) {
+            ADD(WILL);
+            ADD_DATA(i);
+            if (i == IAC) ADD(IAC);
+        }
+        if (his_want_state_is_will(i)) {
+            ADD(DO);
+            ADD_DATA(i);
+            if (i == IAC) ADD(IAC);
+        }
+    }
+
+    if (his_want_state_is_will(TELOPT_LFLOW)) {
+        ADD(SB);
+        ADD(TELOPT_LFLOW);
+        ADD(flowmode);
+        ADD(SE);
+    }
+
+#ifdef LINEMODE
+    if (his_want_state_is_will(TELOPT_LINEMODE)) {
+        unsigned char *cp, *cpe;
+        int len;
+        
+        ADD(SB);
+        ADD(TELOPT_LINEMODE);
+        ADD(LM_MODE);
+        ADD_DATA(editmode);
+        if (editmode == IAC) ADD(IAC);
+        ADD(SE);
+        
+        ADD(SB);
+        ADD(TELOPT_LINEMODE);
+        ADD(LM_SLC);
+        start_slc(0);
+        send_slc();
+        len = end_slc(&cp);
+        for (cpe = cp + len; cp < cpe; cp++) ADD_DATA(*cp);
+        ADD(SE);
+    }
+#endif  /* LINEMODE */
+
+    ADD(IAC);
+    ADD(SE);
+
+    writenet(statusbuf, ncp - statusbuf);
+    netflush(); /* Send it on its way */
+
+    DIAG(TD_OPTIONS, {printsub('>', statusbuf, ncp - statusbuf); netflush();});
+}
+
+/* check that variable is safe to pass to login or shell */
+#if 0  /* insecure version */
+static int envvarok(char *varp) {
+    if (strncmp(varp, "LD_", strlen("LD_")) &&
+        strncmp(varp, "ELF_LD_", strlen("ELF_LD_")) &&
+        strncmp(varp, "AOUT_LD_", strlen("AOUT_LD_")) &&
+        strncmp(varp, "_RLD_", strlen("_RLD_")) &&
+        strcmp(varp, "LIBPATH") &&
+        strcmp(varp, "ENV") &&
+        strcmp(varp, "IFS")) 
+    {
+        return 1;
+    } 
+    else {
+        /* optionally syslog(LOG_INFO) here */
+        return 0;
+    }
+}
+
+#else
+static int envvarok(char *varp) {
+    /*
+     * Allow only these variables.
+     */
+    if (!strcmp(varp, "TERM")) return 1;
+    if (!strcmp(varp, "DISPLAY")) return 1;
+    if (!strcmp(varp, "USER")) return 1;
+    if (!strcmp(varp, "LOGNAME")) return 1;
+    if (!strcmp(varp, "POSIXLY_CORRECT")) return 1;
+
+    /* optionally syslog(LOG_INFO) here */
+    return 0;
+}
+
+#endif
diff --git a/exploits/7350855-netkit/netkit-telnet-0.16/telnetd/sys_term.c b/exploits/7350855-netkit/netkit-telnet-0.16/telnetd/sys_term.c
new file mode 100644
index 0000000..57db624
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.16/telnetd/sys_term.c
@@ -0,0 +1,744 @@
+/*
+ * Copyright (c) 1989 Regents of the University of California.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *      This product includes software developed by the University of
+ *      California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/*
+ * From: @(#)sys_term.c 5.16 (Berkeley) 3/22/91
+ */
+char st_rcsid[] = 
+  "$Id: sys_term.c,v 1.16 1999/12/12 14:59:45 dholland Exp $";
+
+#include <utmp.h>
+
+#include "telnetd.h"
+#include "pathnames.h"
+
+#if defined(__GLIBC__) && (__GLIBC__ >= 2)
+/* mmm, nonstandard */
+#include <pty.h>
+#else
+int openpty(int *, int *, char *, struct termios *, struct winsize *);
+#endif
+
+#define ARCH64 ((sizeof(void *)) == 8)
+#define ARCH32 ((sizeof(void *)) == 4)
+
+#if defined(AUTHENTICATE)
+#include <libtelnet/auth.h>
+#endif
+
+static struct termios termbuf, termbuf2;        /* pty control structure */
+
+/*static int cleanopen(char *line);*/
+
+/*
+ * init_termbuf()
+ * copy_termbuf(cp)
+ * set_termbuf()
+ *
+ * These three routines are used to get and set the "termbuf" structure
+ * to and from the kernel.  init_termbuf() gets the current settings.
+ * copy_termbuf() hands in a new "termbuf" to write to the kernel, and
+ * set_termbuf() writes the structure into the kernel.
+ */
+
+void init_termbuf(void) {
+    tcgetattr(pty, &termbuf);
+    termbuf2 = termbuf;
+}
+
+#if defined(LINEMODE) && defined(TIOCPKT_IOCTL)
+/*
+ * ?
+ */
+void copy_termbuf(char *cp, int len) {
+    if (len > sizeof(termbuf)) len = sizeof(termbuf);
+    bcopy(cp, (char *)&termbuf, len);
+    termbuf2 = termbuf;
+}
+#endif /* defined(LINEMODE) && defined(TIOCPKT_IOCTL) */
+
+void set_termbuf(void) {
+    if (memcmp(&termbuf, &termbuf2, sizeof(termbuf))) {
+        tcsetattr(pty, TCSANOW, &termbuf);
+    }
+}
+
+
+/*
+ * spcset(func, valp, valpp)
+ *
+ * This function takes various special characters (func), and
+ * sets *valp to the current value of that character, and
+ * *valpp to point to where in the "termbuf" structure that
+ * value is kept.
+ *
+ * It returns the SLC_ level of support for this function.
+ */
+
+
+int spcset(int func, cc_t *valp, cc_t **valpp) {
+
+#define setval(a, b)    *valp = termbuf.c_cc[a]; \
+                        *valpp = &termbuf.c_cc[a]; \
+                        return(b);
+#define defval(a) *valp = ((cc_t)a); *valpp = (cc_t *)0; return(SLC_DEFAULT);
+
+    switch(func) {
+    case SLC_EOF:
+        setval(VEOF, SLC_VARIABLE);
+    case SLC_EC:
+        setval(VERASE, SLC_VARIABLE);
+    case SLC_EL:
+        setval(VKILL, SLC_VARIABLE);
+    case SLC_IP:
+        setval(VINTR, SLC_VARIABLE|SLC_FLUSHIN|SLC_FLUSHOUT);
+    case SLC_ABORT:
+        setval(VQUIT, SLC_VARIABLE|SLC_FLUSHIN|SLC_FLUSHOUT);
+    case SLC_XON:
+#ifdef VSTART
+        setval(VSTART, SLC_VARIABLE);
+#else
+        defval(0x13);
+#endif
+    case SLC_XOFF:
+#ifdef  VSTOP
+        setval(VSTOP, SLC_VARIABLE);
+#else
+        defval(0x11);
+#endif
+    case SLC_EW:
+#ifdef  VWERASE
+        setval(VWERASE, SLC_VARIABLE);
+#else
+        defval(0);
+#endif
+    case SLC_RP:
+#ifdef  VREPRINT
+        setval(VREPRINT, SLC_VARIABLE);
+#else
+        defval(0);
+#endif
+    case SLC_LNEXT:
+#ifdef  VLNEXT
+        setval(VLNEXT, SLC_VARIABLE);
+#else
+        defval(0);
+#endif
+    case SLC_AO:
+#if     !defined(VDISCARD) && defined(VFLUSHO)
+# define VDISCARD VFLUSHO
+#endif
+#ifdef  VDISCARD
+        setval(VDISCARD, SLC_VARIABLE|SLC_FLUSHOUT);
+#else
+        defval(0);
+#endif
+    case SLC_SUSP:
+#ifdef  VSUSP
+        setval(VSUSP, SLC_VARIABLE|SLC_FLUSHIN);
+#else
+        defval(0);
+#endif
+#ifdef  VEOL
+    case SLC_FORW1:
+        setval(VEOL, SLC_VARIABLE);
+#endif
+#ifdef  VEOL2
+    case SLC_FORW2:
+        setval(VEOL2, SLC_VARIABLE);
+#endif
+    case SLC_AYT:
+#ifdef  VSTATUS
+        setval(VSTATUS, SLC_VARIABLE);
+#else
+        defval(0);
+#endif
+        
+    case SLC_BRK:
+    case SLC_SYNCH:
+    case SLC_EOR:
+        defval(0);
+        
+    default:
+        *valp = 0;
+        *valpp = 0;
+        return(SLC_NOSUPPORT);
+    }
+}
+
+/*
+ * getpty()
+ *
+ * Allocate a pty.  As a side effect, the external character
+ * array "line" contains the name of the slave side.
+ *
+ * Returns the file descriptor of the opened pty.
+ */
+static char linedata[PATH_MAX];
+char *line = linedata;
+
+static int ptyslavefd=-1;
+
+int getpty(void) {
+    int masterfd;
+
+    if (openpty(&masterfd, &ptyslavefd, line, NULL, NULL)) {
+        return -1;
+    }
+    return masterfd;
+}
+
+#ifdef  LINEMODE
+/*
+ * tty_flowmode()       Find out if flow control is enabled or disabled.
+ * tty_linemode()       Find out if linemode (external processing) is enabled.
+ * tty_setlinemod(on)   Turn on/off linemode.
+ * tty_isecho()         Find out if echoing is turned on.
+ * tty_setecho(on)      Enable/disable character echoing.
+ * tty_israw()          Find out if terminal is in RAW mode.
+ * tty_binaryin(on)     Turn on/off BINARY on input.
+ * tty_binaryout(on)    Turn on/off BINARY on output.
+ * tty_isediting()      Find out if line editing is enabled.
+ * tty_istrapsig()      Find out if signal trapping is enabled.
+ * tty_setedit(on)      Turn on/off line editing.
+ * tty_setsig(on)       Turn on/off signal trapping.
+ * tty_issofttab()      Find out if tab expansion is enabled.
+ * tty_setsofttab(on)   Turn on/off soft tab expansion.
+ * tty_islitecho()      Find out if typed control chars are echoed literally
+ * tty_setlitecho()     Turn on/off literal echo of control chars
+ * tty_tspeed(val)      Set transmit speed to val.
+ * tty_rspeed(val)      Set receive speed to val.
+ */
+
+int tty_flowmode(void) {
+    return (termbuf.c_iflag & IXON ? 1 : 0);
+}
+
+int tty_linemode(void) {
+    return (termbuf.c_lflag & EXTPROC);
+}
+
+void tty_setlinemode(int on) {
+#ifdef TIOCEXT
+    set_termbuf();
+    ioctl(pty, TIOCEXT, (char *)&on);
+    init_termbuf();
+#else   /* !TIOCEXT */
+# ifdef EXTPROC
+    if (on) termbuf.c_lflag |= EXTPROC;
+    else termbuf.c_lflag &= ~EXTPROC;
+# endif
+#endif  /* TIOCEXT */
+}
+
+int tty_isecho(void) {
+    return (termbuf.c_lflag & ECHO);
+}
+#endif  /* LINEMODE */
+
+void tty_setecho(int on) {
+    if (on) termbuf.c_lflag |= ECHO;
+    else termbuf.c_lflag &= ~ECHO;
+}
+
+#if defined(LINEMODE) && defined(KLUDGELINEMODE)
+int tty_israw(void) {
+    return(!(termbuf.c_lflag & ICANON));
+}
+#endif  /* defined(LINEMODE) && defined(KLUDGELINEMODE) */
+
+void tty_binaryin(int on) {
+    if (on) {
+        termbuf.c_iflag &= ~ISTRIP;
+    }
+    else {
+        termbuf.c_iflag |= ISTRIP;
+    }
+}
+
+void tty_binaryout(int on) {
+    if (on) {
+        termbuf.c_cflag &= ~(CSIZE|PARENB);
+        termbuf.c_cflag |= CS8;
+        termbuf.c_oflag &= ~OPOST;
+    } 
+    else {
+        termbuf.c_cflag &= ~CSIZE;
+        termbuf.c_cflag |= CS7|PARENB;
+        termbuf.c_oflag |= OPOST;
+    }
+}
+
+int tty_isbinaryin(void) {
+    return (!(termbuf.c_iflag & ISTRIP));
+}
+
+int tty_isbinaryout(void) {
+    return (!(termbuf.c_oflag&OPOST));
+}
+
+#ifdef  LINEMODE
+int tty_isediting(void) {
+    return(termbuf.c_lflag & ICANON);
+}
+
+int tty_istrapsig(void) {
+    return(termbuf.c_lflag & ISIG);
+}
+
+void tty_setedit(int on) {
+    if (on) termbuf.c_lflag |= ICANON;
+    else termbuf.c_lflag &= ~ICANON;
+}
+
+void tty_setsig(int on) {
+    if (on) termbuf.c_lflag |= ISIG;
+    else termbuf.c_lflag &= ~ISIG;
+}
+#endif  /* LINEMODE */
+
+int tty_issofttab(void) {
+#ifdef OXTABS
+    return (termbuf.c_oflag & OXTABS);
+#endif
+#ifdef TABDLY
+    return ((termbuf.c_oflag & TABDLY) == TAB3);
+#endif
+}
+
+void tty_setsofttab(int on) {
+    if (on) {
+#ifdef  OXTABS
+        termbuf.c_oflag |= OXTABS;
+#endif
+#ifdef  TABDLY
+        termbuf.c_oflag &= ~TABDLY;
+        termbuf.c_oflag |= TAB3;
+#endif
+    } 
+    else {
+#ifdef  OXTABS
+        termbuf.c_oflag &= ~OXTABS;
+#endif
+#ifdef  TABDLY
+        termbuf.c_oflag &= ~TABDLY;
+        termbuf.c_oflag |= TAB0;
+#endif
+    }
+}
+
+int tty_islitecho(void) {
+    return (!(termbuf.c_lflag & ECHOCTL));
+}
+
+void tty_setlitecho(int on) {
+    if (on) termbuf.c_lflag &= ~ECHOCTL;
+    else termbuf.c_lflag |= ECHOCTL;
+}
+
+int tty_iscrnl(void) {
+    return (termbuf.c_iflag & ICRNL);
+}
+
+/*
+ * A table of available terminal speeds
+ */
+struct termspeeds {
+        int     speed;
+        int     value;
+} termspeeds[] = {
+        { 0,     B0 },    { 50,    B50 },   { 75,    B75 },
+        { 110,   B110 },  { 134,   B134 },  { 150,   B150 },
+        { 200,   B200 },  { 300,   B300 },  { 600,   B600 },
+        { 1200,  B1200 }, { 1800,  B1800 }, { 2400,  B2400 },
+        { 4800,  B4800 }, { 9600,  B9600 }, { 19200, B9600 },
+        { 38400, B9600 }, { -1,    B9600 }
+};
+
+void tty_tspeed(int val) {
+    struct termspeeds *tp;
+    for (tp = termspeeds; (tp->speed != -1) && (val > tp->speed); tp++);
+    cfsetospeed(&termbuf, tp->value);
+}
+
+void tty_rspeed(int val) {
+    struct termspeeds *tp;
+    for (tp = termspeeds; (tp->speed != -1) && (val > tp->speed); tp++);
+    cfsetispeed(&termbuf, tp->value);
+}
+
+/*
+ * getptyslave()
+ *
+ * Open the slave side of the pty, and do any initialization
+ * that is necessary.  The return value is a file descriptor
+ * for the slave side.
+ */
+#ifdef  TIOCGWINSZ
+extern int def_row, def_col;
+#endif
+extern int def_tspeed, def_rspeed;
+
+static int getptyslave(void) {
+#if 0
+    register int t = -1;
+
+# ifdef LINEMODE
+    int waslm;
+# endif
+# ifdef TIOCGWINSZ
+    struct winsize ws;
+# endif
+    /*
+     * Opening the slave side may cause initilization of the
+     * kernel tty structure.  We need remember the state of
+     *  if linemode was turned on
+     *  terminal window size
+     *  terminal speed
+     * so that we can re-set them if we need to.
+     */
+# ifdef LINEMODE
+    waslm = tty_linemode();
+# endif
+
+
+    /*
+     * Make sure that we don't have a controlling tty, and
+     * that we are the session (process group) leader.
+     */
+    t = open(_PATH_TTY, O_RDWR);
+    if (t >= 0) {
+        ioctl(t, TIOCNOTTY, (char *)0);
+        close(t);
+    }
+
+    t = cleanopen(line);
+    if (t < 0) fatalperror(net, line);
+#endif /* 0 */
+
+    struct winsize ws;
+    int t = ptyslavefd;
+
+    /*
+     * set up the tty modes as we like them to be.
+     */
+    init_termbuf();
+# ifdef TIOCGWINSZ
+    if (def_row || def_col) {
+        bzero((char *)&ws, sizeof(ws));
+        ws.ws_col = def_col;
+        ws.ws_row = def_row;
+        ioctl(t, TIOCSWINSZ, (char *)&ws);
+    }
+# endif
+
+    /*
+     * Settings for all other termios/termio based
+     * systems, other than 4.4BSD.  In 4.4BSD the
+     * kernel does the initial terminal setup.
+     *
+     * XXX what about linux?
+     */
+#  ifndef       OXTABS
+#   define OXTABS       0
+#  endif
+    termbuf.c_lflag |= ECHO;
+    termbuf.c_oflag |= OPOST|ONLCR|OXTABS;
+    termbuf.c_iflag |= ICRNL;
+    termbuf.c_iflag &= ~IXOFF;
+
+    tty_rspeed((def_rspeed > 0) ? def_rspeed : 9600);
+    tty_tspeed((def_tspeed > 0) ? def_tspeed : 9600);
+# ifdef LINEMODE
+    if (waslm) tty_setlinemode(1);
+# endif /* LINEMODE */
+
+    /*
+     * Set the tty modes, and make this our controlling tty.
+     */
+    set_termbuf();
+    if (login_tty(t) == -1) fatalperror(net, "login_tty");
+
+    if (net > 2) close(net);
+    if (pty > 2) close(pty);
+    return t;
+}
+
+#if 0
+#ifndef O_NOCTTY
+#define O_NOCTTY        0
+#endif
+/*
+ * Open the specified slave side of the pty,
+ * making sure that we have a clean tty.
+ */
+static int cleanopen(char *lyne) {
+    register int t;
+
+    /*
+     * Make sure that other people can't open the
+     * slave side of the connection.
+     */
+    chown(lyne, 0, 0);
+    chmod(lyne, 0600);
+
+#ifndef NO_REVOKE
+    revoke(lyne);
+#endif
+
+    t = open(lyne, O_RDWR|O_NOCTTY);
+    if (t < 0) return(-1);
+
+    /*
+     * Hangup anybody else using this ttyp, then reopen it for
+     * ourselves.
+     */
+# if !defined(__linux__)
+    /* this looks buggy to me, our ctty is really a pty at this point */
+    signal(SIGHUP, SIG_IGN);
+    vhangup();
+    signal(SIGHUP, SIG_DFL);
+    t = open(lyne, O_RDWR|O_NOCTTY);
+    if (t < 0) return(-1);
+# endif
+    return(t);
+}
+#endif /* 0 */
+
+int login_tty(int t) {
+    if (setsid() < 0) fatalperror(net, "setsid()");
+    if (ioctl(t, TIOCSCTTY, (char *)0) < 0) {
+        fatalperror(net, "ioctl(sctty)");
+    }
+    if (t != 0) dup2(t, 0);
+    if (t != 1) dup2(t, 1);
+    if (t != 2) dup2(t, 2);
+    if (t > 2) close(t);
+    return 0;
+}
+
+/*
+ * startslave(host)
+ *
+ * Given a hostname, do whatever
+ * is necessary to startup the login process on the slave side of the pty.
+ */
+
+/* ARGSUSED */
+void startslave(const char *host, int autologin, char *autoname) {
+    int i;
+
+#if defined(AUTHENTICATE)
+    if (!autoname || !autoname[0]) autologin = 0;
+    if (autologin < auth_level) {
+        fatal(net, "Authorization failed");
+        exit(1);
+    }
+#endif
+
+    i = fork();
+    if (i < 0) fatalperror(net, "fork");
+    if (i) {
+        /* parent */
+        signal(SIGHUP,SIG_IGN);
+        close(ptyslavefd);
+    } 
+    else {
+        /* child */
+        signal(SIGHUP,SIG_IGN);
+        getptyslave();
+        start_login(host, autologin, autoname);
+        /*NOTREACHED*/
+    }
+}
+
+char *envinit[3];
+
+void init_env(void) {
+    char **envp;
+    envp = envinit;
+    if ((*envp = getenv("TZ"))!=NULL)
+        *envp++ -= 3;
+    *envp = 0;
+    environ = envinit;
+}
+
+/*
+ * start_login(host)
+ *
+ * Assuming that we are now running as a child processes, this
+ * function will turn us into the login process.
+ */
+
+struct argv_stuff {
+   const char **argv;
+   int argc;
+   int argmax;
+};
+
+static void addarg(struct argv_stuff *, const char *);
+static void initarg(struct argv_stuff *);
+
+void start_login(const char *host, int autologin, const char *name) {
+    struct argv_stuff avs;
+    char *const *argvfoo;
+    (void)autologin;
+
+    initarg(&avs);
+
+    /*
+     * -h : pass on name of host.
+     *          WARNING:  -h is accepted by login if and only if
+     *                  getuid() == 0.
+     * -p : don't clobber the environment (so terminal type stays set).
+     *
+     * -f : force this login, he has already been authenticated
+     */
+    addarg(&avs, loginprg);
+    addarg(&avs, "-h");
+    addarg(&avs, host);
+#if !defined(NO_LOGIN_P)
+    addarg(&avs, "-p");
+#endif
+#ifdef BFTPDAEMON
+    /*
+     * Are we working as the bftp daemon?  If so, then ask login
+     * to start bftp instead of shell.
+     */
+    if (bftpd) {
+        addarg(&avs, "-e");
+        addarg(&avs, BFTPPATH);
+    } 
+    else
+#endif
+    {
+#if defined (SecurID)
+        /*
+         * don't worry about the -f that might get sent.
+         * A -s is supposed to override it anyhow.
+         */
+        if (require_SecurID) addarg(&avs, "-s");
+#endif
+        if (*name=='-') {
+            syslog(LOG_ERR, "Attempt to login with an option!");
+            name = "";
+        }
+#if defined (AUTHENTICATE)
+        if (auth_level >= 0 && autologin == AUTH_VALID) {
+# if !defined(NO_LOGIN_F)
+            addarg(&avs, "-f");
+# endif
+            addarg(&avs, name);
+        } 
+        else
+#endif
+        {
+            if (getenv("USER")) {
+                addarg(&avs, getenv("USER"));
+                if (*getenv("USER") == '-') {
+                    write(1,"I don't hear you!\r\n",19);
+                    syslog(LOG_ERR,"Attempt to login with an option!");
+                    exit(1);
+                }
+            }
+        }
+    }
+    closelog();
+    /* execv() should really take char const* const *, but it can't */ 
+    /*argvfoo = argv*/;
+    memcpy(&argvfoo, &avs.argv, sizeof(argvfoo));
+    execv(loginprg, argvfoo);
+
+    openlog("telnetd", LOG_PID | LOG_ODELAY, LOG_DAEMON);
+    syslog(LOG_ERR, "%s: %m\n", loginprg);
+    closelog();
+    fatalperror(net, loginprg);
+}
+
+static void initarg(struct argv_stuff *avs) {
+   /*
+    * 10 entries and a null
+    */
+   avs->argmax = 11;
+   avs->argv = malloc(sizeof(avs->argv[0]) * avs->argmax);
+   if (avs->argv == NULL) {
+      fprintf(stderr, "Out of memory\n");
+      exit(1);
+   }
+   avs->argc = 0;
+   avs->argv[0] = NULL;
+}
+
+static void addarg(struct argv_stuff *avs, const char *val) {
+   if (avs->argc>=avs->argmax-1) {
+       avs->argmax += 10;
+       avs->argv = realloc(avs->argv, sizeof(avs->argv[0])*avs->argmax);
+       if (avs->argv == NULL) {
+          fprintf(stderr, "Out of memory\n");
+          exit(1);
+       }
+   }
+
+   avs->argv[avs->argc++] = val;
+   avs->argv[avs->argc] = NULL;
+}
+
+/*
+ * cleanup()
+ *
+ * This is the routine to call when we are all through, to
+ * clean up anything that needs to be cleaned up.
+ */
+void cleanup(int sig) {
+    char *p;
+    (void)sig;
+
+    p = line + sizeof("/dev/") - 1;
+    if (logout(p)) logwtmp(p, "", "");
+#ifdef PARANOID_TTYS
+    /*
+     * dholland 16-Aug-96 chmod the tty when not in use
+     * This will make it harder to attach unwanted stuff to it
+     * (which is a security risk) but will break some programs.
+     */
+    chmod(line, 0600);
+#else
+    chmod(line, 0666);
+#endif
+    chown(line, 0, 0);
+    *p = 'p';
+    chmod(line, 0666);
+    chown(line, 0, 0);
+    shutdown(net, 2);
+    exit(1);
+}
diff --git a/exploits/7350855-netkit/netkit-telnet-0.16/telnetd/t.c b/exploits/7350855-netkit/netkit-telnet-0.16/telnetd/t.c
new file mode 100644
index 0000000..f1d76d1
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.16/telnetd/t.c
@@ -0,0 +1,2 @@
+#include <stdio.h>
+int main(){printf ("%d\n", BUFSIZ);}
diff --git a/exploits/7350855-netkit/netkit-telnet-0.16/telnetd/telnetd.8 b/exploits/7350855-netkit/netkit-telnet-0.16/telnetd/telnetd.8
new file mode 100644
index 0000000..7353448
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.16/telnetd/telnetd.8
@@ -0,0 +1,486 @@
+.\" Copyright (c) 1983 The Regents of the University of California.
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 3. All advertising materials mentioning features or use of this software
+.\"    must display the following acknowledgement:
+.\"     This product includes software developed by the University of
+.\"     California, Berkeley and its contributors.
+.\" 4. Neither the name of the University nor the names of its contributors
+.\"    may be used to endorse or promote products derived from this software
+.\"    without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\"     from: @(#)telnetd.8     6.8 (Berkeley) 4/20/91
+.\"     $Id: telnetd.8,v 1.13 1999/12/14 12:53:06 dholland Exp $
+.\"
+.Dd December 29, 1996
+.Dt IN.TELNETD 8
+.Os "Linux NetKit (0.16)"
+.Sh NAME
+.Nm in.telnetd
+.Nd DARPA
+.Tn telnet
+protocol server
+.Sh SYNOPSIS
+.Nm /usr/sbin/in.telnetd
+.Op Fl hns
+.Op Fl a Ar authmode
+.Op Fl D Ar debugmode
+.Op Fl L Ar loginprg
+.Op Fl S Ar tos
+.Op Fl X Ar authtype
+.Op Fl edebug
+.Op Fl debug Ar port
+.Sh DESCRIPTION
+The
+.Nm in.telnetd
+program is a server which supports the 
+.Tn DARPA
+.Tn telnet
+interactive communication protocol.
+.Nm In.telnetd
+is normally invoked by the internet server (see
+.Xr inetd 8 )
+for requests to connect to the
+.Tn telnet
+port as indicated by the
+.Pa /etc/services
+file (see
+.Xr services 5 ) .
+The
+.Fl debug
+option may be used to start up 
+.Nm in.telnetd
+manually, instead of through
+.Xr inetd 8 .
+If started up this way, 
+.Ar port
+may be specified to run 
+.Nm in.telnetd
+on an alternate 
+.Tn TCP 
+port number.
+.Pp
+The 
+.Nm in.telnetd
+program accepts the following options:
+.Bl -tag -width "-a authmode"
+.It Fl a Ar authmode
+This option may be used for specifying what mode should
+be used for authentication.
+Note that this option is only useful if
+.Nm in.telnetd
+has been compiled with support for authentication, which is not
+available in the current version.  The following values of
+.Ar authmode 
+are understood:
+.Bl -tag -width debug
+.It debug
+Turns on authentication debugging code.
+.It user
+Only allow connections when the remote user can provide valid
+authentication information to identify the remote user, and is allowed
+access to the specified account without providing a password.
+.It valid
+Only allow connections when the remote user can provide valid
+authentication information to identify the remote user.  The
+.Xr login 1
+command will provide any additional user verification needed if the
+remote user is not allowed automatic access to the specified account.
+.It other
+Only allow connections that supply some authentication information.
+This option is currently not supported by any of the existing
+authentication mechanisms, and is thus the same as specifying
+.Cm valid .
+.It none
+This is the default state.  Authentication information is not
+required.  If no or insufficient authentication information is
+provided, then the
+.Xr login 1
+program will provide the necessary user verification.
+.It off
+This disables the authentication code.  All user verification will
+happen through the
+.Xr login 1
+program.
+.El
+.It Fl D Ar debugmode
+This option may be used for debugging purposes.  This allows
+.Nm in.telnetd
+to print out debugging information to the connection, allowing the
+user to see what
+.Nm in.telnetd
+is doing.  There are several possible values for
+.Ar debugmode:
+.Bl -tag -width exercise
+.It Cm options
+Prints information about the negotiation of
+.Tn telnet
+options.
+.It Cm report
+Prints the 
+.Cm options
+information, plus some additional information about what processing is
+going on.
+.It Cm netdata
+Displays the data stream received by
+.Nm in.telnetd.
+.It Cm ptydata
+Displays data written to the pty.
+.It Cm exercise
+Has not been implemented yet.
+.El
+.It Fl edebug
+If
+.Nm in.telnetd
+has been compiled with support for encryption, then the
+.Fl edebug
+option may be used to enable encryption debugging code.
+.It Fl h
+Disables the printing of host-specific information before
+login has been completed.
+.It Fl L Ar loginprg
+This option may be used to specify a different login program.
+By default, 
+.Pa /usr/lib/telnetd/login
+is used.
+.It Fl n
+Disable
+.Dv TCP
+keep-alives.  Normally
+.Nm in.telnetd
+enables the
+.Tn TCP
+keep-alive mechanism to probe connections that
+have been idle for some period of time to determine
+if the client is still there, so that idle connections
+from machines that have crashed or can no longer
+be reached may be cleaned up.
+.It Fl s
+This option is only enabled if
+.Nm in.telnetd
+is compiled with support for
+.Tn SecurID
+cards.
+It causes the
+.Fl s
+option to be passed on to
+.Xr login 1 ,
+and thus is only useful if
+.Xr login 1
+supports the
+.Fl s
+flag to indicate that only
+.Tn SecurID
+validated logins are allowed. This is usually useful for controlling
+remote logins from outside of a firewall.
+.It Fl S Ar tos
+Sets the IP type-of-service (TOS) option for the telnet
+connection to the value
+.Ar tos .
+.It Fl X Ar authtype
+This option is only valid if
+.Nm in.telnetd
+has been built with support for the authentication option.
+It disables the use of
+.Ar authtype
+authentication, and
+can be used to temporarily disable
+a specific authentication type without having to recompile
+.Nm in.telnetd .
+.El
+.Pp
+If the file
+.Pa /etc/issue.net
+is present,
+.Nm in.telnetd
+will display its contents before the login prompt of a telnet session (see
+.Xr issue.net 5 ) .
+.Pp
+.Nm In.telnetd
+operates by allocating a pseudo-terminal device (see
+.Xr pty 4 )
+for a client, then creating a login process which has
+the slave side of the pseudo-terminal as 
+.Dv stdin ,
+.Dv stdout ,
+and
+.Dv stderr .
+.Nm In.telnetd
+manipulates the master side of the pseudo-terminal,
+implementing the
+.Tn telnet
+protocol and passing characters
+between the remote client and the login process.
+.Pp
+When a
+.Tn telnet
+session is started up, 
+.Nm in.telnetd
+sends
+.Tn telnet
+options to the client side indicating
+a willingness to do the
+following
+.Tn telnet
+options, which are described in more detail below:
+.Bd -literal -offset indent
+DO AUTHENTICATION
+WILL ENCRYPT
+DO TERMINAL TYPE
+DO TSPEED
+DO XDISPLOC
+DO NEW-ENVIRON
+DO ENVIRON
+WILL SUPPRESS GO AHEAD
+DO ECHO
+DO LINEMODE
+DO NAWS
+WILL STATUS
+DO LFLOW
+DO TIMING-MARK
+.Ed
+.Pp
+The pseudo-terminal allocated to the client is configured
+to operate in \*(lqcooked\*(rq mode, and with 
+.Dv XTABS
+.Dv CRMOD
+enabled (see
+.Xr tty 4 ) .
+.Pp
+.Nm In.telnetd
+has support for enabling locally the following
+.Tn telnet
+options:
+.Bl -tag -width "DO AUTHENTICATION"
+.It "WILL ECHO"
+When the
+.Dv LINEMODE
+option is enabled, a
+.Dv WILL ECHO
+or
+.Dv WONT ECHO
+will be sent to the client to indicate the
+current state of terminal echoing.
+When terminal echo is not desired, a
+.Dv WILL ECHO
+is sent to indicate that
+.Tn in.telnetd
+will take care of echoing any data that needs to be
+echoed to the terminal, and then nothing is echoed.
+When terminal echo is desired, a
+.Dv WONT ECHO
+is sent to indicate that
+.Tn in.telnetd
+will not be doing any terminal echoing, so the
+client should do any terminal echoing that is needed.
+.It "WILL BINARY"
+Indicates that the client is willing to send a
+8 bits of data, rather than the normal 7 bits
+of the Network Virtual Terminal.
+.It "WILL SGA"
+Indicates that it will not be sending
+.Dv IAC GA,
+go ahead, commands.
+.It "WILL STATUS"
+Indicates a willingness to send the client, upon
+request, of the current status of all
+.Tn TELNET
+options.
+.It "WILL TIMING-MARK"
+Whenever a
+.Dv DO TIMING-MARK
+command is received, it is always responded
+to with a
+.Dv WILL TIMING-MARK
+.It "WILL LOGOUT"
+When a
+.Dv DO LOGOUT
+is received, a
+.Dv WILL LOGOUT
+is sent in response, and the
+.Tn TELNET
+session is shut down.
+.It "WILL ENCRYPT"
+Only sent if
+.Nm in.telnetd
+is compiled with support for data encryption, and
+indicates a willingness to decrypt
+the data stream.
+.El
+.Pp
+.Nm In.telnetd
+has support for enabling remotely the following
+.Tn TELNET
+options:
+.Bl -tag -width "DO AUTHENTICATION"
+.It "DO BINARY"
+Sent to indicate that
+.Tn in.telnetd
+is willing to receive an 8 bit data stream.
+.It "DO LFLOW"
+Requests that the client handle flow control
+characters remotely.
+.It "DO ECHO"
+This is not really supported, but is sent to identify a 4.2BSD
+.Xr telnet 1
+client, which will improperly respond with
+.Dv WILL ECHO.
+If a
+.Dv WILL ECHO
+is received, a
+.Dv DONT ECHO
+will be sent in response.
+.It "DO TERMINAL-TYPE"
+Indicates a desire to be able to request the
+name of the type of terminal that is attached
+to the client side of the connection.
+.It "DO SGA"
+Indicates that it does not need to receive
+.Dv IAC GA,
+the go ahead command.
+.It "DO NAWS"
+Requests that the client inform the server when
+the window (display) size changes.
+.It "DO TERMINAL-SPEED"
+Indicates a desire to be able to request information
+about the speed of the serial line to which
+the client is attached.
+.It "DO XDISPLOC"
+Indicates a desire to be able to request the name
+of the X windows display that is associated with
+the telnet client.
+.It "DO NEW-ENVIRON"
+Indicates a desire to be able to request environment
+variable information, as described in RFC 1572.
+.It "DO ENVIRON"
+Indicates a desire to be able to request environment
+variable information, as described in RFC 1408.
+.It "DO LINEMODE"
+Only sent if
+.Nm in.telnetd
+is compiled with support for linemode, and
+requests that the client do line by line processing.
+.It "DO TIMING-MARK"
+Only sent if
+.Nm in.telnetd
+is compiled with support for both linemode and
+kludge linemode, and the client responded with
+.Dv WONT LINEMODE.
+If the client responds with
+.Dv WILL TM,
+the it is assumed that the client supports
+kludge linemode.
+Note that the
+.Op Fl k
+option can be used to disable this.
+.It "DO AUTHENTICATION"
+Only sent if
+.Nm in.telnetd
+is compiled with support for authentication, and
+indicates a willingness to receive authentication
+information for automatic login.
+.It "DO ENCRYPT"
+Only sent if
+.Nm in.telnetd
+is compiled with support for data encryption, and
+indicates a willingness to decrypt
+the data stream.
+.Xr issue.net 5 ) .
+.Sh FILES
+.Pa /etc/services ,
+.Pa /etc/issue.net
+.Sh "SEE ALSO"
+.Xr telnet 1 ,
+.Xr login 1 ,
+.Xr issue.net 5 ,
+.Sh STANDARDS
+.Bl -tag -compact -width RFC-1572
+.It Cm RFC-854
+.Tn TELNET
+PROTOCOL SPECIFICATION
+.It Cm RFC-855
+TELNET OPTION SPECIFICATIONS
+.It Cm RFC-856
+TELNET BINARY TRANSMISSION
+.It Cm RFC-857
+TELNET ECHO OPTION
+.It Cm RFC-858
+TELNET SUPPRESS GO AHEAD OPTION
+.It Cm RFC-859
+TELNET STATUS OPTION
+.It Cm RFC-860
+TELNET TIMING MARK OPTION
+.It Cm RFC-861
+TELNET EXTENDED OPTIONS - LIST OPTION
+.It Cm RFC-885
+TELNET END OF RECORD OPTION
+.It Cm RFC-1073
+Telnet Window Size Option
+.It Cm RFC-1079
+Telnet Terminal Speed Option
+.It Cm RFC-1091
+Telnet Terminal-Type Option
+.It Cm RFC-1096
+Telnet X Display Location Option
+.It Cm RFC-1123
+Requirements for Internet Hosts -- Application and Support
+.It Cm RFC-1184
+Telnet Linemode Option
+.It Cm RFC-1372
+Telnet Remote Flow Control Option
+.It Cm RFC-1416
+Telnet Authentication Option
+.It Cm RFC-1411
+Telnet Authentication: Kerberos Version 4
+.It Cm RFC-1412
+Telnet Authentication: SPX
+.It Cm RFC-1571
+Telnet Environment Option Interoperability Issues
+.It Cm RFC-1572
+Telnet Environment Option
+.Sh BUGS
+Some
+.Tn TELNET
+commands are only partially implemented.
+.Pp
+Because of bugs in the original 4.2 BSD
+.Xr telnet 1 ,
+.Nm in.telnetd
+performs some dubious protocol exchanges to try to discover if the remote
+client is, in fact, a 4.2 BSD
+.Xr telnet 1 .
+.Pp
+Binary mode
+has no common interpretation except between similar operating systems
+(Unix in this case).
+.Pp
+The terminal type name received from the remote client is converted to
+lower case.
+.Pp
+.Nm In.telnetd
+never sends
+.Tn TELNET
+.Dv IAC GA
+(go ahead) commands.
+.Pp
+The source code is not comprehensible.
diff --git a/exploits/7350855-netkit/netkit-telnet-0.16/telnetd/telnetd.c b/exploits/7350855-netkit/netkit-telnet-0.16/telnetd/telnetd.c
new file mode 100644
index 0000000..ffa49e8
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.16/telnetd/telnetd.c
@@ -0,0 +1,1163 @@
+/*
+ * Copyright (c) 1989 Regents of the University of California.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *      This product includes software developed by the University of
+ *      California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+char copyright[] =
+  "@(#) Copyright (c) 1989 Regents of the University of California.\n"
+  "All rights reserved.\n";
+
+/*
+ * From: @(#)telnetd.c  5.48 (Berkeley) 3/1/91
+ */
+char telnetd_rcsid[] = 
+  "$Id: telnetd.c,v 1.23 1999/12/14 00:43:31 dholland Exp $";
+
+#include "../version.h"
+
+#include <netdb.h>
+#include <termcap.h>
+#include <netinet/in.h>
+/* #include <netinet/ip.h> */ /* Don't think this is used at all here */
+#include <arpa/inet.h>
+#include <assert.h>
+#include "telnetd.h"
+#include "pathnames.h"
+#include "setproctitle.h"
+
+#if     defined(AUTHENTICATE)
+#include <libtelnet/auth.h>
+#include <libtelnet/auth-proto.h>
+#include <libtelnet/misc-proto.h>
+int     auth_level = 0;
+#endif
+#if     defined(SecurID)
+int     require_SecurID = 0;
+#endif
+
+static void doit(struct sockaddr_in *who);
+static int terminaltypeok(const char *s);
+
+/*
+ * I/O data buffers,
+ * pointers, and counters.
+ */
+char    ptyibuf[BUFSIZ], *ptyip = ptyibuf;
+char    ptyibuf2[BUFSIZ];
+
+int     hostinfo = 1;                   /* do we print login banner? */
+
+int debug = 0;
+int keepalive = 1;
+#ifdef LOGIN_WRAPPER
+char *loginprg = LOGIN_WRAPPER;
+#else
+char *loginprg = _PATH_LOGIN;
+#endif
+char *progname;
+
+extern void usage(void);
+
+int
+main(int argc, char *argv[], char *env[])
+{
+        struct sockaddr_in from;
+        int on = 1;
+        socklen_t fromlen;
+        register int ch;
+
+#if     defined(IPPROTO_IP) && defined(IP_TOS)
+        int tos = -1;
+#endif
+
+        initsetproctitle(argc, argv, env);
+
+        pfrontp = pbackp = ptyobuf;
+        netip = netibuf;
+        nfrontp = nbackp = netobuf;
+#if     defined(ENCRYPT)
+        nclearto = 0;
+#endif
+
+        progname = strdup(*argv);
+
+        while ((ch = getopt(argc, argv, "d:a:e:lhnr:I:D:B:sS:a:X:L:")) != EOF) {
+                switch(ch) {
+
+#ifdef  AUTHENTICATE
+                case 'a':
+                        /*
+                         * Check for required authentication level
+                         */
+                        if (strcmp(optarg, "debug") == 0) {
+                                extern int auth_debug_mode;
+                                auth_debug_mode = 1;
+                        } else if (strcasecmp(optarg, "none") == 0) {
+                                auth_level = 0;
+                        } else if (strcasecmp(optarg, "other") == 0) {
+                                auth_level = AUTH_OTHER;
+                        } else if (strcasecmp(optarg, "user") == 0) {
+                                auth_level = AUTH_USER;
+                        } else if (strcasecmp(optarg, "valid") == 0) {
+                                auth_level = AUTH_VALID;
+                        } else if (strcasecmp(optarg, "off") == 0) {
+                                /*
+                                 * This hack turns off authentication
+                                 */
+                                auth_level = -1;
+                        } else {
+                                fprintf(stderr,
+                            "telnetd: unknown authorization level for -a\n");
+                        }
+                        break;
+#endif  /* AUTHENTICATE */
+
+#ifdef BFTPDAEMON
+                case 'B':
+                        bftpd++;
+                        break;
+#endif /* BFTPDAEMON */
+
+                case 'd':
+                        if (strcmp(optarg, "ebug") == 0) {
+                                debug++;
+                                break;
+                        }
+                        usage();
+                        /* NOTREACHED */
+                        break;
+
+#ifdef DIAGNOSTICS
+                case 'D':
+                        /*
+                         * Check for desired diagnostics capabilities.
+                         */
+                        if (!strcmp(optarg, "report")) {
+                                diagnostic |= TD_REPORT|TD_OPTIONS;
+                        } else if (!strcmp(optarg, "exercise")) {
+                                diagnostic |= TD_EXERCISE;
+                        } else if (!strcmp(optarg, "netdata")) {
+                                diagnostic |= TD_NETDATA;
+                        } else if (!strcmp(optarg, "ptydata")) {
+                                diagnostic |= TD_PTYDATA;
+                        } else if (!strcmp(optarg, "options")) {
+                                diagnostic |= TD_OPTIONS;
+                        } else {
+                                usage();
+                                /* NOT REACHED */
+                        }
+                        break;
+#endif /* DIAGNOSTICS */
+
+#ifdef  AUTHENTICATE
+                case 'e':
+                        if (strcmp(optarg, "debug") == 0) {
+                                extern int auth_debug_mode;
+                                auth_debug_mode = 1;
+                                break;
+                        }
+                        usage();
+                        /* NOTREACHED */
+                        break;
+#endif  /* AUTHENTICATE */
+
+                case 'h':
+                        hostinfo = 0;
+                        break;
+
+#ifdef  LINEMODE
+                case 'l':
+                        alwayslinemode = 1;
+                        break;
+#endif  /* LINEMODE */
+
+                case 'L':
+                        loginprg = strdup(optarg);
+                        /* XXX what if strdup fails? */
+                        break;
+
+                case 'n':
+                        keepalive = 0;
+                        break;
+
+#ifdef  SecurID
+                case 's':
+                        /* SecurID required */
+                        require_SecurID = 1;
+                        break;
+#endif  /* SecurID */
+                case 'S':
+#ifdef  HAS_GETTOS
+                        if ((tos = parsetos(optarg, "tcp")) < 0)
+                                fprintf(stderr, "%s%s%s\n",
+                                        "telnetd: Bad TOS argument '", optarg,
+                                        "'; will try to use default TOS");
+#else
+                        fprintf(stderr, "%s%s\n", "TOS option unavailable; ",
+                                                "-S flag not supported\n");
+#endif
+                        break;
+
+#ifdef  AUTHENTICATE
+                case 'X':
+                        /*
+                         * Check for invalid authentication types
+                         */
+                        auth_disable_name(optarg);
+                        break;
+#endif  /* AUTHENTICATE */
+
+                default:
+                        fprintf(stderr, "telnetd: %c: unknown option\n", ch);
+                        /* FALLTHROUGH */
+                case '?':
+                        usage();
+                        /* NOTREACHED */
+                }
+        }
+
+        argc -= optind;
+        argv += optind;
+
+        if (debug) {
+            int s, ns;
+            socklen_t foo;
+            struct servent *sp;
+            struct sockaddr_in sn;
+
+            memset(&sn, 0, sizeof(sn));
+            sn.sin_family = AF_INET;
+
+            if (argc > 1) {
+                usage();
+                /* NOTREACHED */
+            } else if (argc == 1) {
+                    if ((sp = getservbyname(*argv, "tcp"))!=NULL) {
+                        sn.sin_port = sp->s_port;
+                    } 
+                    else {
+                        int pt = atoi(*argv);
+                        if (pt <= 0) {
+                            fprintf(stderr, "telnetd: %s: bad port number\n",
+                                    *argv);
+                            usage();
+                            /* NOTREACHED */
+                        }
+                        sn.sin_port = htons(pt);
+                   }
+            } else {
+                sp = getservbyname("telnet", "tcp");
+                if (sp == 0) {
+                    fprintf(stderr, "telnetd: tcp/telnet: unknown service\n");
+                    exit(1);
+                }
+                sn.sin_port = sp->s_port;
+            }
+
+            s = socket(AF_INET, SOCK_STREAM, 0);
+            if (s < 0) {
+                    perror("telnetd: socket");;
+                    exit(1);
+            }
+            (void) setsockopt(s, SOL_SOCKET, SO_REUSEADDR, &on, sizeof(on));
+            if (bind(s, (struct sockaddr *)&sn, sizeof(sn)) < 0) {
+                perror("bind");
+                exit(1);
+            }
+            if (listen(s, 1) < 0) {
+                perror("listen");
+                exit(1);
+            }
+            foo = sizeof(sn);
+            ns = accept(s, (struct sockaddr *)&sn, &foo);
+            if (ns < 0) {
+                perror("accept");
+                exit(1);
+            }
+            (void) dup2(ns, 0);
+            (void) close(ns);
+            (void) close(s);
+        } else if (argc > 0) {
+                usage();
+                /* NOT REACHED */
+        }
+
+        openlog("telnetd", LOG_PID | LOG_ODELAY, LOG_DAEMON);
+        fromlen = sizeof (from);
+        if (getpeername(0, (struct sockaddr *)&from, &fromlen) < 0) {
+                fprintf(stderr, "%s: ", progname);
+                perror("getpeername");
+                _exit(1);
+        }
+        if (keepalive &&
+            setsockopt(0, SOL_SOCKET, SO_KEEPALIVE, &on, sizeof (on)) < 0) {
+                syslog(LOG_WARNING, "setsockopt (SO_KEEPALIVE): %m");
+        }
+
+#if     defined(IPPROTO_IP) && defined(IP_TOS)
+        {
+# if    defined(HAS_GETTOS)
+                struct tosent *tp;
+                if (tos < 0 && (tp = gettosbyname("telnet", "tcp")))
+                        tos = tp->t_tos;
+# endif
+                if (tos < 0)
+                        tos = 020;      /* Low Delay bit */
+                if (tos
+                   && (setsockopt(0, IPPROTO_IP, IP_TOS, &tos, sizeof(tos)) < 0)
+                   && (errno != ENOPROTOOPT) )
+                        syslog(LOG_WARNING, "setsockopt (IP_TOS): %m");
+        }
+#endif  /* defined(IPPROTO_IP) && defined(IP_TOS) */
+        net = 0;
+        doit(&from);
+        /* NOTREACHED */
+        return 0;
+}  /* end of main */
+
+void
+usage(void)
+{
+        fprintf(stderr, "Usage: telnetd");
+#ifdef  AUTHENTICATE
+        fprintf(stderr, " [-a (debug|other|user|valid|off)]\n\t");
+#endif
+#ifdef BFTPDAEMON
+        fprintf(stderr, " [-B]");
+#endif
+        fprintf(stderr, " [-debug port]");
+#ifdef DIAGNOSTICS
+        fprintf(stderr, " [-D (options|report|exercise|netdata|ptydata)]\n\t");
+#endif
+#ifdef  AUTHENTICATE
+        fprintf(stderr, " [-edebug]");
+#endif
+        fprintf(stderr, " [-h]");
+#ifdef LINEMODE
+        fprintf(stderr, " [-l]");
+#endif
+        fprintf(stderr, " [-L login_program]");
+        fprintf(stderr, " [-n]");
+#ifdef  SecurID
+        fprintf(stderr, " [-s]");
+#endif
+#ifdef  AUTHENTICATE
+        fprintf(stderr, " [-X auth-type]");
+#endif
+        fprintf(stderr, "\n");
+        exit(1);
+}
+
+/*
+ * getterminaltype
+ *
+ *      Ask the other end to send along its terminal type and speed.
+ * Output is the variable terminaltype filled in.
+ */
+
+static void _gettermname(void);
+
+static
+int
+getterminaltype(char *name)
+{
+    int retval = -1;
+    (void)name;
+
+    settimer(baseline);
+#if defined(AUTHENTICATE)
+    /*
+     * Handle the Authentication option before we do anything else.
+     */
+    send_do(TELOPT_AUTHENTICATION, 1);
+    while (his_will_wont_is_changing(TELOPT_AUTHENTICATION))
+        ttloop();
+    if (his_state_is_will(TELOPT_AUTHENTICATION)) {
+        retval = auth_wait(name);
+    }
+#endif
+
+#if     defined(ENCRYPT)
+    send_will(TELOPT_ENCRYPT, 1);
+#endif
+    send_do(TELOPT_TTYPE, 1);
+    send_do(TELOPT_TSPEED, 1);
+    send_do(TELOPT_XDISPLOC, 1);
+    send_do(TELOPT_ENVIRON, 1);
+    while (
+#if     defined(ENCRYPT)
+           his_do_dont_is_changing(TELOPT_ENCRYPT) ||
+#endif
+           his_will_wont_is_changing(TELOPT_TTYPE) ||
+           his_will_wont_is_changing(TELOPT_TSPEED) ||
+           his_will_wont_is_changing(TELOPT_XDISPLOC) ||
+           his_will_wont_is_changing(TELOPT_ENVIRON)) {
+        ttloop();
+    }
+#if     defined(ENCRYPT)
+    /*
+     * Wait for the negotiation of what type of encryption we can
+     * send with.  If autoencrypt is not set, this will just return.
+     */
+    if (his_state_is_will(TELOPT_ENCRYPT)) {
+        encrypt_wait();
+    }
+#endif
+    if (his_state_is_will(TELOPT_TSPEED)) {
+        netoprintf("%c%c%c%c%c%c", 
+                   IAC, SB, TELOPT_TSPEED, TELQUAL_SEND, IAC, SE);
+    }
+    if (his_state_is_will(TELOPT_XDISPLOC)) {
+        netoprintf("%c%c%c%c%c%c", 
+                   IAC, SB, TELOPT_XDISPLOC, TELQUAL_SEND, IAC, SE);
+    }
+    if (his_state_is_will(TELOPT_ENVIRON)) {
+        netoprintf("%c%c%c%c%c%c", 
+                   IAC, SB, TELOPT_ENVIRON, TELQUAL_SEND, IAC, SE);
+    }
+    if (his_state_is_will(TELOPT_TTYPE)) {
+       netoprintf("%c%c%c%c%c%c", 
+                  IAC, SB, TELOPT_TTYPE, TELQUAL_SEND, IAC, SE);
+    }
+    if (his_state_is_will(TELOPT_TSPEED)) {
+        while (sequenceIs(tspeedsubopt, baseline))
+            ttloop();
+    }
+    if (his_state_is_will(TELOPT_XDISPLOC)) {
+        while (sequenceIs(xdisplocsubopt, baseline))
+            ttloop();
+    }
+    if (his_state_is_will(TELOPT_ENVIRON)) {
+        while (sequenceIs(environsubopt, baseline))
+            ttloop();
+    }
+    if (his_state_is_will(TELOPT_TTYPE)) {
+        char first[256], last[256];
+
+        while (sequenceIs(ttypesubopt, baseline))
+            ttloop();
+
+        /*
+         * If the other side has already disabled the option, then
+         * we have to just go with what we (might) have already gotten.
+         */
+        if (his_state_is_will(TELOPT_TTYPE) && !terminaltypeok(terminaltype)) {
+            /*
+             * Due to state.c, terminaltype points to a static char[41].
+             * Therefore, this assert cannot fail, and therefore, strings
+             * arising from "terminaltype" can be safely strcpy'd into
+             * first[] or last[].
+             */
+            assert(strlen(terminaltype) < sizeof(first));
+
+            strcpy(first, terminaltype);
+
+            for(;;) {
+                /*
+                 * Save the unknown name, and request the next name.
+                 */
+                strcpy(last, terminaltype);
+
+                _gettermname();
+                assert(strlen(terminaltype) < sizeof(first));
+
+                if (terminaltypeok(terminaltype))
+                    break;
+
+                if (!strcmp(last, terminaltype) ||
+                    his_state_is_wont(TELOPT_TTYPE)) {
+                    /*
+                     * We've hit the end.  If this is the same as
+                     * the first name, just go with it.
+                     */
+                    if (!strcmp(first, terminaltype))
+                        break;
+                    /*
+                     * Get the terminal name one more time, so that
+                     * RFC1091 compliant telnets will cycle back to
+                     * the start of the list.
+                     */
+                     _gettermname();
+                    assert(strlen(terminaltype) < sizeof(first));
+
+                    if (strcmp(first, terminaltype)) {
+                        /*
+                         * first[] came from terminaltype, so it must fit
+                         * back in.
+                         */
+                        strcpy(terminaltype, first);
+                    }
+                    break;
+                }
+            }
+        }
+    }
+    return(retval);
+}  /* end of getterminaltype */
+
+static
+void
+_gettermname(void)
+{
+    /*
+     * If the client turned off the option,
+     * we can't send another request, so we
+     * just return.
+     */
+    if (his_state_is_wont(TELOPT_TTYPE))
+        return;
+
+    settimer(baseline);
+    netoprintf("%c%c%c%c%c%c", IAC, SB, TELOPT_TTYPE, TELQUAL_SEND, IAC, SE);
+    while (sequenceIs(ttypesubopt, baseline))
+        ttloop();
+}
+
+static int
+terminaltypeok(const char *s)
+{
+    /* char buf[2048]; */
+
+    if (terminaltype == NULL)
+        return(1);
+
+    /*
+     * Fix from Chris Evans: if it has a / in it, termcap will
+     * treat it as a filename. Oops.
+     */
+    if (strchr(s, '/')) {
+        return 0;
+    }
+
+    /*
+     * If it's absurdly long, accept it without asking termcap.
+     *
+     * This means that it won't get seen again until after login,
+     * at which point exploiting buffer problems in termcap doesn't
+     * gain one anything.
+     *
+     * It's possible this limit ought to be raised to 128, but nothing
+     * in my termcap is more than 64, 64 is _plenty_ for most, and while
+     * buffers aren't likely to be smaller than 64, they might be 80 and
+     * thus less than 128.
+     */
+    if (strlen(s) > 63) {
+       return 0;
+    }
+
+    /*
+     * tgetent() will return 1 if the type is known, and
+     * 0 if it is not known.  If it returns -1, it couldn't
+     * open the database.  But if we can't open the database,
+     * it won't help to say we failed, because we won't be
+     * able to verify anything else.  So, we treat -1 like 1.
+     */
+
+    /*
+     * Don't do this - tgetent is not really trustworthy. Assume
+     * the terminal type is one we know; terminal types are pretty
+     * standard now. And if it isn't, it's unlikely we're going to
+     * know anything else the remote telnet might send as an alias
+     * for it.
+     *
+     * if (tgetent(buf, s) == 0)
+     *    return(0);
+     */
+    return(1);
+}
+
+#ifndef MAXHOSTNAMELEN
+#define MAXHOSTNAMELEN 64
+#endif  /* MAXHOSTNAMELEN */
+
+char host_name[MAXHOSTNAMELEN];
+char remote_host_name[MAXHOSTNAMELEN];
+
+extern void telnet(int, int);
+
+/*
+ * Get a pty, scan input lines.
+ */
+static void
+doit(struct sockaddr_in *who)
+{
+        const char *host;
+        struct hostent *hp;
+        int level;
+        char user_name[256];
+
+        /*
+         * Find an available pty to use.
+         */
+        pty = getpty();
+        if (pty < 0)
+                fatalperror(net, "getpty");
+
+        /* get name of connected client */
+        hp = gethostbyaddr((char *)&who->sin_addr, sizeof (struct in_addr),
+                who->sin_family);
+        if (hp)
+                host = hp->h_name;
+        else
+                host = inet_ntoa(who->sin_addr);
+
+        /*
+         * We must make a copy because Kerberos is probably going
+         * to also do a gethost* and overwrite the static data...
+         */
+        {
+                int i;
+                strncpy(remote_host_name, host, sizeof(remote_host_name)-1);
+                remote_host_name[sizeof(remote_host_name)-1] = 0;
+
+                /* Disallow funnies. */
+                for (i=0; remote_host_name[i]; i++) {
+                    if (remote_host_name[i]<=32 || remote_host_name[i]>126) 
+                        remote_host_name[i] = '?';
+                }
+        }
+        host = remote_host_name;
+
+        /* Get local host name */
+        {
+                struct hostent *h;
+                gethostname(host_name, sizeof(host_name));
+                h = gethostbyname(host_name);
+                if (h) {
+                    strncpy(host_name, h->h_name, sizeof(host_name));
+                    host_name[sizeof(host_name)-1] = 0;
+                }
+        }
+
+#if     defined(AUTHENTICATE) || defined(ENCRYPT)
+        auth_encrypt_init(host_name, host, "TELNETD", 1);
+#endif
+
+        init_env();
+        /*
+         * get terminal type.
+         */
+        *user_name = 0;
+        level = getterminaltype(user_name);
+        setenv("TERM", terminaltype ? terminaltype : "network", 1);
+
+        /* TODO list stuff provided by Laszlo Vecsey <master@internexus.net> */
+
+        /*
+         * Set REMOTEHOST environment variable
+         */
+        setproctitle("%s", host);
+        setenv("REMOTEHOST", host, 0);
+
+        /*
+         * Start up the login process on the slave side of the terminal
+         */
+        startslave(host, level, user_name);
+
+        telnet(net, pty);  /* begin server processing */
+
+        /*NOTREACHED*/
+}  /* end of doit */
+
+/*
+ * Main loop.  Select from pty and network, and
+ * hand data to telnet receiver finite state machine.
+ */
+void telnet(int f, int p)
+{
+    int on = 1;
+    char *HE;
+    const char *IM;
+
+    /*
+     * Initialize the slc mapping table.
+     */
+    get_slc_defaults();
+
+    /*
+     * Do some tests where it is desireable to wait for a response.
+     * Rather than doing them slowly, one at a time, do them all
+     * at once.
+     */
+    if (my_state_is_wont(TELOPT_SGA))
+        send_will(TELOPT_SGA, 1);
+    /*
+     * Is the client side a 4.2 (NOT 4.3) system?  We need to know this
+     * because 4.2 clients are unable to deal with TCP urgent data.
+     *
+     * To find out, we send out a "DO ECHO".  If the remote system
+     * answers "WILL ECHO" it is probably a 4.2 client, and we note
+     * that fact ("WILL ECHO" ==> that the client will echo what
+     * WE, the server, sends it; it does NOT mean that the client will
+     * echo the terminal input).
+     */
+    send_do(TELOPT_ECHO, 1);
+    
+#ifdef  LINEMODE
+    if (his_state_is_wont(TELOPT_LINEMODE)) {
+        /*
+         * Query the peer for linemode support by trying to negotiate
+         * the linemode option.
+         */
+        linemode = 0;
+        editmode = 0;
+        send_do(TELOPT_LINEMODE, 1);  /* send do linemode */
+    }
+#endif  /* LINEMODE */
+
+    /*
+     * Send along a couple of other options that we wish to negotiate.
+     */
+    send_do(TELOPT_NAWS, 1);
+    send_will(TELOPT_STATUS, 1);
+    flowmode = 1;  /* default flow control state */
+    send_do(TELOPT_LFLOW, 1);
+    
+    /*
+     * Spin, waiting for a response from the DO ECHO.  However,
+     * some REALLY DUMB telnets out there might not respond
+     * to the DO ECHO.  So, we spin looking for NAWS, (most dumb
+     * telnets so far seem to respond with WONT for a DO that
+     * they don't understand...) because by the time we get the
+     * response, it will already have processed the DO ECHO.
+     * Kludge upon kludge.
+     */
+    while (his_will_wont_is_changing(TELOPT_NAWS)) {
+        ttloop();
+    }
+    
+    /*
+     * But...
+     * The client might have sent a WILL NAWS as part of its
+     * startup code; if so, we'll be here before we get the
+     * response to the DO ECHO.  We'll make the assumption
+     * that any implementation that understands about NAWS
+     * is a modern enough implementation that it will respond
+     * to our DO ECHO request; hence we'll do another spin
+     * waiting for the ECHO option to settle down, which is
+     * what we wanted to do in the first place...
+     */
+    if (his_want_state_is_will(TELOPT_ECHO) &&
+        his_state_is_will(TELOPT_NAWS)) {
+        while (his_will_wont_is_changing(TELOPT_ECHO))
+            ttloop();
+    }
+    /*
+     * On the off chance that the telnet client is broken and does not
+     * respond to the DO ECHO we sent, (after all, we did send the
+     * DO NAWS negotiation after the DO ECHO, and we won't get here
+     * until a response to the DO NAWS comes back) simulate the
+     * receipt of a will echo.  This will also send a WONT ECHO
+     * to the client, since we assume that the client failed to
+     * respond because it believes that it is already in DO ECHO
+     * mode, which we do not want.
+     */
+    if (his_want_state_is_will(TELOPT_ECHO)) {
+        DIAG(TD_OPTIONS, netoprintf("td: simulating recv\r\n"););
+        willoption(TELOPT_ECHO);
+    }
+    
+    /*
+     * Finally, to clean things up, we turn on our echo.  This
+     * will break stupid 4.2 telnets out of local terminal echo.
+     */
+    
+    if (my_state_is_wont(TELOPT_ECHO))
+        send_will(TELOPT_ECHO, 1);
+    
+    /*
+     * Turn on packet mode
+     */
+    ioctl(p, TIOCPKT, (char *)&on);
+#if defined(LINEMODE) && defined(KLUDGELINEMODE)
+    /*
+     * Continuing line mode support.  If client does not support
+     * real linemode, attempt to negotiate kludge linemode by sending
+     * the do timing mark sequence.
+     */
+    if (lmodetype < REAL_LINEMODE)
+        send_do(TELOPT_TM, 1);
+#endif  /* defined(LINEMODE) && defined(KLUDGELINEMODE) */
+    
+    /*
+     * Call telrcv() once to pick up anything received during
+     * terminal type negotiation, 4.2/4.3 determination, and
+     * linemode negotiation.
+     */
+    telrcv();
+    
+    ioctl(f, FIONBIO, (char *)&on);
+    ioctl(p, FIONBIO, (char *)&on);
+
+#if defined(SO_OOBINLINE)
+    setsockopt(net, SOL_SOCKET, SO_OOBINLINE, &on, sizeof on);
+#endif  /* defined(SO_OOBINLINE) */
+    
+#ifdef  SIGTSTP
+    signal(SIGTSTP, SIG_IGN);
+#endif
+#ifdef  SIGTTOU
+    /*
+     * Ignoring SIGTTOU keeps the kernel from blocking us
+     * in ttioct() in /sys/tty.c.
+     */
+    signal(SIGTTOU, SIG_IGN);
+#endif
+    
+    signal(SIGCHLD, cleanup);
+    
+#ifdef TIOCNOTTY
+    {
+        register int t;
+        t = open(_PATH_TTY, O_RDWR);
+        if (t >= 0) {
+            (void) ioctl(t, TIOCNOTTY, (char *)0);
+            (void) close(t);
+        }
+    }
+#endif
+    
+    /*
+     * Show banner that getty never gave.
+     *
+     * We put the banner in the pty input buffer.  This way, it
+     * gets carriage return null processing, etc., just like all
+     * other pty --> client data.
+     */
+    
+    if (getenv("USER"))
+        hostinfo = 0;
+    
+    IM = DEFAULT_IM;
+    HE = 0;
+
+    edithost(HE, host_name);
+    if (hostinfo && *IM)
+        putf(IM, ptyibuf2);
+    
+    if (pcc) strncat(ptyibuf2, ptyip, pcc+1);
+    ptyip = ptyibuf2;
+    pcc = strlen(ptyip);
+#ifdef LINEMODE
+    /*
+     * Last check to make sure all our states are correct.
+     */
+    init_termbuf();
+    localstat();
+#endif  /* LINEMODE */
+
+    DIAG(TD_REPORT, netoprintf("td: Entering processing loop\r\n"););
+    
+    for (;;) {
+        fd_set ibits, obits, xbits;
+        int c, hifd;
+        
+        if (ncc < 0 && pcc < 0)
+            break;
+        
+        FD_ZERO(&ibits);
+        FD_ZERO(&obits);
+        FD_ZERO(&xbits);
+        hifd=0;
+        /*
+         * Never look for input if there's still
+         * stuff in the corresponding output buffer
+         */
+        if (nfrontp - nbackp || pcc > 0) {
+            FD_SET(f, &obits);
+            if (f >= hifd) hifd = f+1;
+        } 
+        else {
+            FD_SET(p, &ibits);
+            if (p >= hifd) hifd = p+1;
+        }
+        if (pfrontp - pbackp || ncc > 0) {
+            FD_SET(p, &obits);
+            if (p >= hifd) hifd = p+1;
+        } 
+        else {
+            FD_SET(f, &ibits);
+            if (f >= hifd) hifd = f+1;
+        }
+        if (!SYNCHing) {
+            FD_SET(f, &xbits);
+            if (f >= hifd) hifd = f+1;
+        }
+        if ((c = select(hifd, &ibits, &obits, &xbits,
+                        (struct timeval *)0)) < 1) {
+            if (c == -1) {
+                if (errno == EINTR) {
+                    continue;
+                }
+            }
+            sleep(5);
+            continue;
+        }
+        
+        /*
+         * Any urgent data?
+         */
+        if (FD_ISSET(net, &xbits)) {
+            SYNCHing = 1;
+        }
+        
+        /*
+         * Something to read from the network...
+         */
+        if (FD_ISSET(net, &ibits)) {
+#if !defined(SO_OOBINLINE)
+            /*
+             * In 4.2 (and 4.3 beta) systems, the
+             * OOB indication and data handling in the kernel
+             * is such that if two separate TCP Urgent requests
+             * come in, one byte of TCP data will be overlaid.
+             * This is fatal for Telnet, but we try to live
+             * with it.
+             *
+             * In addition, in 4.2 (and...), a special protocol
+             * is needed to pick up the TCP Urgent data in
+             * the correct sequence.
+             *
+             * What we do is:  if we think we are in urgent
+             * mode, we look to see if we are "at the mark".
+             * If we are, we do an OOB receive.  If we run
+             * this twice, we will do the OOB receive twice,
+             * but the second will fail, since the second
+             * time we were "at the mark", but there wasn't
+             * any data there (the kernel doesn't reset
+             * "at the mark" until we do a normal read).
+             * Once we've read the OOB data, we go ahead
+             * and do normal reads.
+             *
+             * There is also another problem, which is that
+             * since the OOB byte we read doesn't put us
+             * out of OOB state, and since that byte is most
+             * likely the TELNET DM (data mark), we would
+             * stay in the TELNET SYNCH (SYNCHing) state.
+             * So, clocks to the rescue.  If we've "just"
+             * received a DM, then we test for the
+             * presence of OOB data when the receive OOB
+             * fails (and AFTER we did the normal mode read
+             * to clear "at the mark").
+             */
+            if (SYNCHing) {
+                int atmark;
+                
+                ioctl(net, SIOCATMARK, (char *)&atmark);
+                if (atmark) {
+                    ncc = recv(net, netibuf, sizeof (netibuf), MSG_OOB);
+                    if ((ncc == -1) && (errno == EINVAL)) {
+                        ncc = read(net, netibuf, sizeof (netibuf));
+                        if (sequenceIs(didnetreceive, gotDM)) {
+                            SYNCHing = stilloob(net);
+                        }
+                    }
+                } 
+                else {
+                    ncc = read(net, netibuf, sizeof (netibuf));
+                }
+            } 
+            else {
+                ncc = read(net, netibuf, sizeof (netibuf));
+            }
+            settimer(didnetreceive);
+#else   /* !defined(SO_OOBINLINE)) */
+            ncc = read(net, netibuf, sizeof (netibuf));
+#endif  /* !defined(SO_OOBINLINE)) */
+            if (ncc < 0 && errno == EWOULDBLOCK)
+                ncc = 0;
+            else {
+                if (ncc <= 0) {
+                    break;
+                }
+                netip = netibuf;
+            }
+            DIAG((TD_REPORT | TD_NETDATA),
+                 netoprintf("td: netread %d chars\r\n", ncc););
+            DIAG(TD_NETDATA, printdata("nd", netip, ncc));
+        }
+        
+        /*
+         * Something to read from the pty...
+         */
+        if (FD_ISSET(p, &ibits)) {
+            pcc = read(p, ptyibuf, BUFSIZ);
+            /*
+             * On some systems, if we try to read something
+             * off the master side before the slave side is
+             * opened, we get EIO.
+             */
+            if (pcc < 0 && (errno == EWOULDBLOCK || errno == EIO)) {
+                pcc = 0;
+            } 
+            else {
+                if (pcc <= 0)
+                    break;
+#ifdef  LINEMODE
+                                /*
+                                 * If ioctl from pty, pass it through net
+                                 */
+                if (ptyibuf[0] & TIOCPKT_IOCTL) {
+                    copy_termbuf(ptyibuf+1, pcc-1);
+                    localstat();
+                    pcc = 1;
+                }
+#endif  /* LINEMODE */
+                if (ptyibuf[0] & TIOCPKT_FLUSHWRITE) {
+                    netclear(); /* clear buffer back */
+#ifndef NO_URGENT
+                    /*
+                     * There are client telnets on some
+                     * operating systems get screwed up
+                     * royally if we send them urgent
+                     * mode data.
+                     */
+                    netoprintf("%c%c", IAC, DM);
+                    neturg = nfrontp-1; /* off by one XXX */
+#endif
+                }
+                if (his_state_is_will(TELOPT_LFLOW) &&
+                    (ptyibuf[0] &
+                     (TIOCPKT_NOSTOP|TIOCPKT_DOSTOP))) {
+                        netoprintf("%c%c%c%c%c%c",
+                                   IAC, SB, TELOPT_LFLOW,
+                                   ptyibuf[0] & TIOCPKT_DOSTOP ? 1 : 0,
+                                   IAC, SE);
+                }
+                pcc--;
+                ptyip = ptyibuf+1;
+            }
+        }
+        
+        while (pcc > 0) {
+            if ((&netobuf[BUFSIZ] - nfrontp) < 2)
+                break;
+            c = *ptyip++ & 0377, pcc--;
+            if (c == IAC)
+                *nfrontp++ = c;
+            *nfrontp++ = c;
+            if ((c == '\r'  ) && (my_state_is_wont(TELOPT_BINARY))) {
+                if (pcc > 0 && ((*ptyip & 0377) == '\n')) {
+                    *nfrontp++ = *ptyip++ & 0377;
+                    pcc--;
+                } 
+                else *nfrontp++ = '\0';
+            }
+        }
+
+        if (FD_ISSET(f, &obits) && (nfrontp - nbackp) > 0)
+            netflush();
+        if (ncc > 0)
+            telrcv();
+        if (FD_ISSET(p, &obits) && (pfrontp - pbackp) > 0)
+            ptyflush();
+    }
+    cleanup(0);
+}  /* end of telnet */
+        
+#ifndef TCSIG
+# ifdef TIOCSIG
+#  define TCSIG TIOCSIG
+# endif
+#endif
+
+/*
+ * Send interrupt to process on other side of pty.
+ * If it is in raw mode, just write NULL;
+ * otherwise, write intr char.
+ */
+void interrupt(void) {
+    ptyflush(); /* half-hearted */
+    
+#ifdef  TCSIG
+    (void) ioctl(pty, TCSIG, (char *)SIGINT);
+#else   /* TCSIG */
+    init_termbuf();
+    *pfrontp++ = slctab[SLC_IP].sptr ?
+         (unsigned char)*slctab[SLC_IP].sptr : '\177';
+#endif  /* TCSIG */
+}
+
+/*
+ * Send quit to process on other side of pty.
+ * If it is in raw mode, just write NULL;
+ * otherwise, write quit char.
+ */
+void sendbrk(void) {
+    ptyflush(); /* half-hearted */
+#ifdef  TCSIG
+    (void) ioctl(pty, TCSIG, (char *)SIGQUIT);
+#else   /* TCSIG */
+    init_termbuf();
+    *pfrontp++ = slctab[SLC_ABORT].sptr ?
+         (unsigned char)*slctab[SLC_ABORT].sptr : '\034';
+#endif  /* TCSIG */
+}
+
+void sendsusp(void) {
+#ifdef  SIGTSTP
+    ptyflush(); /* half-hearted */
+# ifdef TCSIG
+    (void) ioctl(pty, TCSIG, (char *)SIGTSTP);
+# else  /* TCSIG */
+    *pfrontp++ = slctab[SLC_SUSP].sptr ?
+        (unsigned char)*slctab[SLC_SUSP].sptr : '\032';
+# endif /* TCSIG */
+#endif  /* SIGTSTP */
+}
+
+/*
+ * When we get an AYT, if ^T is enabled, use that.  Otherwise,
+ * just send back "[Yes]".
+ */
+void recv_ayt(void) {
+#if     defined(SIGINFO) && defined(TCSIG)
+    if (slctab[SLC_AYT].sptr && *slctab[SLC_AYT].sptr != _POSIX_VDISABLE) {
+        (void) ioctl(pty, TCSIG, (char *)SIGINFO);
+        return;
+    }
+#endif
+    netoprintf("\r\n[%s : yes]\r\n", host_name);
+}
+
+void doeof(void) {
+    init_termbuf();
+
+#if     defined(LINEMODE) && (VEOF == VMIN)
+    if (!tty_isediting()) {
+        extern char oldeofc;
+        *pfrontp++ = oldeofc;
+        return;
+    }
+#endif
+    *pfrontp++ = slctab[SLC_EOF].sptr ?
+             (unsigned char)*slctab[SLC_EOF].sptr : '\004';
+}
diff --git a/exploits/7350855-netkit/netkit-telnet-0.16/telnetd/telnetd.h b/exploits/7350855-netkit/netkit-telnet-0.16/telnetd/telnetd.h
new file mode 100644
index 0000000..4c66824
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.16/telnetd/telnetd.h
@@ -0,0 +1,50 @@
+/*
+ * Copyright (c) 1989 The Regents of the University of California.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *      This product includes software developed by the University of
+ *      California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *      from: @(#)telnetd.h     5.3 (Berkeley) 3/1/91
+ *      $Id: telnetd.h,v 1.2 1999/03/27 07:46:21 dholland Exp $
+ */
+
+
+#include "defs.h"
+#include "ext.h"
+#include <errno.h>
+
+#ifdef  DIAGNOSTICS
+#define DIAG(a,b)       if (diagnostic & (a)) b
+#else
+#define DIAG(a,b)
+#endif
+
+/* other external variables */
+extern  char **environ;
+
diff --git a/exploits/7350855-netkit/netkit-telnet-0.16/telnetd/termstat.c b/exploits/7350855-netkit/netkit-telnet-0.16/telnetd/termstat.c
new file mode 100644
index 0000000..1871480
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.16/telnetd/termstat.c
@@ -0,0 +1,588 @@
+/*
+ * Copyright (c) 1989 Regents of the University of California.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *      This product includes software developed by the University of
+ *      California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/*
+ * From: @(#)termstat.c 5.10 (Berkeley) 3/22/91
+ */
+char termstat_rcsid[] = 
+  "$Id: termstat.c,v 1.6 1999/12/12 14:59:45 dholland Exp $";
+
+#include "telnetd.h"
+
+/*
+ * local variables
+ */
+int def_tspeed = -1, def_rspeed = -1;
+#ifdef  TIOCSWINSZ
+int def_row = 0, def_col = 0;
+#endif
+#ifdef  LINEMODE
+static int _terminit = 0;
+#endif  /* LINEMODE */
+
+#ifdef  LINEMODE
+/*
+ * localstat
+ *
+ * This function handles all management of linemode.
+ *
+ * Linemode allows the client to do the local editing of data
+ * and send only complete lines to the server.  Linemode state is
+ * based on the state of the pty driver.  If the pty is set for
+ * external processing, then we can use linemode.  Further, if we
+ * can use real linemode, then we can look at the edit control bits
+ * in the pty to determine what editing the client should do.
+ *
+ * Linemode support uses the following state flags to keep track of
+ * current and desired linemode state.
+ *      alwayslinemode : true if -l was specified on the telnetd
+ *      command line.  It means to have linemode on as much as
+ *      possible.
+ *
+ *      lmodetype: signifies whether the client can
+ *      handle real linemode, or if use of kludgeomatic linemode
+ *      is preferred.  It will be set to one of the following:
+ *              REAL_LINEMODE : use linemode option
+ *              KLUDGE_LINEMODE : use kludge linemode
+ *              NO_LINEMODE : client is ignorant of linemode
+ *
+ *      linemode, uselinemode : linemode is true if linemode
+ *      is currently on, uselinemode is the state that we wish
+ *      to be in.  If another function wishes to turn linemode
+ *      on or off, it sets or clears uselinemode.
+ *
+ *      editmode, useeditmode : like linemode/uselinemode, but
+ *      these contain the edit mode states (edit and trapsig).
+ *
+ * The state variables correspond to some of the state information
+ * in the pty.
+ *      linemode:
+ *              In real linemode, this corresponds to whether the pty
+ *              expects external processing of incoming data.
+ *              In kludge linemode, this more closely corresponds to the
+ *              whether normal processing is on or not.  (ICANON in
+ *              system V, or COOKED mode in BSD.)
+ *              If the -l option was specified (alwayslinemode), then
+ *              an attempt is made to force external processing on at
+ *              all times.
+ *
+ * The following heuristics are applied to determine linemode
+ * handling within the server.
+ *      1) Early on in starting up the server, an attempt is made
+ *         to negotiate the linemode option.  If this succeeds
+ *         then lmodetype is set to REAL_LINEMODE and all linemode
+ *         processing occurs in the context of the linemode option.
+ *      2) If the attempt to negotiate the linemode option failed,
+ *         then we try to use kludge linemode.  We test for this
+ *         capability by sending "do Timing Mark".  If a positive
+ *         response comes back, then we assume that the client
+ *         understands kludge linemode (ech!) and the
+ *         lmodetype flag is set to KLUDGE_LINEMODE.
+ *      3) Otherwise, linemode is not supported at all and
+ *         lmodetype remains set to NO_LINEMODE (which happens
+ *         to be 0 for convenience).
+ *      4) At any time a command arrives that implies a higher
+ *         state of linemode support in the client, we move to that
+ *         linemode support.
+ *
+ * A short explanation of kludge linemode is in order here.
+ *      1) The heuristic to determine support for kludge linemode
+ *         is to send a do timing mark.  We assume that a client
+ *         that supports timing marks also supports kludge linemode.
+ *         A risky proposition at best.
+ *      2) Further negotiation of linemode is done by changing the
+ *         the server's state regarding SGA.  If server will SGA,
+ *         then linemode is off, if server won't SGA, then linemode
+ *         is on.
+ */
+        void
+localstat()
+{
+        void netflush();
+        int need_will_echo = 0;
+
+        /*
+         * Check for state of BINARY options.
+         */
+        if (tty_isbinaryin()) {
+                if (his_want_state_is_wont(TELOPT_BINARY))
+                        send_do(TELOPT_BINARY, 1);
+        } else {
+                if (his_want_state_is_will(TELOPT_BINARY))
+                        send_dont(TELOPT_BINARY, 1);
+        }
+
+        if (tty_isbinaryout()) {
+                if (my_want_state_is_wont(TELOPT_BINARY))
+                        send_will(TELOPT_BINARY, 1);
+        } else {
+                if (my_want_state_is_will(TELOPT_BINARY))
+                        send_wont(TELOPT_BINARY, 1);
+        }
+
+        /*
+         * Check for changes to flow control if client supports it.
+         */
+        if (his_state_is_will(TELOPT_LFLOW)) {
+                if (tty_flowmode() != flowmode) {
+                        flowmode = tty_flowmode();
+                        (void) netoprintf("%c%c%c%c%c%c", IAC, SB,
+                                          TELOPT_LFLOW, flowmode, IAC, SE);
+                }
+        }
+
+        /*
+         * Check linemode on/off state
+         */
+        uselinemode = tty_linemode();
+
+        /*
+         * If alwayslinemode is on, and pty is changing to turn it off, then
+         * force linemode back on.
+         */
+        if (alwayslinemode && linemode && !uselinemode) {
+                uselinemode = 1;
+                tty_setlinemode(uselinemode);
+        }
+
+#if     defined(ENCRYPT)
+        /*
+         * If the terminal is not echoing, but editing is enabled,
+         * something like password input is going to happen, so
+         * if we the other side is not currently sending encrypted
+         * data, ask the other side to start encrypting.
+         */
+        if (his_state_is_will(TELOPT_ENCRYPT)) {
+                static int enc_passwd = 0;
+                if (uselinemode && !tty_isecho() && tty_isediting()
+                    && (enc_passwd == 0) && !decrypt_input) {
+                        encrypt_send_request_start();
+                        enc_passwd = 1;
+                } else if (enc_passwd) {
+                        encrypt_send_request_end();
+                        enc_passwd = 0;
+                }
+        }
+#endif
+
+        /*
+         * Do echo mode handling as soon as we know what the
+         * linemode is going to be.
+         * If the pty has echo turned off, then tell the client that
+         * the server will echo.  If echo is on, then the server
+         * will echo if in character mode, but in linemode the
+         * client should do local echoing.  The state machine will
+         * not send anything if it is unnecessary, so don't worry
+         * about that here.
+         *
+         * If we need to send the WILL ECHO (because echo is off),
+         * then delay that until after we have changed the MODE.
+         * This way, when the user is turning off both editing
+         * and echo, the client will get editing turned off first.
+         * This keeps the client from going into encryption mode
+         * and then right back out if it is doing auto-encryption
+         * when passwords are being typed.
+         */
+        if (uselinemode) {
+                if (tty_isecho())
+                        send_wont(TELOPT_ECHO, 1);
+                else
+                        need_will_echo = 1;
+        }
+
+        /*
+         * If linemode is being turned off, send appropriate
+         * command and then we're all done.
+         */
+         if (!uselinemode && linemode) {
+# ifdef KLUDGELINEMODE
+                if (lmodetype == REAL_LINEMODE) {
+# endif /* KLUDGELINEMODE */
+                        send_dont(TELOPT_LINEMODE, 1);
+# ifdef KLUDGELINEMODE
+                } else if (lmodetype == KLUDGE_LINEMODE)
+                        send_will(TELOPT_SGA, 1);
+# endif /* KLUDGELINEMODE */
+                send_will(TELOPT_ECHO, 1);
+                linemode = uselinemode;
+                goto done;
+        }
+
+# ifdef KLUDGELINEMODE
+        /*
+         * If using real linemode check edit modes for possible later use.
+         * If we are in kludge linemode, do the SGA negotiation.
+         */
+        if (lmodetype == REAL_LINEMODE) {
+# endif /* KLUDGELINEMODE */
+                useeditmode = 0;
+                if (tty_isediting())
+                        useeditmode |= MODE_EDIT;
+                if (tty_istrapsig())
+                        useeditmode |= MODE_TRAPSIG;
+                if (tty_issofttab())
+                        useeditmode |= MODE_SOFT_TAB;
+                if (tty_islitecho())
+                        useeditmode |= MODE_LIT_ECHO;
+# ifdef KLUDGELINEMODE
+        } else if (lmodetype == KLUDGE_LINEMODE) {
+                if (tty_isediting() && uselinemode)
+                        send_wont(TELOPT_SGA, 1);
+                else
+                        send_will(TELOPT_SGA, 1);
+        }
+# endif /* KLUDGELINEMODE */
+
+        /*
+         * Negotiate linemode on if pty state has changed to turn it on.
+         * Send appropriate command and send along edit mode, then all done.
+         */
+        if (uselinemode && !linemode) {
+# ifdef KLUDGELINEMODE
+                if (lmodetype == KLUDGE_LINEMODE) {
+                        send_wont(TELOPT_SGA, 1);
+                } else if (lmodetype == REAL_LINEMODE) {
+# endif /* KLUDGELINEMODE */
+                        send_do(TELOPT_LINEMODE, 1);
+                        /* send along edit modes */
+                        (void) netoprintf("%c%c%c%c%c%c%c", IAC, SB,
+                                TELOPT_LINEMODE, LM_MODE, useeditmode,
+                                IAC, SE);
+                        editmode = useeditmode;
+# ifdef KLUDGELINEMODE
+                }
+# endif /* KLUDGELINEMODE */
+                linemode = uselinemode;
+                goto done;
+        }
+
+# ifdef KLUDGELINEMODE
+        /*
+         * None of what follows is of any value if not using
+         * real linemode.
+         */
+        if (lmodetype < REAL_LINEMODE)
+                goto done;
+# endif /* KLUDGELINEMODE */
+
+        if (linemode && his_state_is_will(TELOPT_LINEMODE)) {
+                /*
+                 * If edit mode changed, send edit mode.
+                 */
+                 if (useeditmode != editmode) {
+                        /*
+                         * Send along appropriate edit mode mask.
+                         */
+                        (void) netoprintf("%c%c%c%c%c%c%c", IAC, SB,
+                                TELOPT_LINEMODE, LM_MODE, useeditmode,
+                                IAC, SE);
+                        editmode = useeditmode;
+                }
+                                                        
+
+                /*
+                 * Check for changes to special characters in use.
+                 */
+                start_slc(0);
+                check_slc();
+                (void) end_slc(0);
+        }
+
+done:
+        if (need_will_echo)
+                send_will(TELOPT_ECHO, 1);
+        /*
+         * Some things should be deferred until after the pty state has
+         * been set by the local process.  Do those things that have been
+         * deferred now.  This only happens once.
+         */
+        if (_terminit == 0) {
+                _terminit = 1;
+                defer_terminit();
+        }
+
+        netflush();
+        set_termbuf();
+        return;
+
+}  /* end of localstat */
+#endif  /* LINEMODE */
+
+
+/*
+ * clientstat
+ *
+ * Process linemode related requests from the client.
+ * Client can request a change to only one of linemode, editmode or slc's
+ * at a time, and if using kludge linemode, then only linemode may be
+ * affected.
+ */
+void clientstat(register int code, register int parm1, register int parm2)
+{
+        /*
+         * Get a copy of terminal characteristics.
+         */
+        init_termbuf();
+
+        /*
+         * Process request from client. code tells what it is.
+         */
+        switch (code) {
+#ifdef  LINEMODE
+        case TELOPT_LINEMODE:
+                /*
+                 * Don't do anything unless client is asking us to change
+                 * modes.
+                 */
+                uselinemode = (parm1 == WILL);
+                if (uselinemode != linemode) {
+# ifdef KLUDGELINEMODE
+                        /*
+                         * If using kludge linemode, make sure that
+                         * we can do what the client asks.
+                         * We can not turn off linemode if alwayslinemode
+                         * and the ICANON bit is set.
+                         */
+                        if (lmodetype == KLUDGE_LINEMODE) {
+                                if (alwayslinemode && tty_isediting()) {
+                                        uselinemode = 1;
+                                }
+                        }
+                
+                        /*
+                         * Quit now if we can't do it.
+                         */
+                        if (uselinemode == linemode)
+                                return;
+
+                        /*
+                         * If using real linemode and linemode is being
+                         * turned on, send along the edit mode mask.
+                         */
+                        if (lmodetype == REAL_LINEMODE && uselinemode)
+# else  /* KLUDGELINEMODE */
+                        if (uselinemode)
+# endif /* KLUDGELINEMODE */
+                        {
+                                useeditmode = 0;
+                                if (tty_isediting())
+                                        useeditmode |= MODE_EDIT;
+                                if (tty_istrapsig)
+                                        useeditmode |= MODE_TRAPSIG;
+                                if (tty_issofttab())
+                                        useeditmode |= MODE_SOFT_TAB;
+                                if (tty_islitecho())
+                                        useeditmode |= MODE_LIT_ECHO;
+                                (void) netoprintf("%c%c%c%c%c%c%c", IAC,
+                                        SB, TELOPT_LINEMODE, LM_MODE,
+                                                        useeditmode, IAC, SE);
+                                editmode = useeditmode;
+                        }
+
+
+                        tty_setlinemode(uselinemode);
+
+                        linemode = uselinemode;
+
+                }
+                break;
+        
+        case LM_MODE:
+            {
+                register int ack, changed;
+
+                /*
+                 * Client has sent along a mode mask.  If it agrees with
+                 * what we are currently doing, ignore it; if not, it could
+                 * be viewed as a request to change.  Note that the server
+                 * will change to the modes in an ack if it is different from
+                 * what we currently have, but we will not ack the ack.
+                 */
+                 useeditmode &= MODE_MASK;
+                 ack = (useeditmode & MODE_ACK);
+                 useeditmode &= ~MODE_ACK;
+
+                 if (changed = (useeditmode ^ editmode)) {
+                        /*
+                         * This check is for a timing problem.  If the
+                         * state of the tty has changed (due to the user
+                         * application) we need to process that info
+                         * before we write in the state contained in the
+                         * ack!!!  This gets out the new MODE request,
+                         * and when the ack to that command comes back
+                         * we'll set it and be in the right mode.
+                         */
+                        if (ack)
+                                localstat();
+                        if (changed & MODE_EDIT)
+                                tty_setedit(useeditmode & MODE_EDIT);
+
+                        if (changed & MODE_TRAPSIG)
+                                tty_setsig(useeditmode & MODE_TRAPSIG);
+
+                        if (changed & MODE_SOFT_TAB)
+                                tty_setsofttab(useeditmode & MODE_SOFT_TAB);
+
+                        if (changed & MODE_LIT_ECHO)
+                                tty_setlitecho(useeditmode & MODE_LIT_ECHO);
+
+                        set_termbuf();
+
+                        if (!ack) {
+                                (void) netoprintf("%c%c%c%c%c%c%c", IAC,
+                                        SB, TELOPT_LINEMODE, LM_MODE,
+                                        useeditmode|MODE_ACK,
+                                        IAC, SE);
+                        }
+                
+                        editmode = useeditmode;
+                }
+
+                break;
+
+            }  /* end of case LM_MODE */
+#endif  /* LINEMODE */
+
+        case TELOPT_NAWS:
+#ifdef  TIOCSWINSZ
+            {
+                struct winsize ws;
+
+                def_col = parm1;
+                def_row = parm2;
+#ifdef  LINEMODE
+                /*
+                 * Defer changing window size until after terminal is
+                 * initialized.
+                 */
+                if (terminit() == 0)
+                        return;
+#endif  /* LINEMODE */
+
+                /*
+                 * Change window size as requested by client.
+                 */
+
+                ws.ws_col = parm1;
+                ws.ws_row = parm2;
+                (void) ioctl(pty, TIOCSWINSZ, (char *)&ws);
+            }
+#endif  /* TIOCSWINSZ */
+                
+                break;
+        
+        case TELOPT_TSPEED:
+            {
+                def_tspeed = parm1;
+                def_rspeed = parm2;
+#ifdef  LINEMODE
+                /*
+                 * Defer changing the terminal speed.
+                 */
+                if (terminit() == 0)
+                        return;
+#endif  /* LINEMODE */
+                /*
+                 * Change terminal speed as requested by client.
+                 * We set the receive speed first, so that if we can't
+                 * store seperate receive and transmit speeds, the transmit
+                 * speed will take precedence.
+                 */
+                tty_rspeed(parm2);
+                tty_tspeed(parm1);
+                set_termbuf();
+
+                break;
+
+            }  /* end of case TELOPT_TSPEED */
+
+        default:
+                /* What? */
+                break;
+        }  /* end of switch */
+
+        netflush();
+
+}  /* end of clientstat */
+
+#ifdef  LINEMODE
+/*
+ * defer_terminit
+ *
+ * Some things should not be done until after the login process has started
+ * and all the pty modes are set to what they are supposed to be.  This
+ * function is called when the pty state has been processed for the first time. 
+ * It calls other functions that do things that were deferred in each module.
+ */
+        void
+defer_terminit()
+{
+
+        /*
+         * local stuff that got deferred.
+         */
+        if (def_tspeed != -1) {
+                clientstat(TELOPT_TSPEED, def_tspeed, def_rspeed);
+                def_tspeed = def_rspeed = 0;
+        }
+
+#ifdef  TIOCSWINSZ
+        if (def_col || def_row) {
+                struct winsize ws;
+
+                bzero((char *)&ws, sizeof(ws));
+                ws.ws_col = def_col;
+                ws.ws_row = def_row;
+                (void) ioctl(pty, TIOCSWINSZ, (char *)&ws);
+        }
+#endif
+
+        /*
+         * The only other module that currently defers anything.
+         */
+        deferslc();
+
+}  /* end of defer_terminit */
+
+/*
+ * terminit
+ *
+ * Returns true if the pty state has been processed yet.
+ */
+        int
+terminit()
+{
+        return _terminit;
+
+}  /* end of terminit */
+#endif  /* LINEMODE */
diff --git a/exploits/7350855-netkit/netkit-telnet-0.16/telnetd/utility.c b/exploits/7350855-netkit/netkit-telnet-0.16/telnetd/utility.c
new file mode 100644
index 0000000..29b7da1
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.16/telnetd/utility.c
@@ -0,0 +1,1145 @@
+/*
+ * Copyright (c) 1989 Regents of the University of California.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *      This product includes software developed by the University of
+ *      California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/*
+ * From: @(#)utility.c  5.8 (Berkeley) 3/22/91
+ */
+char util_rcsid[] = 
+  "$Id: utility.c,v 1.11 1999/12/12 14:59:45 dholland Exp $";
+
+#define PRINTOPTIONS
+
+#include <stdarg.h>
+#include <sys/utsname.h>
+
+#ifdef AUTHENTICATE
+#include <libtelnet/auth.h>
+#endif
+
+#include "telnetd.h"
+
+/*
+ * utility functions performing io related tasks
+ */
+
+void
+netoprintf(const char *fmt, ...)
+{
+   int len, maxsize;
+   va_list ap;
+   int done=0;
+
+   while (!done) {
+      maxsize = sizeof(netobuf) - (nfrontp - netobuf);
+
+      va_start(ap, fmt);
+      len = vsnprintf(nfrontp, maxsize, fmt, ap);
+      va_end(ap);
+
+      if (len<0 || len==maxsize) {
+         /* didn't fit */
+         netflush();
+      }
+      else {
+         done = 1;
+      }
+   }
+   nfrontp += len;
+}
+
+/*
+ * ttloop
+ *
+ *      A small subroutine to flush the network output buffer, get some data
+ * from the network, and pass it through the telnet state machine.  We
+ * also flush the pty input buffer (by dropping its data) if it becomes
+ * too full.
+ */
+
+void
+ttloop(void)
+{
+
+    DIAG(TD_REPORT, netoprintf("td: ttloop\r\n"););
+                     
+    if (nfrontp-nbackp) {
+        netflush();
+    }
+    ncc = read(net, netibuf, sizeof(netibuf));
+    if (ncc < 0) {
+        syslog(LOG_INFO, "ttloop: read: %m\n");
+        exit(1);
+    } else if (ncc == 0) {
+        syslog(LOG_INFO, "ttloop: peer died: EOF\n");
+        exit(1);
+    }
+    DIAG(TD_REPORT, netoprintf("td: ttloop read %d chars\r\n", ncc););
+    netip = netibuf;
+    telrcv();                   /* state machine */
+    if (ncc > 0) {
+        pfrontp = pbackp = ptyobuf;
+        telrcv();
+    }
+}  /* end of ttloop */
+
+/*
+ * Check a descriptor to see if out of band data exists on it.
+ */
+int stilloob(int s)             /* socket number */
+{
+    static struct timeval timeout = { 0, 0 };
+    fd_set      excepts;
+    int value;
+
+    do {
+        FD_ZERO(&excepts);
+        FD_SET(s, &excepts);
+        value = select(s+1, (fd_set *)0, (fd_set *)0, &excepts, &timeout);
+    } while ((value == -1) && (errno == EINTR));
+
+    if (value < 0) {
+        fatalperror(pty, "select");
+    }
+    if (FD_ISSET(s, &excepts)) {
+        return 1;
+    } else {
+        return 0;
+    }
+}
+
+void    ptyflush(void)
+{
+        int n;
+
+        if ((n = pfrontp - pbackp) > 0) {
+                DIAG((TD_REPORT | TD_PTYDATA),
+                     netoprintf("td: ptyflush %d chars\r\n", n););
+                DIAG(TD_PTYDATA, printdata("pd", pbackp, n));
+                n = write(pty, pbackp, n);
+        }
+        if (n < 0) {
+                if (errno == EWOULDBLOCK || errno == EINTR)
+                        return;
+                cleanup(0);
+        }
+        pbackp += n;
+        if (pbackp == pfrontp)
+                pbackp = pfrontp = ptyobuf;
+}
+
+/*
+ * nextitem()
+ *
+ *      Return the address of the next "item" in the TELNET data
+ * stream.  This will be the address of the next character if
+ * the current address is a user data character, or it will
+ * be the address of the character following the TELNET command
+ * if the current address is a TELNET IAC ("I Am a Command")
+ * character.
+ */
+static
+char *
+nextitem(char *current)
+{
+    if ((*current&0xff) != IAC) {
+        return current+1;
+    }
+    switch (*(current+1)&0xff) {
+    case DO:
+    case DONT:
+    case WILL:
+    case WONT:
+        return current+3;
+    case SB:            /* loop forever looking for the SE */
+        {
+            register char *look = current+2;
+
+            for (;;) {
+                if ((*look++&0xff) == IAC) {
+                    if ((*look++&0xff) == SE) {
+                        return look;
+                    }
+                }
+            }
+        }
+    default:
+        return current+2;
+    }
+}  /* end of nextitem */
+
+
+/*
+ * netclear()
+ *
+ *      We are about to do a TELNET SYNCH operation.  Clear
+ * the path to the network.
+ *
+ *      Things are a bit tricky since we may have sent the first
+ * byte or so of a previous TELNET command into the network.
+ * So, we have to scan the network buffer from the beginning
+ * until we are up to where we want to be.
+ *
+ *      A side effect of what we do, just to keep things
+ * simple, is to clear the urgent data pointer.  The principal
+ * caller should be setting the urgent data pointer AFTER calling
+ * us in any case.
+ */
+void netclear(void)
+{
+    register char *thisitem, *next;
+    char *good;
+#define wewant(p)       ((nfrontp > p) && ((*p&0xff) == IAC) && \
+                                ((*(p+1)&0xff) != EC) && ((*(p+1)&0xff) != EL))
+
+#if     defined(ENCRYPT)
+    thisitem = nclearto > netobuf ? nclearto : netobuf;
+#else
+    thisitem = netobuf;
+#endif
+
+    while ((next = nextitem(thisitem)) <= nbackp) {
+        thisitem = next;
+    }
+
+    /* Now, thisitem is first before/at boundary. */
+
+#if     defined(ENCRYPT)
+    good = nclearto > netobuf ? nclearto : netobuf;
+#else
+    good = netobuf;     /* where the good bytes go */
+#endif
+
+    while (nfrontp > thisitem) {
+        if (wewant(thisitem)) {
+            int length;
+
+            next = thisitem;
+            do {
+                next = nextitem(next);
+            } while (wewant(next) && (nfrontp > next));
+            length = next-thisitem;
+            bcopy(thisitem, good, length);
+            good += length;
+            thisitem = next;
+        } else {
+            thisitem = nextitem(thisitem);
+        }
+    }
+
+    nbackp = netobuf;
+    nfrontp = good;             /* next byte to be sent */
+    neturg = 0;
+}  /* end of netclear */
+
+/*
+ *  netflush
+ *              Send as much data as possible to the network,
+ *      handling requests for urgent data.
+ */
+extern int not42;
+void
+netflush(void)
+{
+    int n;
+
+    if ((n = nfrontp - nbackp) > 0) {
+        DIAG(TD_REPORT,
+            { netoprintf("td: netflush %d chars\r\n", n);
+              n = nfrontp - nbackp;  /* update count */
+            });
+#if     defined(ENCRYPT)
+        if (encrypt_output) {
+                char *s = nclearto ? nclearto : nbackp;
+                if (nfrontp - s > 0) {
+                        (*encrypt_output)((unsigned char *)s, nfrontp-s);
+                        nclearto = nfrontp;
+                }
+        }
+#endif
+        /*
+         * if no urgent data, or if the other side appears to be an
+         * old 4.2 client (and thus unable to survive TCP urgent data),
+         * write the entire buffer in non-OOB mode.
+         */
+        if ((neturg == 0) || (not42 == 0)) {
+            n = write(net, nbackp, n);  /* normal write */
+        } else {
+            n = neturg - nbackp;
+            /*
+             * In 4.2 (and 4.3) systems, there is some question about
+             * what byte in a sendOOB operation is the "OOB" data.
+             * To make ourselves compatible, we only send ONE byte
+             * out of band, the one WE THINK should be OOB (though
+             * we really have more the TCP philosophy of urgent data
+             * rather than the Unix philosophy of OOB data).
+             */
+            if (n > 1) {
+                n = send(net, nbackp, n-1, 0);  /* send URGENT all by itself */
+            } else {
+                n = send(net, nbackp, n, MSG_OOB);      /* URGENT data */
+            }
+        }
+    }
+    if (n < 0) {
+        if (errno == EWOULDBLOCK || errno == EINTR)
+                return;
+        cleanup(0);
+    }
+    nbackp += n;
+#if     defined(ENCRYPT)
+    if (nbackp > nclearto)
+        nclearto = 0;
+#endif
+    if (nbackp >= neturg) {
+        neturg = 0;
+    }
+    if (nbackp == nfrontp) {
+        nbackp = nfrontp = netobuf;
+#if     defined(ENCRYPT)
+        nclearto = 0;
+#endif
+    }
+    return;
+}  /* end of netflush */
+
+
+/*
+ * writenet
+ *
+ * Just a handy little function to write a bit of raw data to the net.
+ * It will force a transmit of the buffer if necessary
+ *
+ * arguments
+ *    ptr - A pointer to a character string to write
+ *    len - How many bytes to write
+ */
+void writenet(register unsigned char *ptr, register int len)
+{
+        /* flush buffer if no room for new data) */
+        if ((&netobuf[BUFSIZ] - nfrontp) < len) {
+                /* if this fails, don't worry, buffer is a little big */
+                netflush();
+        }
+
+        bcopy(ptr, nfrontp, len);
+        nfrontp += len;
+
+}  /* end of writenet */
+
+
+/*
+ * miscellaneous functions doing a variety of little jobs follow ...
+ */
+
+
+void
+fatal(int f, const char *msg)
+{
+        char buf[BUFSIZ];
+
+        (void) snprintf(buf, sizeof(buf), "telnetd: %s.\r\n", msg);
+#if     defined(ENCRYPT)
+        if (encrypt_output) {
+                /*
+                 * Better turn off encryption first....
+                 * Hope it flushes...
+                 */
+                encrypt_send_end();
+                netflush();
+        }
+#endif
+        (void) write(f, buf, (int)strlen(buf));
+        sleep(1);       /*XXX*/
+        exit(1);
+}
+
+void
+fatalperror(int f, const char *msg)
+{
+        char buf[BUFSIZ];
+        snprintf(buf, sizeof(buf), "%s: %s\r\n", msg, strerror(errno));
+        fatal(f, buf);
+}
+
+char editedhost[32];
+struct utsname kerninfo;
+
+void
+edithost(const char *pat, const char *host)
+{
+        char *res = editedhost;
+
+        uname(&kerninfo);
+
+        if (!pat)
+                pat = "";
+        while (*pat) {
+                switch (*pat) {
+
+                case '#':
+                        if (*host)
+                                host++;
+                        break;
+
+                case '@':
+                        if (*host)
+                                *res++ = *host++;
+                        break;
+
+                default:
+                        *res++ = *pat;
+                        break;
+                }
+                if (res == &editedhost[sizeof editedhost - 1]) {
+                        *res = '\0';
+                        return;
+                }
+                pat++;
+        }
+        if (*host)
+                (void) strncpy(res, host,
+                                sizeof editedhost - (res - editedhost) -1);
+        else
+                *res = '\0';
+        editedhost[sizeof editedhost - 1] = '\0';
+}
+
+static char *putlocation;
+
+static 
+void
+putstr(const char *s)
+{
+    while (*s) putchr(*s++);
+}
+
+void putchr(int cc)
+{
+        *putlocation++ = cc;
+}
+
+static char fmtstr[] = { "%H:%M on %A, %d %B %Y" };
+
+void putf(const char *cp, char *where)
+{
+        char *slash;
+        time_t t;
+        char db[100];
+
+        if (where)
+        putlocation = where;
+
+        while (*cp) {
+                if (*cp != '%') {
+                        putchr(*cp++);
+                        continue;
+                }
+                switch (*++cp) {
+
+                case 't':
+                        slash = strrchr(line, '/');
+                        if (slash == NULL)
+                                putstr(line);
+                        else
+                                putstr(slash+1);
+                        break;
+
+                case 'h':
+                        putstr(editedhost);
+                        break;
+
+                case 'd':
+                        (void)time(&t);
+                        (void)strftime(db, sizeof(db), fmtstr, localtime(&t));
+                        putstr(db);
+                        break;
+
+                case '%':
+                        putchr('%');
+                        break;
+
+                case 'D':
+                        {
+                                char    buff[128];
+
+                                if (getdomainname(buff,sizeof(buff)) < 0
+                                        || buff[0] == '\0'
+                                        || strcmp(buff, "(none)") == 0)
+                                        break;
+                                putstr(buff);
+                        }
+                        break;
+
+                case 'i':
+                        {
+                                char buff[3];
+                                FILE *fp;
+                                int p, c;
+
+                                if ((fp = fopen(ISSUE_FILE, "r")) == NULL)
+                                        break;
+                                p = '\n';
+                                while ((c = fgetc(fp)) != EOF) {
+                                        if (p == '\n' && c == '#') {
+                                                do {
+                                                        c = fgetc(fp);
+                                                } while (c != EOF && c != '\n');
+                                                continue;
+                                        } else if (c == '%') {
+                                                buff[0] = c;
+                                                c = fgetc(fp);
+                                                if (c == EOF) break;
+                                                buff[1] = c;
+                                                buff[2] = '\0';
+                                                putf(buff, NULL);
+                                        } else {
+                                                if (c == '\n') putchr('\r');
+                                                putchr(c);
+                                                p = c;
+                                        }
+                                };
+                                (void) fclose(fp);
+                        }
+                        return; /* ignore remainder of the banner string */
+                        /*NOTREACHED*/
+
+                case 's':
+                        putstr(kerninfo.sysname);
+                        break;
+
+                case 'm':
+                        putstr(kerninfo.machine);
+                        break;
+
+                case 'r':
+                        putstr(kerninfo.release);
+                        break;
+
+                case 'v':
+#ifdef __linux__
+                        putstr(kerninfo.version);
+#else
+                        puts(kerninfo.version);
+#endif
+                        break;
+                }
+                cp++;
+        }
+}
+
+#ifdef DIAGNOSTICS
+/*
+ * Print telnet options and commands in plain text, if possible.
+ */
+void
+printoption(const char *fmt, int option)
+{
+        if (TELOPT_OK(option))
+                netoprintf("%s %s\r\n", fmt, TELOPT(option));
+        else if (TELCMD_OK(option))
+                netoprintf("%s %s\r\n", fmt, TELCMD(option));
+        else
+                netoprintf("%s %d\r\n", fmt, option);
+}
+
+/* direction: '<' or '>' */
+/* pointer: where suboption data sits */
+/* length: length of suboption data */
+void
+printsub(char direction, unsigned char *pointer, int length)
+{
+    register int i = -1;
+#ifdef AUTHENTICATE
+    char buf[512];
+#endif
+
+        if (!(diagnostic & TD_OPTIONS))
+                return;
+
+        if (direction) {
+            netoprintf("td: %s suboption ",
+                       direction == '<' ? "recv" : "send");
+            if (length >= 3) {
+                register int j;
+
+                i = pointer[length-2];
+                j = pointer[length-1];
+
+                if (i != IAC || j != SE) {
+                    netoprintf("(terminated by ");
+                    if (TELOPT_OK(i))
+                        netoprintf("%s ", TELOPT(i));
+                    else if (TELCMD_OK(i))
+                        netoprintf("%s ", TELCMD(i));
+                    else
+                        netoprintf("%d ", i);
+                    if (TELOPT_OK(j))
+                        netoprintf("%s", TELOPT(j));
+                    else if (TELCMD_OK(j))
+                        netoprintf("%s", TELCMD(j));
+                    else
+                        netoprintf("%d", j);
+                    netoprintf(", not IAC SE!) ");
+                }
+            }
+            length -= 2;
+        }
+        if (length < 1) {
+            netoprintf("(Empty suboption???)");
+            return;
+        }
+        switch (pointer[0]) {
+        case TELOPT_TTYPE:
+            netoprintf("TERMINAL-TYPE ");
+            switch (pointer[1]) {
+            case TELQUAL_IS:
+                netoprintf("IS \"%.*s\"", length-2, (char *)pointer+2);
+                break;
+            case TELQUAL_SEND:
+                netoprintf("SEND");
+                break;
+            default:
+                netoprintf("- unknown qualifier %d (0x%x).",
+                                pointer[1], pointer[1]);
+            }
+            break;
+        case TELOPT_TSPEED:
+            netoprintf("TERMINAL-SPEED");
+            if (length < 2) {
+                netoprintf(" (empty suboption???)");
+                break;
+            }
+            switch (pointer[1]) {
+            case TELQUAL_IS:
+                netoprintf(" IS %.*s", length-2, (char *)pointer+2);
+                break;
+            default:
+                if (pointer[1] == 1)
+                    netoprintf(" SEND");
+                else
+                    netoprintf(" %d (unknown)", pointer[1]);
+                for (i = 2; i < length; i++) {
+                    netoprintf(" ?%d?", pointer[i]);
+                }
+                break;
+            }
+            break;
+
+        case TELOPT_LFLOW:
+            netoprintf("TOGGLE-FLOW-CONTROL");
+            if (length < 2) {
+                netoprintf(" (empty suboption???)");
+                break;
+            }
+            switch (pointer[1]) {
+            case 0:
+                netoprintf(" OFF"); break;
+            case 1:
+                netoprintf(" ON"); break;
+            default:
+                netoprintf(" %d (unknown)", pointer[1]);
+            }
+            for (i = 2; i < length; i++) {
+                netoprintf(" ?%d?", pointer[i]);
+            }
+            break;
+
+        case TELOPT_NAWS:
+            netoprintf("NAWS");
+            if (length < 2) {
+                netoprintf(" (empty suboption???)");
+                break;
+            }
+            if (length == 2) {
+                netoprintf(" ?%d?", pointer[1]);
+                break;
+            }
+            netoprintf(" %d %d (%d)",
+                pointer[1], pointer[2],
+                (int)((((unsigned int)pointer[1])<<8)|((unsigned int)pointer[2])));
+            if (length == 4) {
+                netoprintf(" ?%d?", pointer[3]);
+                break;
+            }
+            netoprintf(" %d %d (%d)",
+                pointer[3], pointer[4],
+                (int)((((unsigned int)pointer[3])<<8)|((unsigned int)pointer[4])));
+            for (i = 5; i < length; i++) {
+                netoprintf(" ?%d?", pointer[i]);
+            }
+            break;
+
+        case TELOPT_LINEMODE:
+            netoprintf("LINEMODE ");
+            if (length < 2) {
+                netoprintf(" (empty suboption???)");
+                break;
+            }
+            switch (pointer[1]) {
+            case WILL:
+                netoprintf("WILL ");
+                goto common;
+            case WONT:
+                netoprintf("WONT ");
+                goto common;
+            case DO:
+                netoprintf("DO ");
+                goto common;
+            case DONT:
+                netoprintf("DONT ");
+            common:
+                if (length < 3) {
+                    netoprintf("(no option???)");
+                    break;
+                }
+                switch (pointer[2]) {
+                case LM_FORWARDMASK:
+                    netoprintf("Forward Mask");
+                    for (i = 3; i < length; i++) {
+                        netoprintf(" %x", pointer[i]);
+                    }
+                    break;
+                default:
+                    netoprintf("%d (unknown)", pointer[2]);
+                    for (i = 3; i < length; i++) {
+                        netoprintf(" %d", pointer[i]);
+                    }
+                    break;
+                }
+                break;
+                
+            case LM_SLC:
+                netoprintf("SLC");
+                for (i = 2; i < length - 2; i += 3) {
+                    if (SLC_NAME_OK(pointer[i+SLC_FUNC]))
+                        netoprintf(" %s", SLC_NAME(pointer[i+SLC_FUNC]));
+                    else
+                        netoprintf(" %d", pointer[i+SLC_FUNC]);
+                    switch (pointer[i+SLC_FLAGS]&SLC_LEVELBITS) {
+                    case SLC_NOSUPPORT:
+                        netoprintf(" NOSUPPORT"); break;
+                    case SLC_CANTCHANGE:
+                        netoprintf(" CANTCHANGE"); break;
+                    case SLC_VARIABLE:
+                        netoprintf(" VARIABLE"); break;
+                    case SLC_DEFAULT:
+                        netoprintf(" DEFAULT"); break;
+                    }
+                    netoprintf("%s%s%s",
+                        pointer[i+SLC_FLAGS]&SLC_ACK ? "|ACK" : "",
+                        pointer[i+SLC_FLAGS]&SLC_FLUSHIN ? "|FLUSHIN" : "",
+                        pointer[i+SLC_FLAGS]&SLC_FLUSHOUT ? "|FLUSHOUT" : "");
+                    if (pointer[i+SLC_FLAGS]& ~(SLC_ACK|SLC_FLUSHIN|
+                                                SLC_FLUSHOUT| SLC_LEVELBITS)) {
+                        netoprintf("(0x%x)", pointer[i+SLC_FLAGS]);
+                    }
+                    netoprintf(" %d;", pointer[i+SLC_VALUE]);
+                    if ((pointer[i+SLC_VALUE] == IAC) &&
+                        (pointer[i+SLC_VALUE+1] == IAC))
+                                i++;
+                }
+                for (; i < length; i++) {
+                    netoprintf(" ?%d?", pointer[i]);
+                }
+                break;
+
+            case LM_MODE:
+                netoprintf("MODE ");
+                if (length < 3) {
+                    netoprintf("(no mode???)");
+                    break;
+                }
+                {
+                    char tbuf[32];
+                    snprintf(tbuf, sizeof(tbuf), "%s%s%s%s%s",
+                        pointer[2]&MODE_EDIT ? "|EDIT" : "",
+                        pointer[2]&MODE_TRAPSIG ? "|TRAPSIG" : "",
+                        pointer[2]&MODE_SOFT_TAB ? "|SOFT_TAB" : "",
+                        pointer[2]&MODE_LIT_ECHO ? "|LIT_ECHO" : "",
+                        pointer[2]&MODE_ACK ? "|ACK" : "");
+                    netoprintf("%s", tbuf[1] ? &tbuf[1] : "0");
+                }
+                if (pointer[2]&~(MODE_EDIT|MODE_TRAPSIG|MODE_ACK)) {
+                    netoprintf(" (0x%x)", pointer[2]);
+                }
+                for (i = 3; i < length; i++) {
+                    netoprintf(" ?0x%x?", pointer[i]);
+                }
+                break;
+            default:
+                netoprintf("%d (unknown)", pointer[1]);
+                for (i = 2; i < length; i++) {
+                    netoprintf(" %d", pointer[i]);
+                }
+            }
+            break;
+
+        case TELOPT_STATUS: {
+            const char *cp;
+            register int j, k;
+
+            netoprintf("STATUS");
+
+            switch (pointer[1]) {
+            default:
+                if (pointer[1] == TELQUAL_SEND)
+                    netoprintf(" SEND");
+                else
+                    netoprintf(" %d (unknown)", pointer[1]);
+                for (i = 2; i < length; i++) {
+                    netoprintf(" ?%d?", pointer[i]);
+                }
+                break;
+            case TELQUAL_IS:
+                netoprintf(" IS\r\n");
+
+                for (i = 2; i < length; i++) {
+                    switch(pointer[i]) {
+                    case DO:    cp = "DO"; goto common2;
+                    case DONT:  cp = "DONT"; goto common2;
+                    case WILL:  cp = "WILL"; goto common2;
+                    case WONT:  cp = "WONT"; goto common2;
+                    common2:
+                        i++;
+                        if (TELOPT_OK((int)pointer[i]))
+                            netoprintf(" %s %s", cp, TELOPT(pointer[i]));
+                        else
+                            netoprintf(" %s %d", cp, pointer[i]);
+
+                        netoprintf("\r\n");
+                        break;
+
+                    case SB:
+                        netoprintf(" SB ");
+                        i++;
+                        j = k = i;
+                        while (j < length) {
+                            if (pointer[j] == SE) {
+                                if (j+1 == length)
+                                    break;
+                                if (pointer[j+1] == SE)
+                                    j++;
+                                else
+                                    break;
+                            }
+                            pointer[k++] = pointer[j++];
+                        }
+                        printsub(0, &pointer[i], k - i);
+                        if (i < length) {
+                            netoprintf(" SE");
+                            i = j;
+                        } else
+                            i = j - 1;
+
+                        netoprintf("\r\n");
+
+                        break;
+                                
+                    default:
+                        netoprintf(" %d", pointer[i]);
+                        break;
+                    }
+                }
+                break;
+            }
+            break;
+          }
+
+        case TELOPT_XDISPLOC:
+            netoprintf("X-DISPLAY-LOCATION ");
+            switch (pointer[1]) {
+            case TELQUAL_IS:
+                netoprintf("IS \"%.*s\"", length-2, (char *)pointer+2);
+                break;
+            case TELQUAL_SEND:
+                netoprintf("SEND");
+                break;
+            default:
+                netoprintf("- unknown qualifier %d (0x%x).",
+                                pointer[1], pointer[1]);
+            }
+            break;
+
+        case TELOPT_ENVIRON:
+            netoprintf("ENVIRON ");
+            switch (pointer[1]) {
+            case TELQUAL_IS:
+                netoprintf("IS ");
+                goto env_common;
+            case TELQUAL_SEND:
+                netoprintf("SEND ");
+                goto env_common;
+            case TELQUAL_INFO:
+                netoprintf("INFO ");
+            env_common:
+                {
+                    register int noquote = 2;
+                    for (i = 2; i < length; i++ ) {
+                        switch (pointer[i]) {
+                        case ENV_VAR:
+                            if (pointer[1] == TELQUAL_SEND)
+                                goto def_case;
+                            netoprintf("\" VAR " + noquote);
+                            noquote = 2;
+                            break;
+
+                        case ENV_VALUE:
+                            netoprintf("\" VALUE " + noquote);
+                            noquote = 2;
+                            break;
+
+                        case ENV_ESC:
+                            netoprintf("\" ESC " + noquote);
+                            noquote = 2;
+                            break;
+
+                        default:
+                        def_case:
+                            if (isprint(pointer[i]) && pointer[i] != '"') {
+                                if (noquote) {
+                                    netoprintf("\"");
+                                    noquote = 0;
+                                }
+                                netoprintf("%c", pointer[i]);
+                            } else {
+                                netoprintf("\" %03o " + noquote,
+                                                        pointer[i]);
+                                noquote = 2;
+                            }
+                            break;
+                        }
+                    }
+                    if (!noquote)
+                        netoprintf("\"");
+                    break;
+                }
+            }
+            break;
+
+#if     defined(AUTHENTICATE)
+        case TELOPT_AUTHENTICATION:
+            netoprintf("AUTHENTICATION");
+        
+            if (length < 2) {
+                netoprintf(" (empty suboption???)");
+                break;
+            }
+            switch (pointer[1]) {
+            case TELQUAL_REPLY:
+            case TELQUAL_IS:
+                netoprintf(" %s ", (pointer[1] == TELQUAL_IS) ?
+                                                        "IS" : "REPLY");
+                if (AUTHTYPE_NAME_OK(pointer[2]))
+                    netoprintf("%s ", AUTHTYPE_NAME(pointer[2]));
+                else
+                    netoprintf("%d ", pointer[2]);
+                if (length < 3) {
+                    netoprintf("(partial suboption???)");
+                    break;
+                }
+                netoprintf("%s|%s",
+                        ((pointer[3] & AUTH_WHO_MASK) == AUTH_WHO_CLIENT) ?
+                        "CLIENT" : "SERVER",
+                        ((pointer[3] & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) ?
+                        "MUTUAL" : "ONE-WAY");
+
+                auth_printsub(&pointer[1], length - 1, buf, sizeof(buf));
+                netoprintf("%s", buf);
+                break;
+
+            case TELQUAL_SEND:
+                i = 2;
+                netoprintf(" SEND ");
+                while (i < length) {
+                    if (AUTHTYPE_NAME_OK(pointer[i]))
+                        netoprintf("%s ", AUTHTYPE_NAME(pointer[i]));
+                    else
+                        netoprintf("%d ", pointer[i]);
+                    if (++i >= length) {
+                        netoprintf("(partial suboption???)");
+                        break;
+                    }
+                    netoprintf("%s|%s ",
+                        ((pointer[i] & AUTH_WHO_MASK) == AUTH_WHO_CLIENT) ?
+                                                        "CLIENT" : "SERVER",
+                        ((pointer[i] & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) ?
+                                                        "MUTUAL" : "ONE-WAY");
+                    ++i;
+                }
+                break;
+
+            case TELQUAL_NAME:
+                i = 2;
+                netoprintf(" NAME \"");
+                /*
+                 * Was:
+                 *    while (i < length)
+                 *       *nfrontp += pointer[i++];
+                 *    *nfrontp += '"';
+                 *
+                 * but I'm pretty sure that's wrong...
+                 */
+                while (i < length)
+                    netoprintf("%c", pointer[i++]);
+                netoprintf("\"");
+                break;
+
+            default:
+                    for (i = 2; i < length; i++) {
+                        netoprintf(" ?%d?", pointer[i]);
+                    }
+                    break;
+            }
+            break;
+#endif
+
+#if     defined(ENCRYPT)
+        case TELOPT_ENCRYPT:
+            netoprintf("ENCRYPT");
+            if (length < 2) {
+                netoprintf(" (empty suboption???)");
+                break;
+            }
+            switch (pointer[1]) {
+            case ENCRYPT_START:
+                netoprintf(" START");
+                break;
+
+            case ENCRYPT_END:
+                netoprintf(" END");
+                break;
+
+            case ENCRYPT_REQSTART:
+                netoprintf(" REQUEST-START");
+                break;
+
+            case ENCRYPT_REQEND:
+                netoprintf(" REQUEST-END");
+                break;
+
+            case ENCRYPT_IS:
+            case ENCRYPT_REPLY:
+                netoprintf(" %s ", (pointer[1] == ENCRYPT_IS) ?
+                                                        "IS" : "REPLY");
+                if (length < 3) {
+                    netoprintf(" (partial suboption???)");
+                    break;
+                }
+                if (ENCTYPE_NAME_OK(pointer[2]))
+                    netoprintf("%s ", ENCTYPE_NAME(pointer[2]));
+                else
+                    netoprintf(" %d (unknown)", pointer[2]);
+
+                encrypt_printsub(&pointer[1], length - 1, buf, sizeof(buf));
+                netoprintf("%s", buf);
+                break;
+
+            case ENCRYPT_SUPPORT:
+                i = 2;
+                netoprintf(" SUPPORT ");
+                while (i < length) {
+                    if (ENCTYPE_NAME_OK(pointer[i]))
+                        netoprintf("%s ", ENCTYPE_NAME(pointer[i]));
+                    else
+                        netoprintf("%d ", pointer[i]);
+                    i++;
+                }
+                break;
+
+            case ENCRYPT_ENC_KEYID:
+                netoprintf(" ENC_KEYID", pointer[1]);
+                goto encommon;
+
+            case ENCRYPT_DEC_KEYID:
+                netoprintf(" DEC_KEYID", pointer[1]);
+                goto encommon;
+
+            default:
+                netoprintf(" %d (unknown)", pointer[1]);
+            encommon:
+                for (i = 2; i < length; i++) {
+                    netoprintf(" %d", pointer[i]);
+                }
+                break;
+            }
+            break;
+#endif
+
+        default:
+            if (TELOPT_OK(pointer[0]))
+                netoprintf("%s (unknown)", TELOPT(pointer[0]));
+            else
+                netoprintf("%d (unknown)", pointer[i]);
+            for (i = 1; i < length; i++) {
+                netoprintf(" %d", pointer[i]);
+            }
+            break;
+        }
+        netoprintf("\r\n");
+}
+
+/*
+ * Dump a data buffer in hex and ascii to the output data stream.
+ */
+void
+printdata(const char *tag, const char *ptr, int cnt)
+{
+        register int i;
+        char xbuf[30];
+
+        while (cnt) {
+                /* flush net output buffer if no room for new data) */
+                if ((&netobuf[BUFSIZ] - nfrontp) < 80) {
+                        netflush();
+                }
+
+                /* add a line of output */
+                netoprintf("%s: ", tag);
+                for (i = 0; i < 20 && cnt; i++) {
+                        netoprintf("%02x", *ptr);
+                        if (isprint(*ptr)) {
+                                xbuf[i] = *ptr;
+                        } else {
+                                xbuf[i] = '.';
+                        }
+                        if (i % 2) { 
+                                netoprintf(" ");
+                        }
+                        cnt--;
+                        ptr++;
+                }
+                xbuf[i] = '\0';
+                netoprintf(" %s\r\n", xbuf );
+        } 
+}
+#endif /* DIAGNOSTICS */
diff --git a/exploits/7350855-netkit/netkit-telnet-0.16/version.h b/exploits/7350855-netkit/netkit-telnet-0.16/version.h
new file mode 100644
index 0000000..3cfe28f
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.16/version.h
@@ -0,0 +1,5 @@
+/*
+ * String to embed in binaries to identify package
+ */
+
+char pkg[]="$NetKit: netkit-telnet-0.16 $";
diff --git a/exploits/7350855-netkit/netkit-telnet-0.17/BUGS b/exploits/7350855-netkit/netkit-telnet-0.17/BUGS
new file mode 100644
index 0000000..484d00d
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.17/BUGS
@@ -0,0 +1,24 @@
+telnet:
+        - will apparently sometimes assert in ungetch. I think I've
+          fixed this, so if you still see it let me know.
+        - hangs if you telnet to chargen port and push ^Z 
+          (due to bogus protocol negotiation attempts)
+        - binary mode doesn't handle crlf right
+        - should warn if the connection isn't encrypted
+
+telnetd:
+        - hangs if you do the following:
+                telnet
+                log in
+                cat >/dev/null
+                type 256 'a's with no CRs
+            *THIS IS A KERNEL BUG*  Patch enclosed.
+        
+        - crashes in ncurses if the terminal type is undefined,
+          with some versions of ncurses.
+        - should allow passing random user envs as "TELNET_*"
+        - should set REMOTEHOST to the remote hostname
+        - passes login the -p flag instead of sending envs explicitly
+        - should only use included logout() et al. if real ones aren't 
+          available in system libs.
+        - addarg() in sys_term.c does some very questionable casts.
diff --git a/exploits/7350855-netkit/netkit-telnet-0.17/ChangeLog b/exploits/7350855-netkit/netkit-telnet-0.17/ChangeLog
new file mode 100644
index 0000000..7ef5e3e
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.17/ChangeLog
@@ -0,0 +1,170 @@
+22-Jul-2000:
+        Bug fixes for environment processing from Olaf Kirch. Also fixes
+          privacy issue noticed by Steve Bellovin. Also fix a wrong 
+          assert().
+
+21-May-2000:
+        Fix bug found by Herbert Xu (herbert@gondor.apana.org.au) - telnet
+          was sending terminal type "(null)" as part of the terminal type
+          list.
+
+12-Apr-2000:
+        IPPROTO_IP is not a macro in Linux, so don't check it with #ifdef.
+        Also, add initial experimental login wrapper, but don't make it 
+          part of the default build.
+
+14-Dec-1999:
+        netkit-telnet-0.16 is released.
+
+13-Dec-1999:
+        Per recommendation of the linux-security-audit list, don't bother
+          (in telnetd) to ask termcap/ncurses if a terminal type is good;
+        assume it is. This means telnetd no longer links against termcap.
+
+12-Dec-1999:
+        Massive buffer cleanup in telnetd; minor cleanup to telnet.
+
+5-Dec-1999:
+        Remove some more bogus #ifdefs in telnet.
+
+29-Oct-1999:
+        Fix latent bug in the array classes used in telnet.
+
+14-Sep-1999:
+        Merge old fix to keep telnet from hanging up when under heavy load
+          (Olaf Kirch, okir@caldera.de)
+
+19-Aug-1999:
+        Patches for compiling with gcc 2.95. (Jeremy Buhler,
+          jbuhler@cs.washington.edu)
+
+18-Aug-1999:
+        netkit-telnet-0.14 released.
+
+17-Aug-1999:
+        telnetd patch from Chris Evans to reject termcap entries with 
+          '/' in them, as libtermcap will treat them as paths and open
+          them as root, with various interesting consequences...
+          Issue found by Tymm Twillman (tymm@coe.missouri.edu).
+
+1-Aug-1999:
+        Massive cleanup of telnetd. Changed telnetd to use openpty() from
+          libutil, so we can let libc deal with changes in pty management.
+
+1-Aug-1999:
+        Did complete y2k and y2038 audit. 
+
+31-Jul-1999:
+        Redid makefiles/config stuff for new confgen version.
+
+15-Jul-1999:
+        Set the process title (visible with ps) to show the remote host name.
+        Also filter control characters from the remote host name, just in case.
+        Set environment variable REMOTEHOST also.
+
+16-Oct-1997:
+        Added OPOST to the terminal stuff a la NCSA telnet fixup
+
+23-Sep-1997:
+        Assorted signed/unsigned character fixes and hacking in telnet.
+        (Martin Mares, mj@mj.gts.cz)
+        Fix various crashes in telnet arising from undefining environment
+        variables.
+        "telnet h" no longer prints a usage message.
+
+12-Jun-1997:
+        netkit-telnet-0.10 released.
+
+08-Jun-1997:
+        More adjustments for glibc.
+        Include kernel patch to fix hang on long input; thanks to Bill
+          Hawes (whawes@star.net).
+
+19-May-1997:
+        Fix some nonsense with ayt and signals, since glibc has SIGINFO.
+
+13-May-1997:
+        8-bit fix to telnet. (Lukas Wunner, lukas@design.de)
+        Set ut_type correctly in telnetd's logout. (Steve Coile, 
+          steve@patriot.net)
+
+05-Apr-1997:
+        Added configure script to generate MCONFIG.
+        Better utmp handling in telnetd.
+
+08-Mar-1997: 
+        Split from full NetKit package. 
+        Generated this change log from NetKit's.
+
+29-Dec-1996
+        NetKit-0.09 released.
+        Assorted alpha/glibc patches. (Erik Troan, ewt@redhat.com)
+        Assorted bug fixes from Debian. (Peter Tobias, 
+          tobias@et-inf.fho-emden.de)
+        Telnetd supports -L option for alternate login program. (Peter Tobias)
+        Hardened programs against DNS h_length spoofing attacks.
+        Use inet_aton() everywhere instead of inet_addr().
+        Fixed crash in telnet caused by ^C or ^Z or ^\ under 
+          certain circumstances.
+        Rewrote telnet and telnetd man pages.
+
+22-Aug-1996
+        NetKit-B-0.08 released.
+        (almost) everything now compiles with lots of warnings turned on.
+        Massive hacking on telnet.
+        telnet honors the -E flag (was broken in .07, .07A)
+        telnetd intercepts ENV environment variable.
+        Merged libtelnet into telnet and telnetd dirs.
+        telnetd now sets idle tty devices to root.root mode 600.
+
+25-Jul-1996
+        NetKit-B-0.07A released.
+        Fixed a bug in telnet where the escape character was being ignored.
+        Fixed a bug in telnetd; now uses the correct names for the last ptys
+          (that is, ptya0-ptyef, not ptyA0-ptyEf.)
+
+23-Jul-1996
+        NetKit-B-0.07 released.
+        Integrated a collection of patches that had been lurking on the net,
+          including the 256-ptys support for telnetd and passive mode ftp.
+        Major security fixes, including to fingerd, lpr, rlogin, rsh, talkd, 
+          and telnetd. Do *not* use the sliplogin from earlier versions of this
+          package, either.
+        Much of the code builds without libbsd.a or bsd includes.
+        Massive code cleanup. Almost everything compiles clean with gcc
+          -Wall now. rusers and rusersd do not; patches to rpcgen to fix
+          this would be appreciated if anyone feels like it.
+        Kerberos support has been removed. It didn't work anyway, and
+          proper Kerberos tools come with Kerberos.
+        New maintainer:  David A. Holland, dholland@hcs.harvard.edu
+
+date not known
+        NetKit-B-0.06 released.
+
+date not known
+        NetKit-B-0.05 released.
+        Fixed writing entries to /var/adm/wtmp by ftpd, rlogind and
+          telnetd. (logwtmp.c) Florian
+          This is only necessary for the GNU last, not for the one 
+          in util-linux...
+
+date not known
+        NetKit-B-0.04 released.
+        Did some nasty changes to telnet/extern.h. I should really take
+          the current version from NetBSD again and make a clean port of
+          it. (signals).
+
+date not known
+        NetKit-B-0.03 released.
+        telnetd: changed the default 'etc/issue.net' to not output the
+          hostname and then the domainname (that should be the fqdn, but
+          is wrong!) Changed also the man page issue.net.5
+        changed telnetd to get the fqdn and not only use what
+          'gethostname' returns
+        telnetd: changed some code back to original form to properly
+          enable binary mode negotiation (outgoing data wasn't binary)
+          Please test this out: do "telnet some_other_not_linux_host" and
+          then do "vi TEST_FILE" and test some strange characters >127
+          like ° or §.
+        telnetd: added issue.net.5 to "make install"
+
diff --git a/exploits/7350855-netkit/netkit-telnet-0.17/MCONFIG.in b/exploits/7350855-netkit/netkit-telnet-0.17/MCONFIG.in
new file mode 100644
index 0000000..cedb9d1
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.17/MCONFIG.in
@@ -0,0 +1,30 @@
+# Dirs
+INSTALLROOT
+BINDIR
+MANDIR
+SBINDIR
+
+# Modes
+BINMODE
+DAEMONMODE
+MANMODE
+
+# Compiling
+ALLWARNINGS
+CC
+CXX
+CFLAGS
+CXXFLAGS
+LDFLAGS
+LIBS
+
+# Features
+FN(snprintf)
+FN(logwtmp)
+LIBTERMCAP
+GLIBC
+BSDSIGNAL
+
+# We actually use openpty, but they come from the same place on all systems
+# I know.
+FN(forkpty)
diff --git a/exploits/7350855-netkit/netkit-telnet-0.17/MRULES b/exploits/7350855-netkit/netkit-telnet-0.17/MRULES
new file mode 100644
index 0000000..6d8015e
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.17/MRULES
@@ -0,0 +1,8 @@
+# Standard compilation rules (don't use make builtins)
+
+%.o: %.c
+        $(CC) $(CFLAGS) $< -c
+
+%.o: %.cc
+        $(CXX) $(CXXFLAGS) $< -c
+
diff --git a/exploits/7350855-netkit/netkit-telnet-0.17/Makefile b/exploits/7350855-netkit/netkit-telnet-0.17/Makefile
new file mode 100644
index 0000000..06c8e1e
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.17/Makefile
@@ -0,0 +1,20 @@
+# You can do "make SUB=blah" to make only a few, or edit here, or both
+# You can also run make directly in the subdirs you want.
+
+SUB =   telnet telnetd telnetlogin
+
+%.build:
+        (cd $(patsubst %.build, %, $@) && $(MAKE))
+
+%.install:
+        (cd $(patsubst %.install, %, $@) && $(MAKE) install)
+
+%.clean:
+        (cd $(patsubst %.clean, %, $@) && $(MAKE) clean)
+
+all:     $(patsubst %, %.build, $(SUB))
+install: $(patsubst %, %.install, $(SUB))
+clean:   $(patsubst %, %.clean, $(SUB))
+
+distclean: clean
+        rm -f MCONFIG
diff --git a/exploits/7350855-netkit/netkit-telnet-0.17/README b/exploits/7350855-netkit/netkit-telnet-0.17/README
new file mode 100644
index 0000000..87f56d2
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.17/README
@@ -0,0 +1,127 @@
+This is netkit-telnet-0.17 for Linux.
+
+This package updates netkit-telnet-0.16.
+
+If you're reading this off a CD, go right away and check the net
+archives for later versions and security fixes. As of this writing the
+home site for NetKit is
+        ftp://ftp.uk.linux.org/pub/linux/Networking/netkit
+
+Contents:
+        telnet          Client for telnet protocol
+        telnetd         Daemon for telnet protocol
+
+Note: These programs do not provide encryption or strong
+authentication of network connections. As such, their use for remote
+logins is discouraged. The "ssh" protocol and package can be used
+instead.
+
+Requires:
+        Working compiler, libc, and kernel, and a recent version of
+        ncurses or libtermcap.
+
+        Note that while telnet uses the C++ compiler, it neither requires
+        nor uses libstdc++.
+
+Security:
+        This release contains no security fixes relative to 
+        netkit-telnet-0.16. However, versions prior to that should not be 
+        used.
+
+        Telnetd is evil legacy code and is not trustworthy - do not
+        run it unless you absolutely need it.
+
+        This release contains experimental login wrapper code to permit
+        running telnetd as a non-root user. This code is not built by 
+        default. Look in the "telnetlogin" directory and the telnetlogin 
+        man page contained therein for more information.
+
+Old kernels:
+        If you have an old kernel, you may need to apply the enclosed
+        pty-hang patch to it. I don't unfortunately know at the moment 
+        which kernel versions need the patch, but current 2.0.x and
+        2.2.x should be ok without it.
+
+        The following test will tell you if you need the patch: telnet
+        to localhost, do "cat >/dev/null", and type 256 characters
+        without any newlines. If you need the patch, telnetd will hang
+        completely at this point. If it refuses to accept more input,
+        but does not hang, you do not need the patch.
+
+Installation:
+        Do "./configure --help" and decide what options you want. The
+        defaults should be suitable for most Linux systems. Then run
+        the configure script.
+
+        Do "make" to compile.
+        Then (as root) do "make install".
+
+        Save a backup copy of any mission-critical program in case the
+        new one doesn't work, and so forth. We warned you.
+
+        If you get gcc warnings from files in /usr/include, they are
+        due to problems in your libc, not netkit. (You may only see
+        them when compiling netkit because netkit turns on a lot of
+        compiler warnings.)
+
+DEC CC:
+        The DEC compiler for the Alpha is now freely available. This
+        is a much better compiler with gcc, that is, it generates much
+        better code. If you have the DEC compiler, you can explicitly
+        use the DEC compiler instead of gcc by configuring like this:
+
+                ./configure --with-c-compiler=ccc
+
+        It is known to generate spurious warnings on some files. Also,
+        some headers from some versions of glibc confuse it; that may
+        prevent netkit from working. Other problems should be reported
+        as bugs.
+
+        Note that there is no corresponding C++ compiler, so telnet
+        will be compiled with g++ anyway.
+
+Bugs:
+        Please make sure the header files in /usr/include match the
+        libc version installed in /lib and /usr/lib. If you have weird
+        problems this is the most likely culprit.
+
+        Also, before reporting a bug, be sure you're working with the
+        latest version.
+
+        If something doesn't compile for you, fix it and send diffs.
+        If you can't, send the compiler's error output.
+
+        If it compiles but doesn't work, send as complete a bug report as 
+        you can. Patches and fixes are welcome, as long as you describe 
+        adequately what they're supposed to fix. Please, one patch per
+        distinct fix. Please do NOT send the whole archive back or
+        reindent the source.
+
+        Be sure to send all correspondence in e-mail to the netkit address.
+        Postings to netnews or mailing lists will not be seen due to the 
+        enormous volume. Also, anything that doesn't get filed in the bug
+        database is quite likely to end up forgotten.
+
+        Please don't report known bugs (see the BUGS file(s)) unless you
+        are including fixes. :-)
+
+        Mail should be sent to: netbug@ftp.uk.linux.org
+
+
+Early in April 2000, a hacker broke into the machine that was hosting
+the netkit bug database for me and trashed it. Unfortunately, it seems
+backups hadn't gotten done for a while, so three months of mail (since
+mid-January) was lost. So, if you sent something and didn't hear back,
+or you sent something, heard back, but the changes failed to appear in
+this release (unlikely but possible) - please resend.
+
+Please see http://www.hcs.harvard.edu/~dholland/computers/netkit.html
+if you are curious why it was so long between the 0.10 and 0.16 releases.
+
+Future plans for netkit maintenance are still up in the air, but in the
+meantime new releases will still appear from time to time. I don't have
+a whole lot of cycles to spare to work on netkit, so things are likely
+to continue to be fairly slow.
+
+David A. Holland
+23 July 2000
diff --git a/exploits/7350855-netkit/netkit-telnet-0.17/configure b/exploits/7350855-netkit/netkit-telnet-0.17/configure
new file mode 100644
index 0000000..eb04933
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.17/configure
@@ -0,0 +1,572 @@
+#!/bin/sh
+#
+# This file was generated by confgen version 2.
+# Do not edit.
+#
+
+PREFIX='/usr'
+#EXECPREFIX='$PREFIX'
+INSTALLROOT=''
+BINMODE='755'
+#DAEMONMODE='$BINMODE'
+MANMODE='644'
+
+while [ x$1 != x ]; do case $1 in
+
+        --help)
+        cat <<EOF
+Usage: configure [options]
+    --help                Show this message
+    --with-debug          Enable debugging
+    --prefix=path         Prefix for location of files [/usr]
+    --exec-prefix=path    Location for arch-depedent files [prefix]
+    --installroot=root    Top of filesystem tree to install in [/]
+    --binmode=mode        Mode for binaries [755]
+    --daemonmode=mode     Mode for daemon binaries [same as binmode]
+    --manmode=mode        Mode for manual pages [644]
+    --with-c-compiler=cc  Program for compiling C source [guessed]
+    --with-c++-compiler=cc Program for compiling C++ source [guessed]
+EOF
+        exit 0;;
+        --verbose) ;;
+        --quiet) ;;
+
+        --subdir) . ../configure.defs;;
+
+        --with-debug|--debug) DEBUG=1;;
+        --prefix=*) PREFIX=`echo $1 | sed 's/^[^=]*=//'` ;;
+        --exec-prefix=*) EXECPREFIX=`echo $1 | sed 's/^[^=]*=//'` ;;
+        --installroot=*) INSTALLROOT=`echo $1 | sed 's/^[^=]*=//'` ;;
+        --binmode=*) BINMODE=`echo $1 | sed 's/^[^=]*=//'` ;;
+        --daemonmode=*) DAEMONMODE=`echo $1 | sed 's/^[^=]*=//'` ;;
+        --manmode=*) MANMODE=`echo $1 | sed 's/^[^=]*=//'` ;;
+        --with-c-compiler=*) CC=`echo $1 | sed 's/^[^=]*=//'` ;;
+        --with-c++-compiler=*) CXX=`echo $1 | sed 's/^[^=]*=//'` ;;
+        *) echo "Unrecognized option: $1"; exit 1;;
+esac 
+shift
+done
+
+if [ x$EXECPREFIX = x ]; then 
+        EXECPREFIX="$PREFIX"
+fi
+
+if [ x$DAEMONMODE = x ]; then 
+        DAEMONMODE="$BINMODE"
+fi
+
+BINDIR="$EXECPREFIX/bin"
+SBINDIR="$EXECPREFIX/sbin"
+MANDIR="$PREFIX/man"
+
+echo "Directories: $BINDIR $SBINDIR $MANDIR "
+
+if [ x$INSTALLROOT != x ]; then
+    echo "Installing in chroot tree rooted at $INSTALLROOT"
+fi
+
+##################################################
+
+WARNINGS='-Wall -W -Wpointer-arith -Wbad-function-cast -Wcast-qual -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations -Wnested-externs -Winline '
+
+cat << EOF > __conftest.c
+    int main() { int class=0; return class; }
+EOF
+
+if [ x"$CC" = x ]; then
+    echo -n 'Looking for a C compiler... '
+    for TRY in egcs gcc g++ CC c++ cc; do
+       (
+           $TRY __conftest.c -o __conftest || exit 1;
+           ./__conftest || exit 1;
+       ) >/dev/null 2>&1 || continue;
+       CC=$TRY
+       break;
+    done
+    if [ x"$CC" = x ]; then
+        echo 'failed.'
+        echo 'Cannot find a C compiler. Run configure with --with-c-compiler.'
+        rm -f __conftest*
+        exit
+    fi
+    echo "$CC"
+else
+    echo -n 'Checking if C compiler works... '
+    if (
+          $CC __conftest.c -o __conftest || exit 1
+          ./__conftest || exit 1
+       ) >/dev/null 2>&1; then
+         echo 'yes'
+     else
+         echo 'no'
+         echo 'Compiler '"$CC"' does not exist or cannot compile C; try another.'
+         rm -f __conftest*
+         exit
+     fi
+fi
+
+echo -n "Checking if $CC accepts gcc warnings... "
+if (
+    $CC $WARNINGS __conftest.c -o __conftest || exit 1
+   ) >/dev/null 2>&1; then
+     echo 'yes'
+     CC_WARNINGS=1
+else
+     echo 'no'
+fi
+
+cat << EOF > __conftest.cc
+    template <class T> class fnord { public: T x; fnord(T y) { x=y; }};
+    int main() { fnord<int> *a = new fnord<int>(0); return a->x; }
+EOF
+
+if [ x"$CXX" = x ]; then
+    echo -n 'Looking for a C++ compiler... '
+    for TRY in egcs gcc g++ CC c++ cc; do
+       (
+           $TRY __conftest.cc -o __conftest || exit 1;
+           ./__conftest || exit 1;
+       ) >/dev/null 2>&1 || continue;
+       CXX=$TRY
+       break;
+    done
+    if [ x"$CXX" = x ]; then
+        echo 'failed.'
+        echo 'Cannot find a C++ compiler. Run configure with --with-cpp-compiler.'
+        rm -f __conftest*
+        exit
+    fi
+    echo "$CXX"
+else
+    echo -n 'Checking if C++ compiler works... '
+    if (
+          $CXX __conftest.cc -o __conftest || exit 1
+          ./__conftest || exit 1
+       ) >/dev/null 2>&1; then
+         echo 'yes'
+     else
+         echo 'no'
+         echo 'Compiler '"$CXX"' does not exist or cannot compile C++; try another.'
+         rm -f __conftest*
+         exit
+     fi
+fi
+
+echo -n "Checking if $CXX accepts gcc warnings... "
+if (
+    $CXX $WARNINGS __conftest.cc -o __conftest || exit 1
+   ) >/dev/null 2>&1; then
+     echo 'yes'
+     CXX_WARNINGS=1
+else
+     echo 'no'
+fi
+
+if [ x$DEBUG = x ]; then
+    echo -n "Checking if $CC accepts -O2... "
+    if (
+         $CC -O2 __conftest.c -o __conftest
+       ) >/dev/null 2>&1; then
+         echo 'yes'
+         CFLAGS="$CFLAGS -O2"
+    else
+         echo 'no'
+         echo -n "Checking if $CC accepts -O... "
+         if (
+              $CC -O __conftest.c -o __conftest
+            ) >/dev/null 2>&1; then
+              echo 'yes'
+              CFLAGS="$CFLAGS -O"
+         else
+              echo 'no'
+         fi
+    fi
+
+else
+    echo -n "Checking if $CC accepts -g... "
+    if (
+         $CC -g __conftest.c -o __conftest
+       ) >/dev/null 2>&1; then
+         echo 'yes'
+         CFLAGS="$CFLAGS -g"
+    else
+         echo 'no'
+    fi
+
+fi
+
+if [ x"$CC" != x"$CXX" ]; then
+    if [ x$DEBUG = x ]; then
+        echo -n "Checking if $CXX accepts -O2... "
+        if (
+             $CXX -O2 __conftest.cc -o __conftest
+           ) >/dev/null 2>&1; then
+             echo 'yes'
+             CXXFLAGS="$CXXFLAGS -O2"
+        else
+             echo 'no'
+             echo -n "Checking if $CXX accepts -O... "
+             if (
+                  $CXX -O __conftest.cc -o __conftest
+                ) >/dev/null 2>&1; then
+                  echo 'yes'
+                  CXXFLAGS="$CXXFLAGS -O"
+             else
+                  echo 'no'
+             fi
+        fi
+
+    else
+        echo -n "Checking if $CXX accepts -g... "
+        if (
+             $CXX -g __conftest.cc -o __conftest
+           ) >/dev/null 2>&1; then
+             echo 'yes'
+             CXXFLAGS="$CXXFLAGS -g"
+        else
+             echo 'no'
+        fi
+
+    fi
+else
+    CXXFLAGS="$CFLAGS"
+fi
+echo -n "Checking if $CXX accepts -fno-rtti... "
+if (
+     $CXX -fno-rtti __conftest.cc -o __conftest
+   ) >/dev/null 2>&1; then
+     echo 'yes'
+     CXXFLAGS="$CXXFLAGS -fno-rtti"
+else
+     echo 'no'
+fi
+
+echo -n "Checking if $CXX accepts -fno-exceptions... "
+if (
+     $CXX -fno-exceptions __conftest.cc -o __conftest
+   ) >/dev/null 2>&1; then
+     echo 'yes'
+     CXXFLAGS="$CXXFLAGS -fno-exceptions"
+else
+     echo 'no'
+fi
+
+
+LDFLAGS=
+LIBS=
+
+rm -f __conftest*
+
+##################################################
+
+echo -n 'Checking for BSD signal semantics... '
+cat <<EOF >__conftest.cc
+#include <unistd.h>
+#include <signal.h>
+int count=0;
+void handle(int foo) { count++; }
+int main() {
+    int pid=getpid();
+    signal(SIGINT, handle);
+    kill(pid,SIGINT);
+    kill(pid,SIGINT);
+    kill(pid,SIGINT);
+    if (count!=3) return 1;
+    return 0;
+}
+
+EOF
+if (
+      $CXX $CXXFLAGS  __conftest.cc  -o __conftest || exit 1
+      ./__conftest || exit 1
+   ) >/dev/null 2>&1; then
+    echo 'yes'
+else
+    if (
+          $CXX $CXXFLAGS -D__USE_BSD_SIGNAL __conftest.cc  -o __conftest || exit 1
+          ./__conftest || exit 1
+       ) >/dev/null 2>&1; then
+        echo '-D__USE_BSD_SIGNAL'
+        CFLAGS="$CFLAGS -D__USE_BSD_SIGNAL"
+        CXXFLAGS="$CXXFLAGS -D__USE_BSD_SIGNAL"
+    else
+        echo 'no'
+        echo 'This package needs BSD signal semantics to run.'
+        rm -f __conftest*
+        exit
+    fi
+fi
+rm -f __conftest*
+
+##################################################
+
+echo -n 'Checking for ncurses... '
+cat <<EOF >__conftest.cc
+#include <stdio.h>
+#include <curses.h>
+#ifndef KEY_DOWN
+syntax error. /* not ncurses */
+#endif
+int main() {
+    endwin();
+    return 0;
+}
+
+EOF
+if (
+      $CXX $CXXFLAGS  __conftest.cc -lncurses -o __conftest || exit 1
+   ) >/dev/null 2>&1; then
+    echo 'yes'
+    NCURSES=1
+else
+    if (
+          $CXX $CXXFLAGS -I/usr/include/ncurses __conftest.cc -lncurses -o __conftest || exit 1
+       ) >/dev/null 2>&1; then
+        echo '-I/usr/include/ncurses'
+        CFLAGS="$CFLAGS -I/usr/include/ncurses"
+        CXXFLAGS="$CXXFLAGS -I/usr/include/ncurses"
+        NCURSES=1
+    else
+        echo 'no'
+    fi
+fi
+
+if [ x$NCURSES != x ]; then
+    LIBTERMCAP=-lncurses
+else
+    echo -n 'Checking for traditional termcap... '
+cat <<EOF >__conftest.cc
+#include <stdio.h>
+#include <termcap.h>
+int main() {
+    tgetent(NULL, NULL); return 0;
+}
+
+EOF
+    if (
+          $CXX $CXXFLAGS  __conftest.cc -ltermcap -o __conftest || exit 1
+       ) >/dev/null 2>&1; then
+        echo '-ltermcap'
+        LIBTERMCAP=-ltermcap
+    else
+        echo 'not found'
+        echo 'This package needs termcap to run.'
+        rm -f __conftest*
+        exit
+    fi
+fi
+rm -f __conftest*
+
+##################################################
+
+echo -n 'Checking for GNU libc... '
+cat <<EOF >__conftest.cc
+#include <stdio.h>
+#if defined(__GLIBC__) && (__GLIBC__ >= 2)
+int tester;
+#endif
+int main() { tester=6; return 0; }
+
+EOF
+if (
+      $CXX $CXXFLAGS  __conftest.cc  -o __conftest || exit 1
+   ) >/dev/null 2>&1; then
+    echo 'yes'
+    USE_GLIBC=1
+else
+    echo 'no'
+fi
+rm -f __conftest*
+
+##################################################
+
+echo -n 'Checking for forkpty... '
+cat <<EOF >__conftest.cc
+#include <pty.h>
+int main() { forkpty(0, 0, 0, 0); }
+
+EOF
+if (
+      $CXX $CXXFLAGS  __conftest.cc  -o __conftest || exit 1
+   ) >/dev/null 2>&1; then
+    echo 'yes'
+else
+    if (
+          $CXX $CXXFLAGS  __conftest.cc -lutil -o __conftest || exit 1
+       ) >/dev/null 2>&1; then
+        echo '-lutil'
+        LIBS="$LIBS -lutil"
+    else
+        if (
+              $CXX $CXXFLAGS  __conftest.cc -lbsd -o __conftest || exit 1
+           ) >/dev/null 2>&1; then
+            echo '-lbsd'
+            LIBBSD="-lbsd"
+        else
+            echo 'no'
+            echo 'This package requires forkpty.'
+            rm -f __conftest*
+            exit
+        fi
+    fi
+fi
+rm -f __conftest*
+
+##################################################
+
+echo -n 'Checking for logwtmp... '
+cat <<EOF >__conftest.cc
+#ifdef __cplusplus
+extern "C"
+#endif
+void logwtmp(const char *, const char *, const char *);
+int main() { logwtmp(0, 0, 0); }
+
+EOF
+if (
+      $CXX $CXXFLAGS  __conftest.cc  -o __conftest || exit 1
+   ) >/dev/null 2>&1; then
+    echo 'yes'
+else
+    if (
+          $CXX $CXXFLAGS  __conftest.cc -lutil -o __conftest || exit 1
+       ) >/dev/null 2>&1; then
+        echo '-lutil'
+        LIBS="$LIBS -lutil"
+    else
+        if (
+              $CXX $CXXFLAGS  __conftest.cc -lbsd -o __conftest || exit 1
+           ) >/dev/null 2>&1; then
+            echo '-lbsd'
+            LIBBSD="-lbsd"
+        else
+            echo 'no'
+            echo 'This package requires logwtmp.'
+            rm -f __conftest*
+            exit
+        fi
+    fi
+fi
+rm -f __conftest*
+
+##################################################
+
+echo -n 'Checking for snprintf declaration... '
+cat <<EOF >__conftest.cc
+#include <stdio.h>
+int main() {
+    void *x = (void *)snprintf;
+    printf("%lx", (long)x);
+    return 0;
+}
+
+EOF
+if (
+      $CXX $CXXFLAGS  __conftest.cc  -o __conftest || exit 1
+   ) >/dev/null 2>&1; then
+    echo 'ok'
+else
+    if (
+          $CXX $CXXFLAGS -D_GNU_SOURCE __conftest.cc  -o __conftest || exit 1
+          ./__conftest || exit 1
+       ) >/dev/null 2>&1; then
+        echo '-D_GNU_SOURCE'
+        CFLAGS="$CFLAGS -D_GNU_SOURCE"
+        CXXFLAGS="$CXXFLAGS -D_GNU_SOURCE"
+    else
+        echo 'manual'
+        CFLAGS="$CFLAGS -DDECLARE_SNPRINTF"
+        CXXFLAGS="$CXXFLAGS -DDECLARE_SNPRINTF"
+    fi
+fi
+rm -f __conftest*
+
+echo -n 'Checking for snprintf implementation... '
+cat <<EOF >__conftest.cc
+#include <stdio.h>
+#include <string.h>
+#ifdef DECLARE_SNPRINTF
+#ifdef __cplusplus
+extern "C"
+#endif /*__cplusplus*/
+int snprintf(char *, int, const char *, ...);
+#endif /*DECLARE_SNPRINTF*/
+int main() {
+    char buf[32];
+    snprintf(buf, 8, "%s", "1234567890");
+    if (strlen(buf)!=7) return 1;
+    return 0;
+}
+
+EOF
+if (
+      $CXX $CXXFLAGS  __conftest.cc $LIBBSD -o __conftest || exit 1
+      ./__conftest || exit 1
+   ) >/dev/null 2>&1; then
+    echo 'ok'
+else
+    if (
+          $CXX $CXXFLAGS  __conftest.cc -lsnprintf $LIBBSD -o __conftest || exit 1
+          ./__conftest || exit 1
+       ) >/dev/null 2>&1; then
+        echo '-lsnprintf'
+        LIBS="$LIBS -lsnprintf"
+    else
+        if (
+              $CXX $CXXFLAGS  __conftest.cc -ldb $LIBBSD -o __conftest || exit 1
+              ./__conftest || exit 1
+           ) >/dev/null 2>&1; then
+            echo '-ldb'
+            LIBS="$LIBS -ldb"
+        else
+            echo 'missing'
+            echo 'This package requires snprintf.'
+            rm -f __conftest*
+            exit
+        fi
+    fi
+fi
+rm -f __conftest*
+
+##################################################
+
+## libbsd should go last in case it's broken
+if [ "x$LIBBSD" != x ]; then
+    LIBS="$LIBS $LIBBSD"
+fi
+
+echo 'Generating MCONFIG...'
+(
+    echo -n '# Generated by configure (confgen version 2) on '
+    date
+    echo '#'
+    echo
+
+    echo "BINDIR=$BINDIR"
+    echo "SBINDIR=$SBINDIR"
+    echo "MANDIR=$MANDIR"
+    echo "BINMODE=$BINMODE"
+    echo "DAEMONMODE=$DAEMONMODE"
+    echo "MANMODE=$MANMODE"
+    echo "PREFIX=$PREFIX"
+    echo "EXECPREFIX=$EXECPREFIX"
+    echo "INSTALLROOT=$INSTALLROOT"
+    echo "CC=$CC"
+    echo "CXX=$CXX"
+    if [ x$CC_WARNINGS != x ]; then
+        CFLAGS="$CFLAGS $WARNINGS"
+    fi
+
+    if [ x$CXX_WARNINGS != x ]; then
+        CXXFLAGS="$CXXFLAGS $WARNINGS"
+    fi
+
+    echo "CFLAGS=$CFLAGS" | sed 's/= */=/'
+    echo "CXXFLAGS=$CXXFLAGS" | sed 's/= */=/'
+    echo "LDFLAGS=$LDFLAGS" | sed 's/= */=/'
+    echo "LIBS=$LIBS" | sed 's/= */=/'
+
+    echo "LIBTERMCAP=$LIBTERMCAP"
+    echo "USE_GLIBC=$USE_GLIBC"
+) > MCONFIG
+
diff --git a/exploits/7350855-netkit/netkit-telnet-0.17/debian/changelog b/exploits/7350855-netkit/netkit-telnet-0.17/debian/changelog
new file mode 100644
index 0000000..4bdcc10
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.17/debian/changelog
@@ -0,0 +1,244 @@
+netkit-telnet (0.17-14) unstable; urgency=high
+
+  * Fixed netobuf buffer overflows.
+
+ -- Herbert Xu <herbert@debian.org>  Sat, 11 Aug 2001 17:52:25 +1000
+
+netkit-telnet (0.17-13) unstable; urgency=medium
+
+  * Updated devpts check to include devfs as well.
+
+ -- Herbert Xu <herbert@debian.org>  Sat, 19 May 2001 15:33:41 +1000
+
+netkit-telnet (0.17-12) unstable; urgency=low
+
+  * Added include <sys/time.h> to telnetd/utility.c (closes: #96803).
+
+ -- Herbert Xu <herbert@debian.org>  Wed,  9 May 2001 21:17:12 +1000
+
+netkit-telnet (0.17-11) unstable; urgency=low
+
+  * Added exit 0 to telnetd.postrm (closes: #93934).
+  * Changed misleading help message (closes: #94231).
+
+ -- Herbert Xu <herbert@debian.org>  Sat, 21 Apr 2001 22:52:11 +1000
+
+netkit-telnet (0.17-10) unstable; urgency=low
+
+  * Renamed member printf to xprintf (closes: #91351).
+  * Use new in C++ compiler test (closes: #91353).
+
+ -- Herbert Xu <herbert@debian.org>  Fri, 13 Apr 2001 19:34:12 +1000
+
+netkit-telnet (0.17-9) unstable; urgency=low
+
+  * Fixed path to license file (Christoph Martin, closes: #86476).
+  * Added missing #DEBHELPER# tag to telnet.prerm (Hiroyuki YAMAMORI,
+    closes: #86894).
+  * Only call update-alternatives in prerm if removing or deconfiguring
+    (closes: #87330).
+
+ -- Herbert Xu <herbert@debian.org>  Sun, 25 Feb 2001 00:00:59 +1100
+
+netkit-telnet (0.17-8) unstable; urgency=low
+
+  * Removed remnant of suidregister from telnetd (closes: #85882).
+  * Fixed handling of sockaddr lengths (closes: #86177).
+  * Dynamically allocate editedhost (closes: #86080).
+
+ -- Herbert Xu <herbert@debian.org>  Sat, 17 Feb 2001 12:53:11 +1100
+
+netkit-telnet (0.17-7) unstable; urgency=low
+
+  * Added includes for gcc 2.97 (Randolph Chung, closes: #83337).
+  * Avoid DNS lookups if the address is numerical (closes: #83828).
+  * Added menu hint (closes: #80161).
+
+ -- Herbert Xu <herbert@debian.org>  Mon, 29 Jan 2001 21:10:59 +1100
+
+netkit-telnet (0.17-6) unstable; urgency=low
+
+  * Added menu entry for telnet (closes: #74845).
+
+ -- Herbert Xu <herbert@debian.org>  Sat, 21 Oct 2000 11:08:44 +1100
+
+netkit-telnet (0.17-5) unstable; urgency=low
+
+  * Fixed a memory allocation bug.
+
+ -- Herbert Xu <herbert@debian.org>  Fri, 22 Sep 2000 23:12:57 +1100
+
+netkit-telnet (0.17-4) unstable; urgency=low
+
+  * Relaxed telnetlogin a bit.
+  * Provide telnet-client (closes: #70549).
+
+ -- Herbert Xu <herbert@debian.org>  Sat,  9 Sep 2000 17:42:53 +1100
+
+netkit-telnet (0.17-3) unstable; urgency=low
+
+  * Check for EAFNOSUPPORT after calling socket(2) in telnet.
+  * Added IPv6 support for telnetd.
+
+ -- Herbert Xu <herbert@debian.org>  Sun, 27 Aug 2000 11:28:48 +1100
+
+netkit-telnet (0.17-2) unstable; urgency=low
+
+  * Install telnetlogin ourselves (closes: #69773).
+  * Fixed alternatives typo (closes: #69597).
+
+ -- Herbert Xu <herbert@debian.org>  Wed, 23 Aug 2000 20:01:38 +1000
+
+netkit-telnet (0.17-1) unstable; urgency=low
+
+  * New upstream release.
+  * Applied a modified version of Jason Gunthorpe's IPv6 patch for telnet
+    (closes: #68998).
+  * Read /etc/telnetrc before .telnetrc if it exists.  The idea was from
+    Robert Luberda.  Documented the special hostname DEFAULT (closes: #69113).
+  * Use alternatives for /usr/bin/telnet (closes: #56754).
+
+ -- Herbert Xu <herbert@debian.org>  Sat, 19 Aug 2000 14:06:48 +1000
+
+netkit-telnet (0.16-6) unstable; urgency=low
+
+  * Handle localchars correctly (closes: #66039).
+
+ -- Herbert Xu <herbert@debian.org>  Mon, 26 Jun 2000 15:01:42 +1000
+
+netkit-telnet (0.16-5) unstable; urgency=low
+
+  * Fixed a bug in responses to TTYPE queries where a (null) could be sent
+    instead of the correct terminal type (closes: #63155).
+
+ -- Herbert Xu <herbert@debian.org>  Sat,  6 May 2000 09:42:58 +1000
+
+netkit-telnet (0.16-4) frozen unstable; urgency=low
+
+  * Disabled signal handling that does not work (closes: #62388).  Patches
+    that provide correct signal handling are welcome.
+
+ -- Herbert Xu <herbert@debian.org>  Mon, 24 Apr 2000 16:58:22 +1000
+
+netkit-telnet (0.16-3) frozen unstable; urgency=medium
+
+  * Restored the default to not being 8-bit clean since it breaks SunOS
+    (closes: #60352, #60386).  People who need 8-bit cleanness should use -8.
+  * Made FHS compliant.
+
+ -- Herbert Xu <herbert@debian.org>  Wed, 15 Mar 2000 10:39:00 +1100
+
+netkit-telnet (0.16-2) frozen unstable; urgency=low
+
+  * Recompiled with libncurses5.
+  * Changed the permission of /usr/lib/telnetd/login to 4754 (closes: #58786).
+  * telnet is now 8-bit clean by default since it appeared to be so in slink,
+    albeit unintentionally (closes: #57685).
+
+ -- Herbert Xu <herbert@debian.org>  Sun, 12 Mar 2000 21:10:47 +1100
+
+netkit-telnet (0.16-1) frozen unstable; urgency=low
+
+  * New upstream release with security fixes.
+  * Run as root if devpts is not present.
+
+ -- Herbert Xu <herbert@debian.org>  Thu,  3 Feb 2000 13:42:29 +1100
+
+netkit-telnet (0.14-9) unstable; urgency=low
+
+  * Compile login with -g -O2 -Wall.
+  * Fixed path to default login in in.telnetd(8).
+  * Fixed usage() output (closes: #51498).
+
+ -- Herbert Xu <herbert@debian.org>  Tue, 30 Nov 1999 22:43:39 +1100
+
+netkit-telnet (0.14-8) unstable; urgency=low
+
+  * Call fatalperror() instead of fatal() when getpty() fails.
+  * Delete telnetd group before creating telnetd (closes: #46659).
+
+ -- Herbert Xu <herbert@debian.org>  Tue,  5 Oct 1999 17:52:36 +1000
+
+netkit-telnet (0.14-7) unstable; urgency=low
+
+  * Redirect stderr for group existence check to /dev/null.
+
+ -- Herbert Xu <herbert@debian.org>  Sat, 25 Sep 1999 22:00:31 +1000
+
+netkit-telnet (0.14-6) unstable; urgency=low
+
+  * Check for existence of user/group before removing (fixes #45651).
+
+ -- Herbert Xu <herbert@debian.org>  Tue, 21 Sep 1999 21:07:18 +1000
+
+netkit-telnet (0.14-5) unstable; urgency=low
+
+  * Depend on base-files (>= 2.1.8) for group utmp (fixes #44687).
+
+ -- Herbert Xu <herbert@debian.org>  Sat, 11 Sep 1999 12:53:08 +1000
+
+netkit-telnet (0.14-4) unstable; urgency=low
+
+  * Rebuilt with working fakeroot (fixes #44043, #44044).
+
+ -- Herbert Xu <herbert@debian.org>  Fri,  3 Sep 1999 20:32:28 +1000
+
+netkit-telnet (0.14-3) unstable; urgency=medium
+
+  * telnetd is now a member of utmp (fixes #43543).
+  * Call adduser with --quiet (fixes #43587).
+  * configure now works with egcs 2.95 (fixes #43580, #43747)
+
+ -- Herbert Xu <herbert@debian.org>  Thu,  2 Sep 1999 21:18:06 +1000
+
+netkit-telnet (0.14-2) unstable; urgency=low
+
+  * telnetd now depends on adduser and passwd (fixes #43515).
+
+ -- Herbert Xu <herbert@debian.org>  Thu, 26 Aug 1999 14:49:25 +1000
+
+netkit-telnet (0.14-1) unstable; urgency=low
+
+  * New upstream release.
+  * Installed the login wrapper (fixes #42092).
+  * Reopen logging if necessary (fixes #36149).
+
+ -- Herbert Xu <herbert@debian.org>  Tue, 24 Aug 1999 09:17:24 +1000
+
+netkit-telnet (0.12-6) unstable; urgency=low
+
+  * Applied patch from Matt McLean for openpty support (fixes #35629).
+  * Use glibc versions of logout/logwtmp.
+
+ -- Herbert Xu <herbert@debian.org>  Tue, 29 Jun 1999 14:16:14 +1000
+
+netkit-telnet (0.12-5) unstable; urgency=low
+
+  * Fixed a bug with hostnames longer than 64 characters (fixes #33559).
+
+ -- Herbert Xu <herbert@debian.org>  Tue, 16 Mar 1999 15:24:36 +1100
+
+netkit-telnet (0.12-4) frozen unstable; urgency=low
+
+  * Uploaded to slink.
+
+ -- Herbert Xu <herbert@debian.org>  Sun, 15 Nov 1998 15:04:40 +1100
+
+netkit-telnet (0.12-3) unstable; urgency=low
+
+  * Rebuilt with libncurses4.
+
+ -- Herbert Xu <herbert@debian.org>  Sun,  1 Nov 1998 19:38:49 +1100
+
+netkit-telnet (0.12-2) unstable; urgency=low
+
+  * Rebuilt with libstdc++2.9 (fixes #27789).
+
+ -- Herbert Xu <herbert@debian.org>  Thu, 15 Oct 1998 22:32:04 +1000
+
+netkit-telnet (0.12-1) unstable; urgency=low
+
+  * Initial Release.
+
+ -- Herbert Xu <herbert@debian.org>  Mon, 28 Sep 1998 16:50:43 +1000
+
diff --git a/exploits/7350855-netkit/netkit-telnet-0.17/debian/control b/exploits/7350855-netkit/netkit-telnet-0.17/debian/control
new file mode 100644
index 0000000..69e4a3a
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.17/debian/control
@@ -0,0 +1,25 @@
+Source: netkit-telnet
+Section: net
+Priority: standard
+Maintainer: Herbert Xu <herbert@debian.org>
+Standards-Version: 3.5.6
+Build-Depends: debhelper, libncurses-dev
+
+Package: telnet
+Architecture: any
+Depends: ${shlibs:Depends}
+Replaces: netstd
+Provides: telnet-client
+Description: The telnet client.
+ The telnet command is used for interactive communication with another host
+ using the TELNET protocol.
+
+Package: telnetd
+Architecture: any
+Priority: optional
+Depends: adduser, base-files (>= 2.1.8), dpkg (>= 1.7.0), netbase, passwd, ${shlibs:Depends}
+Replaces: netstd
+Conflicts: suidmanager (<< 0.50)
+Description: The telnet server.
+ The in.telnetd program is a server which supports the DARPA telnet interactive
+ communication protocol.
diff --git a/exploits/7350855-netkit/netkit-telnet-0.17/debian/copyright b/exploits/7350855-netkit/netkit-telnet-0.17/debian/copyright
new file mode 100644
index 0000000..35d61af
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.17/debian/copyright
@@ -0,0 +1,18 @@
+This package was split from netstd by Herbert Xu herbert@debian.org on
+Mon, 28 Sep 1998 16:50:43 +1000.
+
+netstd was created by Peter Tobias tobias@et-inf.fho-emden.de on
+Wed, 20 Jul 1994 17:23:21 +0200.
+
+It was downloaded from ftp://ftp.uk.linux.org/pub/linux/Networking/netkit/.
+
+Copyright:
+
+Copyright (c) 1988, 1993 The Regents of the University of California.
+Copyright (c) 1995 David A. Holland
+Copyright (c) 1994 Peter Tobias (issue.net(5))
+Copyright (c) 1983, 1995 Eric P. Allman (setproctitle.[ch])
+
+The license can be found at /usr/share/common-licenses/BSD.
+
+$Id: copyright,v 1.4 2001/02/18 20:28:33 herbert Exp $
diff --git a/exploits/7350855-netkit/netkit-telnet-0.17/debian/dirs b/exploits/7350855-netkit/netkit-telnet-0.17/debian/dirs
new file mode 100644
index 0000000..b078dea
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.17/debian/dirs
@@ -0,0 +1,3 @@
+usr/bin
+usr/share/doc/telnet
+usr/share/man/man1
diff --git a/exploits/7350855-netkit/netkit-telnet-0.17/debian/docs b/exploits/7350855-netkit/netkit-telnet-0.17/debian/docs
new file mode 100644
index 0000000..9632452
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.17/debian/docs
@@ -0,0 +1,2 @@
+BUGS
+README 
diff --git a/exploits/7350855-netkit/netkit-telnet-0.17/debian/menu b/exploits/7350855-netkit/netkit-telnet-0.17/debian/menu
new file mode 100644
index 0000000..f8d50c6
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.17/debian/menu
@@ -0,0 +1,3 @@
+?package(telnet): \
+        needs="text" section="Apps/Net" title="Telnet" command="telnet" \
+        hints="Terminal"
diff --git a/exploits/7350855-netkit/netkit-telnet-0.17/debian/postinst b/exploits/7350855-netkit/netkit-telnet-0.17/debian/postinst
new file mode 100644
index 0000000..9e6119f
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.17/debian/postinst
@@ -0,0 +1,8 @@
+#!/bin/sh -e
+# $Id: postinst,v 1.4 2000/08/23 10:08:42 herbert Exp $
+
+update-alternatives --install /usr/bin/telnet telnet /usr/bin/telnet.netkit \
+                    100 --slave /usr/share/man/man1/telnet.1.gz telnet.1.gz \
+                                /usr/share/man/man1/telnet.netkit.1.gz
+
+#DEBHELPER#
diff --git a/exploits/7350855-netkit/netkit-telnet-0.17/debian/prerm b/exploits/7350855-netkit/netkit-telnet-0.17/debian/prerm
new file mode 100644
index 0000000..5d58010
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.17/debian/prerm
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+if [ "$1" = remove ] || [ "$1" = deconfigure ]; then
+        update-alternatives --remove telnet /usr/bin/telnet.netkit
+fi
+
+#DEBHELPER#
diff --git a/exploits/7350855-netkit/netkit-telnet-0.17/debian/rules b/exploits/7350855-netkit/netkit-telnet-0.17/debian/rules
new file mode 100644
index 0000000..ebbb79b
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.17/debian/rules
@@ -0,0 +1,85 @@
+#!/usr/bin/make -f
+# $Id: rules,v 1.11 2001/01/28 11:03:24 herbert Exp $
+# Sample debian/rules that uses debhelper. GNU copyright 1997 by Joey Hess.
+
+# Uncomment this to turn on verbose mode.
+#export DH_VERBOSE=1
+
+build: build-stamp
+build-stamp:
+        dh_testdir
+
+        if [ ! -f MCONFIG ]; then \
+                ./configure; \
+                sed -e 's/^CFLAGS=\(.*\)$$/CFLAGS= -Ddebian -D_GNU_SOURCE -g \1/' \
+                    -e 's/^CXXFLAGS=\(.*\)$$/CXXFLAGS= -Ddebian -D_GNU_SOURCE -g \1/' \
+                    MCONFIG > MCONFIG.new; \
+                mv MCONFIG.new MCONFIG; \
+        fi
+        $(MAKE)
+
+        touch build-stamp
+
+clean:
+        dh_testdir
+        dh_testroot
+        rm -f build-stamp install-stamp
+
+        -$(MAKE) distclean
+
+        dh_clean
+
+install: install-stamp
+install-stamp: build-stamp
+        dh_testdir
+        dh_testroot
+        dh_clean -k
+        dh_installdirs
+
+        $(MAKE) -C telnet INSTALLROOT=`pwd`/debian/tmp MANDIR=/usr/share/man \
+                install
+        mv debian/tmp/usr/bin/telnet debian/tmp/usr/bin/telnet.netkit
+        mv debian/tmp/usr/share/man/man1/telnet.1 \
+           debian/tmp/usr/share/man/man1/telnet.netkit.1
+        cp telnet/README debian/tmp/usr/share/doc/telnet/README.telnet
+        cp telnet/README.old debian/tmp/usr/share/doc/telnet/README.telnet.old
+        $(MAKE) -C telnetd INSTALLROOT=`pwd`/debian/telnetd \
+                MANDIR=/usr/share/man install
+        cp telnetlogin/telnetlogin.8 debian/telnetd/usr/share/man/man8
+        cp telnetlogin/telnetlogin debian/telnetd/usr/lib
+
+        touch install-stamp
+
+# Build architecture-independent files here.
+binary-indep: build install
+# We have nothing to do by default.
+
+# Build architecture-dependent files here.
+binary-arch: build install
+#       dh_testversion
+        dh_testdir
+        dh_testroot
+        dh_installdocs
+        dh_installexamples
+        dh_installmenu
+#       dh_installemacsen
+#       dh_installinit
+        dh_installcron
+#       dh_installmanpages
+#       dh_undocumented
+        dh_installchangelogs ChangeLog
+        dh_strip
+        dh_compress
+        dh_fixperms
+        dh_installdeb
+        dh_shlibdeps
+        dh_gencontrol
+#       dh_makeshlibs
+        dh_md5sums
+        dh_builddeb
+
+source diff:                                                                  
+        @echo >&2 'source and diff are obsolete - use dpkg-source -b'; false
+
+binary: binary-indep binary-arch
+.PHONY: build clean binary-indep binary-arch binary
diff --git a/exploits/7350855-netkit/netkit-telnet-0.17/debian/telnetd.dirs b/exploits/7350855-netkit/netkit-telnet-0.17/debian/telnetd.dirs
new file mode 100644
index 0000000..710b719
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.17/debian/telnetd.dirs
@@ -0,0 +1,4 @@
+usr/lib
+usr/share/man/man5
+usr/share/man/man8
+usr/sbin
diff --git a/exploits/7350855-netkit/netkit-telnet-0.17/debian/telnetd.docs b/exploits/7350855-netkit/netkit-telnet-0.17/debian/telnetd.docs
new file mode 100644
index 0000000..9632452
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.17/debian/telnetd.docs
@@ -0,0 +1,2 @@
+BUGS
+README 
diff --git a/exploits/7350855-netkit/netkit-telnet-0.17/debian/telnetd.postinst b/exploits/7350855-netkit/netkit-telnet-0.17/debian/telnetd.postinst
new file mode 100644
index 0000000..48c3981
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.17/debian/telnetd.postinst
@@ -0,0 +1,57 @@
+#!/bin/sh -e
+# $Id: telnetd.postinst,v 1.13 2001/05/19 05:34:26 herbert Exp $
+
+update_inetd_entry() {
+        if [ $2 ]; then
+                update-inetd --remove "$rootent"
+                update-inetd --group STANDARD --add "$telnetdent"
+        else
+                update-inetd --remove "$telnetdent"
+                update-inetd --group STANDARD --add "$rootent"
+        fi
+}
+
+if ! id -u telnetd >/dev/null 2>&1; then
+        if sg telnetd -c true 2>/dev/null; then
+                adduser --quiet --system --ingroup telnetd \
+                        --home /usr/lib/telnetd telnetd
+        else
+                adduser --quiet --system --group --home /usr/lib/telnetd \
+                        telnetd
+        fi
+        adduser --quiet --system --group --home /usr/lib/telnetd telnetd
+fi
+adduser --quiet telnetd utmp
+
+if [ -z "$(dpkg-statoverride --list /usr/lib/telnetlogin)" ]; then
+        chown root.telnetd /usr/lib/telnetlogin
+        chmod 4754 /usr/lib/telnetlogin
+fi
+
+rootent="telnet         stream  tcp     nowait  root    /usr/sbin/tcpd  /usr/sbin/in.telnetd"
+telnetdent="telnet              stream  tcp     nowait  telnetd.telnetd /usr/sbin/tcpd  /usr/sbin/in.telnetd"
+
+if egrep -q "^(devpts /dev/pts|devfs /dev) " /proc/mounts; then
+        devpts=yes
+else
+        devpts=
+fi
+
+case "$1" in
+abort-upgrade | abort-deconfigure | abort-remove)
+        update-inetd --enable telnet
+        ;;
+configure)
+        if [ -z "$2" ] || dpkg --compare-versions "$2" lt 0.17-13; then
+                update_inetd_entry "$2" $devpts
+        else
+                update-inetd --enable telnet
+        fi
+        ;;
+*)
+        printf "$0: incorrect arguments: $*\n" >&2
+        exit 1
+        ;;
+esac
+
+#DEBHELPER#
diff --git a/exploits/7350855-netkit/netkit-telnet-0.17/debian/telnetd.postrm b/exploits/7350855-netkit/netkit-telnet-0.17/debian/telnetd.postrm
new file mode 100644
index 0000000..2178a8c
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.17/debian/telnetd.postrm
@@ -0,0 +1,25 @@
+#!/bin/sh -e
+# $Id: telnetd.postrm,v 1.9 2001/04/14 07:02:13 herbert Exp $
+
+case "$1" in
+abort-install | abort-upgrade | upgrade | failed-upgrade)
+        ;;
+remove | disappear)
+        id telnetd > /dev/null 2>&1 && userdel telnetd
+        sg telnetd -c true 2> /dev/null && groupdel telnetd
+        ;;
+purge)
+        # If netbase is not installed, then we don't need to do the remove.
+        if command -v update-inetd >/dev/null 2>&1; then
+                update-inetd --remove "telnet   .*      /usr/sbin/in.telnetd"
+        fi
+        ;;
+*)
+        echo "$0: incorrect arguments: $*" >&2
+        exit 1
+        ;;
+esac
+
+#DEBHELPER#
+
+exit 0
diff --git a/exploits/7350855-netkit/netkit-telnet-0.17/debian/telnetd.prerm b/exploits/7350855-netkit/netkit-telnet-0.17/debian/telnetd.prerm
new file mode 100644
index 0000000..0d344ed
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.17/debian/telnetd.prerm
@@ -0,0 +1,6 @@
+#!/bin/sh -e
+# $Id: telnetd.prerm,v 1.3 2001/03/15 20:38:36 herbert Exp $
+
+update-inetd --disable telnet
+
+#DEBHELPER#
diff --git a/exploits/7350855-netkit/netkit-telnet-0.17/pty-hang.patch b/exploits/7350855-netkit/netkit-telnet-0.17/pty-hang.patch
new file mode 100644
index 0000000..850f4b9
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.17/pty-hang.patch
@@ -0,0 +1,99 @@
+From whawes@star.net Sun May 25 11:17:36 1997
+Received: from venus.star.net (root@venus.star.net [199.232.114.5]) by hcs.harvard.edu (8.8.5/8.8.3) with ESMTP id LAA15293 for <dholland@hcs.harvard.edu>; Sun, 25 May 1997 11:17:35 -0400 (EDT)
+Received: from hawes (bos221p.star.net [199.232.112.221]) by venus.star.net (8.8.5/8.7.3) with ESMTP id LAA29775; Sun, 25 May 1997 11:17:08 -0400
+Message-ID: <33885894.B2043F5E@star.net>
+Date: Sun, 25 May 1997 11:19:48 -0400
+From: Bill Hawes <whawes@star.net>
+X-Mailer: Mozilla 4.0b3 [en] (WinNT; I)
+MIME-Version: 1.0
+To: David Holland <dholland@hcs.harvard.edu>,
+        Alan Cox <net-patches@lxorguk.ukuu.org.uk>,
+        Peter Tobias <tobias@server.et-inf.fho-emden.de>,
+        "Theodore Ts'o" <tytso@MIT.EDU>
+Subject: kernel patch to fix telnetd deadlock
+X-Priority: 3 (Normal)
+Content-Type: multipart/mixed; boundary="------------B47A35BD86775A5D9DA0F308"
+Status: RO
+
+This is a multi-part message in MIME format.
+--------------B47A35BD86775A5D9DA0F308
+Content-Type: text/plain; charset=us-ascii
+Content-Transfer-Encoding: 7bit
+
+Attached is a patch for drivers/char/n_tty.c that fixes the telnetd
+deadlock when more than 256 chars are typed without a newline.  With
+this patch in place, the total of typed-ahead and entered commands is
+still limited to 256 chars, but telnetd comes back to life when the
+buffer is emptied.
+
+Here's what the problem was:
+telnetd does a select() on the master side of a pty to see when it's
+safe to write a character without blocking.
+
+The N_TTY line discipline select() calls the pty driver's
+chars_in_buffer() function to see how many characters are buffered.
+If there are more than 256, the caller has to wait.
+
+The pty driver.chars_in_buffer calls the other side's ldisc
+chars_in_buffer() function.  Here's where the problem arises: the slave
+pty is in canonical mode, so that no characters can be read until a
+newline is entered.  But the n_tty_chars_in_buffer was returning the
+full number of characters entered, even if no newline had been entered. 
+Hence after 256 characters were typed, select() makes telnetd wait, and
+the newline can never arrive.
+
+The patch corrects n_tty_chars_in_buffer() by checking for canonical
+mode and returning 0 if no data is available to be read.
+
+I've tested this on 2.0.30, and it should apply to 2.1.40 as well.
+Please check it out and forward it as you see wish.
+
+I'm working on a patch for pty.c to allow a greater amount of type-ahead
+while still avoiding a deadlock.
+
+Regards,
+Bill Hawes
+--------------B47A35BD86775A5D9DA0F308
+Content-Type: text/plain; charset=us-ascii; name="n_tty-chars-patch"
+Content-Transfer-Encoding: 7bit
+Content-Disposition: inline; filename="n_tty-chars-patch"
+
+--- drivers/char/n_tty.c.old    Mon Sep  2 08:18:26 1996
++++ drivers/char/n_tty.c        Sun May 25 10:10:29 1997
+@@ -86,10 +86,31 @@
+ 
+ /*
+  * Return number of characters buffered to be delivered to user
++ *     WSH 05/20/97: Added check for canonical mode
++ *     In canonical mode, no characters are available to be read until 
++ *     the first newline has been entered.  (Any characters in the buffer
++ *     may yet be erased ...)
++ *
++ *     This was causing a deadlock in telnetd: select() thought the buffer
++ *      was already too full, so telnetd couldn't send a newline, but the
++ *      slave PTY couldn't read anything because there was no newline.
+  */
+ int n_tty_chars_in_buffer(struct tty_struct *tty)
+ {
+-       return tty->read_cnt;
++       /* Check first for canonical mode ... */
++       if (tty->icanon) {
++               if (!tty->canon_data) return 0;
++
++               /* Would prefer to just fall through and return the true
++                * count, but that could still cause deadlocks until some
++                * other routines are patched.  For now, calculate the
++                * characters actually available for reading.
++                */
++               return (tty->canon_head > tty->read_tail) ?
++                       tty->canon_head - tty->read_tail :
++                       tty->canon_head + (N_TTY_BUF_SIZE - tty->read_tail);
++       }
++       return tty->read_cnt; /* all characters available */ 
+ }
+ 
+ /*
+
+--------------B47A35BD86775A5D9DA0F308--
+
+
diff --git a/exploits/7350855-netkit/netkit-telnet-0.17/telnet/Makefile b/exploits/7350855-netkit/netkit-telnet-0.17/telnet/Makefile
new file mode 100644
index 0000000..70246fe
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.17/telnet/Makefile
@@ -0,0 +1,30 @@
+all: telnet
+
+include ../MCONFIG
+include ../MRULES
+
+#CXXFLAGS:=$(patsubst -O2, -g, $(CXXFLAGS))
+
+# -DAUTHENTICATE
+CXXFLAGS += -DUSE_TERMIO -DKLUDGELINEMODE
+LIBS = $(LIBTERMCAP)
+
+SRCS = commands.cc main.cc network.cc ring.cc sys_bsd.cc telnet.cc \
+        terminal.cc tn3270.cc utilities.cc genget.cc environ.cc netlink.cc
+
+OBJS = $(patsubst %.cc, %.o, $(SRCS))
+
+telnet: $(OBJS)
+        $(CXX) $(LDFLAGS) $^ $(LIBS) -o $@
+
+include depend.mk
+depend:
+        $(CXX) $(CXXFLAGS) -MM $(SRCS) >depend.mk
+
+install: telnet
+        install -s -m$(BINMODE) telnet $(INSTALLROOT)$(BINDIR)
+        install -m$(MANMODE) telnet.1 $(INSTALLROOT)$(MANDIR)/man1
+
+clean:
+        rm -f *.o telnet
+
diff --git a/exploits/7350855-netkit/netkit-telnet-0.17/telnet/README b/exploits/7350855-netkit/netkit-telnet-0.17/telnet/README
new file mode 100644
index 0000000..cd18f9a
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.17/telnet/README
@@ -0,0 +1,26 @@
+
+Telnet has been massively hacked up for this release. 
+
+It presently requires a C++ compiler (gcc 2.7.2 or higher
+recommended), but not libg++ or libstdc++. That is, unless you went to
+special effort to not install the C++ compiler when you installed gcc,
+you'll be fine.
+
+Large amounts of further hacking are expected. If you're interested in
+working on it, please contact me, as diffs are likely to become
+useless very quickly.
+
+Support for assorted old/broken systems has been dropped.  Some such
+support may be reinstated in the future once the code has been cleaned
+up sufficiently. On the other hand, it may not.
+
+Known bugs/shortcomings at this point:
+
+        - Under some circumstances it can theoretically encounter a
+          buffer overflow condition and drop data on the floor. If
+          anyone actually observes this ``in the wild'' I'd appreciate
+          knowing the circumstances. I'm also not convinced the old
+          behavior was any better.
+        - Various of the debug/trace modes don't work. This probably
+          doesn't matter to anyone not actually coding on it.
+
diff --git a/exploits/7350855-netkit/netkit-telnet-0.17/telnet/README.old b/exploits/7350855-netkit/netkit-telnet-0.17/telnet/README.old
new file mode 100644
index 0000000..086c88f
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.17/telnet/README.old
@@ -0,0 +1,566 @@
+
+
+This is a distribution of both client and server telnet.  These programs
+have been compiled on:
+                        telnet  telnetd
+        BSD 4.3 Reno      X       X
+        UNICOS 5.1        X       X
+        UNICOS 6.0        X       X
+        UNICOS 6.1        X       X
+        UNICOS 7.0        X       X
+        SunOs 3.5         X       X (no linemode in server)
+        SunOs 4.1         X       X (no linemode in server)
+        DYNIX V3.0.17.9   X       X (no linemode in server)
+        Ultrix 3.1        X       X (no linemode in server)
+        Ultrix 4.0        X       X (no linemode in server)
+
+In addition, previous versions have been compiled on the following
+machines, but were not available for testing this version.
+                        telnet  telnetd
+        SunOs 4.0.3c      X       X (no linemode in server)
+        BSD 4.3           X       X (no linemode in server)
+        DYNIX V3.0.12     X       X (no linemode in server)
+
+Februrary 22, 1991:
+
+    Features:
+
+        This version of telnet/telnetd has support for both
+        the AUTHENTICATION and ENCRYPTION options.  The
+        AUTHENTICATION option is fairly well defined, and
+        an option number has been assigned to it.  The
+        ENCRYPTION option is still in a state of flux; an
+        option number has NOT been assigned to it yet.
+        The code is provided in this release for experimental
+        and testing purposes.
+
+        The telnet "send" command can now be used to send
+        do/dont/will/wont commands, with any telnet option
+        name.  The rules for when do/dont/will/wont are sent
+        are still followed, so just because the user requests
+        that one of these be sent doesn't mean that it will
+        be sent...
+
+        The telnet "getstatus" command no longer requires
+        that option printing be enabled to see the response
+        to the "DO STATUS" command.
+
+        A -n flag has been added to telnetd to disable
+        keepalives.
+
+        A new telnet command, "auth" has been added (if
+        AUTHENTICATE is defined).  It has four sub-commands,
+        "status", "debug", "disable", "enable" and "help".
+
+        A new telnet command, "encrypt" has been added (if
+        ENCRYPT is defined).  It has many sub-commands:
+        "enable", "type", "start", "stop", "input",
+        "-input", "output", "-output", "status", "auto",
+        "verbose", "debug", and "help".
+
+        An "rlogin" interface has been added.  If the program
+        is named "rlogin", or the "-r" flag is given, then
+        an rlogin type of interface will be used.
+                ~.      Terminates the session
+                ~<susp> Suspend the session
+                ~^]     Escape to telnet command mode
+                ~~      Pass through the ~.
+            BUG: If you type the rlogin escape character
+                 in the middle of a line while in rlogin
+                 mode, you cannot erase it or any characters
+                 before it.  Hopefully this can be fixed
+                 in a future release...
+
+    General changes:
+
+        A "libtelnet.a" has now been created.  This libraray
+        contains code that is common to both telnet and
+        telnetd.  This is also where library routines that
+        are needed, but are not in the standard C library,
+        are placed.
+
+        The makefiles have been re-done.  All of the site
+        specific configuration information has now been put
+        into a single "Config.generic" file, in the top level
+        directory.  Changing this one file will take care of
+        all three subdirectories.  Also, to add a new/local
+        definition, a "Config.local" file may be created
+        at the top level; if that file exists, the subdirectories
+        will use that file instead of "Config.generic".
+
+        Many 1-2 line functions in commands.c have been
+        removed, and just inserted in-line, or replaced
+        with a macro.
+
+    Bug Fixes:
+
+        The non-termio code in both telnet and telnetd was
+        setting/clearing CTLECH in the sg_flags word.  This
+        was incorrect, and has been changed to set/clear the
+        LCTLECH bit in the local mode word.
+
+        The SRCRT #define has been removed.  If IP_OPTIONS
+        and IPPROTO_IP are defined on the system, then the
+        source route code is automatically enabled.
+
+        The NO_GETTYTAB #define has been removed; there
+        is a compatability routine that can be built into
+        libtelnet to achive the same results.
+
+        The server, telnetd, has been switched to use getopt()
+        for parsing the argument list.
+
+        The code for getting the input/output speeds via
+        cfgetispeed()/cfgetospeed() was still not quite
+        right in telnet.  Posix says if the ispeed is 0,
+        then it is really equal to the ospeed.
+
+        The suboption processing code in telnet now has
+        explicit checks to make sure that we received
+        the entire suboption (telnetd was already doing this).
+
+        The telnet code for processing the terminal type
+        could cause a core dump if an existing connection
+        was closed, and a new connection opened without
+        exiting telnet.
+
+        Telnetd was doing a TCSADRAIN when setting the new
+        terminal settings;  This is not good, because it means
+        that the tcsetattr() will hang waiting for output to
+        drain, and telnetd is the only one that will drain
+        the output...  The fix is to use TCSANOW which does
+        not wait.
+
+        Telnetd was improperly setting/clearing the ISTRIP
+        flag in the c_lflag field, it should be using the
+        c_iflag field. 
+
+        When the child process of telnetd was opening the
+        slave side of the pty, it was re-setting the EXTPROC
+        bit too early, and some of the other initialization
+        code was wiping it out.  This would cause telnetd
+        to go out of linemode and into single character mode.
+
+        One instance of leaving linemode in telnetd forgot
+        to send a WILL ECHO to the client, the net result
+        would be that the user would see double character
+        echo.
+
+        If the MODE was being changed several times very
+        quickly, telnetd could get out of sync with the
+        state changes and the returning acks; and wind up
+        being left in the wrong state.
+
+September 14, 1990:
+
+        Switch the client to use getopt() for parsing the
+        argument list.  The 4.3Reno getopt.c is included for
+        systems that don't have getopt().
+
+        Use the posix _POSIX_VDISABLE value for what value
+        to use when disabling special characters.  If this
+        is undefined, it defaults to 0x3ff.
+
+        For non-termio systems, TIOCSETP was being used to
+        change the state of the terminal.  This causes the
+        input queue to be flushed, which we don't want.  This
+        is now changed to TIOCSETN.
+
+        Take out the "#ifdef notdef" around the code in the
+        server that generates a "sync" when the pty oputput
+        is flushed.  The potential problem is that some older
+        telnet clients may go into an infinate loop when they
+        receive a "sync", if so, the server can be compiled
+        with "NO_URGENT" defined.
+
+        Fix the client where it was setting/clearing the OPOST
+        bit in the c_lflag field, not the c_oflag field.
+
+        Fix the client where it was setting/clearing the ISTRIP
+        bit in the c_lflag field, not the c_iflag field.  (On
+        4.3Reno, this is the ECHOPRT bit in the c_lflag field.)
+        The client also had its interpretation of WILL BINARY
+        and DO BINARY reversed.
+
+        Fix a bug in client that would cause a core dump when
+        attempting to remove the last environment variable.
+
+        In the client, there were a few places were switch()
+        was being passed a character, and if it was a negative
+        value, it could get sign extended, and not match
+        the 8 bit case statements.  The fix is to and the
+        switch value with 0xff.
+
+        Add a couple more printoption() calls in the client, I
+        don't think there are any more places were a telnet
+        command can be received and not printed out when
+        "options" is on.
+
+        A new flag has been added to the client, "-a".  Currently,
+        this just causes the USER name to be sent across, in
+        the future this may be used to signify that automatic
+        authentication is requested.
+
+        The USER variable is now only sent by the client if
+        the "-a" or "-l user" options are explicity used, or
+        if the user explicitly asks for the "USER" environment
+        variable to be exported.  In the server, if it receives
+        the "USER" environment variable, it won't print out the
+        banner message, so that only "Password:" will be printed.
+        This makes the symantics more like rlogin, and should be
+        more familiar to the user.  (People are not used to
+        getting a banner message, and then getting just a
+        "Password:" prompt.)
+
+        Re-vamp the code for starting up the child login
+        process.  The code was getting ugly, and it was
+        hard to tell what was really going on.  What we
+        do now is after the fork(), in the child:
+                1) make sure we have no controlling tty
+                2) open and initialize the tty
+                3) do a setsid()/setpgrp()
+                4) makes the tty our controlling tty.
+        On some systems, #2 makes the tty our controlling
+        tty, and #4 is a no-op.  The parent process does
+        a gets rid of any controlling tty after the child
+        is fork()ed.
+
+        Use the strdup() library routine in telnet, instead
+        of the local savestr() routine.  If you don't have
+        strdup(), you need to define NO_STRDUP.
+
+        Add support for ^T (SIGINFO/VSTATUS), found in the
+        4.3Reno distribution.  This maps to the AYT character.
+        You need a 4-line bugfix in the kernel to get this
+        to work properly:
+
+        > *** tty_pty.c.ORG     Tue Sep 11 09:41:53 1990
+        > --- tty_pty.c Tue Sep 11 17:48:03 1990
+        > ***************
+        > *** 609,613 ****
+        >                       if ((tp->t_lflag&NOFLSH) == 0)
+        >                               ttyflush(tp, FREAD|FWRITE);
+        > !                     pgsignal(tp->t_pgrp, *(unsigned int *)data);
+        >                       return(0);
+        >               }
+        > --- 609,616 ----
+        >                       if ((tp->t_lflag&NOFLSH) == 0)
+        >                               ttyflush(tp, FREAD|FWRITE);
+        > !                     pgsignal(tp->t_pgrp, *(unsigned int *)data, 1);
+        > !                     if ((*(unsigned int *)data == SIGINFO) &&
+        > !                         ((tp->t_lflag&NOKERNINFO) == 0))
+        > !                             ttyinfo(tp);
+        >                       return(0);
+        >               }
+
+        The client is now smarter when setting the telnet escape
+        character; it only sets it to one of VEOL and VEOL2 if
+        one of them is undefined, and the other one is not already
+        defined to the telnet escape character.
+
+        Handle TERMIOS systems that have seperate input and output
+        line speed settings imbedded in the flags.
+
+        Many other minor bug fixes.
+
+June 20, 1990:
+        Re-organize makefiles and source tree.  The telnet/Source
+        directory is now gone, and all the source that was in
+        telnet/Source is now just in the telnet directory.
+
+        Seperate makefile for each system are now gone.  There
+        are two makefiles, Makefile and Makefile.generic.
+        The "Makefile" has the definitions for the various
+        system, and "Makefile.generic" does all the work.
+        There is a variable called "WHAT" that is used to
+        specify what to make.  For example, in the telnet
+        directory, you might say:
+                make 4.4bsd WHAT=clean
+        to clean out the directory.
+
+        Add support for the ENVIRON and XDISPLOC options.
+        In order for the server to work, login has to have
+        the "-p" option to preserve environment variables.
+
+        Add the SOFT_TAB and LIT_ECHO modes in the LINEMODE support.
+
+        Add the "-l user" option to command line and open command
+        (This is passed through the ENVIRON option).
+
+        Add the "-e" command line option, for setting the escape
+        character.
+
+        Add the "-D", diagnostic, option to the server.  This allows
+        the server to print out debug information, which is very
+        useful when trying to debug a telnet that doesn't have any
+        debugging ability.
+
+        Turn off the literal next character when not in LINEMODE.
+
+        Don't recognize ^Y locally, just pass it through.
+
+        Make minor modifications for Sun4.0 and Sun4.1
+
+        Add support for both FORW1 and FORW2 characters.  The
+        telnet escpape character is set to whichever of the
+        two is not being used.  If both are in use, the escape
+        character is not set, so when in linemode the user will
+        have to follow the escape character with a <CR> or <EOF)
+        to get it passed through.
+
+        Commands can now be put in single and double quotes, and
+        a backslash is now an escape character.  This is needed
+        for allowing arbitrary strings to be assigned to environment
+        variables.
+
+        Switch telnetd to use macros like telnet for keeping
+        track of the state of all the options.
+
+        Fix telnetd's processing of options so that we always do
+        the right processing of the LINEMODE option, regardless
+        of who initiates the request to turn it on.  Also, make
+        sure that if the other side went "WILL ECHO" in response
+        to our "DO ECHO", that we send a "DONT ECHO" to get the
+        option turned back off!
+
+        Fix the TERMIOS setting of the terminal speed to handle both
+        BSD's seperate fields, and the SYSV method of CBAUD bits.
+
+        Change how we deal with the other side refusing to enable
+        an option.  The sequence used to be: send DO option; receive
+        WONT option; send DONT option.  Now, the sequence is: send
+        DO option; receive WONT option.  Both should be valid
+        according to the spec, but there has been at least one
+        client implementation of telnet identified that can get
+        really confused by this.  (The exact sequence, from a trace
+        on the server side, is (numbers are number of responses that
+        we expect to get after that line...):
+
+                send WILL ECHO  1 (initial request)
+                send WONT ECHO  2 (server is changing state)
+                recv DO ECHO    1 (first reply, ok.  expect DONT ECHO next)
+                send WILL ECHO  2 (server changes state again)
+                recv DONT ECHO  1 (second reply, ok.  expect DO ECHO next)
+                recv DONT ECHO  0 (third reply, wrong answer. got DONT!!!)
+        ***     send WONT ECHO    (send WONT to acknowledge the DONT)
+                send WILL ECHO  1 (ask again to enable option)
+                recv DO ECHO    0
+
+                recv DONT ECHO  0
+                send WONT ECHO  1
+                recv DONT ECHO  0
+                recv DO ECHO    1
+                send WILL ECHO  0
+                (and the last 5 lines loop forever)
+
+        The line with the "***" is last of the WILL/DONT/WONT sequence.
+        The change to the server to not generate that makes this same
+        example become:
+
+                send will ECHO  1
+                send wont ECHO  2
+                recv do ECHO    1
+                send will ECHO  2
+                recv dont ECHO  1
+                recv dont ECHO  0
+                recv do ECHO    1
+                send will ECHO  0
+
+        There is other option negotiation going on, and not sending
+        the third part changes some of the timings, but this specific
+        example no longer gets stuck in a loop.  The "telnet.state"
+        file has been modified to reflect this change to the algorithm.
+
+        A bunch of miscellaneous bug fixes and changes to make
+        lint happier.
+
+        This version of telnet also has some KERBEROS stuff in
+        it. This has not been tested, it uses an un-authorized
+        telnet option number, and uses an out-of-date version
+        of the (still being defined) AUTHENTICATION option.
+        There is no support for this code, do not enable it.
+
+
+March 1, 1990:
+CHANGES/BUGFIXES SINCE LAST RELEASE:
+        Some support for IP TOS has been added.  Requires that the
+        kernel support the IP_TOS socket option (currently this
+        is only in UNICOS 6.0).
+
+        Both telnet and telnetd now use the cc_t typedef.  typedefs are
+        included for systems that don't have it (in termios.h).
+
+        SLC_SUSP was not supported properly before.  It is now.
+
+        IAC EOF was not translated  properly in telnetd for SYSV_TERMIO
+        when not in linemode.  It now saves a copy of the VEOF character,
+        so that when ICANON is turned off and we can't trust it anymore
+        (because it is now the VMIN character) we use the saved value.
+
+        There were two missing "break" commands in the linemode
+        processing code in telnetd.
+
+        Telnetd wasn't setting the kernel window size information
+        properly.  It was using the rows for both rows and columns...
+
+Questions/comments go to
+                David Borman
+                Cray Research, Inc.
+                655F Lone Oak Drive
+                Eagan, MN 55123
+                dab@cray.com.
+
+README: You are reading it.
+
+Config.generic:
+        This file contains all the OS specific definitions.  It
+        has pre-definitions for many common system types, and is
+        in standard makefile fromat.  See the comments at the top
+        of the file for more information.
+
+Config.local:
+        This is not part of the distribution, but if this file exists,
+        it is used instead of "Config.generic".  This allows site
+        specific configuration without having to modify the distributed
+        "Config.generic" file.
+
+kern.diff:
+        This file contains the diffs for the changes needed for the
+        kernel to support LINEMODE is the server.  These changes are
+        for a 4.3BSD system.  You may need to make some changes for
+        your particular system.
+
+        There is a new bit in the terminal state word, TS_EXTPROC.
+        When this bit is set, several aspects of the terminal driver
+        are disabled.  Input line editing, character echo, and
+        mapping of signals are all disabled.  This allows the telnetd
+        to turn of these functions when in linemode, but still keep
+        track of what state the user wants the terminal to be in.
+
+        New ioctl()s:
+
+                TIOCEXT         Turn on/off the TS_EXTPROC bit
+                TIOCGSTATE      Get t_state of tty to look at TS_EXTPROC bit
+                TIOCSIG         Generate a signal to processes in the
+                                current process group of the pty.
+
+        There is a new mode for packet driver, the TIOCPKT_IOCTL bit.
+        When packet mode is turned on in the pty, and the TS_EXTPROC
+        bit is set, then whenever the state of the pty is changed, the
+        next read on the master side of the pty will have the TIOCPKT_IOCTL
+        bit set, and the data will contain the following:
+                struct xx {
+                        struct sgttyb a;
+                        struct tchars b;
+                        struct ltchars c;
+                        int t_state;
+                        int t_flags;
+                }
+        This allows the process on the server side of the pty to know
+        when the state of the terminal has changed, and what the new
+        state is.
+
+        However, if you define USE_TERMIO or SYSV_TERMIO, the code will
+        expect that the structure returned in the TIOCPKT_IOCTL is
+        the termio/termios structure.
+
+stty.diff:
+        This file contains the changes needed for the stty(1) program
+        to report on the current status of the TS_EXTPROC bit.  It also
+        allows the user to turn on/off the TS_EXTPROC bit.  This is useful
+        because it allows the user to say "stty -extproc", and the
+        LINEMODE option will be automatically disabled, and saying "stty
+        extproc" will re-enable the LINEMODE option.
+
+telnet.state:
+        Both the client and server have code in them to deal
+        with option negotiation loops.  The algorithm that is
+        used is described in this file.
+
+tmac.doc:
+        Macros for use in formatting the man pages on non-4.3Reno
+        systems.
+
+telnet:
+        This directory contains the client code.  No kernel changes are
+        needed to use this code.
+
+telnetd:
+        This directory contains the server code.  If LINEMODE or KLUDGELINEMODE
+        are defined, then the kernel modifications listed above are needed.
+
+libtelnet:
+        This directory contains code that is common to both the client
+        and the server.
+
+arpa:
+        This directory has a new <arpa/telnet.h>
+
+
+The following TELNET options are supported:
+        
+        LINEMODE:
+                The LINEMODE option is supported as per RFC1116.  The
+                FORWARDMASK option is not currently supported.
+
+        BINARY: The client has the ability to turn on/off the BINARY
+                option in each direction.  Turning on BINARY from
+                server to client causes the LITOUT bit to get set in
+                the terminal driver on both ends,  turning on BINARY
+                from the client to the server causes the PASS8 bit
+                to get set in the terminal driver on both ends.
+
+        TERMINAL-TYPE:
+                This is supported as per RFC1091.  On the server side,
+                when a terminal type is received, termcap/terminfo
+                is consulted to determine if it is a known terminal
+                type.  It keeps requesting terminal types until it
+                gets one that it recongnizes, or hits the end of the
+                list.  The server side looks up the entry in the
+                termcap/terminfo data base, and generates a list of
+                names which it then passes one at a time to each
+                request for a terminal type, duplicating the last
+                entry in the list before cycling back to the beginning.
+
+        NAWS:   The Negotiate about Window Size, as per RFC 1073.
+
+        TERMINAL-SPEED:
+                Implemented as per RFC 1079
+
+        TOGGLE-FLOW-CONTROL:
+                Implemented as per RFC 1080
+
+        TIMING-MARK:
+                As per RFC 860
+
+        SGA:    As per RFC 858
+
+        ECHO:   As per RFC 857
+
+        STATUS:
+                The server will send its current status upon
+                request.  It does not ask for the clients status.
+                The client will request the servers current status
+                from the "send getstatus" command.
+
+        ENVIRON:
+                This option is currently being defined by the IETF
+                Telnet Working Group, and an RFC has not yet been
+                issued, but should be in the near future...
+
+        X-DISPLAY-LOCATION:
+                This functionality can be done through the ENVIRON
+                option, it is added here for completeness.
+
+        AUTHENTICATION:
+                This option is currently being defined by the IETF
+                Telnet Working Group, and an RFC has not yet been
+                issued.  The basic framework is pretty much decided,
+                but the definitions for the specific authentication
+                schemes is still in a state of flux.
+
+        ENCRYPT:
+                This option is currently being defined by the IETF
+                Telnet Working Group, and an RFC has not yet been
+                issued.  The draft RFC is still in a state of flux,
+                so this code may change in the future.
diff --git a/exploits/7350855-netkit/netkit-telnet-0.17/telnet/TODO b/exploits/7350855-netkit/netkit-telnet-0.17/telnet/TODO
new file mode 100644
index 0000000..f67f253
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.17/telnet/TODO
@@ -0,0 +1,13 @@
+eliminate global variables
+        clean up command processing
+                fix "send" command
+        clean up option processing
+
+add empty encrypt hooks (layer over ring buffers)
+flushout --> use nullsink
+
+fix ring buffer so it allocates more buf instead of overflowing
+
+put tracing back in
+
+authentication?
diff --git a/exploits/7350855-netkit/netkit-telnet-0.17/telnet/array.h b/exploits/7350855-netkit/netkit-telnet-0.17/telnet/array.h
new file mode 100644
index 0000000..56f1123
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.17/telnet/array.h
@@ -0,0 +1,97 @@
+//
+//      File:        array.h
+//      Date:        16-Jul-95
+//      Description: array template
+//
+/*
+ * Copyright (c) 1995 David A. Holland.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of the Author nor the names of any contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifndef ARRAY_H
+#define ARRAY_H
+
+#ifndef assert
+#include <assert.h>
+#endif
+
+#ifndef NULL
+#define NULL 0
+#endif
+
+inline void *operator new(size_t, void *v) { return v; }
+
+template <class T>
+class array {
+  protected:
+    T *v;
+    int n, max;
+
+    void reallocto(int newsize) {
+      while (max<newsize) max += 16;
+      char *x = new char[max*sizeof(T)];
+      memcpy(x,v,n*sizeof(T));
+      delete []((char *)v);
+      v = (T *) x;
+    }
+  public:
+    array() { v=NULL; n=max=0; }
+    ~array() { setsize(0); delete []((char *)v); }
+
+    int num() const { return n; }
+
+    void setsize(int newsize) {
+      if (newsize>max) reallocto(newsize);
+      if (newsize>n) {
+        // call default constructors
+        for (int i=n; i<newsize; i++) (void) new(&v[i]) T;
+      }
+      else {
+        // call destructors
+        for (int i=newsize; i<n; i++) v[i].~T();
+      }
+      n = newsize;
+    }
+
+    T &operator [] (int ix) const {
+      assert(ix>=0 && ix<n);
+      return v[ix];
+    }
+
+    int add(const T &val) {
+      int ix = n;
+      setsize(n+1);
+      v[ix] = val;
+      return ix;
+    }
+
+    void push(const T &val) { add(val); }
+
+    T pop() { T t = (*this)[n-1]; setsize(n-1); return t; }
+};
+
+#endif
diff --git a/exploits/7350855-netkit/netkit-telnet-0.17/telnet/authenc.cc b/exploits/7350855-netkit/netkit-telnet-0.17/telnet/authenc.cc
new file mode 100644
index 0000000..8cc6e57
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.17/telnet/authenc.cc
@@ -0,0 +1,116 @@
+/*-
+ * Copyright (c) 1991 The Regents of the University of California.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *      This product includes software developed by the University of
+ *      California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/*
+ * From: @(#)authenc.c  5.1 (Berkeley) 3/1/91
+ */
+char au_rcsid[] = 
+  "$Id: authenc.cc,v 1.6 2000/07/23 03:24:53 dholland Exp $";
+
+#if     defined(ENCRYPT) || defined(AUTHENTICATE)
+#include <sys/types.h>
+#include <arpa/telnet.h>
+#include <libtelnet/encrypt.h>
+#include <libtelnet/misc.h>
+
+#include "ring.h"
+#include "externs.h"
+#include "defines.h"
+#include "types.h"
+#include "proto.h"
+
+        int
+net_write(str, len)
+        unsigned char *str;
+        int len;
+{
+        if (NETROOM() > len) {
+                netoring.supply_data(str, len);
+                if (str[0] == IAC && str[1] == SE)
+                        printsub('>', &str[2], len-2);
+                return(len);
+        }
+        return(0);
+}
+
+        void
+net_encrypt()
+{
+#if     defined(ENCRYPT)
+        if (encrypt_output)
+                ring_encrypt(&netoring, encrypt_output);
+        else
+                ring_clearto(&netoring);
+#endif
+}
+
+        int
+telnet_spin()
+{
+        return(-1);
+}
+
+        char *
+telnet_getenv(val)
+        char *val;
+{
+        /* not sure about the export_only flag, but this code
+         * isn't used anyway --okir */
+        return((char *)env_getvalue((unsigned char *)val, 1));
+}
+
+        char *
+telnet_gets(prompt, result, length, echo)
+        char *prompt;
+        char *result;
+        int length;
+        int echo;
+{
+        extern char *getpass();
+        extern int globalmode;
+        int om = globalmode;
+        char *res;
+
+        TerminalNewMode(-1);
+        if (echo) {
+                printf("%s", prompt);
+                res = fgets(result, length, stdin);
+        } 
+        else if ((res = getpass(prompt))!=NULL) {
+                strncpy(result, res, length);
+                res = result;
+        }
+        TerminalNewMode(om);
+        return(res);
+}
+#endif
diff --git a/exploits/7350855-netkit/netkit-telnet-0.17/telnet/commands.cc b/exploits/7350855-netkit/netkit-telnet-0.17/telnet/commands.cc
new file mode 100644
index 0000000..b7460fa
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.17/telnet/commands.cc
@@ -0,0 +1,2262 @@
+/*
+ * Copyright (c) 1988, 1990 Regents of the University of California.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *      This product includes software developed by the University of
+ *      California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/*
+ * From: @(#)commands.c 5.5 (Berkeley) 3/22/91
+ */
+char cmd_rcsid[] = 
+  "$Id: commands.cc,v 1.34 2000/07/23 04:16:24 dholland Exp $";
+
+#include <string.h>
+
+#include <sys/param.h>
+#include <sys/file.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <netinet/ip.h>
+
+#ifdef  CRAY
+#include <fcntl.h>
+#endif  /* CRAY */
+
+#include <sys/wait.h>
+#include <signal.h>
+#include <netdb.h>
+#include <ctype.h>
+#include <pwd.h>
+#include <stdarg.h>
+#include <errno.h>
+#include <unistd.h>
+#include <stdlib.h>
+#include <arpa/inet.h>
+#include <arpa/telnet.h>
+
+#include "ring.h"
+
+#include "externs.h"
+#include "defines.h"
+#include "types.h"
+#include "genget.h"
+#include "environ.h"
+#include "proto.h"
+#include "ptrarray.h"
+#include "netlink.h"
+
+/* In Linux, this is an enum */
+#if defined(__linux__) || defined(IPPROTO_IP)
+#define HAS_IPPROTO_IP
+#endif
+
+#ifndef CRAY
+#if (defined(vax) || defined(tahoe) || defined(hp300)) && !defined(ultrix)
+#include <machine/endian.h>
+#endif /* vax */
+#endif /* CRAY */
+
+#define HELPINDENT ((int) sizeof ("connect"))
+
+#if     defined(HAS_IPPROTO_IP) && defined(IP_TOS)
+int tos = -1;
+#endif  /* defined(HAS_IPPROTO_IP) && defined(IP_TOS) */
+
+static unsigned long sourceroute(char *arg, char **cpp, int *lenp);
+
+
+char    *hostname;
+static char *_hostname;
+
+//typedef int (*intrtn_t)(int argc, const char *argv[]);
+
+class command_entry;
+typedef ptrarray<command_entry> command_table;
+
+static int process_command(command_table *tab, int argc, const char **argv);
+
+
+class command_entry {
+ protected:
+    const char *name;    /* command name */
+    const char *help;    /* help string (NULL for no help) */
+
+    int nargs;
+    union {             /* routine which executes command */
+        command_table *subhandler;
+        int (*handlern)(int, const char **);
+        int (*handler0)(void);
+        int (*handler1)(const char *);
+        int (*handler2)(const char *, const char *);
+    };
+ public:
+    command_entry(const char *n, const char *e, 
+                  int (*h)(int, const char **)) 
+    { 
+        name = n; 
+        help = e;
+        nargs = -1; handlern = h; 
+    }
+    command_entry(const char *n, const char *e,
+                  int (*h)(void)) 
+    { 
+        name = n; 
+        help = e;
+        nargs = 0; handler0 = h; 
+    }
+    command_entry(const char *n, const char *e,
+                  int (*h)(const char *)) 
+    { 
+        name = n; 
+        help = e;
+        nargs = 1; handler1 = h; 
+    }
+    command_entry(const char *n, const char *e,
+                  int (*h)(const char *, const char *)) 
+    { 
+        name = n; 
+        help = e;
+        nargs = 2; handler2 = h; 
+    }
+    command_entry(const char *n, const char *e, command_table *sub) {
+        name = n;
+        help = e;
+        nargs = -2;
+        subhandler = sub;
+    }
+    
+    int call(int argc, const char *argv[]) {
+        assert(argc>=1);
+        if (nargs>=0 && argc!=nargs+1) {
+            fprintf(stderr, "Wrong number of arguments for command.\n");
+            fprintf(stderr, "Try ? %s for help\n", argv[0]);
+            return 0;    /* is this right? */
+        }
+        if (nargs==-2) {
+            if (argc<2) {
+                fprintf(stderr, "`%s' requires a subcommand.\n", argv[0]);
+                fprintf(stderr, "Try %s ? for help\n", argv[0]);
+                return 0;    /* is this right? */
+            }
+            return process_command(subhandler, argc-1, argv+1);
+        }
+        else if (nargs==-1) return handlern(argc, argv);
+        else if (nargs==0) return handler0();
+        else if (nargs==1) return handler1(argv[1]);
+        else if (nargs==2) return handler2(argv[1], argv[2]);
+        return 0;
+    }
+
+    void describe() {
+        if (help) printf("%-*s\t%s\n", HELPINDENT, name, help);
+    }
+    void gethelp() {
+        if (help) printf("%s\n", help);
+        else printf("No help available\n");
+    }
+
+    const char *getname() const { return name; }
+};
+
+static char line[256];
+static char saveline[256];
+static int margc;
+static const char *margv[20];
+
+static void makeargv(void) {
+    register char *cp, *cp2, c;
+    register const char **argp = margv;
+
+    margc = 0;
+    cp = line;
+    if (*cp == '!') {           /* Special case shell escape */
+        strcpy(saveline, line); /* save for shell command */
+        *argp++ = "!";          /* No room in string to get this */
+        margc++;
+        cp++;
+    }
+    while ((c = *cp)!=0) {
+        register int inquote = 0;
+        while (isspace(c))
+            c = *++cp;
+        if (c == '\0')
+            break;
+        *argp++ = cp;
+        margc += 1;
+        for (cp2 = cp; c != '\0'; c = *++cp) {
+            if (inquote) {
+                if (c == inquote) {
+                    inquote = 0;
+                    continue;
+                }
+            } else {
+                if (c == '\\') {
+                    if ((c = *++cp) == '\0')
+                        break;
+                } else if (c == '"') {
+                    inquote = '"';
+                    continue;
+                } else if (c == '\'') {
+                    inquote = '\'';
+                    continue;
+                } else if (isspace(c))
+                    break;
+            }
+            *cp2++ = c;
+        }
+        *cp2 = '\0';
+        if (c == '\0')
+            break;
+        cp++;
+    }
+    *argp++ = 0;
+}
+
+/*
+ * Make a character string into a number.
+ *
+ * Todo:  1.  Could take random integers (12, 0x12, 012, 0b1).
+ */
+
+static int special(const char *s) {
+    char c;
+    char b;
+    
+    switch (*s) {
+     case '^':
+         b = *++s;
+         if (b == '?') {
+             c = b | 0x40;              /* DEL */
+         } 
+         else {
+             c = b & 0x1f;
+         }
+         break;
+     default:
+         c = *s;
+         break;
+    }
+    return c;
+}
+
+/*
+ * Construct a control character sequence
+ * for a special character.
+ */
+static const char *control(cc_t c)
+{
+        static char buf[5];
+        /*
+         * The only way I could get the Sun 3.5 compiler
+         * to shut up about
+         *      if ((unsigned int)c >= 0x80)
+         * was to assign "c" to an unsigned int variable...
+         * Arggg....
+         */
+        register unsigned int uic = (unsigned int)c;
+
+        if (uic == 0x7f)
+                return ("^?");
+        if (c == (cc_t)_POSIX_VDISABLE) {
+                return "off";
+        }
+        if (uic >= 0x80) {
+                buf[0] = '\\';
+                buf[1] = ((c>>6)&07) + '0';
+                buf[2] = ((c>>3)&07) + '0';
+                buf[3] = (c&07) + '0';
+                buf[4] = 0;
+        } else if (uic >= 0x20) {
+                buf[0] = c;
+                buf[1] = 0;
+        } else {
+                buf[0] = '^';
+                buf[1] = '@'+c;
+                buf[2] = 0;
+        }
+        return (buf);
+}
+
+
+
+/*
+ *      The following are data structures and routines for
+ *      the "send" command.
+ *
+ */
+ 
+struct sendlist {
+    const char *name;           /* How user refers to it (case independent) */
+    const char *help;           /* Help information (0 ==> no help) */
+    int needconnect;            /* Need to be connected */
+    int narg;                   /* Number of arguments */
+    int (*handler)(const char *, const char *); 
+                                /* Routine to perform (for special ops) */
+    int nbyte;                  /* Number of bytes to send this command */
+    int what;                   /* Character to be sent (<0 ==> special) */
+};
+
+static int send_esc(const char *, const char *);
+static int send_help(const char *, const char *);
+static int send_docmd(const char *, const char *);
+static int send_dontcmd(const char *, const char *);
+static int send_willcmd(const char *, const char *);
+static int send_wontcmd(const char *, const char *);
+
+extern int send_do(int, int);
+extern int send_dont(int, int);
+extern int send_will(int, int);
+extern int send_wont(int, int);
+
+static int dosynch1(const char *, const char *) { return dosynch(); }
+
+static struct sendlist Sendlist[] = {
+    { "ao",     "Send Telnet Abort output",             1, 0, 0, 2, AO },
+    { "ayt",    "Send Telnet 'Are You There'",          1, 0, 0, 2, AYT },
+    { "brk",    "Send Telnet Break",                    1, 0, 0, 2, BREAK },
+    { "break",  0,                                      1, 0, 0, 2, BREAK },
+    { "ec",     "Send Telnet Erase Character",          1, 0, 0, 2, EC },
+    { "el",     "Send Telnet Erase Line",               1, 0, 0, 2, EL },
+    { "escape", "Send current escape character",        1, 0, send_esc, 1, 0 },
+    { "ga",     "Send Telnet 'Go Ahead' sequence",      1, 0, 0, 2, GA },
+    { "ip",     "Send Telnet Interrupt Process",        1, 0, 0, 2, IP },
+    { "intp",   0,                                      1, 0, 0, 2, IP },
+    { "interrupt", 0,                                   1, 0, 0, 2, IP },
+    { "intr",   0,                                      1, 0, 0, 2, IP },
+    { "nop",    "Send Telnet 'No operation'",           1, 0, 0, 2, NOP },
+    { "eor",    "Send Telnet 'End of Record'",          1, 0, 0, 2, EOR },
+    { "abort",  "Send Telnet 'Abort Process'",          1, 0, 0, 2, ABORT },
+    { "susp",   "Send Telnet 'Suspend Process'",        1, 0, 0, 2, SUSP },
+    { "eof",    "Send Telnet End of File Character",    1, 0, 0, 2, xEOF },
+    { "synch",  "Perform Telnet 'Synch operation'",     1, 0, dosynch1, 2, 0 },
+    { "getstatus", "Send request for STATUS",   1, 0, get_status, 6, 0 },
+    { "?",      "Display send options",         0, 0, send_help, 0, 0 },
+    { "help",   0,                              0, 0, send_help, 0, 0 },
+    { "do",     0,                              0, 1, send_docmd, 3, 0 },
+    { "dont",   0,                              0, 1, send_dontcmd, 3, 0 },
+    { "will",   0,                              0, 1, send_willcmd, 3, 0 },
+    { "wont",   0,                              0, 1, send_wontcmd, 3, 0 },
+    { 0, 0, 0, 0, 0, 0, 0 }
+};
+
+#define GETSEND(name) ((struct sendlist *) genget(name, (char **) Sendlist, \
+                                sizeof(struct sendlist)))
+
+static int sendcmd(int argc, const char *argv[]) {
+    int count;          /* how many bytes we are going to need to send */
+    int i;
+/*    int question = 0;*/       /* was at least one argument a question */
+    struct sendlist *s; /* pointer to current command */
+    int success = 0;
+    int needconnect = 0;
+
+    if (argc < 2) {
+        printf("need at least one argument for 'send' command\n");
+        printf("'send ?' for help\n");
+        return 0;
+    }
+    /*
+     * First, validate all the send arguments.
+     * In addition, we see how much space we are going to need, and
+     * whether or not we will be doing a "SYNCH" operation (which
+     * flushes the network queue).
+     */
+    count = 0;
+    for (i = 1; i < argc; i++) {
+        s = GETSEND(argv[i]);
+        if (s == 0) {
+            printf("Unknown send argument '%s'\n'send ?' for help.\n",
+                        argv[i]);
+            return 0;
+        } 
+        else if (s == AMBIGUOUS) {
+            printf("Ambiguous send argument '%s'\n'send ?' for help.\n",
+                        argv[i]);
+            return 0;
+        }
+        if (i + s->narg >= argc) {
+            fprintf(stderr,
+            "Need %d argument%s to 'send %s' command.  'send %s ?' for help.\n",
+                s->narg, s->narg == 1 ? "" : "s", s->name, s->name);
+            return 0;
+        }
+        count += s->nbyte;
+        if (s->handler == send_help) {
+            send_help(NULL, NULL);
+            return 0;
+        }
+
+        i += s->narg;
+        needconnect += s->needconnect;
+    }
+    if (!connected && needconnect) {
+        printf("?Need to be connected first.\n");
+        printf("'send ?' for help\n");
+        return 0;
+    }
+    /* Now, do we have enough room? */
+    if (netoring.empty_count() < count) {
+        printf("There is not enough room in the buffer TO the network\n");
+        printf("to process your request.  Nothing will be done.\n");
+        printf("('send synch' will throw away most data in the network\n");
+        printf("buffer, if this might help.)\n");
+        return 0;
+    }
+    /* OK, they are all OK, now go through again and actually send */
+    count = 0;
+    for (i = 1; i < argc; i++) {
+        if ((s = GETSEND(argv[i])) == 0) {
+            fprintf(stderr, "Telnet 'send' error - argument disappeared!\n");
+            quit();
+            /*NOTREACHED*/
+        }
+        if (s->handler) {
+            count++;
+            success += (*s->handler)((s->narg > 0) ? argv[i+1] : 0,
+                                     (s->narg > 1) ? argv[i+2] : 0);
+            i += s->narg;
+        } 
+        else {
+            NET2ADD(IAC, s->what);
+            printoption("SENT", IAC, s->what);
+        }
+    }
+    return (count == success);
+}
+
+static int send_esc(const char *, const char *) {
+    NETADD(escapechar);
+    return 1;
+}
+
+static int send_docmd(const char *name, const char *) {
+    return send_tncmd(send_do, "do", name);
+}
+
+static int send_dontcmd(const char *name, const char *) {
+    return(send_tncmd(send_dont, "dont", name));
+}
+
+static int send_willcmd(const char *name, const char *) {
+    return(send_tncmd(send_will, "will", name));
+}
+
+static int send_wontcmd(const char *name, const char *) {
+    return(send_tncmd(send_wont, "wont", name));
+}
+
+int send_tncmd(int (*func)(int, int), const char *cmd, const char *name) {
+    char **cpp;
+    extern char *telopts[];
+
+    if (isprefix(name, "help") || isprefix(name, "?")) {
+        register int col, len;
+
+        printf("Usage: send %s <option>\n", cmd);
+        printf("Valid options are:\n\t");
+
+        col = 8;
+        for (cpp = telopts; *cpp; cpp++) {
+            len = strlen(*cpp) + 1;
+            if (col + len > 65) {
+                printf("\n\t");
+                col = 8;
+            }
+            printf(" %s", *cpp);
+            col += len;
+        }
+        printf("\n");
+        return 0;
+    }
+    cpp = genget(name, telopts, sizeof(char *));
+    if (cpp == AMBIGUOUS) {
+        fprintf(stderr,"'%s': ambiguous argument ('send %s ?' for help).\n",
+                                        name, cmd);
+        return 0;
+    }
+    if (cpp == 0) {
+        fprintf(stderr, "'%s': unknown argument ('send %s ?' for help).\n",
+                                        name, cmd);
+        return 0;
+    }
+    if (!connected) {
+        printf("?Need to be connected first.\n");
+        return 0;
+    }
+    (*func)(cpp - telopts, 1);
+    return 1;
+}
+
+static int send_help(const char *, const char *) {
+    struct sendlist *s; /* pointer to current command */
+    for (s = Sendlist; s->name; s++) {
+        if (s->help)
+            printf("%-15s %s\n", s->name, s->help);
+    }
+    return(0);
+}
+
+/*
+ * The following are the routines and data structures referred
+ * to by the arguments to the "toggle" command.
+ */
+
+static int lclchars(int) {
+    donelclchars = 1;
+    return 1;
+}
+
+static int togdebug(int) {
+    return nlink.setdebug(debug);
+}
+
+
+static int togcrlf(int) {
+    if (crlf) {
+        printf("Will send carriage returns as telnet <CR><LF>.\n");
+    } 
+    else {
+        printf("Will send carriage returns as telnet <CR><NUL>.\n");
+    }
+    return 1;
+}
+
+int binmode;
+
+static int togbinary(int val) {
+    donebinarytoggle = 1;
+
+    if (val >= 0) {
+        binmode = val;
+    } else {
+        if (my_want_state_is_will(TELOPT_BINARY) &&
+                                my_want_state_is_do(TELOPT_BINARY)) {
+            binmode = 1;
+        } else if (my_want_state_is_wont(TELOPT_BINARY) &&
+                                my_want_state_is_dont(TELOPT_BINARY)) {
+            binmode = 0;
+        }
+        val = binmode ? 0 : 1;
+    }
+
+    if (val == 1) {
+        if (my_want_state_is_will(TELOPT_BINARY) &&
+                                        my_want_state_is_do(TELOPT_BINARY)) {
+            printf("Already operating in binary mode with remote host.\n");
+        } else {
+            printf("Negotiating binary mode with remote host.\n");
+            tel_enter_binary(3);
+        }
+    } else {
+        if (my_want_state_is_wont(TELOPT_BINARY) &&
+                                        my_want_state_is_dont(TELOPT_BINARY)) {
+            printf("Already in network ascii mode with remote host.\n");
+        } else {
+            printf("Negotiating network ascii mode with remote host.\n");
+            tel_leave_binary(3);
+        }
+    }
+    return 1;
+}
+
+static int togrbinary(int val) {
+    donebinarytoggle = 1;
+
+    if (val == -1)
+        val = my_want_state_is_do(TELOPT_BINARY) ? 0 : 1;
+
+    if (val == 1) {
+        if (my_want_state_is_do(TELOPT_BINARY)) {
+            printf("Already receiving in binary mode.\n");
+        } 
+        else {
+            printf("Negotiating binary mode on input.\n");
+            tel_enter_binary(1);
+        }
+    } 
+    else {
+        if (my_want_state_is_dont(TELOPT_BINARY)) {
+            printf("Already receiving in network ascii mode.\n");
+        } else {
+            printf("Negotiating network ascii mode on input.\n");
+            tel_leave_binary(1);
+        }
+    }
+    return 1;
+}
+
+static int togxbinary(int val) {
+    donebinarytoggle = 1;
+
+    if (val == -1)
+        val = my_want_state_is_will(TELOPT_BINARY) ? 0 : 1;
+
+    if (val == 1) {
+        if (my_want_state_is_will(TELOPT_BINARY)) {
+            printf("Already transmitting in binary mode.\n");
+        } 
+        else {
+            printf("Negotiating binary mode on output.\n");
+            tel_enter_binary(2);
+        }
+    } 
+    else {
+        if (my_want_state_is_wont(TELOPT_BINARY)) {
+            printf("Already transmitting in network ascii mode.\n");
+        } 
+        else {
+            printf("Negotiating network ascii mode on output.\n");
+            tel_leave_binary(2);
+        }
+    }
+    return 1;
+}
+
+
+static int netdata;             /* Print out network data flow */
+static int prettydump;  /* Print "netdata" output in user readable format */
+static int termdata;    /* Print out terminal data flow */
+
+static int togglehelp(int);
+
+struct togglelist {
+    const char *name;                   /* name of toggle */
+    const char *help;                   /* help message */
+    int (*handler)(int);        /* routine to do actual setting */
+    int *variable;
+    const char *actionexplanation;
+};
+
+static struct togglelist Togglelist[] = {
+    { "autoflush", "flushing of output when sending interrupt characters",
+      NULL, &autoflush,
+      "flush output when sending interrupt characters" },
+
+    { "autosynch", "automatic sending of interrupt characters in urgent mode",
+      NULL, &autosynch,
+      "send interrupt characters in urgent mode" },
+
+#if 0
+    { "autologin", "automatic sending of login and/or authentication info",
+      NULL, &autologin,
+      "send login name and/or authentication information" },
+    { "authdebug", "Toggle authentication debugging",
+      auth_togdebug, NULL,
+      "print authentication debugging information" },
+    { "autoencrypt", "automatic encryption of data stream",
+      EncryptAutoEnc, NULL,
+      "automatically encrypt output" },
+    { "autodecrypt", "automatic decryption of data stream",
+      EncryptAutoDec, NULL,
+      "automatically decrypt input" },
+    { "verbose_encrypt", "Toggle verbose encryption output",
+      EncryptVerbose, NULL,
+      "print verbose encryption output" },
+    { "encdebug", "Toggle encryption debugging",
+      EncryptDebug, NULL,
+      "print encryption debugging information" },
+#endif
+
+    { "skiprc", "don't read the telnetrc files",
+      NULL, &skiprc,
+      "read the telnetrc files" },
+    { "binary",
+      "sending and receiving of binary data",
+      togbinary, NULL,
+      NULL },
+    { "inbinary", "receiving of binary data",
+      togrbinary, NULL,
+      NULL },
+    { "outbinary", "sending of binary data",
+      togxbinary, 0,
+      NULL },
+    { "crlf", "sending carriage returns as telnet <CR><LF>",
+      togcrlf, &crlf,
+      NULL },
+    { "crmod", "mapping of received carriage returns",
+      NULL, &crmod,
+      "map carriage return on output" },
+    { "localchars", "local recognition of certain control characters",
+      lclchars, &localchars,
+      "recognize certain control characters" },
+
+    { " ", "", 0, 0, 0 },               /* empty line */
+
+#if defined(TN3270) && !defined(__linux__)
+    { "apitrace", "(debugging) toggle tracing of API transactions",
+      NULL, &apitrace,
+      "trace API transactions" },
+    { "cursesdata", "(debugging) toggle printing of hexadecimal curses data",
+      NULL, &cursesdata,
+      "print hexadecimal representation of curses data" },
+#endif  /* TN3270 and not linux */
+
+    { "debug", "debugging",
+      togdebug, &debug,
+      "turn on socket level debugging" },
+    { "netdata", "printing of hexadecimal network data (debugging)",
+      NULL, &netdata,
+      "print hexadecimal representation of network traffic" },
+    { "prettydump","output of \"netdata\" to user readable format (debugging)",
+      NULL, &prettydump,
+      "print user readable output for \"netdata\"" },
+    { "options", "viewing of options processing (debugging)",
+      NULL, &showoptions,
+      "show option processing" },
+
+    { "termdata", "(debugging) toggle printing of hexadecimal terminal data",
+      NULL, &termdata,
+      "print hexadecimal representation of terminal traffic" },
+
+    { "?", NULL, togglehelp, 0, 0 },
+    { "help", NULL, togglehelp, 0, 0 },
+    { 0, 0, 0, 0, 0 }
+};
+
+static int togglehelp(int) {
+    struct togglelist *c;
+
+    for (c = Togglelist; c->name; c++) {
+        if (c->help) {
+            if (*c->help)
+                printf("%-15s toggle %s\n", c->name, c->help);
+            else
+                printf("\n");
+        }
+    }
+    printf("\n");
+    printf("%-15s %s\n", "?", "display help information");
+    return 0;
+}
+
+static void settogglehelp(int set) {
+    struct togglelist *c;
+
+    for (c = Togglelist; c->name; c++) {
+        if (c->help) {
+            if (*c->help)
+                printf("%-15s %s %s\n", c->name, set ? "enable" : "disable",
+                                                c->help);
+            else
+                printf("\n");
+        }
+    }
+}
+
+#define GETTOGGLE(name) (struct togglelist *) \
+                genget(name, (char **) Togglelist, sizeof(struct togglelist))
+
+static int toggle(int argc, const char *argv[]) {
+    int retval = 1;
+    const char *name;
+    struct togglelist *c;
+
+    if (argc < 2) {
+        fprintf(stderr,
+            "Need an argument to 'toggle' command.  'toggle ?' for help.\n");
+        return 0;
+    }
+    argc--;
+    argv++;
+    while (argc--) {
+        name = *argv++;
+        c = GETTOGGLE(name);
+        if (c == AMBIGUOUS) {
+            fprintf(stderr, "'%s': ambiguous argument ('toggle ?' for help).\n",
+                                        name);
+            return 0;
+        } 
+        else if (c == 0) {
+            fprintf(stderr, "'%s': unknown argument ('toggle ?' for help).\n",
+                                        name);
+            return 0;
+        } 
+        else {
+            if (c->variable) {
+                *c->variable = !*c->variable;           /* invert it */
+                if (c->actionexplanation) {
+                    printf("%s %s.\n", *c->variable? "Will" : "Won't",
+                                                        c->actionexplanation);
+                }
+            }
+            if (c->handler) {
+                retval &= (*c->handler)(-1);
+            }
+        }
+    }
+    return retval;
+}
+
+/*
+ * The following perform the "set" command.
+ */
+
+struct setlist {
+    const char *name;                           /* name */
+    const char *help;                           /* help information */
+    void (*handler)(const char *);
+    cc_t *charp;                        /* where it is located at */
+};
+
+static struct setlist Setlist[] = {
+#ifdef  KLUDGELINEMODE
+    { "echo",   "character to toggle local echoing on/off", 0, &echoc },
+#endif
+    { "escape", "character to escape back to telnet command mode", 0, &escapechar },
+    { "rlogin", "rlogin escape character", 0, &rlogin },
+    { "tracefile", "file to write trace information to", SetNetTrace, (cc_t *)NetTraceFile},
+    { " ", "", 0, 0 },
+    { " ", "The following need 'localchars' to be toggled true", 0, 0 },
+    { "flushoutput", "character to cause an Abort Output", 0, termFlushCharp },
+    { "interrupt", "character to cause an Interrupt Process", 0, termIntCharp },
+    { "quit",   "character to cause an Abort process", 0, termQuitCharp },
+    { "eof",    "character to cause an EOF ", 0, termEofCharp },
+    { " ", "", 0, 0 },
+    { " ", "The following are for local editing in linemode", 0, 0 },
+    { "erase",  "character to use to erase a character", 0, termEraseCharp },
+    { "kill",   "character to use to erase a line", 0, termKillCharp },
+    { "lnext",  "character to use for literal next", 0, termLiteralNextCharp },
+    { "susp",   "character to cause a Suspend Process", 0, termSuspCharp },
+    { "reprint", "character to use for line reprint", 0, termRprntCharp },
+    { "worderase", "character to use to erase a word", 0, termWerasCharp },
+    { "start",  "character to use for XON", 0, termStartCharp },
+    { "stop",   "character to use for XOFF", 0, termStopCharp },
+    { "forw1",  "alternate end of line character", 0, termForw1Charp },
+    { "forw2",  "alternate end of line character", 0, termForw2Charp },
+    { "ayt",    "alternate AYT character", 0, termAytCharp },
+    { 0, 0, 0, 0 }
+};
+
+#if     defined(CRAY) && !defined(__STDC__)
+/* Work around compiler bug in pcc 4.1.5 */
+    void
+_setlist_init()
+{
+#ifndef KLUDGELINEMODE
+#define N 5
+#else
+#define N 6
+#endif
+        Setlist[N+0].charp = &termFlushChar;
+        Setlist[N+1].charp = &termIntChar;
+        Setlist[N+2].charp = &termQuitChar;
+        Setlist[N+3].charp = &termEofChar;
+        Setlist[N+6].charp = &termEraseChar;
+        Setlist[N+7].charp = &termKillChar;
+        Setlist[N+8].charp = &termLiteralNextChar;
+        Setlist[N+9].charp = &termSuspChar;
+        Setlist[N+10].charp = &termRprntChar;
+        Setlist[N+11].charp = &termWerasChar;
+        Setlist[N+12].charp = &termStartChar;
+        Setlist[N+13].charp = &termStopChar;
+        Setlist[N+14].charp = &termForw1Char;
+        Setlist[N+15].charp = &termForw2Char;
+        Setlist[N+16].charp = &termAytChar;
+#undef  N
+}
+#endif  /* defined(CRAY) && !defined(__STDC__) */
+
+static struct setlist *
+getset(const char *name)
+{
+    return (struct setlist *)
+                genget(name, (char **) Setlist, sizeof(struct setlist));
+}
+
+void set_escape_char(char *s) {
+    if (rlogin != _POSIX_VDISABLE) {
+        rlogin = (s && *s) ? special(s) : _POSIX_VDISABLE;
+        printf("Telnet rlogin escape character is '%s'.\n",
+               control(rlogin));
+    } 
+    else {
+        escapechar = (s && *s) ? special(s) : _POSIX_VDISABLE;
+        printf("Telnet escape character is '%s'.\n", control(escapechar));
+    }
+}
+
+static int setcmd(int argc, const char *argv[]) {
+    int value;
+    struct setlist *ct;
+    struct togglelist *c;
+
+    if (argc < 2 || argc > 3) {
+        printf("Format is 'set Name Value'\n'set ?' for help.\n");
+        return 0;
+    }
+    if ((argc == 2) && (isprefix(argv[1], "?") || isprefix(argv[1], "help"))) {
+        for (ct = Setlist; ct->name; ct++)
+            printf("%-15s %s\n", ct->name, ct->help);
+        printf("\n");
+        settogglehelp(1);
+        printf("%-15s %s\n", "?", "display help information");
+        return 0;
+    }
+
+    ct = getset(argv[1]);
+    if (ct == 0) {
+        c = GETTOGGLE(argv[1]);
+        if (c == 0) {
+            fprintf(stderr, "'%s': unknown argument ('set ?' for help).\n",
+                        argv[1]);
+            return 0;
+        } 
+        else if (c == AMBIGUOUS) {
+            fprintf(stderr, "'%s': ambiguous argument ('set ?' for help).\n",
+                        argv[1]);
+            return 0;
+        }
+        if (c->variable) {
+            if ((argc == 2) || (strcmp("on", argv[2]) == 0))
+                *c->variable = 1;
+            else if (strcmp("off", argv[2]) == 0)
+                *c->variable = 0;
+            else {
+                printf("Format is 'set togglename [on|off]'\n'set ?' for help.\n");
+                return 0;
+            }
+            if (c->actionexplanation) {
+                printf("%s %s.\n", *c->variable? "Will" : "Won't",
+                                                        c->actionexplanation);
+            }
+        }
+        if (c->handler)
+            (*c->handler)(1);
+    } 
+    else if (argc != 3) {
+        printf("Format is 'set Name Value'\n'set ?' for help.\n");
+        return 0;
+    } 
+    else if (ct == AMBIGUOUS) {
+        fprintf(stderr, "'%s': ambiguous argument ('set ?' for help).\n",
+                        argv[1]);
+        return 0;
+    } 
+    else if (ct->handler) {
+        (*ct->handler)(argv[2]);
+        printf("%s set to \"%s\".\n", ct->name, (char *)ct->charp);
+    } 
+    else {
+        if (strcmp("off", argv[2])) {
+            value = special(argv[2]);
+        } else {
+            value = _POSIX_VDISABLE;
+        }
+        *(ct->charp) = (cc_t)value;
+        printf("%s character is '%s'.\n", ct->name, control(*(ct->charp)));
+    }
+    slc_check();
+    return 1;
+}
+
+static int unsetcmd(int argc, const char *argv[]) {
+    struct setlist *ct;
+    struct togglelist *c;
+    const char *name;
+
+    if (argc < 2) {
+        fprintf(stderr,
+            "Need an argument to 'unset' command.  'unset ?' for help.\n");
+        return 0;
+    }
+    if (isprefix(argv[1], "?") || isprefix(argv[1], "help")) {
+        for (ct = Setlist; ct->name; ct++)
+            printf("%-15s %s\n", ct->name, ct->help);
+        printf("\n");
+        settogglehelp(0);
+        printf("%-15s %s\n", "?", "display help information");
+        return 0;
+    }
+
+    argc--;
+    argv++;
+    while (argc--) {
+        name = *argv++;
+        ct = getset(name);
+        if (ct == 0) {
+            c = GETTOGGLE(name);
+            if (c == 0) {
+                fprintf(stderr, "'%s': unknown argument ('unset ?' for help).\n",
+                        name);
+                return 0;
+            } 
+            else if (c == AMBIGUOUS) {
+                fprintf(stderr, "'%s': ambiguous argument ('unset ?' for help).\n",
+                        name);
+                return 0;
+            }
+            if (c->variable) {
+                *c->variable = 0;
+                if (c->actionexplanation) {
+                    printf("%s %s.\n", *c->variable? "Will" : "Won't",
+                                                        c->actionexplanation);
+                }
+            }
+            if (c->handler)
+                (*c->handler)(0);
+        } 
+        else if (ct == AMBIGUOUS) {
+            fprintf(stderr, "'%s': ambiguous argument ('unset ?' for help).\n",
+                        name);
+            return 0;
+        } 
+        else if (ct->handler) {
+            (*ct->handler)(0);
+            printf("%s reset to \"%s\".\n", ct->name, (char *)ct->charp);
+        } 
+        else {
+            *(ct->charp) = _POSIX_VDISABLE;
+            printf("%s character is '%s'.\n", ct->name, control(*(ct->charp)));
+        }
+    }
+    return 1;
+}
+
+/*
+ * The following are the data structures and routines for the
+ * 'mode' command.
+ */
+#ifdef  KLUDGELINEMODE
+extern int kludgelinemode;
+
+static int dokludgemode(int) {
+    kludgelinemode = 1;
+    send_wont(TELOPT_LINEMODE, 1);
+    send_dont(TELOPT_SGA, 1);
+    send_dont(TELOPT_ECHO, 1);
+    return 0;
+}
+#endif
+
+static int dolinemode(int) {
+#ifdef  KLUDGELINEMODE
+    if (kludgelinemode)
+        send_dont(TELOPT_SGA, 1);
+#endif
+    send_will(TELOPT_LINEMODE, 1);
+    send_dont(TELOPT_ECHO, 1);
+    return 1;
+}
+
+static int docharmode(int) {
+#ifdef  KLUDGELINEMODE
+    if (kludgelinemode)
+        send_do(TELOPT_SGA, 1);
+    else
+#endif
+    send_wont(TELOPT_LINEMODE, 1);
+    send_do(TELOPT_ECHO, 1);
+    return 1;
+}
+
+static int dolmmode(int bit, int on) {
+    unsigned char c;
+    extern int linemode;
+
+    if (my_want_state_is_wont(TELOPT_LINEMODE)) {
+        printf("?Need to have LINEMODE option enabled first.\n");
+        printf("'mode ?' for help.\n");
+        return 0;
+    }
+
+    if (on)
+        c = (linemode | bit);
+    else
+        c = (linemode & ~bit);
+    lm_mode(&c, 1, 1);
+    return 1;
+}
+
+int setmode(int bit) {
+    return dolmmode(bit, 1);
+}
+
+int clearmode(int bit) {
+    return dolmmode(bit, 0);
+}
+
+struct modelist {
+        const char      *name;          /* command name */
+        const char      *help;          /* help string */
+        int     (*handler)(int);        /* routine which executes command */
+        int     needconnect;    /* Do we need to be connected to execute? */
+        int     arg1;
+};
+
+extern int modehelp(int);
+
+static struct modelist ModeList[] = {
+    { "character", "Disable LINEMODE option",                 docharmode, 1,0},
+#ifdef  KLUDGELINEMODE
+    { "",          "(or disable obsolete line-by-line mode)", NULL, 0,0 },
+#endif
+    { "line",      "Enable LINEMODE option",                  dolinemode, 1,0},
+#ifdef  KLUDGELINEMODE
+    { "",          "(or enable obsolete line-by-line mode)",  NULL, 0,0 },
+#endif
+    { "",          "",                                        NULL, 0, 0 },
+    { "",       "These require the LINEMODE option to be enabled", NULL, 0, 0},
+    { "isig",   "Enable signal trapping",       setmode, 1, MODE_TRAPSIG },
+    { "+isig",  0,                              setmode, 1, MODE_TRAPSIG },
+    { "-isig",  "Disable signal trapping",      clearmode, 1, MODE_TRAPSIG },
+    { "edit",   "Enable character editing",     setmode, 1, MODE_EDIT },
+    { "+edit",  0,                              setmode, 1, MODE_EDIT },
+    { "-edit",  "Disable character editing",    clearmode, 1, MODE_EDIT },
+    { "softtabs", "Enable tab expansion",       setmode, 1, MODE_SOFT_TAB },
+    { "+softtabs", 0,                           setmode, 1, MODE_SOFT_TAB },
+    { "-softtabs", "Disable character editing", clearmode, 1, MODE_SOFT_TAB },
+    { "litecho", "Enable literal character echo", setmode, 1, MODE_LIT_ECHO },
+    { "+litecho", 0,                            setmode, 1, MODE_LIT_ECHO },
+    { "-litecho", "Disable literal character echo", clearmode, 1, MODE_LIT_ECHO },
+    { "help",   0,                              modehelp, 0, 0 },
+#ifdef  KLUDGELINEMODE
+    { "kludgeline", 0,                          dokludgemode, 1, 0 },
+#endif
+    { "", "", 0, 0, 0 },
+    { "?",      "Print help information",       modehelp, 0, 0 },
+    { 0, 0, 0, 0, 0 },
+};
+
+
+int modehelp(int) {
+    struct modelist *mt;
+
+    printf("format is:  'mode Mode', where 'Mode' is one of:\n\n");
+    for (mt = ModeList; mt->name; mt++) {
+        if (mt->help) {
+            if (*mt->help)
+                printf("%-15s %s\n", mt->name, mt->help);
+            else
+                printf("\n");
+        }
+    }
+    return 0;
+}
+
+#define GETMODECMD(name) (struct modelist *) \
+                genget(name, (char **) ModeList, sizeof(struct modelist))
+
+static int modecmd(const char *arg) {
+    struct modelist *mt;
+
+    mt = GETMODECMD(arg);
+    if (mt == 0) {
+        fprintf(stderr, "Unknown mode '%s' ('mode ?' for help).\n", arg);
+    } 
+    else if (mt == AMBIGUOUS) {
+        fprintf(stderr, "Ambiguous mode '%s' ('mode ?' for help).\n", arg);
+    } 
+    else if (mt->needconnect && !connected) {
+        printf("?Need to be connected first.\n");
+        printf("'mode ?' for help.\n");
+    }
+    else if (mt->handler) {
+        return (*mt->handler)(mt->arg1);
+    }
+    return 0;
+}
+
+/*
+ * The following data structures and routines implement the
+ * "display" command.
+ */
+
+static void dotog(struct togglelist *tl) {
+    if (tl->variable && tl->actionexplanation) {
+        if (*tl->variable) {
+            printf("will");
+        } 
+        else {
+            printf("won't");
+        }
+        printf(" %s.\n", tl->actionexplanation);
+    }
+}
+
+static void doset(struct setlist *sl) {
+    if (sl->name && *sl->name != ' ') {
+        if (sl->handler == 0) {
+            printf("%-15s [%s]\n", sl->name, control(*sl->charp));
+        }
+        else {
+            printf("%-15s \"%s\"\n", sl->name, (char *)sl->charp);
+        }
+    }
+}
+
+static int display(int argc, const char *argv[]) {
+    struct togglelist *tl;
+    struct setlist *sl;
+
+    if (argc == 1) {
+        for (tl = Togglelist; tl->name; tl++) {
+            dotog(tl);
+        }
+        printf("\n");
+        for (sl = Setlist; sl->name; sl++) {
+            doset(sl);
+        }
+    } 
+    else {
+        int i;
+
+        for (i = 1; i < argc; i++) {
+            sl = getset(argv[i]);
+            tl = GETTOGGLE(argv[i]);
+            if (sl == AMBIGUOUS || tl == AMBIGUOUS) {
+                printf("?Ambiguous argument '%s'.\n", argv[i]);
+                return 0;
+            } 
+            else if (!sl && !tl) {
+                printf("?Unknown argument '%s'.\n", argv[i]);
+                return 0;
+            } 
+            else {
+                if (tl) {
+                    dotog(tl);
+                }
+                if (sl) {
+                    doset(sl);
+                }
+            }
+        }
+    }
+    optionstatus();
+    return 1;
+}
+
+/*
+ * The following are the data structures, and many of the routines,
+ * relating to command processing.
+ */
+
+/*
+ * Set the escape character.
+ */
+static int setescape(int argc, const char *argv[]) {
+        const char *arg;
+        char buf[50];
+
+        printf(
+            "Deprecated usage - please use 'set escape%s%s' in the future.\n",
+                                (argc > 2)? " ":"", (argc > 2)? argv[1]: "");
+        if (argc > 2) {
+                arg = argv[1];
+        }
+        else {
+                printf("new escape character: ");
+                (void) fgets(buf, sizeof(buf), stdin);
+                arg = buf;
+        }
+        if (arg[0] != '\0')
+                escapechar = arg[0];
+        if (!In3270) {
+                printf("Escape character is '%s'.\n", control(escapechar));
+        }
+        (void) fflush(stdout);
+        return 1;
+}
+
+static int togcrmod(void) {
+    crmod = !crmod;
+    printf("Deprecated usage - please use 'toggle crmod' in the future.\n");
+    printf("%s map carriage return on output.\n", crmod ? "Will" : "Won't");
+    fflush(stdout);
+    return 1;
+}
+
+int suspend(void) {
+#ifdef  SIGTSTP
+    setcommandmode();
+    {
+        long oldrows, oldcols, newrows, newcols, err;
+
+        err = TerminalWindowSize(&oldrows, &oldcols);
+        (void) kill(0, SIGTSTP);
+        err += TerminalWindowSize(&newrows, &newcols);
+        if (connected && !err &&
+            ((oldrows != newrows) || (oldcols != newcols))) {
+                sendnaws();
+        }
+    }
+    /* reget parameters in case they were changed */
+    TerminalSaveState();
+    setconnmode(0);
+#else
+    printf("Suspend is not supported.  Try the '!' command instead\n");
+#endif
+    return 1;
+}
+
+#if !defined(TN3270)
+int shell(int argc, const char **) {
+    setcommandmode();
+    switch(vfork()) {
+    case -1:
+        perror("Fork failed\n");
+        break;
+
+    case 0:
+        {
+            /*
+             * Fire up the shell in the child.
+             */
+            const char *shellp, *shellname;
+
+            shellp = getenv("SHELL");
+            if (shellp == NULL)
+                shellp = "/bin/sh";
+            if ((shellname = rindex(shellp, '/')) == 0)
+                shellname = shellp;
+            else
+                shellname++;
+            if (argc > 1)
+                execl(shellp, shellname, "-c", &saveline[1], 0);
+            else
+                execl(shellp, shellname, 0);
+            perror("Execl");
+            _exit(1);
+        }
+    default:
+            wait(NULL); /* Wait for the shell to complete */
+    }
+    return 1;
+}
+#endif  /* !defined(TN3270) */
+
+static int dobye(int isfromquit) {
+    extern int resettermname;
+
+    if (connected) {
+        nlink.close(1);
+        printf("Connection closed.\n");
+        connected = 0;
+        resettermname = 1;
+
+        /* reset options */
+        tninit();
+#if     defined(TN3270)
+        SetIn3270();            /* Get out of 3270 mode */
+#endif  /* defined(TN3270) */
+    }
+    if (!isfromquit) {
+        siglongjmp(toplevel, 1);
+        /* NOTREACHED */
+    }
+    return 1;                   /* Keep lint, etc., happy */
+}
+
+static int bye(void) {
+    if (!connected) {
+        printf("Need to be connected first for `bye'.\n");
+        return 0;
+    }
+    return dobye(0);
+}
+
+void quit(void) {
+    dobye(1);
+    Exit(0);
+}
+
+int logout(void) {
+    if (!connected) {
+        printf("Need to be connected first for `logout'.\n");
+        return 0;
+    }
+    send_do(TELOPT_LOGOUT, 1);
+    netflush();
+    return 1;
+}
+
+/*
+ * The ENVIRON command.
+ */
+
+struct envcmd {
+        const char      *name;
+        const char      *help;
+        void    (*handler)(const char *, const char *);
+        int     narg;
+};
+
+static void env_help(const char *, const char *);
+
+typedef void (*envfunc)(const char *, const char *);
+
+struct envcmd EnvList[] = {
+    { "define", "Define an environment variable",
+                                                env_define,     2 },
+    { "undefine", "Undefine an environment variable",
+                                                (envfunc) env_undefine, 1 },
+    { "export", "Mark an environment variable for automatic export",
+                                                (envfunc) env_export,   1 },
+    { "unexport", "Don't mark an environment variable for automatic export",
+                                                (envfunc) env_unexport, 1 },
+    { "send",   "Send an environment variable", (envfunc) env_send,     1 },
+    { "list",   "List the current environment variables",
+                                                (envfunc) env_list,     0 },
+    { "help",   0,                              env_help,               0 },
+    { "?",      "Print help information",       env_help,               0 },
+    { 0, 0, 0, 0 },
+};
+
+static void env_help(const char *, const char *) {
+    struct envcmd *c;
+
+    for (c = EnvList; c->name; c++) {
+        if (c->help) {
+            if (*c->help)
+                printf("%-15s %s\n", c->name, c->help);
+            else
+                printf("\n");
+        }
+    }
+}
+
+static struct envcmd *getenvcmd(const char *name) {
+    return (struct envcmd *)
+                genget(name, (char **) EnvList, sizeof(struct envcmd));
+}
+
+int env_cmd(int argc, const char *argv[]) {
+    struct envcmd *c;
+
+    if (argc < 2) {
+        fprintf(stderr,
+            "Need an argument to 'environ' command.  'environ ?' for help.\n");
+        return 0;
+    }
+    c = getenvcmd(argv[1]);
+    if (c == 0) {
+        fprintf(stderr, "'%s': unknown argument ('environ ?' for help).\n",
+                                argv[1]);
+        return 0;
+    }
+    if (c == AMBIGUOUS) {
+        fprintf(stderr, "'%s': ambiguous argument ('environ ?' for help).\n",
+                                argv[1]);
+        return 0;
+    }
+    if (c->narg + 2 != argc) {
+        fprintf(stderr,
+            "Need %s%d argument%s to 'environ %s' command.  'environ ?' for help.\n",
+                c->narg < argc + 2 ? "only " : "",
+                c->narg, c->narg == 1 ? "" : "s", c->name);
+        return 0;
+    }
+    (*c->handler)(argv[2], argv[3]);
+    return 1;
+}
+
+
+/*
+ * The AUTHENTICATE command.
+ *
+ *    auth status      Display status
+ *    auth disable     Disable an authentication type
+ *    auth enable      Enable an authentication type
+ *
+ * The ENCRYPT command.
+ *
+ *   encrypt enable     Enable encryption
+ *   encrypt disable    Disable encryption
+ *   encrypt type foo   Set encryption type
+ *   encrypt start      Start encryption
+ *   encrypt stop       Stop encryption
+ *   encrypt input      Start encrypting input stream
+ *   encrypt -input     Stop encrypting input stream
+ *   encrypt output     Start encrypting output stream
+ *   encrypt -output    Stop encrypting output stream
+ *   encrypt status     Print status
+ */
+
+
+#ifdef TN3270
+char *oflgs[] = { "read-only", "write-only", "read-write" };
+    
+static void filestuff(int fd) {
+    int res;
+
+#ifdef  F_GETOWN
+    setconnmode(0);
+    res = fcntl(fd, F_GETOWN, 0);
+    setcommandmode();
+
+    if (res == -1) {
+        perror("fcntl");
+        return;
+    }
+    printf("\tOwner is %d.\n", res);
+#endif
+
+    setconnmode(0);
+    res = fcntl(fd, F_GETFL, 0);
+    setcommandmode();
+
+    if (res == -1) {
+        perror("fcntl");
+        return;
+    }
+    printf("\tFlags are 0x%x: %s\n", res, oflgs[res]);
+}
+#endif /* TN3270 */
+
+/*
+ * Print status about the connection.
+ */
+static int dostatus(int notmuch) {
+    if (connected) {
+        printf("Connected to %s.\n", hostname);
+        if (!notmuch) {
+            int mode = getconnmode();
+
+            if (my_want_state_is_will(TELOPT_LINEMODE)) {
+                printf("Operating with LINEMODE option\n");
+                printf("%s line editing\n", (mode&MODE_EDIT) ? "Local" : "No");
+                printf("%s catching of signals\n",
+                                        (mode&MODE_TRAPSIG) ? "Local" : "No");
+                slcstate();
+#ifdef  KLUDGELINEMODE
+            } 
+            else if (kludgelinemode && my_want_state_is_dont(TELOPT_SGA)) {
+                printf("Operating in obsolete linemode\n");
+#endif
+            } 
+            else {
+                printf("Operating in single character mode\n");
+                if (localchars)
+                    printf("Catching signals locally\n");
+            }
+            printf("%s character echo\n", (mode&MODE_ECHO) ? "Local" : "Remote");
+            if (my_want_state_is_will(TELOPT_LFLOW))
+                printf("%s flow control\n", (mode&MODE_FLOW) ? "Local" : "No");
+        }
+    } 
+    else {
+        printf("No connection.\n");
+    }
+#if !defined(TN3270)
+    printf("Escape character is '%s'.\n", control(escapechar));
+    (void) fflush(stdout);
+#else /* !defined(TN3270) */
+    if ((!In3270) && !notmuch) {
+        printf("Escape character is '%s'.\n", control(escape));
+    }
+    if ((argc >= 2) && !strcmp(argv[1], "everything")) {
+        printf("SIGIO received %d time%s.\n",
+                                sigiocount, (sigiocount == 1)? "":"s");
+        if (In3270) {
+            printf("Process ID %d, process group %d.\n",
+                                            getpid(), getpgrp(getpid()));
+            printf("Terminal input:\n");
+            filestuff(tin);
+            printf("Terminal output:\n");
+            filestuff(tout);
+            printf("Network socket:\n");
+            filestuff(net);
+        }
+    }
+    if (In3270 && transcom) {
+       printf("Transparent mode command is '%s'.\n", transcom);
+    }
+    fflush(stdout);
+    if (In3270) {
+        return 0;
+    }
+#endif /* TN3270 */
+    return 1;
+}
+
+static int status(void) {
+    int notmuch = 1;
+    return dostatus(notmuch);
+}
+
+#ifdef  SIGINFO
+/*
+ * Function that gets called when SIGINFO is received.
+ */
+void ayt_status(int) {
+    dostatus(1);
+}
+#endif
+
+int tn(int argc, const char *argv[]) {
+    struct sockaddr_in sn;
+    char *srp = NULL;
+    int srlen;
+    int family = 0;
+    const char *cmd, *volatile user = 0;
+    const char *portp = NULL;
+    char *hostp = NULL;
+    char *resolv_hostp;
+    struct addrinfo hints;
+    struct addrinfo *hostaddr = 0;
+    int res;
+    char name[NI_MAXHOST];
+    char service[NI_MAXSERV];
+    struct addrinfo *tmpaddr;
+
+    /* clear the socket address prior to use */
+    memset(&sn, 0, sizeof(sn));
+
+    if (connected) {
+        printf("?Already connected to %s\n", hostname);
+        return 0;
+    }
+    if (_hostname) {
+        delete[] _hostname;
+        _hostname = 0;
+    }
+    if (argc < 2) {
+        (void) strcpy(line, "open ");
+        printf("(to) ");
+        (void) fgets(&line[strlen(line)], sizeof(line) - strlen(line), stdin);
+        makeargv();
+        argc = margc;
+        argv = margv;
+    }
+    cmd = *argv;
+    --argc; ++argv;
+    while (argc) {
+        /* 
+         * Having "telnet h" print usage is really stupid... 
+         * suppose your hostname is h?
+         */
+        if (/*isprefix(*argv, "help") ||*/ isprefix(*argv, "?"))
+            goto usage;
+        if (strcmp(*argv, "-l") == 0) {
+            --argc; ++argv;
+            if (argc == 0)
+                goto usage;
+            user = *argv++;
+            --argc;
+            continue;
+        }
+        if (strcmp(*argv, "-a") == 0) {
+            --argc; ++argv;
+            autologin = 1;
+            continue;
+        }
+        if (strcmp(*argv, "-6") == 0) {
+            --argc; ++argv;
+#ifdef AF_INET6
+            family = AF_INET6;
+#else
+            puts("IPv6 unsupported");
+#endif
+            continue;
+        }
+        if (strcmp(*argv, "-4") == 0) {
+            --argc; ++argv;
+            family = AF_INET;
+            continue;
+        }
+        if (hostp == 0) {
+            /* this leaks memory - FIXME */
+            hostp = strdup(*argv++);
+            --argc;
+            continue;
+        }
+        if (portp == 0) {
+            portp = *argv++;
+            --argc;
+            continue;
+        }
+    usage:
+        printf("usage: %s [-l user] [-a] host-name [port]\n", cmd);
+        return 0;
+    }
+    if (hostp == 0)
+        goto usage;
+
+#if defined(IP_OPTIONS) && defined(HAS_IPPROTO_IP)
+    resolv_hostp = hostp;
+    if (hostp[0] == '@' || hostp[0] == '!') {
+        if ((hostname = strrchr(hostp, ':')) == NULL)
+            hostname = strrchr(hostp, '@');
+        hostname++;
+        srp = 0;
+        int temp = sourceroute(hostp, &srp, &srlen);
+        if (temp == 0) {
+            herror(srp);
+            return 0;
+        } else if (temp == -1) {
+            printf("Bad source route option: %s\n", hostp);
+            return 0;
+        } else {
+            sn.sin_addr.s_addr = temp;
+            sn.sin_family = AF_INET;
+            /*
+             * For source route we just make sure to get the IP given
+             * on the command line when looking up the port.
+             */
+            resolv_hostp = inet_ntoa(sn.sin_addr);
+        }
+    } 
+#endif
+
+    /* User port or the default name of telnet. */
+    if (portp) {
+        if (*portp == '-') {
+            portp++;
+            telnetport = 1;
+        } else
+            telnetport = 0;
+    }
+    else {
+        portp = "telnet";
+        telnetport = 1;
+    }
+
+    /* We only understand SOCK_STREAM sockets. */
+    memset(&hints, 0, sizeof(hints));
+    hints.ai_socktype = SOCK_STREAM;
+    hints.ai_flags = AI_NUMERICHOST;
+    hints.ai_family = family;
+        
+    /* Resolve both the host and service simultaneously. */
+    res = getaddrinfo(resolv_hostp, portp, &hints, &hostaddr);
+    if (res == EAI_NONAME) {
+        hints.ai_flags = AI_CANONNAME;
+        res = getaddrinfo(resolv_hostp, portp, &hints, &hostaddr);
+    } else if (hostaddr) {
+        hostaddr->ai_canonname = 0;
+    }
+    if (res || !hostaddr) {
+        fprintf(stderr, "telnet: could not resolve %s/%s: %s\n", resolv_hostp, portp, gai_strerror(res));
+        return 0;
+    }
+     
+    /* Try to connect to every listed round robin IP. */
+    tmpaddr = hostaddr;
+    errno = 0;
+    do {
+        int x;
+
+        if (!tmpaddr) {
+            if (errno)
+                perror("telnet: Unable to connect to remote host");
+            else
+                fputs("telnet: Unable to connect to remote host: "
+                      "Bad port number\n", stderr);
+err:
+            freeaddrinfo(hostaddr);
+            return 0;
+        }
+
+        if (tmpaddr->ai_family == AF_UNIX) {
+nextaddr:
+            tmpaddr = tmpaddr->ai_next;
+            continue;
+        }
+
+        getnameinfo(tmpaddr->ai_addr, tmpaddr->ai_addrlen,
+                    name, sizeof(name), service, sizeof(service),
+                    NI_NUMERICHOST | NI_NUMERICSERV);
+
+        printf("Trying %s...\n", name);
+        x = nlink.connect(debug, tmpaddr, srp, srlen, tos);
+        if (!x)
+            goto err;
+        else if (x==1)
+            goto nextaddr;
+
+        connected++;
+    } while (connected == 0);
+    if (hostaddr->ai_canonname == 0) {
+        hostname = new char[strlen(hostp)+1];
+        strcpy(hostname, hostp);
+    }
+    else {
+        hostname = new char[strlen(hostaddr->ai_canonname)+1];
+        strcpy(hostname, hostaddr->ai_canonname);
+    }
+
+    cmdrc(hostp, hostname);
+    freeaddrinfo(hostaddr);
+    if (autologin && user == NULL) {
+        struct passwd *pw;
+
+        user = getenv("USER");
+        if (user == NULL ||
+            ((pw = getpwnam(user))!=NULL && pw->pw_uid != getuid())) {
+                if ((pw = getpwuid(getuid()))!=NULL)
+                        user = pw->pw_name;
+                else
+                        user = NULL;
+        }
+    }
+    if (user) {
+        env_define("USER", user);
+        env_export("USER");
+    }
+    dostatus(1);
+    if (sigsetjmp(peerdied, 1) == 0)
+        telnet(user);
+    nlink.close(0);
+    ExitString("Connection closed by foreign host.\n",1);
+    /*NOTREACHED*/
+    return 0;
+}
+
+static char
+        openhelp[] =    "connect to a site",
+        closehelp[] =   "close current connection",
+        logouthelp[] =  "forcibly logout remote user and close the connection",
+        quithelp[] =    "exit telnet",
+        statushelp[] =  "print status information",
+        sendhelp[] =    "transmit special characters ('send ?' for more)",
+        sethelp[] =     "set operating parameters ('set ?' for more)",
+        unsethelp[] =   "unset operating parameters ('unset ?' for more)",
+        togglestring[] ="toggle operating parameters ('toggle ?' for more)",
+        displayhelp[] = "display operating parameters",
+#ifdef TN3270
+        transcomhelp[] = "specify Unix command for transparent mode pipe",
+#endif /* TN3270 */
+        zhelp[] =       "suspend telnet",
+/*      shellhelp[] =   "invoke a subshell", */
+        envhelp[] =     "change environment variables ('environ ?' for more)",
+        modestring[] = "try to enter line or character mode ('mode ?' for more)";
+
+static char     crmodhelp[] =   "deprecated command -- use 'toggle crmod' instead";
+static char     escapehelp[] =  "deprecated command -- use 'set escape' instead";
+
+static int help(command_table *, int, const char **);
+
+static int doquit(void) {
+    quit();
+    return 0;
+}
+
+static int slc_mode_import_0(void) {
+    slc_mode_import(0);
+    return 1;
+}
+
+static int slc_mode_import_1(void) {
+    slc_mode_import(1);
+    return 1;
+}
+
+static int do_slc_mode_export(void) {
+    slc_mode_export();
+    return 1;
+}
+
+static ptrarray<command_entry> cmdtab;
+static ptrarray<command_entry> cmdtab2;
+static ptrarray<command_entry> slctab;
+
+#define BIND(a,b,c) cmdtab.add(new command_entry(a,b,c))
+#define BIND2(a,b,c) cmdtab2.add(new command_entry(a,b,c))
+#define BINDS(a,b,c) slctab.add(new command_entry(a,b,c))
+
+
+void cmdtab_init(void) {
+    BIND("close",   closehelp,    bye);
+    BIND("logout",  logouthelp,   logout);
+    BIND("display", displayhelp,  display);
+    BIND("mode",    modestring,   modecmd);
+    BIND("open",    openhelp,     tn);
+    BIND("quit",    quithelp,     doquit);
+    BIND("send",    sendhelp,     sendcmd);
+    BIND("set",     sethelp,      setcmd);
+    BIND("unset",   unsethelp,    unsetcmd);
+    BIND("status",  statushelp,   status);
+    BIND("toggle",  togglestring, toggle);
+    BIND("slc", "set treatment of special characters\n", &slctab);
+
+#ifdef TN3270
+    BIND("transcom", transcomhelp, settranscom);
+#endif /* TN3270 */
+
+    // BIND("auth", authhelp, auth_cmd);
+    // BIND("encrypt", encrypthelp, encrypt_cmd);
+
+    BIND("z", zhelp, suspend);
+
+#if defined(TN3270)   /* why?! */
+    BIND("!", shellhelp, shell);
+#endif
+
+    BIND("environ", envhelp, env_cmd);
+
+    BINDS("export", "Use local special character definitions",
+         do_slc_mode_export);
+    BINDS("import", "Use remote special character definitions",
+         slc_mode_import_1);
+    BINDS("check", "Verify remote special character definitions",
+         slc_mode_import_0);
+
+    BIND2("escape", escapehelp, setescape);
+    BIND2("crmod", crmodhelp, togcrmod);
+}
+
+
+static command_entry *getcmd(command_table *tab, const char *name) {
+    if (!strcasecmp(name, "?") || 
+        !strcasecmp(name, "h") ||
+        !strcasecmp(name, "help")) return (command_entry *)HELP;
+
+    command_entry *found = NULL;
+
+    for (int i=0; i<tab->num(); i++) {
+        command_entry *c = (*tab)[i];
+        if (!strcasecmp(c->getname(), name)) return c;
+        if (!strncasecmp(c->getname(), name, strlen(name))) {
+            if (found) return (command_entry *)AMBIGUOUS;
+            found = c;
+        }
+    }
+    if (tab==&cmdtab && !found) return getcmd(&cmdtab2, name);
+
+    return found;
+}
+
+static int process_command(command_table *tab, int argc, const char **argv) {
+    command_entry *c;
+    c = getcmd(tab, argv[0]);
+    if (c == HELP) {
+        help(tab, argc, argv);
+    }
+    else if (c == AMBIGUOUS) {
+        printf("?Ambiguous command\n");
+    }
+    else if (c == NULL) {
+        printf("?Invalid command\n");
+    }
+    else {
+        if (c->call(argc, argv)) return 1;
+    }
+    return 0;
+}
+
+void command(int top, const char *tbuf, int cnt) {
+
+    setcommandmode();
+    if (!top) {
+        putchar('\n');
+    } 
+    else {
+        signal(SIGINT, SIG_DFL);
+        signal(SIGQUIT, SIG_DFL);
+    }
+    for (;;) {
+        if (rlogin == _POSIX_VDISABLE)
+                printf("%s> ", prompt);
+        if (tbuf) {
+            char *cp = line;
+            while (cnt > 0 && (*cp++ = *tbuf++) != '\n')
+                cnt--;
+            tbuf = 0;
+            if (cp == line || *--cp != '\n' || cp == line)
+                goto getline;
+            *cp = '\0';
+            if (rlogin == _POSIX_VDISABLE)
+                printf("%s\n", line);
+        } 
+        else {
+         getline:
+            if (rlogin != _POSIX_VDISABLE)
+                printf("%s> ", prompt);
+            if (fgets(line, sizeof(line), stdin) == NULL) {
+                if (feof(stdin) || ferror(stdin)) {
+                    quit();
+                    /*NOTREACHED*/
+                }
+                break;
+            }
+        }
+        if (line[0] == 0)
+            break;
+        makeargv();
+        if (margv[0] == 0) {
+            break;
+        }
+        if (process_command(&cmdtab, margc, margv)) break;
+    }
+    if (!top) {
+        if (!connected) {
+            siglongjmp(toplevel, 1);
+            /*NOTREACHED*/
+        }
+#if     defined(TN3270)
+        if (shell_active == 0) {
+            setconnmode(0);
+        }
+#else   /* defined(TN3270) */
+        setconnmode(0);
+#endif  /* defined(TN3270) */
+    }
+}
+
+/*
+ * Help command.
+ */
+static int help(command_table *tab, int argc, const char *argv[]) {
+    int i;
+    
+    if (argc == 1) {
+        printf("Commands may be abbreviated.  Commands are:\n\n");
+        for (i = 0; i<tab->num(); i++) (*tab)[i]->describe();
+        return 0;
+    }
+    for (i=1; i<argc; i++) {
+        command_entry *c = getcmd(tab, argv[i]);
+        if (c == HELP) {
+            printf("Print help information\n");
+        }
+        else if (c == AMBIGUOUS) {
+            printf("?Ambiguous help command %s\n", argv[i]);
+        }
+        else if (c == NULL) {
+            printf("?Invalid help command %s\n", argv[i]);
+        }
+        else {
+            c->gethelp();
+        }
+    }
+    return 0;
+}
+
+static void readrc(const char *m1, const char *m2, const char *rcname) {
+    FILE *rcfile;
+    int gotmachine = 0;
+    int l1 = strlen(m1);
+    int l2 = strlen(m2);
+    char m1save[strlen(m1) + 1];
+
+    strcpy(m1save, m1);
+    m1 = m1save;
+
+    rcfile = fopen(rcname, "r");
+    if (!rcfile) return;
+
+    while (fgets(line, sizeof(line), rcfile)) {
+        if (line[0] == 0)
+            break;
+        if (line[0] == '#')
+            continue;
+        if (gotmachine) {
+            if (!isspace(line[0]))
+                gotmachine = 0;
+        }
+        if (gotmachine == 0) {
+            if (isspace(line[0]))
+                continue;
+            if (strncasecmp(line, m1, l1) == 0)
+                strncpy(line, &line[l1], sizeof(line) - l1);
+            else if (strncasecmp(line, m2, l2) == 0)
+                strncpy(line, &line[l2], sizeof(line) - l2);
+            else if (strncasecmp(line, "DEFAULT", 7) == 0)
+                strncpy(line, &line[7], sizeof(line) - 7);
+            else
+                continue;
+            if (line[0] != ' ' && line[0] != '\t' && line[0] != '\n')
+                continue;
+            gotmachine = 1;
+        }
+        makeargv();
+        if (margv[0] == 0)
+            continue;
+        process_command(&cmdtab, margc, margv);
+    }
+    fclose(rcfile);
+}
+
+void cmdrc(const char *m1, const char *m2) {
+    static char *rcname = 0;
+    static char rcbuf[128];
+
+    if (skiprc) return;
+
+    readrc(m1, m2, "/etc/telnetrc");
+    if (rcname == 0) {
+        rcname = getenv("HOME");
+        if (rcname)
+            strcpy(rcbuf, rcname);
+        else
+            rcbuf[0] = '\0';
+        strcat(rcbuf, "/.telnetrc");
+        rcname = rcbuf;
+    }
+    readrc(m1, m2, rcname);
+}
+
+#if defined(IP_OPTIONS) && defined(HAS_IPPROTO_IP)
+
+/*
+ * Source route is handed in as
+ *      [!]@hop1@hop2...[@|:]dst
+ * If the leading ! is present, it is a
+ * strict source route, otherwise it is
+ * assmed to be a loose source route.
+ *
+ * We fill in the source route option as
+ *      hop1,hop2,hop3...dest
+ * and return a pointer to hop1, which will
+ * be the address to connect() to.
+ *
+ * Arguments:
+ *      arg:    pointer to route list to decipher
+ *
+ *      cpp:    If *cpp is not equal to NULL, this is a
+ *              pointer to a pointer to a character array
+ *              that should be filled in with the option.
+ *
+ *      lenp:   pointer to an integer that contains the
+ *              length of *cpp if *cpp != NULL.
+ *
+ * Return values:
+ *
+ *      Returns the address of the host to connect to.  If the
+ *      return value is -1, there was a syntax error in the
+ *      option, either unknown characters, or too many hosts.
+ *      If the return value is 0, one of the hostnames in the
+ *      path is unknown, and *cpp is set to point to the bad
+ *      hostname.
+ *
+ *      *cpp:   If *cpp was equal to NULL, it will be filled
+ *              in with a pointer to our static area that has
+ *              the option filled in.  This will be 32bit aligned.
+ * 
+ *      *lenp:  This will be filled in with how long the option
+ *              pointed to by *cpp is.
+ *      
+ */
+static unsigned long sourceroute(char *arg, char **cpp, int *lenp) {
+        static char lsr[44];
+        char *cp, *cp2, *lsrp, *lsrep;
+        struct in_addr sin_addr;
+        register struct hostent *host = 0;
+        register char c;
+
+        /*
+         * Verify the arguments, and make sure we have
+         * at least 7 bytes for the option.
+         */
+        if (cpp == NULL || lenp == NULL)
+                return((unsigned long)-1);
+        if (*cpp != NULL && *lenp < 7)
+                return((unsigned long)-1);
+        /*
+         * Decide whether we have a buffer passed to us,
+         * or if we need to use our own static buffer.
+         */
+        if (*cpp) {
+                lsrp = *cpp;
+                lsrep = lsrp + *lenp;
+        } 
+        else {
+                *cpp = lsrp = lsr;
+                lsrep = lsrp + 44;
+        }
+
+        cp = arg;
+
+        /*
+         * Next, decide whether we have a loose source
+         * route or a strict source route, and fill in
+         * the begining of the option.
+         */
+        if (*cp == '!') {
+                cp++;
+                *lsrp++ = IPOPT_SSRR;
+        } 
+        else *lsrp++ = IPOPT_LSRR;
+
+        if (*cp != '@')
+                return((unsigned long)-1);
+
+        lsrp++;         /* skip over length, we'll fill it in later */
+        *lsrp++ = 4;
+
+        cp++;
+
+        sin_addr.s_addr = 0;
+
+        for (c = 0;;) {
+                if (c == ':')
+                        cp2 = 0;
+                else for (cp2 = cp; (c = *cp2) != 0; cp2++) {
+                        if (c == ',') {
+                                *cp2++ = '\0';
+                                if (*cp2 == '@')
+                                        cp2++;
+                        } else if (c == '@') {
+                                *cp2++ = '\0';
+                        } else if (c == ':') {
+                                *cp2++ = '\0';
+                        } else
+                                continue;
+                        break;
+                }
+                if (!c)
+                        cp2 = 0;
+
+                if (inet_aton(cp, &sin_addr)) ;  /* nothing */
+                else if ((host = gethostbyname(cp))!=NULL) {
+                    if (host->h_length > (int)sizeof(sin_addr)) {
+                        host->h_length = sizeof(sin_addr);
+                    }
+#if defined(h_addr)
+                    memcpy(&sin_addr, host->h_addr_list[0], host->h_length);
+#else
+                    memcpy(&sin_addr, host->h_addr, host->h_length);
+#endif
+                } else {
+                        *cpp = cp;
+                        return(0);
+                }
+                memcpy(lsrp, (char *)&sin_addr, 4);
+                lsrp += 4;
+                if (cp2)
+                        cp = cp2;
+                else
+                        break;
+                /*
+                 * Check to make sure there is space for next address
+                 */
+                if (lsrp + 4 > lsrep)
+                        return((unsigned long)-1);
+        }
+        if ((*(*cpp+IPOPT_OLEN) = lsrp - *cpp) <= 7) {
+                *cpp = 0;
+                *lenp = 0;
+                return((unsigned long)-1);
+        }
+        *lsrp++ = IPOPT_NOP; /* 32 bit word align it */
+        *lenp = lsrp - *cpp;
+        return(sin_addr.s_addr);
+}
+#endif
diff --git a/exploits/7350855-netkit/netkit-telnet-0.17/telnet/defines.h b/exploits/7350855-netkit/netkit-telnet-0.17/telnet/defines.h
new file mode 100644
index 0000000..2784400
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.17/telnet/defines.h
@@ -0,0 +1,52 @@
+/*
+ * Copyright (c) 1988 Regents of the University of California.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *      This product includes software developed by the University of
+ *      California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *      from: @(#)defines.h     5.1 (Berkeley) 9/14/90
+ *      $Id: defines.h,v 1.5 1996/08/04 23:44:43 dholland Exp $
+ */
+
+#define ENV_VAR NEW_ENV_VAR
+#define ENV_VALUE NEW_ENV_VALUE
+#define TELOPT_ENVIRON TELOPT_NEW_ENVIRON
+
+#define settimer(x)     clocks.x = clocks.system++
+
+#if !defined(TN3270)
+#define SetIn3270()
+#endif
+
+/* Various modes */
+#define MODE_LOCAL_CHARS(m)     ((m)&(MODE_EDIT|MODE_TRAPSIG))
+#define MODE_LOCAL_ECHO(m)      ((m)&MODE_ECHO)
+#define MODE_COMMAND_LINE(m)    ((m)==-1)
+
+#define CONTROL(x)      ((x)&0x1f)              /* CTRL(x) is not portable */
diff --git a/exploits/7350855-netkit/netkit-telnet-0.17/telnet/depend.mk b/exploits/7350855-netkit/netkit-telnet-0.17/telnet/depend.mk
new file mode 100644
index 0000000..fe6eaa0
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.17/telnet/depend.mk
@@ -0,0 +1,17 @@
+commands.o: commands.cc ring.h externs.h defines.h types.h genget.h \
+ environ.h proto.h ptrarray.h netlink.h
+main.o: main.cc ../version.h ring.h externs.h defines.h proto.h
+network.o: network.cc ring.h defines.h externs.h proto.h netlink.h
+ring.o: ring.cc ring.h
+sys_bsd.o: sys_bsd.cc ring.h defines.h externs.h types.h proto.h \
+ netlink.h terminal.h
+telnet.o: telnet.cc ring.h defines.h externs.h types.h environ.h \
+ proto.h ptrarray.h netlink.h terminal.h
+terminal.o: terminal.cc ring.h defines.h externs.h types.h proto.h \
+ terminal.h
+tn3270.o: tn3270.cc defines.h ring.h externs.h proto.h
+utilities.o: utilities.cc ring.h defines.h externs.h proto.h \
+ terminal.h
+genget.o: genget.cc genget.h
+environ.o: environ.cc ring.h defines.h externs.h environ.h array.h
+netlink.o: netlink.cc netlink.h proto.h ring.h
diff --git a/exploits/7350855-netkit/netkit-telnet-0.17/telnet/environ.cc b/exploits/7350855-netkit/netkit-telnet-0.17/telnet/environ.cc
new file mode 100644
index 0000000..62d45fe
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.17/telnet/environ.cc
@@ -0,0 +1,201 @@
+#include <unistd.h>
+#include <stdlib.h>
+#include <string.h>
+#include <netdb.h>
+#include <arpa/telnet.h>
+#include "ring.h"
+#include "defines.h"
+#include "externs.h"
+#include "environ.h"
+#include "array.h"
+
+class enviro {
+ protected:
+    char *var;          /* pointer to variable name */
+    char *value;        /* pointer to variable's value */
+    int doexport;       /* 1 -> export with default list of variables */
+
+    void clean() { if (var) delete []var; if (value) delete []value; }
+ public:
+    enviro() { var = value = NULL; doexport = 0; }
+    ~enviro() { clean(); }
+
+    const char *getname() const { return var; }
+    const char *getval() const { return value; }
+
+    void define(const char *vr, const char *vl) {
+        clean();
+        var = strcpy(new char[strlen(vr)+1], vr);
+        value = strcpy(new char[strlen(vl)+1], vl);
+    }
+
+    void clear() { clean(); var = value = NULL; }
+
+    void setexport(int ex) { doexport = ex; }
+    int getexport() const { return doexport; }
+};
+
+static array<enviro> vars;
+
+static enviro *env_find(const char *var) {
+    for (int i=0; i<vars.num(); i++) if (vars[i].getname()) {
+        if (!strcmp(vars[i].getname(), var))
+            return &vars[i];
+    }
+    return NULL;
+}
+
+static void env_put(const char *var, const char *val, int exp) {
+    enviro *ep = env_find(var);
+    if (!ep) {
+        int x = vars.num();
+        vars.setsize(x+1);
+        ep = &vars[x];
+    }   
+    ep->define(var, val);
+    ep->setexport(exp);
+}
+
+static void env_copy(void) {
+    extern char **environ;
+
+    char *s;
+    int i;
+    
+    for (i=0; environ[i]; i++) {
+        s = strchr(environ[i], '=');
+        if (s) {
+            *s=0;
+            env_put(environ[i], s+1, 0);
+            *s='=';
+        }
+    }
+}
+
+/*
+ * Special case for DISPLAY variable.  If it is ":0.0" or
+ * "unix:0.0", we have to get rid of "unix" and insert our
+ * hostname.
+ */
+static void env_fix_display(void) {
+    enviro *ep = env_find("DISPLAY");
+    if (!ep) return;
+    ep->setexport(1);
+
+    if (strncmp(ep->getval(), ":", 1) && strncmp(ep->getval(), "unix:", 5)) {
+        return;
+    }
+    char hbuf[256];
+    const char *cp2 = strrchr(ep->getval(), ':');
+    int maxlen = sizeof(hbuf)-strlen(cp2)-1;
+    gethostname(hbuf, maxlen);
+    hbuf[maxlen] = 0;  /* ensure null termination */
+
+    /*
+     * dholland 7/30/96 if not a FQDN ask DNS
+     */
+    if (!strchr(hbuf, '.')) {
+        struct hostent *h = gethostbyname(hbuf);
+        if (h) {
+            strncpy(hbuf, h->h_name, maxlen);
+            hbuf[maxlen] = 0; /* ensure null termination */
+        }
+    }
+
+    strcat(hbuf, cp2);
+
+    ep->define("DISPLAY", hbuf);
+}
+
+/*********************************************** interface ***********/
+
+void env_init(void) {
+    env_copy();
+    env_fix_display();
+
+    /*
+     * If USER is not defined, but LOGNAME is, then add
+     * USER with the value from LOGNAME.  By default, we
+     * don't export the USER variable.
+     */
+    if (!env_find("USER")) {
+        enviro *ep = env_find("LOGNAME");
+        if (ep) env_put("USER", ep->getval(), 0);
+    }
+
+    enviro *ep = env_find("PRINTER");
+    if (ep) ep->setexport(1);
+}
+
+void env_define(const char *var, const char *value) {
+    env_put(var, value, 1);
+}
+
+void env_undefine(const char *var) {
+    enviro *ep = env_find(var);
+    if (ep) {
+        /*
+         * We don't make any effort to reuse cleared environment spaces.
+         * It's highly unlikely to be worth the trouble.
+         */
+        ep->clear();
+    }
+}
+
+void env_export(const char *var) {
+    enviro *ep = env_find(var);
+    if (ep) ep->setexport(1);
+}
+
+void env_unexport(const char *var) {
+    enviro *ep = env_find(var);
+    if (ep) ep->setexport(0);
+}
+
+void env_send(const char *var) {
+    if (my_state_is_wont(TELOPT_ENVIRON)) {
+        fprintf(stderr, "Cannot send '%s': Telnet ENVIRON option disabled\n",
+                var);
+        return;
+    }
+
+    enviro *ep = env_find(var);
+    if (!ep) {
+        fprintf(stderr, "Cannot send '%s': variable not defined\n", var);
+        return;
+    }
+    env_opt_start_info();
+    env_opt_add(ep->getname());
+    env_opt_end(0);
+}
+
+void env_list(void) {
+    for (int i=0; i<vars.num(); i++) if (vars[i].getname()) {
+        printf("%c %-20s %s\n", vars[i].getexport() ? '*' : ' ',
+               vars[i].getname(), vars[i].getval());
+    }
+}
+
+void env_iterate(int *iter, int /*exported_only*/) {
+    *iter = 0;
+}
+
+const char *env_next(int *iter, int exported_only) {
+    while (*iter>=0 && *iter<vars.num()) {
+        int k = (*iter)++;
+
+        if (!vars[k].getname()) continue; // deleted variable
+
+        if (vars[k].getexport() || !exported_only) {
+            return vars[k].getname();
+        }
+    }
+    return NULL;
+}
+
+const char *env_getvalue(const char *var, int exported_only) {
+    enviro *ep = env_find(var);
+    if (ep && (!exported_only || ep->getexport()))
+        return ep->getval();
+    return NULL;
+}
diff --git a/exploits/7350855-netkit/netkit-telnet-0.17/telnet/environ.h b/exploits/7350855-netkit/netkit-telnet-0.17/telnet/environ.h
new file mode 100644
index 0000000..81ad751
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.17/telnet/environ.h
@@ -0,0 +1,10 @@
+void env_define(const char *var, const char *val);
+void env_undefine(const char *var);
+void env_export(const char *var);
+void env_unexport(const char *);
+void env_send(const char *);
+void env_list(void);
+const char *env_getvalue(const char *, int exported_only);
+
+void env_iterate(int *, int exported_only);
+const char *env_next(int *, int exported_only);
diff --git a/exploits/7350855-netkit/netkit-telnet-0.17/telnet/externs.h b/exploits/7350855-netkit/netkit-telnet-0.17/telnet/externs.h
new file mode 100644
index 0000000..955df79
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.17/telnet/externs.h
@@ -0,0 +1,365 @@
+/*
+ * Copyright (c) 1988, 1990 Regents of the University of California.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *      This product includes software developed by the University of
+ *      California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *      from: @(#)externs.h     5.3 (Berkeley) 3/22/91
+ *      $Id: externs.h,v 1.20 1999/08/19 09:34:15 dholland Exp $
+ */
+
+#ifndef BSD
+#define BSD 43
+#endif
+
+#include <stdio.h>
+#include <setjmp.h>
+#include <sys/ioctl.h>
+#include <features.h>
+#include <termios.h>
+
+#if defined(NO_CC_T)
+typedef unsigned char cc_t;
+#endif
+
+#ifdef __linux__
+#include <unistd.h>   /* get _POSIX_VDISABLE */
+#endif
+
+#ifndef _POSIX_VDISABLE
+#error "Please fix externs.h to define _POSIX_VDISABLE"
+#endif
+
+#define SUBBUFSIZE      256
+
+extern int autologin;           /* Autologin enabled */
+extern int skiprc;              /* Don't process the ~/.telnetrc file */
+extern int eight;               /* use eight bit mode (binary in and/or out */
+extern int flushout;            /* flush output */
+extern int connected;           /* Are we connected to the other side? */
+extern int globalmode;          /* Mode tty should be in */
+extern int In3270;                      /* Are we in 3270 mode? */
+extern int telnetport;          /* Are we connected to the telnet port? */
+extern int localflow;           /* Flow control handled locally */
+extern int localchars;          /* we recognize interrupt/quit */
+extern int donelclchars;                /* the user has set "localchars" */
+extern int showoptions;
+
+extern int crlf;        /* Should '\r' be mapped to <CR><LF> (or <CR><NUL>)? */
+extern int autoflush;           /* flush output when interrupting? */
+extern int autosynch;           /* send interrupt characters with SYNCH? */
+extern int SYNCHing;            /* Is the stream in telnet SYNCH mode? */
+extern int donebinarytoggle;    /* the user has put us in binary */
+extern int dontlecho;           /* do we suppress local echoing right now? */
+extern int crmod;
+//extern int netdata;           /* Print out network data flow */
+//extern int prettydump;        /* Print "netdata" output in user readable format */
+extern int debug;                       /* Debug level */
+
+#ifdef TN3270
+extern int cursesdata;          /* Print out curses data flow */
+#endif /* unix and TN3270 */
+
+extern cc_t escapechar;  /* Escape to command mode */
+extern cc_t rlogin;      /* Rlogin mode escape character */
+#ifdef  KLUDGELINEMODE
+extern cc_t echoc;      /* Toggle local echoing */
+#endif
+
+extern char *prompt;            /* Prompt for command. */
+
+extern char doopt[];
+extern char dont[];
+extern char will[];
+extern char wont[];
+extern char options[];          /* All the little options */
+extern char *hostname;          /* Who are we connected to? */
+
+/*
+ * We keep track of each side of the option negotiation.
+ */
+
+#define MY_STATE_WILL           0x01
+#define MY_WANT_STATE_WILL      0x02
+#define MY_STATE_DO             0x04
+#define MY_WANT_STATE_DO        0x08
+
+/*
+ * Macros to check the current state of things
+ */
+
+#define my_state_is_do(opt)             (options[opt]&MY_STATE_DO)
+#define my_state_is_will(opt)           (options[opt]&MY_STATE_WILL)
+#define my_want_state_is_do(opt)        (options[opt]&MY_WANT_STATE_DO)
+#define my_want_state_is_will(opt)      (options[opt]&MY_WANT_STATE_WILL)
+
+#define my_state_is_dont(opt)           (!my_state_is_do(opt))
+#define my_state_is_wont(opt)           (!my_state_is_will(opt))
+#define my_want_state_is_dont(opt)      (!my_want_state_is_do(opt))
+#define my_want_state_is_wont(opt)      (!my_want_state_is_will(opt))
+
+#define set_my_state_do(opt)            {options[opt] |= MY_STATE_DO;}
+#define set_my_state_will(opt)          {options[opt] |= MY_STATE_WILL;}
+#define set_my_want_state_do(opt)       {options[opt] |= MY_WANT_STATE_DO;}
+#define set_my_want_state_will(opt)     {options[opt] |= MY_WANT_STATE_WILL;}
+
+#define set_my_state_dont(opt)          {options[opt] &= ~MY_STATE_DO;}
+#define set_my_state_wont(opt)          {options[opt] &= ~MY_STATE_WILL;}
+#define set_my_want_state_dont(opt)     {options[opt] &= ~MY_WANT_STATE_DO;}
+#define set_my_want_state_wont(opt)     {options[opt] &= ~MY_WANT_STATE_WILL;}
+
+/*
+ * Make everything symmetric
+ */
+
+#define HIS_STATE_WILL                  MY_STATE_DO
+#define HIS_WANT_STATE_WILL             MY_WANT_STATE_DO
+#define HIS_STATE_DO                    MY_STATE_WILL
+#define HIS_WANT_STATE_DO               MY_WANT_STATE_WILL
+
+#define his_state_is_do                 my_state_is_will
+#define his_state_is_will               my_state_is_do
+#define his_want_state_is_do            my_want_state_is_will
+#define his_want_state_is_will          my_want_state_is_do
+
+#define his_state_is_dont               my_state_is_wont
+#define his_state_is_wont               my_state_is_dont
+#define his_want_state_is_dont          my_want_state_is_wont
+#define his_want_state_is_wont          my_want_state_is_dont
+
+#define set_his_state_do                set_my_state_will
+#define set_his_state_will              set_my_state_do
+#define set_his_want_state_do           set_my_want_state_will
+#define set_his_want_state_will         set_my_want_state_do
+
+#define set_his_state_dont              set_my_state_wont
+#define set_his_state_wont              set_my_state_dont
+#define set_his_want_state_dont         set_my_want_state_wont
+#define set_his_want_state_wont         set_my_want_state_dont
+
+
+extern FILE *NetTrace;          /* Where debugging output goes */
+extern char NetTraceFile[];     /* Name of file where debugging output goes */
+
+void SetNetTrace(const char *); /* Function to change where debugging goes */
+
+extern sigjmp_buf peerdied;
+extern sigjmp_buf toplevel;             /* For error conditions. */
+
+void command(int, const char *, int);
+void Dump (int, char *, int);
+void init_3270 (void);
+void printoption(const char *, int, int);
+void printsub (int, unsigned char *, int);
+void sendnaws (void);
+void setconnmode(int);
+void setcommandmode (void);
+void setneturg (void);
+void sys_telnet_init (void);
+void telnet(const char *);
+void tel_enter_binary(int);
+void TerminalFlushOutput(void);
+void TerminalNewMode(int);
+void TerminalRestoreState(void);
+void TerminalSaveState(void);
+void tninit(void);
+void upcase(char *);
+void willoption(int);
+void wontoption(int);
+
+void lm_will(unsigned char *, int);
+void lm_wont(unsigned char *, int);
+void lm_do(unsigned char *, int);
+void lm_dont(unsigned char *, int);
+void lm_mode(unsigned char *, int, int);
+
+void slc_init(void);
+void slcstate(void);
+void slc_mode_export(void);
+void slc_mode_import(int);
+void slc_import(int);
+void slc_export(void);
+void slc(unsigned char *, int);
+void slc_check(void);
+void slc_start_reply(void);
+void slc_add_reply(int, int, int);
+void slc_end_reply(void);
+int slc_update(void);
+
+void env_opt(unsigned char *, int);
+void env_opt_start(void);
+void env_opt_start_info(void);
+void env_opt_add(const char *);
+void env_opt_end(int);
+
+int get_status(const char *, const char *);
+int dosynch(void);
+
+cc_t *tcval(int);
+
+//#if 0
+extern struct termios new_tc;
+
+#define termEofChar             new_tc.c_cc[VEOF]
+#define termEraseChar           new_tc.c_cc[VERASE]
+#define termIntChar             new_tc.c_cc[VINTR]
+#define termKillChar            new_tc.c_cc[VKILL]
+#define termQuitChar            new_tc.c_cc[VQUIT]
+
+#ifndef VSUSP
+extern cc_t termSuspChar;
+#else
+#define termSuspChar            new_tc.c_cc[VSUSP]
+#endif
+
+#if defined(VFLUSHO) && !defined(VDISCARD)
+#define VDISCARD VFLUSHO
+#endif
+#ifndef VDISCARD
+extern cc_t termFlushChar;
+#else
+#define termFlushChar           new_tc.c_cc[VDISCARD]
+#endif
+
+#ifndef VWERASE
+extern cc_t termWerasChar;
+#else
+#define termWerasChar           new_tc.c_cc[VWERASE]
+#endif
+
+#ifndef VREPRINT
+extern cc_t termRprntChar;
+#else
+#define termRprntChar           new_tc.c_cc[VREPRINT]
+#endif
+
+#ifndef VLNEXT
+extern cc_t termLiteralNextChar;
+#else
+#define termLiteralNextChar     new_tc.c_cc[VLNEXT]
+#endif
+
+#ifndef VSTART
+extern cc_t termStartChar;
+#else
+#define termStartChar           new_tc.c_cc[VSTART]
+#endif
+
+#ifndef VSTOP
+extern cc_t termStopChar;
+#else
+#define termStopChar            new_tc.c_cc[VSTOP]
+#endif
+
+#ifndef VEOL
+extern cc_t termForw1Char;
+#else
+#define termForw1Char           new_tc.c_cc[VEOL]
+#endif
+
+#ifndef VEOL2
+extern cc_t termForw2Char;
+#else
+#define termForw2Char           new_tc.c_cc[VEOL]
+#endif
+
+#ifndef VSTATUS
+extern cc_t termAytChar;
+#else
+#define termAytChar             new_tc.c_cc[VSTATUS]
+#endif
+
+//#endif /* 0 */
+
+//#if 0
+#if !defined(CRAY) || defined(__STDC__)
+#define termEofCharp    &termEofChar
+#define termEraseCharp  &termEraseChar
+#define termIntCharp    &termIntChar
+#define termKillCharp   &termKillChar
+#define termQuitCharp   &termQuitChar
+#define termSuspCharp   &termSuspChar
+#define termFlushCharp  &termFlushChar
+#define termWerasCharp  &termWerasChar
+#define termRprntCharp  &termRprntChar
+#define termLiteralNextCharp    &termLiteralNextChar
+#define termStartCharp  &termStartChar
+#define termStopCharp   &termStopChar
+#define termForw1Charp  &termForw1Char
+#define termForw2Charp  &termForw2Char
+#define termAytCharp    &termAytChar
+#else
+        /* Work around a compiler bug */
+#define termEofCharp            0
+#define termEraseCharp          0
+#define termIntCharp            0
+#define termKillCharp           0
+#define termQuitCharp           0
+#define termSuspCharp           0
+#define termFlushCharp          0
+#define termWerasCharp          0
+#define termRprntCharp          0
+#define termLiteralNextCharp    0
+#define termStartCharp          0
+#define termStopCharp           0
+#define termForw1Charp          0
+#define termForw2Charp          0
+#define termAytCharp            0
+#endif
+
+//#endif /* 0 */
+
+
+/* Ring buffer structures which are shared */
+
+extern ringbuf netoring;
+extern ringbuf netiring;
+extern ringbuf ttyoring;
+extern ringbuf ttyiring;
+
+/* Tn3270 section */
+#if defined(TN3270)
+
+extern int HaveInput;   /* Whether an asynchronous I/O indication came in */
+extern int noasynchtty; /* Don't do signals on I/O (SIGURG, SIGIO) */
+extern int noasynchnet; /* Don't do signals on I/O (SIGURG, SIGIO) */
+extern int sigiocount;          /* Count of SIGIO receptions */
+extern int shell_active;        /* Subshell is active */
+
+extern char *Ibackp;            /* Oldest byte of 3270 data */
+extern char Ibuf[];             /* 3270 buffer */
+extern char *Ifrontp;           /* Where next 3270 byte goes */
+extern char tline[];
+extern char *transcom;          /* Transparent command */
+
+void settranscom(int, char**);
+int shell(int, char**);
+void inputAvailable(void);
+
+#endif  /* defined(TN3270) */
diff --git a/exploits/7350855-netkit/netkit-telnet-0.17/telnet/fdset.h b/exploits/7350855-netkit/netkit-telnet-0.17/telnet/fdset.h
new file mode 100644
index 0000000..7542166
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.17/telnet/fdset.h
@@ -0,0 +1,50 @@
+/*
+ * Copyright (c) 1988 Regents of the University of California.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *      This product includes software developed by the University of
+ *      California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *      from: @(#)fdset.h       5.1 (Berkeley) 9/14/90
+ *      $Id: fdset.h,v 1.1 1996/07/16 05:17:22 dholland Exp $
+ */
+
+/*
+ * The following is defined just in case someone should want to run
+ * this telnet on a 4.2 system.
+ *
+ */
+
+#ifndef FD_SETSIZE
+
+#define FD_SET(n, p)    ((p)->fds_bits[0] |= (1<<(n)))
+#define FD_CLR(n, p)    ((p)->fds_bits[0] &= ~(1<<(n)))
+#define FD_ISSET(n, p)  ((p)->fds_bits[0] & (1<<(n)))
+#define FD_ZERO(p)      ((p)->fds_bits[0] = 0)
+
+#endif
diff --git a/exploits/7350855-netkit/netkit-telnet-0.17/telnet/general.h b/exploits/7350855-netkit/netkit-telnet-0.17/telnet/general.h
new file mode 100644
index 0000000..1d9df66
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.17/telnet/general.h
@@ -0,0 +1,46 @@
+/*
+ * Copyright (c) 1988 Regents of the University of California.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *      This product includes software developed by the University of
+ *      California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *      from: @(#)general.h     5.2 (Berkeley) 3/1/91
+ *      $Id: general.h,v 1.1 1996/07/16 05:17:22 dholland Exp $
+ */
+
+/*
+ * Some general definitions.
+ */
+
+
+#define numberof(x)     (sizeof x/sizeof x[0])
+#define highestof(x)    (numberof(x)-1)
+
+#define ClearElement(x)         memset((char *)&x, 0, sizeof x)
+#define ClearArray(x)           memset((char *)x, 0, sizeof x)
diff --git a/exploits/7350855-netkit/netkit-telnet-0.17/telnet/genget.cc b/exploits/7350855-netkit/netkit-telnet-0.17/telnet/genget.cc
new file mode 100644
index 0000000..3f835b3
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.17/telnet/genget.cc
@@ -0,0 +1,91 @@
+/*-
+ * Copyright (c) 1991 The Regents of the University of California.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *      This product includes software developed by the University of
+ *      California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/*
+ * From: @(#)genget.c   5.1 (Berkeley) 2/28/91
+ */
+char gg_rcsid[] = 
+  "$Id: genget.cc,v 1.3 1996/07/26 09:54:09 dholland Exp $";
+
+#include <string.h>
+#include <ctype.h>
+
+#include "genget.h"
+
+#define LOWER(x) (isupper(x) ? tolower(x) : (x))
+/*
+ * The prefix function returns 0 if *s1 is not a prefix
+ * of *s2.  If *s1 exactly matches *s2, the negative of
+ * the length is returned.  If *s1 is a prefix of *s2,
+ * the length of *s1 is returned.
+ */
+int isprefix(const char *s1, const char *s2) {
+        const char *os1;
+        char c1, c2;
+
+        if (*s1 == 0) return -1;
+
+        os1 = s1;
+        c1 = *s1;
+        c2 = *s2;
+
+        while (LOWER(c1) == LOWER(c2)) {
+                if (c1 == 0) break;
+                c1 = *++s1;
+                c2 = *++s2;
+        }
+        if (*s1) return 0;
+        return *s2 ? (s1 - os1) : (os1 - s1);
+}
+
+/*
+ * name: name to match
+ * table: name entry in table
+ */
+char **genget(const char *name, char **table, int stlen) {
+        char **c, **found;
+        int n;
+
+        if (!name) return NULL;
+
+        found = NULL;
+        for (c = table; *c; c = (char **)((char *)c + stlen)) {
+                n = isprefix(name, *c);
+                if (n == 0) continue;
+                if (n < 0) return c;    /* exact match */
+                if (found) return (char **)AMBIGUOUS;
+                found = c;
+        }
+        return found;
+}
+
diff --git a/exploits/7350855-netkit/netkit-telnet-0.17/telnet/genget.h b/exploits/7350855-netkit/netkit-telnet-0.17/telnet/genget.h
new file mode 100644
index 0000000..891a42f
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.17/telnet/genget.h
@@ -0,0 +1,5 @@
+int isprefix(const char *, const char *);
+char **genget(const char *, char **, int);
+
+#define AMBIGUOUS ((void *)1)
+#define HELP ((void *)2)
diff --git a/exploits/7350855-netkit/netkit-telnet-0.17/telnet/main.cc b/exploits/7350855-netkit/netkit-telnet-0.17/telnet/main.cc
new file mode 100644
index 0000000..97028d9
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.17/telnet/main.cc
@@ -0,0 +1,275 @@
+/*
+ * Copyright (c) 1988, 1990 Regents of the University of California.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *      This product includes software developed by the University of
+ *      California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+char copyright[] =
+  "@(#) Copyright (c) 1988, 1990 Regents of the University of California.\n"
+  "All rights reserved.\n";
+
+/*
+ * From: @(#)main.c     5.4 (Berkeley) 3/22/91
+ */
+char main_rcsid[] = 
+  "$Id: main.cc,v 1.14 1999/08/01 05:06:37 dholland Exp $";
+
+#include "../version.h"
+
+#include <sys/types.h>
+#include <getopt.h>
+#include <stdlib.h>
+#include <string.h>
+#include <netdb.h>
+
+#include "ring.h"
+#include "externs.h"
+#include "defines.h"
+#include "proto.h"
+
+/*
+ * Initialize variables.
+ */
+void
+tninit(void)
+{
+    init_terminal();
+
+    init_network();
+    
+    init_telnet();
+
+    init_sys();
+
+#if defined(TN3270)
+    init_3270();
+#endif
+}
+
+/*
+ * note: -x should mean use encryption
+ *       -k <realm> to set kerberos realm
+ *       -K don't auto-login
+ *       -X <atype> disable specified auth type
+ */ 
+void usage(void) {
+    fprintf(stderr, "Usage: %s %s%s%s%s\n",
+            prompt,
+            "[-4] [-6] [-8] [-E] [-L] [-a] [-d] [-e char] [-l user]",
+            "\n\t[-n tracefile]",
+#ifdef TN3270
+            "\n\t"
+            "[-noasynch] [-noasynctty] [-noasyncnet] [-r] [-t transcom]\n\t",
+#else
+            " [-r] ",
+#endif
+            "[host-name [port]]"
+        );
+        exit(1);
+}
+
+/*
+ * main.  Parse arguments, invoke the protocol or command parser.
+ */
+
+int
+main(int argc, char *argv[])
+{
+        extern char *optarg;
+        extern int optind;
+        int ch;
+        char *user;
+        int family;
+
+        tninit();               /* Clear out things */
+#if     defined(CRAY) && !defined(__STDC__)
+        _setlist_init();        /* Work around compiler bug */
+#endif
+
+        TerminalSaveState();
+
+        if ((prompt = strrchr(argv[0], '/'))!=NULL)
+                ++prompt;
+        else
+                prompt = argv[0];
+
+        user = NULL;
+        family = 0;
+
+        rlogin = (strncmp(prompt, "rlog", 4) == 0) ? '~' : _POSIX_VDISABLE;
+        autologin = -1;
+
+        while ((ch = getopt(argc, argv, "468EKLS:X:ade:k:l:n:rt:x")) != EOF) {
+                switch(ch) {
+                case '4':
+                        family = AF_INET;
+                        break;
+                case '6':
+#ifdef AF_INET6
+                        family = AF_INET6;
+#else
+                        fputs("IPv6 unsupported\n", stderr);
+#endif
+                        break;
+                case '8':
+                        eight = 3;      /* binary output and input */
+                        break;
+                case 'E':
+                        rlogin = escapechar = _POSIX_VDISABLE;
+                        break;
+                case 'K':
+                        //autologin = 0;
+                        break;
+                case 'L':
+                        eight |= 2;     /* binary output only */
+                        break;
+                case 'S':
+                    {
+#ifdef  HAS_GETTOS
+                        extern int tos;
+
+                        if ((tos = parsetos(optarg, "tcp")) < 0)
+                                fprintf(stderr, "%s%s%s%s\n",
+                                        prompt, ": Bad TOS argument '",
+                                        optarg,
+                                        "; will try to use default TOS");
+#else
+                        fprintf(stderr,
+                           "%s: Warning: -S ignored, no parsetos() support.\n",
+                                                                prompt);
+#endif
+                    }
+                        break;
+                case 'X':
+                        // disable authentication type "optarg"
+                        break;
+                case 'a':
+                        autologin = 1;
+                        break;
+                case 'c':
+                        skiprc = 1;
+                        break;
+                case 'd':
+                        debug = 1;
+                        break;
+                case 'e':
+                        set_escape_char(optarg);
+                        break;
+                case 'k':
+                        fprintf(stderr,
+                                "%s: -k ignored, no Kerberos V4 support.\n",
+                                prompt);
+                        break;
+                case 'l':
+                        autologin = 1;
+                        user = optarg;
+                        break;
+                case 'n':
+#ifdef TN3270
+                        /* distinguish between "-n oasynch" and "-noasynch" */
+                        if (argv[optind - 1][0] == '-' && argv[optind - 1][1]
+                            == 'n' && argv[optind - 1][2] == 'o') {
+                                if (!strcmp(optarg, "oasynch")) {
+                                        noasynchtty = 1;
+                                        noasynchnet = 1;
+                                } else if (!strcmp(optarg, "oasynchtty"))
+                                        noasynchtty = 1;
+                                else if (!strcmp(optarg, "oasynchnet"))
+                                        noasynchnet = 1;
+                        } else
+#endif  /* TN3270 */
+                                SetNetTrace(optarg);
+                        break;
+                case 'r':
+                        rlogin = '~';
+                        break;
+                case 't':
+#ifdef TN3270
+                        transcom = tline;
+                        (void)strcpy(transcom, optarg);
+#else
+                        fprintf(stderr,
+                           "%s: Warning: -t ignored, no TN3270 support.\n",
+                                                                prompt);
+#endif
+                        break;
+                case 'x':
+                        fprintf(stderr,
+                                "%s: -x ignored, no encryption support.\n",
+                                prompt);
+                        break;
+                case '?':
+                default:
+                        usage();
+                        /* NOTREACHED */
+                }
+        }
+        if (autologin == -1)
+                autologin = (rlogin == _POSIX_VDISABLE) ? 0 : 1;
+
+        argc -= optind;
+        argv += optind;
+
+        if (argc) {
+                const char *args[7];
+                const char **volatile argp = args;
+
+                if (argc > 2)
+                        usage();
+                *argp++ = prompt;
+                if (user) {
+                        *argp++ = "-l";
+                        *argp++ = user;
+                }
+                if (family) {
+                        *argp++ = family == AF_INET ? "-4" : "-6";
+                }
+                *argp++ = argv[0];              /* host */
+                if (argc > 1)
+                        *argp++ = argv[1];      /* port */
+                *argp = 0;
+
+                if (sigsetjmp(toplevel, 1) != 0)
+                        Exit(0);
+                if (tn(argp - args, args) == 1)
+                        return (0);
+                else
+                        return (1);
+        }
+        (void)sigsetjmp(toplevel, 1);
+        for (;;) {
+#ifdef TN3270
+                if (shell_active)
+                        shell_continue();
+                else
+#endif
+                        command(1, 0, 0);
+        }
+}
diff --git a/exploits/7350855-netkit/netkit-telnet-0.17/telnet/netlink.cc b/exploits/7350855-netkit/netkit-telnet-0.17/telnet/netlink.cc
new file mode 100644
index 0000000..95c0d74
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.17/telnet/netlink.cc
@@ -0,0 +1,177 @@
+#include <errno.h>
+#include <stdio.h>
+#include <unistd.h>
+#include <stdlib.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <sys/ioctl.h>
+#include <sys/time.h>
+#include <netdb.h>
+#include "netlink.h"
+#include "proto.h"
+#include "ring.h"
+
+/* In Linux, this is an enum */
+#if defined(__linux__) || defined(IPPROTO_IP)
+#define HAS_IPPROTO_IP
+#endif
+
+netlink nlink;
+
+class netchannel : public ringbuf::source {
+  public:
+    virtual int read(char *buf, int maxlen) {
+        int net = nlink.getfd();
+        int l = recv(net, buf, maxlen, 0);
+        if (l<0 && errno == EWOULDBLOCK) l = 0;
+        return l;
+    }
+};
+
+class netchannel2 : public datasink {
+  public:
+    virtual int write(const char *buf, int len) {
+        int r = nlink.send(buf, len, 0);
+        if (r==-1 && (errno==ENOBUFS || errno==EWOULDBLOCK)) return 0;
+        return r;
+    }
+    virtual int writeurg(const char *buf, int len) {
+            /*
+             * In 4.2 (and 4.3) systems, there is some question about
+             * what byte in a sendOOB operation is the "OOB" data.
+             * To make ourselves compatible, we only send ONE byte
+             * out of band, the one WE THINK should be OOB (though
+             * we really have more the TCP philosophy of urgent data
+             * rather than the Unix philosophy of OOB data).
+             */
+        if (len==0) return 0;
+        int r = nlink.send(buf, 1, MSG_OOB);
+        if (r==-1 && (errno==ENOBUFS || errno==EWOULDBLOCK)) r = 0;
+        if (r<=0) return r;
+        int rr = nlink.send(buf+1, len-r, 0);
+        if (rr==-1 && (errno==ENOBUFS || errno==EWOULDBLOCK)) rr = 0;
+        if (rr<=0) return r;   /* less than ideal */
+        return r+rr;
+    }
+};
+
+static netchannel chan;
+static netchannel2 chan2;
+datasink *netsink = &chan2;
+ringbuf::source *netsrc = &chan;
+
+
+netlink::netlink() { net = -1; }
+netlink::~netlink() { ::close(net); }
+
+
+int netlink::setdebug(int debug) {
+    if (net > 0 &&
+        (setsockopt(net, SOL_SOCKET, SO_DEBUG, &debug, sizeof(debug))) < 0) {
+        perror("setsockopt (SO_DEBUG)");
+    }
+    return 1;
+}
+
+void netlink::close(int doshutdown) {
+    if (doshutdown) {
+        shutdown(net, 2);
+    }
+    ::close(net);
+}
+
+int netlink::connect(int debug, struct addrinfo *addr, 
+                     char *srcroute, int srlen, int tos) 
+{
+    int on=1;
+
+    net = socket(addr->ai_family, SOCK_STREAM, 0);
+    if (net < 0) {
+        if (errno == EAFNOSUPPORT || errno == EINVAL)
+            return 1;
+        perror("telnet: socket");
+        return 0;
+    }
+
+#if defined(IP_OPTIONS) && defined(HAS_IPPROTO_IP)
+    if (srcroute) {
+        if (addr->ai_family != AF_INET)
+            fputs("Source route is only supported for IPv4\n", stderr);
+        if (setsockopt(net, IPPROTO_IP, IP_OPTIONS, srcroute, srlen) < 0)
+            perror("setsockopt (IP_OPTIONS)");
+    }
+#endif
+
+#if defined(HAS_IPPROTO_IP) && defined(IP_TOS)
+#if defined(HAS_GETTOS)
+    struct tosent *tp;
+    if (tos < 0 && (tp = gettosbyname("telnet", "tcp")))
+        tos = tp->t_tos;
+#endif
+    if (tos < 0) tos = 020;     /* Low Delay bit */
+    if (tos && (setsockopt(net, IPPROTO_IP, IP_TOS, &tos, sizeof(int)) < 0)
+        && (errno != ENOPROTOOPT) && (errno != EOPNOTSUPP))
+        perror("telnet: setsockopt (IP_TOS) (ignored)");
+#endif  /* defined(IPPROTO_IP) && defined(IP_TOS) */
+
+    if (debug && setsockopt(net, SOL_SOCKET, SO_DEBUG, &on, sizeof(on)) < 0) {
+        perror("setsockopt (SO_DEBUG)");
+    }
+    
+    if (::connect(net, addr->ai_addr, addr->ai_addrlen) < 0) {
+        return 1;
+    }
+    return 2;
+}
+
+
+void netlink::oobinline() {
+    int on=1;
+
+    /* Systems without SO_OOBINLINE probably won't work */
+    if (setsockopt(net, SOL_SOCKET, SO_OOBINLINE, &on, sizeof(on)) == -1) {
+        perror("setsockopt");
+    }
+}
+
+
+/*
+ * Check to see if any out-of-band data exists on a socket (for
+ * Telnet "synch" processing).
+ */
+
+int netlink::stilloob(void) {
+    static struct timeval timeout = { 0, 0 };
+    fd_set excepts;
+    int value;
+
+    do {
+        FD_ZERO(&excepts);
+        FD_SET(net, &excepts);
+        value = select(net+1, NULL, NULL, &excepts, &timeout);
+    } while ((value == -1) && (errno == EINTR));
+
+    if (value < 0) {
+        perror("select");
+        quit();
+        /* NOTREACHED */
+    }
+    if (FD_ISSET(net, &excepts)) {
+        return 1;
+    } else {
+        return 0;
+    }
+}
+
+int netlink::send(const char *s, int n, int f) {
+    return ::send(net, s, n, f);
+}
+
+void netlink::nonblock(int onoff) {
+    ioctl(net, FIONBIO, &onoff);
+}
+
+int netlink::getfd() {
+    return net;
+}
diff --git a/exploits/7350855-netkit/netkit-telnet-0.17/telnet/netlink.h b/exploits/7350855-netkit/netkit-telnet-0.17/telnet/netlink.h
new file mode 100644
index 0000000..095bac5
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.17/telnet/netlink.h
@@ -0,0 +1,25 @@
+
+class netlink {
+ protected:
+    int net;
+ public:
+    netlink();
+    ~netlink();
+
+    int connect(int debug, struct addrinfo *hostaddr, 
+                char *srcroute, int srlen,
+                int tos);
+    void close(int doshutdown);
+
+    int setdebug(int debug);
+    void oobinline();
+    void nonblock(int onoff);
+
+    int stilloob();
+
+    int send(const char *buf, int len, int flags);
+
+    int getfd();
+};
+
+extern netlink nlink;
diff --git a/exploits/7350855-netkit/netkit-telnet-0.17/telnet/network.cc b/exploits/7350855-netkit/netkit-telnet-0.17/telnet/network.cc
new file mode 100644
index 0000000..0dcf3e2
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.17/telnet/network.cc
@@ -0,0 +1,92 @@
+/*
+ * Copyright (c) 1988 Regents of the University of California.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *      This product includes software developed by the University of
+ *      California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/*
+ * From: @(#)network.c  5.2 (Berkeley) 3/1/91
+ */
+char net_rcsid[] = 
+  "$Id: network.cc,v 1.15 1996/08/13 08:09:58 dholland Exp $";
+
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <sys/time.h>
+#include <stdlib.h>
+#include <errno.h>
+#include <arpa/telnet.h>
+
+#include "ring.h"
+#include "defines.h"
+#include "externs.h"
+#include "proto.h"
+#include "netlink.h"
+
+ringbuf netoring;
+ringbuf netiring;
+
+/*
+ * Initialize internal network data structures.
+ */
+
+void init_network(void) {
+    if (netoring.init(2*BUFSIZ, netsink, NULL) != 1) {
+        exit(1);
+    }
+    if (netiring.init(BUFSIZ, NULL, netsrc) != 1) {
+        exit(1);
+    }
+    NetTrace = stdout;
+}
+
+
+/*
+ *  netflush
+ *              Send as much data as possible to the network,
+ *      handling requests for urgent data.
+ *
+ *              The return value indicates whether we did any
+ *      useful work.
+ */
+
+
+int netflush(void) {
+    int r = netoring.flush();
+    if (r < -1) {
+        setcommandmode();
+        perror(hostname);
+        nlink.close(0);
+        netoring.clear_mark();
+        siglongjmp(peerdied, -1);
+        /*NOTREACHED*/
+    }
+    return r>0;
+}
diff --git a/exploits/7350855-netkit/netkit-telnet-0.17/telnet/proto.h b/exploits/7350855-netkit/netkit-telnet-0.17/telnet/proto.h
new file mode 100644
index 0000000..8be4a39
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.17/telnet/proto.h
@@ -0,0 +1,41 @@
+#if 0
+void auth_encrypt_connect(void);
+void auth_encrypt_init(void);
+#endif
+
+void Exit(int);
+void ExitString(const char *, int);
+int TerminalAutoFlush(void);
+void TerminalDefaultChars(void);
+int TerminalSpecialChars(int);
+void TerminalSpeeds(long *ispeed, long *ospeed);
+int TerminalWindowSize(long *rows, long *cols);
+void auth_encrypt_user(char *);
+void auth_name(unsigned char *, int);
+void auth_printsub(unsigned char *, int, unsigned char *, int);
+void cmdrc(const char *m1, const char *m2);
+void env_init(void);
+int getconnmode(void);
+void init_network(void);
+void init_sys(void);
+void init_telnet(void);
+void init_terminal(void);
+int netflush(void);
+void optionstatus(void);
+int process_rings(int, int, int, int, int, int);
+void quit(void);
+int rlogin_susp(void);
+int send_tncmd(int (*func)(int, int), const char *cmd, const char *name);
+void sendeof(void);
+void sendsusp(void);
+void set_escape_char(char *);
+void tel_leave_binary(int);
+int telrcv(void);
+int tn(int argc, const char *argv[]);
+int ttyflush(int);
+void sendayt(void);
+void ayt_status(int);
+void ayt(int sig);
+
+/* commands.c */
+void cmdtab_init(void);
diff --git a/exploits/7350855-netkit/netkit-telnet-0.17/telnet/ptrarray.h b/exploits/7350855-netkit/netkit-telnet-0.17/telnet/ptrarray.h
new file mode 100644
index 0000000..3a5d12f
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.17/telnet/ptrarray.h
@@ -0,0 +1,92 @@
+//
+//      File:        ptrarray.h
+//      Date:        16-Jul-95
+//      Description: Array of pointers
+//
+/*
+ * Copyright (c) 1995 David A. Holland.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of the Author nor the names of any contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifndef PTRARRAY_H
+#define PTRARRAY_H
+
+#ifndef assert
+#include <assert.h>
+#endif
+
+#ifndef NULL
+#define NULL 0
+#endif
+
+template <class T>
+class ptrarray {
+  protected:
+    T **v;
+    int n, max;
+    void reallocto(int x) {
+        while (max<x) max += 16;
+        T **q = new T* [max];
+        for (int i=0; i<n; i++) q[i] = v[i];
+        delete []v;
+        v = q;
+    }
+  public:
+    ptrarray() { v=NULL; n=max=0; }
+    ~ptrarray() { delete []v; }
+
+    int num() const { return n; }
+
+    void setsize(int newsize) {
+      if (newsize>max) reallocto(newsize);
+      if (newsize>n) {
+        for (int i=n; i<newsize; i++) v[i] = NULL;
+      }
+      else {
+        // do nothing
+      }
+      n = newsize;
+    }
+
+    T *&operator [] (int ix) const {
+      assert(ix>=0 && ix<n);
+      return v[ix];
+    }
+
+    int add(T *val) {
+      int ix = n;
+      setsize(n+1);
+      v[ix] = val;
+      return ix;
+    }
+
+    void push(T *val) { add(val); }
+
+    void pop() { setsize(n-1); }
+};
+
+#endif
diff --git a/exploits/7350855-netkit/netkit-telnet-0.17/telnet/ring.cc b/exploits/7350855-netkit/netkit-telnet-0.17/telnet/ring.cc
new file mode 100644
index 0000000..772c6c5
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.17/telnet/ring.cc
@@ -0,0 +1,213 @@
+/*
+ * Copyright (c) 1988 Regents of the University of California.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *      This product includes software developed by the University of
+ *      California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/*
+ * From: @(#)ring.c     5.2 (Berkeley) 3/1/91
+ */
+char ring_rcsid[] =
+  "$Id: ring.cc,v 1.23 2000/07/23 03:25:09 dholland Exp $";
+
+/*
+ * This defines a structure for a ring buffer. 
+ */
+
+#include <stdio.h>
+#include <stdarg.h>
+#include <assert.h>
+#include "ring.h"
+
+class devnull : public datasink {
+    virtual int write(const char *, int n) { return n; }
+    virtual int writeurg(const char *, int n) { return n; }
+};
+static devnull nullsink_obj;
+datasink *nullsink = &nullsink_obj;
+
+
+
+int ringbuf::init(int sz, datasink *sink, source *src) {
+    buf = new char[sz];
+    size = sz;
+    head = tail = 0;
+    count = 0;
+    marked = -1;
+
+    binding = sink;
+    srcbinding = src;
+
+    return 1;
+}
+
+/////////////////////////////////////////////////// consume //////////////
+
+int ringbuf::gets(char *rbuf, int max) {
+    int i=0, ch;
+    assert(max>0);
+    while (getch(&ch)>0 && i<max-1) rbuf[i++] = ch;
+    rbuf[i]=0;
+    return i;
+}
+
+int ringbuf::getch(int *ch) {
+    int rv = 0;
+    if (count > 0) {
+        if (tail==marked) {
+            rv = 2;
+            marked = -1;
+        }
+        else rv = 1;
+        *ch = (unsigned char) buf[tail++];
+        if (tail>=size) tail -= size;
+        count--;
+    }
+    return rv;   /* 0 = no more chars available */
+}
+
+void ringbuf::ungetch(int ch) {
+    int x = tail;
+    x--;
+    if (x<0) x += size;
+    int och = buf[x];   /* avoid sign-extension and other such problems */
+    if ((och&0xff) == (ch&0xff)) {
+        tail = x;
+        count++;
+    }
+    else {
+        //assert(!"Bad ungetch");
+        tail = x;
+        count++;
+    }
+}
+
+/*
+ * Return value:
+ *   -2: Significant error occurred.
+ *   -1: No useful work done, data waiting to go out.
+ *    0: No data was waiting, so nothing was done.
+ *    1: All waiting data was written out.
+ *    n: Some data written, n-1 bytes left.
+ */
+int ringbuf::flush() {
+    assert(binding);
+    assert(count>=0);
+    if (count==0) return 0;
+    
+    static int busy=0;
+    if (busy) {
+        return -1;
+    }
+    busy=1;
+
+    /* should always be true */
+    /* assert(((size+head-tail)%size)==count); */
+    /* Nope! The above fails if the buffer is full; then:
+     * head == tail (so LHS is 0), but count == size.
+     * The following formula should be better. --okir */
+    assert(((head - tail - count) % size) == 0);
+
+    while (count > 0) {
+        int bot = tail;
+        int top = head;
+        if (top < bot) top = size;
+        if (marked > bot) top = marked;
+        assert(top-bot > 0 && top-bot <= count);
+
+        int n;
+        if (marked==bot) n = binding->writeurg(buf+bot, top-bot);
+        else n = binding->write(buf+bot, top-bot);
+        if (n < 0) { busy=0; return -2; }
+        else if (n==0) { busy=0; return -1; }
+        
+        if (marked==bot) marked = -1;
+        tail += n;
+        if (tail >= size) tail -= size;
+        count -= n;
+        assert(((size+head-tail)%size)==count);
+        
+        if (n > 0 && n < top-bot) { busy=0; return n+1; }
+        /* otherwise (if we wrote all data) loop */
+    }
+    assert(((size+head-tail)%size)==count);
+    busy=0;
+    return 1;
+}
+
+
+/////////////////////////////////////////////////// supply //////////////
+
+void ringbuf::xprintf(const char *format, ...) {
+    char xbuf[256];
+    va_list ap;
+    va_start(ap, format);
+    int l = vsnprintf(xbuf, sizeof(xbuf), format, ap);
+    va_end(ap);
+    write(xbuf, l);
+}
+
+void ringbuf::write(const char *buffer, int ct) {
+    if (ct > size - count) {
+        // Oops. We're about to overflow our buffer.
+        // In practice this shouldn't ever actually happen.
+        // We could return a short count, but then we'd have to check
+        // and retry every call, which ranges somewhere between painful
+        // and impossible.
+        // Instead, we drop the data on the floor. This should only happen 
+        // if (1) the tty hangs, (2) the network hangs while we're trying 
+        // to send large volumes of data, or (3) massive internal logic errors.
+        fprintf(stderr, "\n\ntelnet: buffer overflow, losing data, sorry\n");
+        ct = size - count;
+    }
+    for (int i=0; i<ct; i++) {
+        buf[head++] = buffer[i];
+        if (head>=size) head -= size;
+        count++;
+    }
+}
+
+int ringbuf::read_source() {
+    int bot = head;
+    int top = tail-1; /* leave room for an ungetc */
+    if (top<0) top += size;
+    if (top < bot) top = size;
+
+    if (top==bot) return 0;
+
+    int l = srcbinding->read(buf+bot, top-bot);
+    if (l>=0) {
+        head += l;
+        if (head>=size) head -= size;
+        count += l;
+    }
+    if (l==0) l = -1;
+    return l;
+}
diff --git a/exploits/7350855-netkit/netkit-telnet-0.17/telnet/ring.h b/exploits/7350855-netkit/netkit-telnet-0.17/telnet/ring.h
new file mode 100644
index 0000000..049377e
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.17/telnet/ring.h
@@ -0,0 +1,111 @@
+/*
+ * Copyright (c) 1988 Regents of the University of California.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *      This product includes software developed by the University of
+ *      California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *      from: @(#)ring.h        5.2 (Berkeley) 3/1/91
+ *      $Id: ring.h,v 1.13 1996/08/13 08:43:28 dholland Exp $
+ */
+
+class datasink {
+ public:
+    virtual ~datasink() {}
+    virtual int write(const char *buf, int len) = 0;
+    virtual int writeurg(const char *buf, int len) = 0;
+};
+
+/*
+ * This defines a structure for a ring buffer.
+ */
+class ringbuf {
+ public:
+    class source {
+     public:
+        virtual ~source() {}
+        virtual int read(char *buf, int len) = 0;
+    };
+ protected:
+    datasink *binding;
+    source *srcbinding;
+
+    char *buf;
+    int size;   /* total size of buffer */
+    int head;   /* next input character goes here */
+    int tail;   /* next output character comes from here */
+    int count;  /* chars presently stored in buffer */
+    // The buffer is empty when head==tail.
+
+    int marked;   /* this character is marked */
+
+ public:
+    /////// consume end
+
+    // manual consume
+    int gets(char *buf, int max);
+    int getch(int *ch);
+    void ungetch(int ch);
+    int full_count() {
+        return count;
+    }
+
+    // automatic consume
+    int flush();
+
+    /////// supply end
+
+    // manual supply
+    void putch(char c) { write(&c, 1); }
+    void write(const char *buffer, int ct);
+    void xprintf(const char *format, ...);
+    int empty_count() { return size - count; }
+
+    // automatic supply
+    int read_source();
+
+    /////// others
+    void clear_mark() { marked = -1; }
+    void set_mark() { marked = head; }
+
+    int init(int size, datasink *sink, source *src);
+
+    datasink *setsink(datasink *nu) {
+        datasink *old = binding;
+        binding = nu;
+        return old;
+    }
+
+};
+
+extern datasink *netsink, *ttysink, *nullsink;
+extern ringbuf::source *netsrc, *ttysrc;
+
+#define NETADD(c)       { netoring.putch(c); }
+#define NET2ADD(c1,c2)  { NETADD(c1); NETADD(c2); }
+
diff --git a/exploits/7350855-netkit/netkit-telnet-0.17/telnet/sys_bsd.cc b/exploits/7350855-netkit/netkit-telnet-0.17/telnet/sys_bsd.cc
new file mode 100644
index 0000000..a8c9aab
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.17/telnet/sys_bsd.cc
@@ -0,0 +1,413 @@
+/*
+ * Copyright (c) 1988, 1990 Regents of the University of California.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *      This product includes software developed by the University of
+ *      California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/*
+ * From: @(#)sys_bsd.c  5.2 (Berkeley) 3/1/91
+ */
+char bsd_rcsid[] = 
+  "$Id: sys_bsd.cc,v 1.24 1999/09/28 16:29:24 dholland Exp $";
+
+/*
+ * The following routines try to encapsulate what is system dependent
+ * (at least between 4.x and dos) which is used in telnet.c.
+ */
+
+#include <fcntl.h>
+#include <sys/types.h>
+#include <sys/time.h>
+#include <sys/socket.h>
+#include <signal.h>
+#include <errno.h>
+#include <unistd.h>
+#include <stdlib.h>
+#include <sys/ioctl.h>
+#include <arpa/telnet.h>
+
+#include "ring.h"
+
+#include "defines.h"
+#include "externs.h"
+#include "types.h"
+#include "proto.h"
+#include "netlink.h"
+#include "terminal.h"
+
+static fd_set ibits, obits, xbits;
+
+void init_sys(void)
+{
+    tlink_init();
+    FD_ZERO(&ibits);
+    FD_ZERO(&obits);
+    FD_ZERO(&xbits);
+
+    errno = 0;
+}
+
+
+#ifdef  KLUDGELINEMODE
+extern int kludgelinemode;
+#endif
+/*
+ * TerminalSpecialChars()
+ *
+ * Look at an input character to see if it is a special character
+ * and decide what to do.
+ *
+ * Output:
+ *
+ *      0       Don't add this character.
+ *      1       Do add this character
+ */
+
+void intp(), sendbrk(), sendabort();
+
+int
+TerminalSpecialChars(int c)
+{
+    void xmitAO(), xmitEL(), xmitEC();
+
+    if (c == termIntChar) {
+        intp();
+        return 0;
+    } else if (c == termQuitChar) {
+#ifdef  KLUDGELINEMODE
+        if (kludgelinemode)
+            sendbrk();
+        else
+#endif
+            sendabort();
+        return 0;
+    } else if (c == termEofChar) {
+        if (my_want_state_is_will(TELOPT_LINEMODE)) {
+            sendeof();
+            return 0;
+        }
+        return 1;
+    } else if (c == termSuspChar) {
+        sendsusp();
+        return(0);
+    } else if (c == termFlushChar) {
+        xmitAO();               /* Transmit Abort Output */
+        return 0;
+    } else if (!MODE_LOCAL_CHARS(globalmode)) {
+        if (c == termKillChar) {
+            xmitEL();
+            return 0;
+        } else if (c == termEraseChar) {
+            xmitEC();           /* Transmit Erase Character */
+            return 0;
+        }
+    }
+    return 1;
+}
+
+
+
+cc_t *tcval(int func) {
+    switch(func) {
+    case SLC_IP:        return(&termIntChar);
+    case SLC_ABORT:     return(&termQuitChar);
+    case SLC_EOF:       return(&termEofChar);
+    case SLC_EC:        return(&termEraseChar);
+    case SLC_EL:        return(&termKillChar);
+    case SLC_XON:       return(&termStartChar);
+    case SLC_XOFF:      return(&termStopChar);
+    case SLC_FORW1:     return(&termForw1Char);
+    case SLC_FORW2:     return(&termForw2Char);
+#ifdef  VDISCARD
+    case SLC_AO:        return(&termFlushChar);
+#endif
+#ifdef  VSUSP
+    case SLC_SUSP:      return(&termSuspChar);
+#endif
+#ifdef  VWERASE
+    case SLC_EW:        return(&termWerasChar);
+#endif
+#ifdef  VREPRINT
+    case SLC_RP:        return(&termRprntChar);
+#endif
+#ifdef  VLNEXT
+    case SLC_LNEXT:     return(&termLiteralNextChar);
+#endif
+#ifdef  VSTATUS
+    case SLC_AYT:       return(&termAytChar);
+#endif
+
+    case SLC_SYNCH:
+    case SLC_BRK:
+    case SLC_EOR:
+    default:
+        return NULL;
+    }
+}
+
+#if defined(TN3270)
+void NetSigIO(int fd, int onoff) {
+    ioctl(fd, FIOASYNC, (char *)&onoff);        /* hear about input */
+}
+
+void NetSetPgrp(int fd) {
+    int myPid;
+
+    myPid = getpid();
+    fcntl(fd, F_SETOWN, myPid);
+}
+#endif  /*defined(TN3270)*/
+
+/*
+ * Various signal handling routines.
+ */
+
+#if 0
+static void deadpeer(int /*sig*/) {
+    setcommandmode();
+    siglongjmp(peerdied, -1);
+}
+#endif
+
+static void intr(int /*sig*/) {
+    if (localchars) {
+        intp();
+    }
+    else {
+#if 0
+        setcommandmode();
+        siglongjmp(toplevel, -1);
+#else
+        signal(SIGINT, SIG_DFL);
+        raise(SIGINT);
+#endif
+    }
+}
+
+static void intr2(int /*sig*/) {
+    if (localchars) {
+#ifdef  KLUDGELINEMODE
+        if (kludgelinemode)
+            sendbrk();
+        else
+#endif
+            sendabort();
+        return;
+    }
+    signal(SIGQUIT, SIG_DFL);
+    raise(SIGQUIT);
+}
+
+#ifdef  SIGWINCH
+static void sendwin(int /*sig*/) {
+    if (connected) {
+        sendnaws();
+    }
+}
+#endif
+
+#ifdef  SIGINFO
+void ayt(int sig) {
+    (void)sig;
+
+    if (connected)
+        sendayt();
+    else
+        ayt_status(0);
+}
+#endif
+
+void sys_telnet_init(void) {
+    signal(SIGINT, intr);
+    signal(SIGQUIT, intr2);
+#if 0
+    signal(SIGPIPE, deadpeer);
+#endif
+#ifdef  SIGWINCH
+    signal(SIGWINCH, sendwin);
+#endif
+#ifdef  SIGINFO
+    signal(SIGINFO, ayt);
+#endif
+
+    setconnmode(0);
+
+    nlink.nonblock(1);
+
+#if defined(TN3270)
+    if (noasynchnet == 0) {                     /* DBX can't handle! */
+        NetSigIO(net, 1);
+        NetSetPgrp(net);
+    }
+#endif  /* defined(TN3270) */
+
+    nlink.oobinline();
+}
+
+/*
+ * Process rings -
+ *
+ *      This routine tries to fill up/empty our various rings.
+ *
+ *      The parameter specifies whether this is a poll operation,
+ *      or a block-until-something-happens operation.
+ *
+ *      The return value is 1 if something happened, 0 if not.
+ */
+
+int process_rings(int netin, int netout, int netex, int ttyin, int ttyout, 
+                  int poll /* If 0, then block until something to do */)
+{
+    register int c, maxfd;
+                /* One wants to be a bit careful about setting returnValue
+                 * to one, since a one implies we did some useful work,
+                 * and therefore probably won't be called to block next
+                 * time (TN3270 mode only).
+                 */
+    int returnValue = 0;
+    static struct timeval TimeValue = { 0, 0 };
+    
+    int net = nlink.getfd();
+    int tin = tlink_getifd();
+    int tout = tlink_getofd();
+
+    if (netout) {
+        FD_SET(net, &obits);
+    } 
+    if (ttyout) {
+        FD_SET(tout, &obits);
+    }
+    if (ttyin) {
+        FD_SET(tin, &ibits);
+    }
+    if (netin) {
+        FD_SET(net, &ibits);
+    }
+    if (netex) {
+        FD_SET(net, &xbits);
+    }
+
+    maxfd = net;
+    if (maxfd < tin) maxfd=tin;
+    if (maxfd < tout) maxfd=tout;
+
+    if ((c = select(maxfd+1, &ibits, &obits, &xbits,
+                        (poll == 0)? (struct timeval *)0 : &TimeValue)) < 0) {
+        if (c == -1) {
+                    /*
+                     * we can get EINTR if we are in line mode,
+                     * and the user does an escape (TSTP), or
+                     * some other signal generator.
+                     */
+            if (errno == EINTR) {
+                return 0;
+            }
+#if defined(TN3270)
+                    /*
+                     * we can get EBADF if we were in transparent
+                     * mode, and the transcom process died.
+                    */
+            if (errno == EBADF) {
+                        /*
+                         * zero the bits (even though kernel does it)
+                         * to make sure we are selecting on the right
+                         * ones.
+                        */
+                FD_ZERO(&ibits);
+                FD_ZERO(&obits);
+                FD_ZERO(&xbits);
+                return 0;
+            }
+#endif /* TN3270 */
+                    /* I don't like this, does it ever happen? */
+            printf("sleep(5) from telnet, after select\r\n");
+            sleep(5);
+        }
+        return 0;
+    }
+
+    /*
+     * Any urgent data?
+     */
+    if (FD_ISSET(net, &xbits)) {
+        FD_CLR(net, &xbits);
+        SYNCHing = 1;
+        (void) ttyflush(1);     /* flush already enqueued data */
+    }
+
+    /*
+     * Should flush output buffers first to make room for new input. --okir
+     */
+    if (FD_ISSET(net, &obits)) {
+        FD_CLR(net, &obits);
+        returnValue |= netflush();
+    }
+    if (FD_ISSET(tout, &obits)) {
+        FD_CLR(tout, &obits);
+        returnValue |= (ttyflush(SYNCHing|flushout) > 0);
+    }
+
+    /*
+     * Something to read from the network...
+     */
+    if (FD_ISSET(net, &ibits)) {
+        /* hacks for systems without SO_OOBINLINE removed */
+
+        FD_CLR(net, &ibits);
+        /* Only call network input routine if there is room. Otherwise
+         * we will try a 0 byte read, which we happily interpret as the
+         * server having dropped the connection...
+         * NB the input routine reserves 1 byte for ungetc.
+         *                              12.3.97 --okir */
+        returnValue = 1;
+        if (netiring.empty_count() > 1) {
+                c = netiring.read_source();
+                if (c <= 0)
+                    return -1;
+                else if (c == 0)
+                    returnValue = 0;
+        }
+    }
+
+    /*
+     * Something to read from the tty...
+     */
+    if (FD_ISSET(tin, &ibits)) {
+        FD_CLR(tin, &ibits);
+        c = ttyiring.read_source();
+        if (c < 0) {
+            return -1;
+        }
+        else if (c==0) returnValue = 0;
+        else returnValue = 1;           /* did something useful */
+    }
+
+    return returnValue;
+}
diff --git a/exploits/7350855-netkit/netkit-telnet-0.17/telnet/telnet.1 b/exploits/7350855-netkit/netkit-telnet-0.17/telnet/telnet.1
new file mode 100644
index 0000000..c939de9
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.17/telnet/telnet.1
@@ -0,0 +1,1267 @@
+.\" Copyright (c) 1983, 1990 The Regents of the University of California.
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 3. All advertising materials mentioning features or use of this software
+.\"    must display the following acknowledgement:
+.\"     This product includes software developed by the University of
+.\"     California, Berkeley and its contributors.
+.\" 4. Neither the name of the University nor the names of its contributors
+.\"    may be used to endorse or promote products derived from this software
+.\"    without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\"     from: @(#)telnet.1      6.16 (Berkeley) 7/27/91
+.\"     $Id: telnet.1,v 1.15 2000/07/30 23:57:08 dholland Exp $
+.\"
+.Dd August 15, 1999
+.Dt TELNET 1
+.Os "Linux NetKit (0.17)"
+.Sh NAME
+.Nm telnet
+.Nd user interface to the 
+.Tn TELNET
+protocol
+.Sh SYNOPSIS
+.Nm telnet
+.Op Fl 8ELadr
+.Op Fl S Ar tos
+.Op Fl e Ar escapechar
+.Op Fl l Ar user
+.Op Fl n Ar tracefile
+.Oo
+.Ar host
+.Op Ar port
+.Oc
+.Sh DESCRIPTION
+The
+.Nm telnet
+command
+is used for interactive communication with another host using the 
+.Tn TELNET
+protocol. It begins in command mode, where it prints a telnet prompt 
+("telnet\&> "). If
+.Nm telnet
+is invoked with a
+.Ar host
+argument, it performs an
+.Ic open
+command implicitly; see the description below.
+.Pp
+Options:
+.Bl -tag -width indent
+.It Fl 8
+Request 8-bit operation. This causes an attempt to negotiate the
+.Dv TELNET BINARY
+option for both input and output. By default telnet is not 8-bit
+clean. 
+.It Fl E
+Disables the escape character functionality; that is, sets the escape
+character to ``no character''.
+.It Fl L
+Specifies an 8-bit data path on output.  This causes the 
+.Dv TELNET BINARY 
+option to be negotiated on just output.
+.It Fl a
+Attempt automatic login.  Currently, this sends the user name via the
+.Ev USER
+variable
+of the
+.Ev ENVIRON
+option if supported by the remote system. The username is retrieved
+via
+.Xr getlogin 3 .
+.It Fl d
+Sets the initial value of the
+.Ic debug
+toggle to
+.Dv TRUE.
+.It Fl r
+Emulate 
+.Xr rlogin 1 .
+In this mode, the default escape character is a tilde. Also, the
+interpretation of the escape character is changed: an escape character
+followed by a dot causes
+.Nm telnet 
+to disconnect from the remote host. A ^Z instead of a dot suspends
+.Nm telnet ,
+and a ^] (the default
+.Nm telnet
+escape character) generates a normal telnet prompt. These codes are
+accepted only at the beginning of a line. 
+.It Fl S Ar tos
+Sets the IP type-of-service (TOS) option for the telnet
+connection to the value
+.Ar tos .
+.It Fl e Ar escapechar
+Sets the escape character to
+.Ar escapechar.
+If no character is supplied, no escape character will be used.
+Entering the escape character while connected causes telnet to drop to
+command mode.
+.It Fl l Ar user
+Specify 
+.Ar user
+as the user to log in as on the remote system. This is accomplished by
+sending the specified name as the 
+.Dv USER
+environment variable, so it requires that the remote system support the
+.Ev TELNET ENVIRON
+option. This option implies the
+.Fl a
+option, and may also be used with the
+.Ic open
+command.
+.It Fl n Ar tracefile
+Opens
+.Ar tracefile
+for recording trace information.
+See the
+.Ic set tracefile
+command below.
+.It Ar host
+Specifies a host to contact over the network.
+.It Ar port
+Specifies a port number or service name to contact. If not specified,
+the 
+.Nm telnet
+port (23) is used.
+.El
+.Pp
+Protocol:
+.Pp
+Once a connection has been opened,
+.Nm telnet
+will attempt to enable the
+.Dv TELNET LINEMODE
+option.
+If this fails, then
+.Nm telnet
+will revert to one of two input modes:
+either \*(Lqcharacter at a time\*(Rq
+or \*(Lqold line by line\*(Rq
+depending on what the remote system supports.
+.Pp
+When 
+.Dv LINEMODE
+is enabled, character processing is done on the
+local system, under the control of the remote system.  When input
+editing or character echoing is to be disabled, the remote system
+will relay that information.  The remote system will also relay
+changes to any special characters that happen on the remote
+system, so that they can take effect on the local system.
+.Pp
+In \*(Lqcharacter at a time\*(Rq mode, most
+text typed is immediately sent to the remote host for processing.
+.Pp
+In \*(Lqold line by line\*(Rq mode, all text is echoed locally,
+and (normally) only completed lines are sent to the remote host.
+The \*(Lqlocal echo character\*(Rq (initially \*(Lq^E\*(Rq) may be used
+to turn off and on the local echo
+(this would mostly be used to enter passwords
+without the password being echoed).
+.Pp
+If the 
+.Dv LINEMODE
+option is enabled, or if the
+.Ic localchars
+toggle is
+.Dv TRUE
+(the default for \*(Lqold line by line\*(Lq; see below),
+the user's
+.Ic quit  ,
+.Ic intr ,
+and
+.Ic flush
+characters are trapped locally, and sent as
+.Tn TELNET
+protocol sequences to the remote side.
+If 
+.Dv LINEMODE
+has ever been enabled, then the user's
+.Ic susp
+and
+.Ic eof
+are also sent as
+.Tn TELNET
+protocol sequences,
+and
+.Ic quit
+is sent as a 
+.Dv TELNET ABORT
+instead of 
+.Dv BREAK
+There are options (see
+.Ic toggle
+.Ic autoflush
+and
+.Ic toggle
+.Ic autosynch
+below)
+which cause this action to flush subsequent output to the terminal
+(until the remote host acknowledges the
+.Tn TELNET
+sequence) and flush previous terminal input
+(in the case of
+.Ic quit
+and
+.Ic intr  ) .
+.Pp
+Commands:
+.Pp
+The following
+.Nm telnet
+commands are available. Unique prefixes are understood as abbreviations.
+.Pp
+.Bl -tag -width "mode type"
+.It Ic auth Ar argument ... 
+The
+.Ic auth
+command controls the
+.Dv TELNET AUTHENTICATE
+protocol option.  If 
+.Nm telnet
+was compiled without authentication, the 
+.Ic auth
+command will not be supported. 
+Valid arguments are as follows:
+.Bl -tag -width "disable type"
+.It Ic disable Ar type
+Disable the specified type of authentication.  To
+obtain a list of available types, use the
+.Ic auth disable \&?
+command.
+.It Ic enable Ar type
+Enable the specified type of authentication.  To
+obtain a list of available types, use the
+.Ic auth enable \&?
+command.
+.It Ic status
+List the current status of the various types of
+authentication.
+.El
+.Pp
+Note that the current version of 
+.Nm telnet
+does not support authentication.
+.It Ic close
+Close the connection to the remote host, if any, and return to command
+mode.
+.It Ic display Ar argument ... 
+Display all, or some, of the
+.Ic set
+and
+.Ic toggle
+values (see below).
+.It Ic encrypt Ar argument ...
+The encrypt command controls the
+.Dv TELNET ENCRYPT
+protocol option. If 
+.Nm telnet
+was compiled without encryption, the
+.Ic encrypt
+command will not be supported. 
+.Pp
+Valid arguments are as follows:
+.Bl -tag -width Ar
+.It Ic disable Ar type Ic [input|output]
+Disable the specified type of encryption.  If you do not specify input
+or output, encryption of both is disabled.  To obtain a list of
+available types, use ``encrypt disable \&?''.
+.It Ic enable Ar type Ic [input|output]
+Enable the specified type of encryption.  If you do not specify input
+or output, encryption of both is enabled.  To obtain a list of
+available types, use ``encrypt enable \&?''.
+.It Ic input
+This is the same as ``encrypt start input''.
+.It Ic -input
+This is the same as ``encrypt stop input''.
+.It Ic output
+This is the same as ``encrypt start output''.
+.It Ic -output
+This is the same as ``encrypt stop output''.
+.It Ic start Ic [input|output]
+Attempt to begin encrypting.  If you do not specify input or output, 
+encryption of both input and output is started. 
+.It Ic status
+Display the current status of the encryption module.
+.It Ic stop Ic [input|output]
+Stop encrypting.  If you do not specify input or output, encryption of
+both is stopped.
+.It Ic type Ar type
+Sets the default type of encryption to be used with later ``encrypt start''
+or ``encrypt stop'' commands.
+.El
+.Pp
+Note that the current version of 
+.Nm telnet
+does not support encryption.
+.It Ic environ Ar arguments... 
+The
+.Ic environ
+command is used to propagate environment variables across the 
+.Nm telnet
+link using the
+.Dv TELNET ENVIRON
+protocol option.
+All variables exported from the shell are defined, but only the 
+.Ev DISPLAY
+and
+.Ev PRINTER
+variables are marked to be sent by default.  The
+.Ev USER
+variable is marked to be sent if the
+.Fl a
+or 
+.Fl l
+command-line options were used.
+.Pp
+Valid arguments for the
+.Ic environ
+command are:
+.Bl -tag -width Fl
+.It Ic define Ar variable value 
+Define the variable
+.Ar variable
+to have a value of
+.Ar value.
+Any variables defined by this command are automatically marked for
+propagation (``exported'').
+The
+.Ar value
+may be enclosed in single or double quotes so
+that tabs and spaces may be included.
+.It Ic undefine Ar variable 
+Remove any existing definition of
+.Ar variable .
+.It Ic export Ar variable 
+Mark the specified variable for propagation to the remote host.
+.It Ic unexport Ar variable 
+Do not mark the specified variable for propagation to the remote
+host. The remote host may still ask explicitly for variables that are
+not exported.
+.It Ic list
+List the current set of environment variables.
+Those marked with a
+.Cm *
+will be propagated to the remote host. The remote host may still ask
+explicitly for the rest.
+.It Ic \&?
+Prints out help information for the
+.Ic environ
+command.
+.El
+.It Ic logout
+Send the
+.Dv TELNET LOGOUT
+protocol option to the remote host.
+This command is similar to a
+.Ic close
+command. If the remote host does not support the
+.Dv LOGOUT
+option, nothing happens.  But if it does, this command should cause it
+to close the connection.  If the remote side also supports the concept
+of suspending a user's session for later reattachment, the logout
+command indicates that the session should be terminated immediately.
+.It Ic mode Ar type 
+.Ar Type
+is one of several options, depending on the state of the session.
+.Tn Telnet
+asks the remote host to go into the requested mode. If the remote host
+says it can, that mode takes effect.
+.Bl -tag -width Ar
+.It Ic character
+Disable the
+.Dv TELNET LINEMODE
+option, or, if the remote side does not understand the
+.Dv LINEMODE
+option, then enter \*(Lqcharacter at a time\*(Lq mode.
+.It Ic line
+Enable the
+.Dv TELNET LINEMODE
+option, or, if the remote side does not understand the
+.Dv LINEMODE
+option, then attempt to enter \*(Lqold-line-by-line\*(Lq mode.
+.It Ic isig Pq Ic \-isig 
+Attempt to enable (disable) the 
+.Dv TRAPSIG
+mode of the 
+.Dv LINEMODE
+option.
+This requires that the 
+.Dv LINEMODE
+option be enabled.
+.It Ic edit Pq Ic \-edit 
+Attempt to enable (disable) the 
+.Dv EDIT
+mode of the 
+.Dv LINEMODE
+option.
+This requires that the 
+.Dv LINEMODE
+option be enabled.
+.It Ic softtabs Pq Ic \-softtabs 
+Attempt to enable (disable) the 
+.Dv SOFT_TAB
+mode of the 
+.Dv LINEMODE
+option.
+This requires that the 
+.Dv LINEMODE
+option be enabled.
+.It Ic litecho Pq Ic \-litecho 
+Attempt to enable (disable) the 
+.Dv LIT_ECHO
+mode of the 
+.Dv LINEMODE
+option.
+This requires that the 
+.Dv LINEMODE
+option be enabled.
+.It Ic \&?
+Prints out help information for the
+.Ic mode
+command.
+.El
+.It Xo
+.Ic open Ar host
+.Oo Op Fl l
+.Ar user
+.Oc Ns Oo Fl
+.Ar port Oc
+.Xc
+Open a connection to the named host.  If no port number is specified,
+.Nm telnet
+will attempt to contact a
+.Tn telnet
+daemon at the standard port (23).
+The host specification may be a host name or IP address.
+The
+.Fl l
+option may be used to specify a user name to be passed to the remote
+system, like the
+.Fl l
+command-line option.
+.Pp
+When connecting to ports other than the 
+.Nm telnet
+port,
+.Nm telnet
+does not attempt 
+.Tn telnet
+protocol negotiations. This makes it possible to connect to services
+that do not support the
+.Tn telnet
+protocol without making a mess. Protocol negotiation can be forced by
+placing a dash before the port number.
+.Pp
+After establishing a connection, any commands associated with the
+remote host in
+.Pa /etc/telnetrc
+and the user's
+.Pa .telnetrc
+file are executed, in that order.
+.Pp
+The format of the telnetrc files is as follows: Lines beginning with a
+#, and blank lines, are ignored.  The rest of the file should consist
+of hostnames and sequences of
+.Nm telnet
+commands to use with that host. Commands should be one per line,
+indented by whitespace; lines beginning without whitespace are
+interpreted as hostnames.  Lines beginning with the special hostname
+.Ql DEFAULT
+will apply to all hosts.  Upon connecting to a particular host, the
+commands associated with that host are executed.
+.It Ic quit
+Close any open session and exit
+.Nm telnet .
+An end of file condition on input, when in command mode, will trigger
+this operation as well.
+.It Ic send Ar arguments 
+Send one or more special 
+.Tn telnet
+protocol character sequences to the remote host.  The following are
+the codes which may be specified (more than one may be used in one
+command):
+.Pp
+.Bl -tag -width escape
+.It Ic abort
+Sends the
+.Dv TELNET ABORT
+(Abort Processes) sequence.
+.It Ic ao
+Sends the
+.Dv TELNET AO
+(Abort Output) sequence, which should cause the remote system to flush
+all output
+.Em from
+the remote system
+.Em to
+the user's terminal.
+.It Ic ayt
+Sends the
+.Dv TELNET AYT
+(Are You There?) sequence, to which the remote system may or may not
+choose to respond.
+.It Ic brk
+Sends the
+.Dv TELNET BRK
+(Break) sequence, which may have significance to the remote
+system.
+.It Ic ec
+Sends the
+.Dv TELNET EC
+(Erase Character)
+sequence, which should cause the remote system to erase the last character
+entered.
+.It Ic el
+Sends the
+.Dv TELNET EL
+(Erase Line)
+sequence, which should cause the remote system to erase the line currently
+being entered.
+.It Ic eof
+Sends the
+.Dv TELNET EOF
+(End Of File)
+sequence.
+.It Ic eor
+Sends the
+.Dv TELNET EOR
+(End of Record)
+sequence.
+.It Ic escape
+Sends the current
+.Nm telnet
+escape character.
+.It Ic ga
+Sends the
+.Dv TELNET GA
+(Go Ahead)
+sequence, which likely has no significance to the remote system.
+.It Ic getstatus
+If the remote side supports the
+.Dv TELNET STATUS
+command,
+.Ic getstatus
+will send the subnegotiation to request that the server send
+its current option status.
+.It Ic ip
+Sends the
+.Dv TELNET IP
+(Interrupt Process) sequence, which should cause the remote
+system to abort the currently running process.
+.It Ic nop
+Sends the
+.Dv TELNET NOP
+(No Operation)
+sequence.
+.It Ic susp
+Sends the
+.Dv TELNET SUSP
+(Suspend Process)
+sequence.
+.It Ic synch
+Sends the
+.Dv TELNET SYNCH
+sequence.
+This sequence causes the remote system to discard all previously typed
+(but not yet read) input.
+This sequence is sent as
+.Tn TCP
+urgent
+data (and may not work if the remote system is a
+.Bx 4.2
+system -- if
+it doesn't work, a lower case \*(Lqr\*(Rq may be echoed on the terminal).
+.It Ic do Ar cmd
+.It Ic dont Ar cmd
+.It Ic will Ar cmd
+.It Ic wont Ar cmd
+Sends the
+.Dv TELNET DO
+.Ar cmd
+sequence.
+.Ar cmd
+can be either a decimal number between 0 and 255,
+or a symbolic name for a specific
+.Dv TELNET
+command.
+.Ar cmd
+can also be either
+.Ic help
+or
+.Ic \&?
+to print out help information, including
+a list of known symbolic names.
+.It Ic \&?
+Prints out help information for the
+.Ic send
+command.
+.El
+.It Ic set Ar argument value 
+.It Ic unset Ar argument value 
+The
+.Ic set
+command will set any one of a number of
+.Nm telnet
+variables to a specific value or to
+.Dv TRUE .
+The special value
+.Ic off
+turns off the function associated with
+the variable. This is equivalent to using the
+.Ic unset
+command.
+The
+.Ic unset
+command will disable or set to
+.Dv FALSE
+any of the specified variables.
+The values of variables may be interrogated with the
+.Ic display
+command.
+The variables which may be set or unset, but not toggled, are
+listed here.  In addition, any of the variables for the
+.Ic toggle
+command may be explicitly set or unset.
+.Bl -tag -width escape
+.It Ic ayt
+If
+.Tn telnet
+is in localchars mode, or
+.Dv LINEMODE
+is enabled, and the status character is typed, a
+.Dv TELNET AYT
+sequence is sent to the remote host.  The initial value for the "Are
+You There" character is the terminal's status character.
+.It Ic echo
+This is the value (initially \*(Lq^E\*(Rq) which, when in
+\*(Lqline by line\*(Rq mode, toggles between doing local echoing
+of entered characters (for normal processing), and suppressing
+echoing of entered characters (for entering, say, a password).
+.It Ic eof
+If
+.Nm telnet
+is operating in
+.Dv LINEMODE
+or \*(Lqold line by line\*(Rq mode, entering this character
+as the first character on a line will cause this character to be
+sent to the remote system.
+The initial value of the eof character is taken to be the terminal's
+.Ic eof
+character.
+.It Ic erase
+If
+.Nm telnet
+is in
+.Ic localchars
+mode (see
+.Ic toggle
+.Ic localchars
+below),
+.Sy and
+if
+.Nm telnet
+is operating in \*(Lqcharacter at a time\*(Rq mode, then when this
+character is typed, a
+.Dv TELNET EC
+sequence (see
+.Ic send
+.Ic ec
+above)
+is sent to the remote system.
+The initial value for the erase character is taken to be
+the terminal's
+.Ic erase
+character.
+.It Ic escape
+This is the
+.Nm telnet
+escape character (initially \*(Lq^[\*(Rq) which causes entry
+into
+.Nm telnet
+command mode (when connected to a remote system).
+.It Ic flushoutput
+If
+.Nm telnet
+is in
+.Ic localchars
+mode (see
+.Ic toggle
+.Ic localchars
+below)
+and the
+.Ic flushoutput
+character is typed, a
+.Dv TELNET AO
+sequence (see
+.Ic send
+.Ic ao
+above)
+is sent to the remote host.
+The initial value for the flush character is taken to be
+the terminal's
+.Ic flush
+character.
+.It Ic forw1
+.It Ic forw2
+If
+.Tn TELNET
+is operating in
+.Dv LINEMODE ,
+these are the
+characters that, when typed, cause partial lines to be
+forwarded to the remote system.  The initial value for
+the forwarding characters are taken from the terminal's
+eol and eol2 characters.
+.It Ic interrupt
+If
+.Nm telnet
+is in
+.Ic localchars
+mode (see
+.Ic toggle
+.Ic localchars
+below)
+and the
+.Ic interrupt
+character is typed, a
+.Dv TELNET IP
+sequence (see
+.Ic send
+.Ic ip
+above)
+is sent to the remote host.
+The initial value for the interrupt character is taken to be
+the terminal's
+.Ic intr
+character.
+.It Ic kill
+If
+.Nm telnet
+is in
+.Ic localchars
+mode (see
+.Ic toggle
+.Ic localchars
+below),
+.Ic and
+if
+.Nm telnet
+is operating in \*(Lqcharacter at a time\*(Rq mode, then when this
+character is typed, a
+.Dv TELNET EL
+sequence (see
+.Ic send
+.Ic el
+above)
+is sent to the remote system.
+The initial value for the kill character is taken to be
+the terminal's
+.Ic kill
+character.
+.It Ic lnext
+If
+.Nm telnet
+is operating in
+.Dv LINEMODE
+or \*(Lqold line by line\*(Lq mode, then this character is taken to
+be the terminal's
+.Ic lnext
+character.
+The initial value for the lnext character is taken to be
+the terminal's
+.Ic lnext
+character.
+.It Ic quit
+If
+.Nm telnet
+is in
+.Ic localchars
+mode (see
+.Ic toggle
+.Ic localchars
+below)
+and the
+.Ic quit
+character is typed, a
+.Dv TELNET BRK
+sequence (see
+.Ic send
+.Ic brk
+above)
+is sent to the remote host.
+The initial value for the quit character is taken to be
+the terminal's
+.Ic quit
+character.
+.It Ic reprint
+If
+.Nm telnet
+is operating in
+.Dv LINEMODE
+or \*(Lqold line by line\*(Lq mode, then this character is taken to
+be the terminal's
+.Ic reprint
+character.
+The initial value for the reprint character is taken to be
+the terminal's
+.Ic reprint
+character.
+.It Ic rlogin
+This is the rlogin mode escape character. Setting it enables rlogin
+mode, as with the
+.Ar r
+command-line option (q.v.)
+.It Ic start
+If the
+.Dv TELNET TOGGLE-FLOW-CONTROL
+option has been enabled,
+then this character is taken to
+be the terminal's
+.Ic start
+character.
+The initial value for the kill character is taken to be
+the terminal's
+.Ic start
+character.
+.It Ic stop
+If the
+.Dv TELNET TOGGLE-FLOW-CONTROL
+option has been enabled,
+then this character is taken to
+be the terminal's
+.Ic stop
+character.
+The initial value for the kill character is taken to be
+the terminal's
+.Ic stop
+character.
+.It Ic susp
+If
+.Nm telnet
+is in
+.Ic localchars
+mode, or
+.Dv LINEMODE
+is enabled, and the
+.Ic suspend
+character is typed, a
+.Dv TELNET SUSP
+sequence (see
+.Ic send
+.Ic susp
+above)
+is sent to the remote host.
+The initial value for the suspend character is taken to be
+the terminal's
+.Ic suspend
+character.
+.It Ic tracefile
+This is the file to which the output, caused by
+.Ic netdata
+or
+.Ic option
+tracing being
+.Dv TRUE ,
+will be written.  If it is set to
+.Dq Fl ,
+then tracing information will be written to standard output (the default).
+.It Ic worderase
+If
+.Nm telnet
+is operating in
+.Dv LINEMODE
+or \*(Lqold line by line\*(Lq mode, then this character is taken to
+be the terminal's
+.Ic worderase
+character.
+The initial value for the worderase character is taken to be
+the terminal's
+.Ic worderase
+character.
+.It Ic \&?
+Displays the legal
+.Ic set
+.Pq Ic unset
+commands.
+.El
+.It Ic slc Ar state 
+The
+.Ic slc
+command (Set Local Characters) is used to set
+or change the state of the the special
+characters when the 
+.Dv TELNET LINEMODE
+option has
+been enabled.  Special characters are characters that get
+mapped to 
+.Tn TELNET
+commands sequences (like
+.Ic ip
+or
+.Ic quit  )
+or line editing characters (like
+.Ic erase
+and
+.Ic kill  ) .
+By default, the local special characters are exported.
+.Bl -tag -width Fl
+.It Ic check
+Verify the current settings for the current special characters.
+The remote side is requested to send all the current special
+character settings, and if there are any discrepancies with
+the local side, the local side will switch to the remote value.
+.It Ic export
+Switch to the local defaults for the special characters.  The
+local default characters are those of the local terminal at
+the time when
+.Nm telnet
+was started.
+.It Ic import
+Switch to the remote defaults for the special characters.
+The remote default characters are those of the remote system
+at the time when the 
+.Tn TELNET
+connection was established.
+.It Ic \&?
+Prints out help information for the
+.Ic slc
+command.
+.El
+.It Ic status
+Show the current status of
+.Nm telnet .
+This includes the name of the remote host, if any, as well as the
+current mode.
+.It Ic toggle Ar arguments ... 
+Toggle (between
+.Dv TRUE
+and
+.Dv FALSE )
+various flags that control how
+.Nm telnet
+responds to events.
+These flags may be set explicitly to
+.Dv TRUE
+or
+.Dv FALSE
+using the
+.Ic set
+and
+.Ic unset
+commands.
+More than one flag may be toggled at once.
+The state of these flags may be examined with the
+.Ic display
+command.
+Valid flags are:
+.Bl -tag -width Ar
+.It Ic authdebug
+Turns on debugging for the authentication code. This flag only exists
+if authentication support is enabled.
+.It Ic autoflush
+If
+.Ic autoflush
+and
+.Ic localchars
+are both
+.Dv TRUE ,
+then when the
+.Ic ao  ,
+or
+.Ic quit
+characters are recognized (and transformed into
+.Tn TELNET
+sequences; see
+.Ic set
+above for details),
+.Nm telnet
+refuses to display any data on the user's terminal
+until the remote system acknowledges (via a
+.Dv TELNET TIMING MARK
+option)
+that it has processed those
+.Tn TELNET
+sequences.
+The initial value for this toggle is
+.Dv TRUE
+if the terminal user had not
+done an "stty noflsh", otherwise
+.Dv FALSE
+(see
+.Xr stty  1  ) .
+.It Ic autodecrypt
+When the
+.Dv TELNET ENCRYPT
+option is negotiated, by
+default the actual encryption (decryption) of the data
+stream does not start automatically.  The autoencrypt
+(autodecrypt) command states that encryption of the
+output (input) stream should be enabled as soon as
+possible.
+.Pp
+Note that this flag exists only if encryption support is enabled.
+.It Ic autologin
+If the remote side supports the
+.Dv TELNET AUTHENTICATION
+option,
+.Tn telnet
+attempts to use it to perform automatic authentication.  If the
+.Dv TELNET AUTHENTICATION
+option is not supported, the user's login name is propagated using the
+.Dv TELNET ENVIRON
+option.
+Setting this flag is the same as specifying the
+.Ar a
+option to the
+.Ic open
+command or on the command line.
+.It Ic autosynch
+If
+.Ic autosynch
+and
+.Ic localchars
+are both
+.Dv TRUE ,
+then when either the
+.Ic intr
+or
+.Ic quit
+characters is typed (see
+.Ic set
+above for descriptions of the
+.Ic intr
+and
+.Ic quit
+characters), the resulting
+.Tn telnet
+sequence sent is followed by the
+.Dv TELNET SYNCH
+sequence.
+This procedure
+.Ic should
+cause the remote system to begin throwing away all previously
+typed input until both of the
+.Tn telnet
+sequences have been read and acted upon.
+The initial value of this toggle is
+.Dv FALSE .
+.It Ic binary
+Enable or disable the
+.Dv TELNET BINARY
+option on both input and output.
+.It Ic inbinary
+Enable or disable the
+.Dv TELNET BINARY
+option on input.
+.It Ic outbinary
+Enable or disable the
+.Dv TELNET BINARY
+option on output.
+.It Ic crlf
+If this is
+.Dv TRUE ,
+then carriage returns will be sent as
+.Li <CR><LF> .
+If this is
+.Dv FALSE ,
+then carriage returns will be send as
+.Li <CR><NUL> .
+The initial value for this toggle is
+.Dv FALSE .
+.It Ic crmod
+Toggle carriage return mode.
+When this mode is enabled, most carriage return characters received from
+the remote host will be mapped into a carriage return followed by
+a line feed.
+This mode does not affect those characters typed by the user, only
+those received from the remote host.
+This mode is not very useful unless the remote host
+only sends carriage return, but never line feed.
+The initial value for this toggle is
+.Dv FALSE .
+.It Ic debug
+Toggles socket level debugging (useful only to the
+.Ic super user ) .
+The initial value for this toggle is
+.Dv FALSE .
+.It Ic encdebug
+Turns on debugging information for the encryption code.
+Note that this flag only exists if encryption support is available.
+.It Ic localchars
+If this is
+.Dv TRUE ,
+then the
+.Ic flush  ,
+.Ic interrupt ,
+.Ic quit  ,
+.Ic erase ,
+and
+.Ic kill
+characters (see
+.Ic set
+above) are recognized locally, and transformed into (hopefully) appropriate
+.Tn TELNET
+control sequences
+(respectively
+.Ic ao  ,
+.Ic ip ,
+.Ic brk  ,
+.Ic ec ,
+and
+.Ic el  ;
+see
+.Ic send
+above).
+The initial value for this toggle is
+.Dv TRUE
+in \*(Lqold line by line\*(Rq mode,
+and
+.Dv FALSE
+in \*(Lqcharacter at a time\*(Rq mode.
+When the
+.Dv LINEMODE
+option is enabled, the value of
+.Ic localchars
+is ignored, and assumed to always be
+.Dv TRUE .
+If
+.Dv LINEMODE
+has ever been enabled, then
+.Ic quit
+is sent as
+.Ic abort  ,
+and
+.Ic eof and
+.B suspend
+are sent as
+.Ic eof and
+.Ic susp ,
+see
+.Ic send
+above).
+.It Ic netdata
+Toggles the display of all network data (in hexadecimal format).
+The initial value for this toggle is
+.Dv FALSE .
+.It Ic options
+Toggles the display of some internal
+.Nm telnet
+protocol processing (having to do with
+.Tn telnet
+options).
+The initial value for this toggle is
+.Dv FALSE .
+.It Ic prettydump
+When the
+.Ic netdata
+toggle is enabled, if
+.Ic prettydump
+is enabled the output from the
+.Ic netdata
+command will be formatted in a more user-readable format.
+Spaces are put between each character in the output, and the
+beginning of
+.Tn telnet
+escape sequences are preceded by a '*' to aid in locating them.
+.It Ic skiprc
+When the skiprc toggle is
+.Dv TRUE ,
+.Tn telnet
+does not read the telnetrc files.  The initial value for this toggle is
+.Dv FALSE.
+.It Ic termdata
+Toggles the display of all terminal data (in hexadecimal format).
+The initial value for this toggle is
+.Dv FALSE .
+.It Ic verbose_encrypt
+When the
+.Ic verbose_encrypt
+toggle is
+.Dv TRUE ,
+.Tn TELNET
+prints out a message each time encryption is enabled or
+disabled.  The initial value for this toggle is
+.Dv FALSE.
+This flag only exists if encryption support is available.
+.It Ic \&?
+Displays the legal
+.Ic toggle
+commands.
+.El
+.It Ic z
+Suspend
+.Nm telnet  .
+This command only works when the user is using the
+.Xr csh  1  .
+.It Ic \&! Op Ar command 
+Execute a single command in a subshell on the local
+system.  If
+.Ic command
+is omitted, then an interactive subshell is invoked.
+.It Ic \&? Op Ar command 
+Get help.  With no arguments,
+.Nm telnet
+prints a help summary.
+If a command is specified,
+.Nm telnet
+will print the help information for just that command.
+.El
+.Sh ENVIRONMENT
+.Nm Telnet
+uses at least the
+.Ev HOME ,
+.Ev SHELL ,
+.Ev DISPLAY ,
+and
+.Ev TERM
+environment variables.
+Other environment variables may be propagated
+to the other side via the
+.Dv TELNET ENVIRON
+option.
+.Sh FILES
+.Bl -tag -width /etc/telnetrc -compact
+.It Pa /etc/telnetrc
+global telnet startup values
+.It Pa ~/.telnetrc
+user customized telnet startup values
+.El
+.Sh HISTORY
+The
+.Nm Telnet
+command appeared in
+.Bx 4.2 .
+.Sh NOTES
+.Pp
+On some remote systems, echo has to be turned off manually when in
+\*(Lqold line by line\*(Rq mode.
+.Pp
+In \*(Lqold line by line\*(Rq mode or 
+.Dv LINEMODE
+the terminal's
+.Ic eof
+character is only recognized (and sent to the remote system)
+when it is the first character on a line.
+.Sh BUGS
+The source code is not comprehensible.
diff --git a/exploits/7350855-netkit/netkit-telnet-0.17/telnet/telnet.cc b/exploits/7350855-netkit/netkit-telnet-0.17/telnet/telnet.cc
new file mode 100644
index 0000000..e5c613d
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.17/telnet/telnet.cc
@@ -0,0 +1,2071 @@
+/*
+ * Copyright (c) 1988, 1990 Regents of the University of California.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *      This product includes software developed by the University of
+ *      California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/*
+ * From: @(#)telnet.c   5.53 (Berkeley) 3/22/91
+ */
+char telnet_rcsid[] = 
+"$Id: telnet.cc,v 1.36 2000/07/23 03:24:53 dholland Exp $";
+
+#include <string.h>
+#include <sys/types.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <signal.h>
+
+#include <arpa/telnet.h>
+
+#include <ctype.h>
+
+#include "ring.h"
+#include "defines.h"
+#include "externs.h"
+#include "types.h"
+#include "environ.h"
+#include "proto.h"
+#include "ptrarray.h"
+#include "netlink.h"
+#include "terminal.h"
+
+/*
+ * Due to lossage in some linux distributions/kernel releases/libc versions
+ * this must come *after* termios.h (which is included in externs.h)
+ */
+#include <termcap.h>
+
+#ifdef USE_NCURSES
+#include <term.h>
+#endif
+
+
+#define strip(x)        ((x)&0x7f)
+
+static unsigned char subbuffer[SUBBUFSIZE];
+static unsigned char *subpointer, *subend;       /* buffer for sub-options */
+#define SB_CLEAR()      subpointer = subbuffer;
+#define SB_TERM()       { subend = subpointer; SB_CLEAR(); }
+#define SB_ACCUM(c)     if (subpointer < (subbuffer+sizeof subbuffer)) { \
+  *subpointer++ = (c); \
+                         }
+
+#define SB_GET()        (*subpointer++)
+#define SB_PEEK()       (*subpointer)
+#define SB_EOF()        (subpointer >= subend)
+#define SB_LEN()        (subend - subpointer)
+
+char    options[256];           /* The combined options */
+char    do_dont_resp[256];
+char    will_wont_resp[256];
+
+int
+eight = 0,
+  autologin = 0,        /* Autologin anyone? */
+  skiprc = 0,
+  connected,
+  showoptions,
+  In3270,               /* Are we in 3270 mode? */
+  ISend,                /* trying to send network data in */
+  debug = 0,
+  crmod,
+  crlf,         /* Should '\r' be mapped to <CR><LF> (or <CR><NUL>)? */
+#if     defined(TN3270)
+  noasynchtty = 0,/* User specified "-noasynch" on command line */
+  noasynchnet = 0,/* User specified "-noasynch" on command line */
+  askedSGA = 0, /* We have talked about suppress go ahead */
+#endif  /* defined(TN3270) */
+  telnetport,
+  SYNCHing,     /* we are in TELNET SYNCH mode */
+  flushout,     /* flush output */
+  autoflush = 0,        /* flush output when interrupting? */
+  autosynch,    /* send interrupt characters with SYNCH? */
+  localflow,    /* we handle flow control locally */
+  localchars,   /* we recognize interrupt/quit */
+  donelclchars, /* the user has set "localchars" */
+  donebinarytoggle,     /* the user has put us in binary */
+  dontlecho,    /* do we suppress local echoing right now? */
+  globalmode;
+
+char *prompt = 0;
+
+cc_t escapechar;
+cc_t rlogin;
+#ifdef  KLUDGELINEMODE
+cc_t echoc;
+#endif
+
+/*
+ * Telnet receiver states for fsm
+ */
+#define TS_DATA         0
+#define TS_IAC          1
+#define TS_WILL         2
+#define TS_WONT         3
+#define TS_DO           4
+#define TS_DONT         5
+#define TS_CR           6
+#define TS_SB           7               /* sub-option collection */
+#define TS_SE           8               /* looking for sub-option end */
+
+static int telrcv_state;
+
+sigjmp_buf toplevel;
+sigjmp_buf peerdied;
+
+int flushline;
+int linemode;
+
+#ifdef  KLUDGELINEMODE
+int kludgelinemode = 1;
+#endif
+
+/*
+ * The following are some clocks used to decide how to interpret
+ * the relationship between various variables.
+ */
+
+Clocks clocks;
+
+#ifdef  notdef
+Modelist modelist[] = {
+  { "telnet command mode", COMMAND_LINE },
+  { "character-at-a-time mode", 0 },
+  { "character-at-a-time mode (local echo)", LOCAL_ECHO|LOCAL_CHARS },
+  { "line-by-line mode (remote echo)", LINE | LOCAL_CHARS },
+  { "line-by-line mode", LINE | LOCAL_ECHO | LOCAL_CHARS },
+  { "line-by-line mode (local echoing suppressed)", LINE | LOCAL_CHARS },
+  { "3270 mode", 0 },
+};
+#endif
+
+/*
+ * Initialize telnet environment.
+ */
+void init_telnet(void) {
+  env_init();
+  cmdtab_init();
+  
+  SB_CLEAR();
+  memset(options, 0, sizeof(options));
+  
+  connected = In3270 = ISend = localflow = donebinarytoggle = 0;
+  
+  SYNCHing = 0;
+  
+  /* Don't change NetTrace */
+  
+  escapechar = CONTROL(']');
+  rlogin = _POSIX_VDISABLE;
+#ifdef  KLUDGELINEMODE
+  echoc = CONTROL('E');
+#endif
+  
+  flushline = 1;
+  telrcv_state = TS_DATA;
+}
+
+
+#if 0
+#include <stdarg.h>
+
+static void printring(Ring *ring, const char *format, ...) {
+  va_list ap;
+  char buffer[100];             /* where things go */
+  char *ptr;
+  char *string;
+  int i;
+  
+  va_start(ap, format);
+  
+  ptr = buffer;
+  
+  while ((i = *format++) != 0) {
+    if (i == '%') {
+      i = *format++;
+      switch (i) {
+      case 'c':
+        *ptr++ = va_arg(ap, int);
+        break;
+      case 's':
+        string = va_arg(ap, char *);
+        ring->supply_data(buffer, ptr-buffer);
+        ring->supply_data(string, strlen(string));
+        ptr = buffer;
+        break;
+      case 0:
+        ExitString("printring: trailing %%.\n", 1);
+        /*NOTREACHED*/
+      default:
+        ExitString("printring: unknown format character.\n", 1);
+        /*NOTREACHED*/
+      }
+    } 
+    else {
+      *ptr++ = i;
+    }
+  }
+  ring->supply_data(buffer, ptr-buffer);
+}
+#endif
+
+/*
+ * These routines are in charge of sending option negotiations
+ * to the other side.
+ *
+ * The basic idea is that we send the negotiation if either side
+ * is in disagreement as to what the current state should be.
+ */
+
+void send_do(int c, int init) {
+  if (init) {
+    if (((do_dont_resp[c] == 0) && my_state_is_do(c)) ||
+        my_want_state_is_do(c))
+      return;
+    set_my_want_state_do(c);
+    do_dont_resp[c]++;
+  }
+  NET2ADD(IAC, DO);
+  NETADD(c);
+  printoption("SENT", DO, c);
+}
+
+void send_dont(int c, int init) {
+  if (init) {
+    if (((do_dont_resp[c] == 0) && my_state_is_dont(c)) ||
+        my_want_state_is_dont(c))
+      return;
+    set_my_want_state_dont(c);
+    do_dont_resp[c]++;
+  }
+  NET2ADD(IAC, DONT);
+  NETADD(c);
+  printoption("SENT", DONT, c);
+}
+
+void send_will(int c, int init) {
+  if (init) {
+    if (((will_wont_resp[c] == 0) && my_state_is_will(c)) ||
+        my_want_state_is_will(c))
+      return;
+    set_my_want_state_will(c);
+    will_wont_resp[c]++;
+  }
+  NET2ADD(IAC, WILL);
+  NETADD(c);
+  printoption("SENT", WILL, c);
+}
+
+void send_wont(int c, int init) {
+  if (init) {
+    if (((will_wont_resp[c] == 0) && my_state_is_wont(c)) ||
+        my_want_state_is_wont(c))
+      return;
+    set_my_want_state_wont(c);
+    will_wont_resp[c]++;
+  }
+  NET2ADD(IAC, WONT);
+  NETADD(c);
+  printoption("SENT", WONT, c);
+}
+
+
+void willoption(int option) {
+  int new_state_ok = 0;
+  
+  if (do_dont_resp[option]) {
+    --do_dont_resp[option];
+    if (do_dont_resp[option] && my_state_is_do(option))
+      --do_dont_resp[option];
+  }
+  
+  if ((do_dont_resp[option] == 0) && my_want_state_is_dont(option)) {
+    switch (option) {
+    case TELOPT_ECHO:
+#if defined(TN3270)
+      /*
+       * The following is a pain in the rear-end.
+       * Various IBM servers (some versions of Wiscnet,
+       * possibly Fibronics/Spartacus, and who knows who
+       * else) will NOT allow us to send "DO SGA" too early
+       * in the setup proceedings.  On the other hand,
+       * 4.2 servers (telnetd) won't set SGA correctly.
+       * So, we are stuck.  Empirically (but, based on
+       * a VERY small sample), the IBM servers don't send
+       * out anything about ECHO, so we postpone our sending
+       * "DO SGA" until we see "WILL ECHO" (which 4.2 servers
+       * DO send).
+       */
+      {
+        if (askedSGA == 0) {
+          askedSGA = 1;
+          if (my_want_state_is_dont(TELOPT_SGA))
+            send_do(TELOPT_SGA, 1);
+        }
+      }
+      /* Fall through */
+    case TELOPT_EOR:
+#endif /* TN3270 */
+    case TELOPT_BINARY:
+    case TELOPT_SGA:
+      settimer(modenegotiated);
+      /* FALL THROUGH */
+    case TELOPT_STATUS:
+      new_state_ok = 1;
+      break;
+      
+    case TELOPT_TM:
+      if (flushout)
+        flushout = 0;
+      /*
+       * Special case for TM.  If we get back a WILL,
+       * pretend we got back a WONT.
+       */
+      set_my_want_state_dont(option);
+      set_my_state_dont(option);
+      return;                   /* Never reply to TM will's/wont's */
+      
+    case TELOPT_LINEMODE:
+    default:
+      break;
+    }
+    
+    if (new_state_ok) {
+      set_my_want_state_do(option);
+      send_do(option, 0);
+      setconnmode(0);           /* possibly set new tty mode */
+    } 
+    else {
+      do_dont_resp[option]++;
+      send_dont(option, 0);
+    }
+  }
+  set_my_state_do(option);
+}
+
+void wontoption(int option) {
+  if (do_dont_resp[option]) {
+    --do_dont_resp[option];
+    if (do_dont_resp[option] && my_state_is_dont(option))
+      --do_dont_resp[option];
+  }
+  
+  if ((do_dont_resp[option] == 0) && my_want_state_is_do(option)) {
+    
+    switch (option) {
+      
+#ifdef  KLUDGELINEMODE
+    case TELOPT_SGA:
+      if (!kludgelinemode)
+        break;
+      /* FALL THROUGH */
+#endif
+    case TELOPT_ECHO:
+      settimer(modenegotiated);
+      break;
+      
+    case TELOPT_TM:
+      if (flushout)
+        flushout = 0;
+      set_my_want_state_dont(option);
+      set_my_state_dont(option);
+      return;           /* Never reply to TM will's/wont's */
+      
+    default:
+      break;
+    }
+    set_my_want_state_dont(option);
+    if (my_state_is_do(option))
+      send_dont(option, 0);
+    setconnmode(0);                     /* Set new tty mode */
+  } 
+  else if (option == TELOPT_TM) {
+    /*
+     * Special case for TM.
+     */
+    if (flushout)
+      flushout = 0;
+    set_my_want_state_dont(option);
+  }
+  set_my_state_dont(option);
+}
+
+static void dooption(int option) {
+  int new_state_ok = 0;
+  
+  if (will_wont_resp[option]) {
+    --will_wont_resp[option];
+    if (will_wont_resp[option] && my_state_is_will(option))
+      --will_wont_resp[option];
+  }
+  
+  if (will_wont_resp[option] == 0) {
+    if (my_want_state_is_wont(option)) {
+      
+      switch (option) {
+        
+      case TELOPT_TM:
+        /*
+         * Special case for TM.  We send a WILL, but pretend
+         * we sent WONT.
+         */
+        send_will(option, 0);
+        set_my_want_state_wont(TELOPT_TM);
+        set_my_state_wont(TELOPT_TM);
+        return;
+        
+#       if defined(TN3270)
+      case TELOPT_EOR:          /* end of record */
+#       endif   /* defined(TN3270) */
+      case TELOPT_BINARY:               /* binary mode */
+      case TELOPT_NAWS:         /* window size */
+      case TELOPT_TSPEED:               /* terminal speed */
+      case TELOPT_LFLOW:                /* local flow control */
+      case TELOPT_TTYPE:                /* terminal type option */
+      case TELOPT_SGA:          /* no big deal */
+      case TELOPT_ENVIRON:      /* environment variable option */
+        new_state_ok = 1;
+        break;
+        
+      case TELOPT_XDISPLOC:     /* X Display location */
+        if (env_getvalue("DISPLAY", 0))
+          new_state_ok = 1;
+        break;
+        
+      case TELOPT_LINEMODE:
+#ifdef  KLUDGELINEMODE
+        kludgelinemode = 0;
+        send_do(TELOPT_SGA, 1);
+#endif
+        set_my_want_state_will(TELOPT_LINEMODE);
+        send_will(option, 0);
+        set_my_state_will(TELOPT_LINEMODE);
+        slc_init();
+        return;
+        
+      case TELOPT_ECHO:         /* We're never going to echo... */
+      default:
+        break;
+      }
+      
+      if (new_state_ok) {
+        set_my_want_state_will(option);
+        send_will(option, 0);
+        setconnmode(0);                 /* Set new tty fmode */
+      } 
+      else {
+        will_wont_resp[option]++;
+        send_wont(option, 0);
+      }
+    } 
+    else {
+      /*
+       * Handle options that need more things done after the
+       * other side has acknowledged the option.
+       */
+      switch (option) {
+      case TELOPT_LINEMODE:
+#ifdef  KLUDGELINEMODE
+        kludgelinemode = 0;
+        send_do(TELOPT_SGA, 1);
+#endif
+        set_my_state_will(option);
+        slc_init();
+        send_do(TELOPT_SGA, 0);
+        return;
+      }
+    }
+  }
+  set_my_state_will(option);
+}
+
+static void dontoption(int option) {
+  if (will_wont_resp[option]) {
+    --will_wont_resp[option];
+    if (will_wont_resp[option] && my_state_is_wont(option))
+      --will_wont_resp[option];
+  }
+  
+  if ((will_wont_resp[option] == 0) && my_want_state_is_will(option)) {
+    switch (option) {
+    case TELOPT_LINEMODE:
+      linemode = 0;     /* put us back to the default state */
+      break;
+    }
+    /* we always accept a DONT */
+    set_my_want_state_wont(option);
+    if (my_state_is_will(option))
+      send_wont(option, 0);
+    setconnmode(0);                     /* Set new tty mode */
+  }
+  set_my_state_wont(option);
+}
+
+/*
+ * Given a buffer returned by tgetent(), this routine will turn
+ * the pipe seperated list of names in the buffer into an array
+ * of pointers to null terminated names.  We toss out any bad,
+ * duplicate, or verbose names (names with spaces).
+ */
+
+typedef ptrarray<const char> stringarray;
+
+static int is_unique(const char *name, const stringarray &ar) {
+  for (int i=0; i<ar.num(); i++) if (!strcasecmp(ar[i], name)) return 0;
+  return 1;
+}
+
+static void mklist(char *buf, const char *name, stringarray &fill) {
+  char *cp; 
+  
+  fill.setsize(0);
+  cp = strchr(buf, ':');
+  if (cp) *cp = 0;
+  for (cp = strtok(buf, "|:"); cp; cp = strtok(NULL, "|:")) {
+    /*
+     * Skip entries longer than 40 characters.
+     * Skip entries with spaces or non-ascii values.
+     * Convert lower case letters to upper case.
+     */
+    if (strlen(cp)>40) continue;
+    int bad = 0;
+    for (int i=0; cp[i]; i++) if (!isascii(cp[i]) || cp[i]==' ') bad=1;
+    if (bad) continue;
+    upcase(cp);
+    if (is_unique(cp, fill)) fill.add(cp);
+  }
+  
+  /*
+   * Move the name we were passed to the beginning if it's not already
+   * there.
+   */
+  for (int j=1; j<fill.num(); j++) if (!strcasecmp(name, fill[j])) {
+    const char *temp = fill[j];
+    fill[j] = fill[0];
+    fill[0] = temp;
+  }
+  
+  /*
+   * Check for an old V6 2 character name. If present,
+   * move it to the end of the array.
+   */
+  for (int k=1; k<fill.num()-1; k++) {
+    if (strlen(fill[k])==2 && fill[k]==buf) {
+      const char *temp = fill[fill.num()-1];
+      fill[fill.num()-1] = fill[k];
+      fill[k] = temp;
+    }
+  }
+  
+  /*
+   * If we got nothing, add in what we were passed
+   */
+  if (fill.num()==0) {
+    if (name && strlen(name)<40) fill.add(name);
+    else fill.add("UNKNOWN");
+  }
+  
+  /*
+   * Duplicate last name, for TTYPE option, and null
+   * terminate the array.  If we didn't find a match on
+   * our terminal name, put that name at the beginning.
+   */
+  
+  fill.add(fill[fill.num()-1]);
+
+  /* dholland 21-May-2000 I think this is bogus */
+  /*fill.add(NULL);*/
+}
+
+char termbuf[2048];
+
+static int my_setupterm(const char *tname, int /*fd*/, int *errp) {
+  if (tgetent(termbuf, tname) == 1) {
+    /* its Sun Mar 15 00:03:36 PST 1998 this could never have worked with
+     * ncurses.  The ncurses tgetent() ignores its first parameter
+     */
+    
+#ifndef USE_NCURSES
+    termbuf[1023] = '\0';
+#else
+    strncpy(termbuf, CUR term_names, sizeof(termbuf));
+#endif
+    
+    if (errp)
+      *errp = 1;
+    return 0;
+  }
+  if (errp) *errp = 0;
+  return -1;
+}
+
+int resettermname = 1;
+
+static const char *gettermname(void) {
+  static stringarray termtypes;
+  static int next;
+  
+  const char *tname;
+  int err;
+  
+  if (resettermname) {
+    resettermname = 0;
+    tname = env_getvalue("TERM", 0);
+    if (!tname || my_setupterm(tname, 1, &err)) {
+      termbuf[0] = 0;
+      tname = "UNKNOWN";
+    }
+    mklist(termbuf, tname, termtypes);
+    next = 0;
+  }
+  if (next==termtypes.num()-1) next = 0;
+  return termtypes[next++];
+}
+/*
+ * suboption()
+ *
+ *      Look at the sub-option buffer, and try to be helpful to the other
+ * side.
+ *
+ *      Currently we recognize:
+ *
+ *              Terminal type, send request.
+ *              Terminal speed (send request).
+ *              Local flow control (is request).
+ *              Linemode
+ */
+
+static void suboption(void) {
+  printsub('<', subbuffer, SB_LEN()+2);
+  switch (SB_GET()) {
+  case TELOPT_TTYPE:
+    if (my_want_state_is_wont(TELOPT_TTYPE))
+      return;
+    if (SB_EOF() || SB_GET() != TELQUAL_SEND) {
+      return;
+    } 
+    else {
+      const char *name;
+      
+#if defined(TN3270)
+      if (tn3270_ttype()) {
+        return;
+      }
+#endif /* TN3270 */
+      name = gettermname();
+      netoring.xprintf("%c%c%c%c%s%c%c", IAC, SB, TELOPT_TTYPE,
+                      TELQUAL_IS, name, IAC, SE);
+    }
+    break;
+  case TELOPT_TSPEED:
+    if (my_want_state_is_wont(TELOPT_TSPEED))
+      return;
+    if (SB_EOF())
+      return;
+    if (SB_GET() == TELQUAL_SEND) {
+      long oospeed, iispeed;
+      TerminalSpeeds(&iispeed, &oospeed);
+      netoring.xprintf("%c%c%c%c%ld,%ld%c%c", IAC, SB, TELOPT_TSPEED, 
+                      TELQUAL_IS, oospeed, iispeed, IAC, SE);
+    }
+    break;
+  case TELOPT_LFLOW:
+    if (my_want_state_is_wont(TELOPT_LFLOW))
+      return;
+    if (SB_EOF())
+      return;
+    switch(SB_GET()) {
+    case 1:
+      localflow = 1;
+      break;
+    case 0:
+      localflow = 0;
+      break;
+    default:
+      return;
+    }
+    setcommandmode();
+    setconnmode(0);
+    break;
+    
+  case TELOPT_LINEMODE:
+    if (my_want_state_is_wont(TELOPT_LINEMODE))
+      return;
+    if (SB_EOF())
+      return;
+    switch (SB_GET()) {
+    case WILL:
+      lm_will(subpointer, SB_LEN());
+      break;
+    case WONT:
+      lm_wont(subpointer, SB_LEN());
+      break;
+    case DO:
+      lm_do(subpointer, SB_LEN());
+      break;
+    case DONT:
+      lm_dont(subpointer, SB_LEN());
+      break;
+    case LM_SLC:
+      slc(subpointer, SB_LEN());
+      break;
+    case LM_MODE:
+      lm_mode(subpointer, SB_LEN(), 0);
+      break;
+    default:
+      break;
+    }
+    break;
+    
+  case TELOPT_ENVIRON:
+    if (SB_EOF())
+      return;
+    switch(SB_PEEK()) {
+    case TELQUAL_IS:
+    case TELQUAL_INFO:
+      if (my_want_state_is_dont(TELOPT_ENVIRON))
+        return;
+      break;
+    case TELQUAL_SEND:
+      if (my_want_state_is_wont(TELOPT_ENVIRON)) {
+        return;
+      }
+      break;
+    default:
+      return;
+    }
+    env_opt(subpointer, SB_LEN());
+    break;
+    
+  case TELOPT_XDISPLOC:
+    if (my_want_state_is_wont(TELOPT_XDISPLOC))
+      return;
+    if (SB_EOF())
+      return;
+    if (SB_GET() == TELQUAL_SEND) {
+      const char *dp = env_getvalue("DISPLAY", 0);
+      if (dp == NULL) {
+        /*
+         * Something happened, we no longer have a DISPLAY
+         * variable.  So, turn off the option.
+         */
+        send_wont(TELOPT_XDISPLOC, 1);
+        break;
+      }
+      netoring.xprintf("%c%c%c%c%s%c%c", IAC, SB, TELOPT_XDISPLOC,
+                      TELQUAL_IS, dp, IAC, SE);
+    }
+    break;
+    
+  default:
+    break;
+  }
+}
+
+//static char str_lm[] = { IAC, SB, TELOPT_LINEMODE, 0, 0, IAC, SE };
+
+void lm_will(unsigned char *cmd, int len) {
+  if (len < 1) {
+    /*@*/       printf("lm_will: no command!!!\n");     /* Should not happen... */
+    return;
+  }
+  
+  netoring.xprintf("%c%c%c%c%c%c%c", IAC, SB, TELOPT_LINEMODE, 
+                  DONT, cmd[0], IAC, SE);
+}
+
+void lm_wont(unsigned char * /*cmd*/, int len) {
+  if (len < 1) {
+    /*@*/       printf("lm_wont: no command!!!\n");     /* Should not happen... */
+    return;
+  }
+  /* We are always DONT, so don't respond */
+}
+
+void lm_do(unsigned char *cmd, int len) {
+  if (len < 1) {
+    /*@*/       printf("lm_do: no command!!!\n");       /* Should not happen... */
+    return;
+  }
+  netoring.xprintf("%c%c%c%c%c%c%c", IAC, SB, TELOPT_LINEMODE, 
+                  WONT, cmd[0], IAC, SE);
+}
+
+void lm_dont(unsigned char * /*cmd*/, int len) {
+  if (len < 1) {
+    /*@*/       printf("lm_dont: no command!!!\n");     /* Should not happen... */
+    return;
+  }
+  /* we are always WONT, so don't respond */
+}
+
+void lm_mode(unsigned char *cmd, int len, int init) {
+  if (len != 1) return;
+  if ((linemode&MODE_MASK&~MODE_ACK) == *cmd) return;
+  if (*cmd&MODE_ACK) return;
+  
+  linemode = *cmd&(MODE_MASK&~MODE_ACK);
+  int k = linemode;
+  if (!init) {
+    k |= MODE_ACK;
+  }
+  
+  netoring.xprintf("%c%c%c%c%c%c%c", IAC, SB, TELOPT_LINEMODE, LM_MODE,
+                  k, IAC, SE);
+  
+  setconnmode(0);       /* set changed mode */
+}
+
+
+/*
+ * slc()
+ * Handle special character suboption of LINEMODE.
+ */
+
+struct spc {
+  cc_t val;
+  cc_t *valp;
+  char flags;   /* Current flags & level */
+  char mylevel; /* Maximum level & flags */
+} spc_data[NSLC+1];
+
+#define SLC_IMPORT      0
+#define SLC_EXPORT      1
+#define SLC_RVALUE      2
+static int slc_mode = SLC_EXPORT;
+
+void slc_init(void) {
+  register struct spc *spcp;
+  
+  localchars = 1;
+  for (spcp = spc_data; spcp < &spc_data[NSLC+1]; spcp++) {
+    spcp->val = 0;
+    spcp->valp = 0;
+    spcp->flags = spcp->mylevel = SLC_NOSUPPORT;
+  }
+  
+#define initfunc(func, flags) { \
+                                                            spcp = &spc_data[func]; \
+                                                                                      if ((spcp->valp = tcval(func))) { \
+                                                                                                                          spcp->val = *spcp->valp; \
+                                                                                                                                                     spcp->mylevel = SLC_VARIABLE|flags; \
+                                                                                                                                                                                           } else { \
+                                                                                                                                                                                                      spcp->val = 0; \
+                                                                                                                                                                                                                       spcp->mylevel = SLC_DEFAULT; \
+                                                                                                                                                                                                                                                      } \
+                                                                                                                                                                                                                                                          }
+  
+  initfunc(SLC_SYNCH, 0);
+  /* No BRK */
+  initfunc(SLC_AO, 0);
+  initfunc(SLC_AYT, 0);
+  /* No EOR */
+  initfunc(SLC_ABORT, SLC_FLUSHIN|SLC_FLUSHOUT);
+  initfunc(SLC_EOF, 0);
+  initfunc(SLC_SUSP, SLC_FLUSHIN);
+  
+  initfunc(SLC_EC, 0);
+  initfunc(SLC_EL, 0);
+  
+  initfunc(SLC_XON, 0);
+  initfunc(SLC_XOFF, 0);
+  
+  initfunc(SLC_FORW1, 0);
+  initfunc(SLC_FORW2, 0);
+  /* No FORW2 */
+  
+  initfunc(SLC_IP, SLC_FLUSHIN|SLC_FLUSHOUT);
+#undef  initfunc
+  
+  if (slc_mode == SLC_EXPORT)
+    slc_export();
+  else
+    slc_import(1);
+  
+}
+
+void slcstate(void) {
+  printf("Special characters are %s values\n",
+         slc_mode == SLC_IMPORT ? "remote default" :
+         slc_mode == SLC_EXPORT ? "local" :
+         "remote");
+}
+
+void slc_mode_export(void) {
+  slc_mode = SLC_EXPORT;
+  if (my_state_is_will(TELOPT_LINEMODE))
+    slc_export();
+}
+
+void slc_mode_import(int def) {
+  slc_mode = def ? SLC_IMPORT : SLC_RVALUE;
+  if (my_state_is_will(TELOPT_LINEMODE))
+    slc_import(def);
+}
+
+void slc_import(int def) {
+  if (def) {
+    netoring.xprintf("%c%c%c%c%c%c%c%c%c", IAC, SB, TELOPT_LINEMODE,
+                    LM_SLC, 0, SLC_DEFAULT, 0, IAC, SE);
+  }
+  else {
+    netoring.xprintf("%c%c%c%c%c%c%c%c%c", IAC, SB, TELOPT_LINEMODE,
+                    LM_SLC, 0, SLC_VARIABLE, 0, IAC, SE);
+  }
+}
+
+void slc_export(void) {
+  register struct spc *spcp;
+  
+  TerminalDefaultChars();
+  
+  slc_start_reply();
+  for (spcp = &spc_data[1]; spcp < &spc_data[NSLC+1]; spcp++) {
+    if (spcp->mylevel != SLC_NOSUPPORT) {
+      if (spcp->val == (cc_t)(_POSIX_VDISABLE))
+        spcp->flags = SLC_NOSUPPORT;
+      else
+        spcp->flags = spcp->mylevel;
+      if (spcp->valp)
+        spcp->val = *spcp->valp;
+      slc_add_reply(spcp - spc_data, spcp->flags, spcp->val);
+    }
+  }
+  slc_end_reply();
+  (void)slc_update();
+  setconnmode(1);       /* Make sure the character values are set */
+}
+
+void slc(unsigned char *cp, int len) {
+  register struct spc *spcp;
+  register int func,level;
+  
+  slc_start_reply();
+  
+  for (; len >= 3; len -=3, cp +=3) {
+    
+    func = cp[SLC_FUNC];
+    
+    if (func == 0) {
+      /*
+       * Client side: always ignore 0 function.
+       */
+      continue;
+    }
+    if (func > NSLC) {
+      if ((cp[SLC_FLAGS] & SLC_LEVELBITS) != SLC_NOSUPPORT)
+        slc_add_reply(func, SLC_NOSUPPORT, 0);
+      continue;
+    }
+    
+    spcp = &spc_data[func];
+    
+    level = cp[SLC_FLAGS]&(SLC_LEVELBITS|SLC_ACK);
+    
+    if ((cp[SLC_VALUE] == spcp->val) &&
+        ((level&SLC_LEVELBITS) == (spcp->flags&SLC_LEVELBITS))) {
+      continue;
+    }
+    
+    if (level == (SLC_DEFAULT|SLC_ACK)) {
+      /*
+       * This is an error condition, the SLC_ACK
+       * bit should never be set for the SLC_DEFAULT
+       * level.  Our best guess to recover is to
+       * ignore the SLC_ACK bit.
+       */
+      cp[SLC_FLAGS] &= ~SLC_ACK;
+    }
+    
+    if (level == ((spcp->flags&SLC_LEVELBITS)|SLC_ACK)) {
+      spcp->val = (cc_t)cp[SLC_VALUE];
+      spcp->flags = cp[SLC_FLAGS];      /* include SLC_ACK */
+      continue;
+    }
+    
+    level &= ~SLC_ACK;
+    
+    if (level <= (spcp->mylevel&SLC_LEVELBITS)) {
+      spcp->flags = cp[SLC_FLAGS]|SLC_ACK;
+      spcp->val = (cc_t)cp[SLC_VALUE];
+    }
+    if (level == SLC_DEFAULT) {
+      if ((spcp->mylevel&SLC_LEVELBITS) != SLC_DEFAULT)
+        spcp->flags = spcp->mylevel;
+      else
+        spcp->flags = SLC_NOSUPPORT;
+    }
+    slc_add_reply(func, spcp->flags, spcp->val);
+  }
+  slc_end_reply();
+  if (slc_update())
+    setconnmode(1);     /* set the  new character values */
+}
+
+void slc_check(void) {
+  register struct spc *spcp;
+  
+  slc_start_reply();
+  for (spcp = &spc_data[1]; spcp < &spc_data[NSLC+1]; spcp++) {
+    if (spcp->valp && spcp->val != *spcp->valp) {
+      spcp->val = *spcp->valp;
+      if (spcp->val == (cc_t)(_POSIX_VDISABLE))
+        spcp->flags = SLC_NOSUPPORT;
+      else
+        spcp->flags = spcp->mylevel;
+      slc_add_reply(spcp - spc_data, spcp->flags, spcp->val);
+    }
+  }
+  slc_end_reply();
+  setconnmode(1);
+}
+
+
+unsigned char slc_reply[128];
+unsigned char *slc_replyp;
+
+void slc_start_reply(void) {
+  slc_replyp = slc_reply;
+  *slc_replyp++ = IAC;
+  *slc_replyp++ = SB;
+  *slc_replyp++ = TELOPT_LINEMODE;
+  *slc_replyp++ = LM_SLC;
+}
+
+void slc_add_reply(int func, int flags, int value) {
+  if ((*slc_replyp++ = func) == IAC)
+    *slc_replyp++ = IAC;
+  if ((*slc_replyp++ = flags) == IAC)
+    *slc_replyp++ = IAC;
+  if ((*slc_replyp++ = value) == IAC)
+    *slc_replyp++ = IAC;
+}
+
+void slc_end_reply(void) {
+  register int len;
+  
+  *slc_replyp++ = IAC;
+  *slc_replyp++ = SE;
+  len = slc_replyp - slc_reply;
+  if (len <= 6) return;
+  
+  printsub('>', &slc_reply[2], len - 2);
+  netoring.write((char *)slc_reply, len);
+}
+
+int slc_update(void) {
+  struct spc *spcp;
+  int need_update = 0;
+  
+  for (spcp = &spc_data[1]; spcp < &spc_data[NSLC+1]; spcp++) {
+    if (!(spcp->flags&SLC_ACK))
+      continue;
+    spcp->flags &= ~SLC_ACK;
+    if (spcp->valp && (*spcp->valp != spcp->val)) {
+      *spcp->valp = spcp->val;
+      need_update = 1;
+    }
+  }
+  return(need_update);
+}
+
+void env_opt(unsigned char *buf, int len) {
+  unsigned char *ep = 0, *epc = 0;
+  int i;
+  
+  switch(buf[0]) {
+  case TELQUAL_SEND:
+    env_opt_start();
+    if (len == 1) {
+      env_opt_add(NULL);
+    } 
+    else for (i = 1; i < len; i++) {
+      switch (buf[i]) {
+      case ENV_VALUE:
+        if (ep) {
+          *epc = 0;
+          env_opt_add((const char *)ep);
+        }
+        ep = epc = &buf[i+1];
+        break;
+      case ENV_ESC:
+        i++;
+                                /*FALL THROUGH*/
+      default:
+        if (epc)
+          *epc++ = buf[i];
+        break;
+      }
+      if (ep) {
+        *epc = 0;
+        env_opt_add((const char *)ep);
+      }
+    }
+    env_opt_end(1);
+    break;
+    
+  case TELQUAL_IS:
+  case TELQUAL_INFO:
+    /* Ignore for now.  We shouldn't get it anyway. */
+    break;
+    
+  default:
+    break;
+  }
+}
+
+/* OPT_REPLY_SIZE must be a multiple of 2. */
+#define OPT_REPLY_SIZE  256
+unsigned char *opt_reply;
+unsigned char *opt_replyp;
+unsigned char *opt_replyend;
+
+void env_opt_start(void) {
+  if (opt_reply)
+    opt_reply = (unsigned char *)realloc(opt_reply, OPT_REPLY_SIZE);
+  else
+    opt_reply = (unsigned char *)malloc(OPT_REPLY_SIZE);
+  if (opt_reply == NULL) {
+    /*@*/               printf("env_opt_start: malloc()/realloc() failed!!!\n");
+    opt_reply = opt_replyp = opt_replyend = NULL;
+    return;
+  }
+  opt_replyp = opt_reply;
+  opt_replyend = opt_reply + OPT_REPLY_SIZE;
+  *opt_replyp++ = IAC;
+  *opt_replyp++ = SB;
+  *opt_replyp++ = TELOPT_ENVIRON;
+  *opt_replyp++ = TELQUAL_IS;
+}
+
+void env_opt_start_info(void) {
+  env_opt_start();
+  if (opt_replyp)
+    opt_replyp[-1] = TELQUAL_INFO;
+}
+
+void env_opt_add(const char *ep) {
+  const char *vp;
+  const unsigned char *tp;
+  unsigned char c;
+  
+  if (opt_reply == NULL)                /*XXX*/
+    return;                     /*XXX*/
+  
+  if (ep == NULL || *ep == '\0') {
+    int i;
+    env_iterate(&i, 1);
+    for (ep = env_next(&i,1); ep; ep = env_next(&i,1)) env_opt_add(ep);
+    return;
+  }
+  vp = env_getvalue(ep, 1);
+  tp = opt_replyp + (vp ? strlen(vp) * 2 : 0) + strlen(ep) * 2 + 6;
+  if (tp > opt_replyend)
+    {
+      register int len;
+      len = ((tp - opt_reply) + OPT_REPLY_SIZE - 1) & ~(OPT_REPLY_SIZE - 1);
+      opt_replyend = opt_reply + len;
+      opt_reply = (unsigned char *)realloc(opt_reply, len);
+      if (opt_reply == NULL) {
+        /*@*/                   printf("env_opt_add: realloc() failed!!!\n");
+        opt_reply = opt_replyp = opt_replyend = NULL;
+        return;
+      }
+      opt_replyp = opt_reply + len - (opt_replyend - opt_replyp);
+      opt_replyend = opt_reply + len;
+    }
+  *opt_replyp++ = ENV_VAR;
+  for (;;) {
+    while ((c = *ep++)!=0) {
+      switch(c) {
+      case IAC:
+        *opt_replyp++ = IAC;
+        break;
+      case ENV_VALUE:
+      case ENV_VAR:
+      case ENV_ESC:
+        *opt_replyp++ = ENV_ESC;
+        break;
+      }
+      *opt_replyp++ = c;
+    }
+    if ((ep = vp)!=NULL) {
+      *opt_replyp++ = ENV_VALUE;
+      vp = NULL;
+    } else
+      break;
+  }
+}
+
+void env_opt_end(int emptyok) {
+  register int len;
+  
+  len = opt_replyp - opt_reply + 2;
+  if (emptyok || len > 6) {
+    *opt_replyp++ = IAC;
+    *opt_replyp++ = SE;
+    printsub('>', &opt_reply[2], len - 2);
+    netoring.write((char *)opt_reply, len);
+  }
+  if (opt_reply) {
+    free(opt_reply);
+    opt_reply = opt_replyp = opt_replyend = NULL;
+  }
+}
+
+
+int telrcv(void) {
+  int c;
+  int returnValue = 0;
+  
+  while (TTYROOM() > 2) {
+    if (!netiring.getch(&c)) {
+      /* No more data coming in */
+      break;
+    }
+    returnValue = 1;
+    
+    switch (telrcv_state) {
+    case TS_CR:
+      telrcv_state = TS_DATA;
+      if (c == '\0') {
+        break;  /* Ignore \0 after CR */
+      }
+      else if ((c == '\n') && 
+               my_want_state_is_dont(TELOPT_ECHO) && 
+               !crmod) 
+        {
+          TTYADD(c);
+          break;
+        }
+      /* Else, fall through */
+      
+    case TS_DATA:
+      if (c == IAC) {
+        telrcv_state = TS_IAC;
+        break;
+      }
+#if defined(TN3270)
+      if (In3270) {
+        *Ifrontp++ = c;
+        while (netiring.getch(&c)) {
+          if (c == IAC) {
+            telrcv_state = TS_IAC;
+            break;
+          }
+          *Ifrontp++ = c;
+        }
+      } else
+#endif /* defined(TN3270) */
+        /*
+         * The 'crmod' hack (see following) is needed
+         * since we can't * set CRMOD on output only.
+         * Machines like MULTICS like to send \r without
+         * \n; since we must turn off CRMOD to get proper
+         * input, the mapping is done here (sigh).
+         */
+        if ((c == '\r') && my_want_state_is_dont(TELOPT_BINARY)) {
+          if (netiring.getch(&c)) {
+            if (c == 0) {
+              /* a "true" CR */
+              TTYADD('\r');
+            } 
+            else if (my_want_state_is_dont(TELOPT_ECHO) &&
+                     (c == '\n')) {
+              TTYADD('\n');
+            } 
+            else {
+              netiring.ungetch(c);
+              TTYADD('\r');
+              if (crmod) TTYADD('\n');
+            }
+          } 
+          else {
+            telrcv_state = TS_CR;
+            TTYADD('\r');
+            if (crmod) TTYADD('\n');
+          }
+        } 
+        else {
+          TTYADD(c);
+        }
+      continue;
+      
+    case TS_IAC:
+    process_iac:
+    switch (c) {
+    case WILL:
+      telrcv_state = TS_WILL;
+      continue;
+    case WONT:
+      telrcv_state = TS_WONT;
+      continue;
+    case DO:
+      telrcv_state = TS_DO;
+      continue;
+    case DONT:
+      telrcv_state = TS_DONT;
+      continue;
+    case DM:
+      /*
+       * We may have missed an urgent notification,
+       * so make sure we flush whatever is in the
+       * buffer currently.
+       */
+      printoption("RCVD", IAC, DM);
+      SYNCHing = 1;
+      ttyflush(1);
+      SYNCHing = nlink.stilloob();
+      settimer(gotDM);
+      break;
+    case SB:
+      SB_CLEAR();
+      telrcv_state = TS_SB;
+      continue;
+      
+#if defined(TN3270)
+    case EOR:
+      if (In3270) {
+        if (Ibackp == Ifrontp) {
+          Ibackp = Ifrontp = Ibuf;
+          ISend = 0;    /* should have been! */
+        } 
+        else {
+          Ibackp += DataFromNetwork(Ibackp, Ifrontp-Ibackp, 1);
+          ISend = 1;
+        }
+      }
+      printoption("RCVD", IAC, EOR);
+      break;
+#endif /* defined(TN3270) */
+      
+    case IAC:
+#if !defined(TN3270)
+      TTYADD(IAC);
+#else /* !defined(TN3270) */
+      if (In3270) {
+        *Ifrontp++ = IAC;
+      } 
+      else {
+        TTYADD(IAC);
+      }
+#endif /* !defined(TN3270) */
+      break;
+      
+    case NOP:
+    case GA:
+    default:
+      printoption("RCVD", IAC, c);
+      break;
+    }
+    telrcv_state = TS_DATA;
+    continue;
+    
+    case TS_WILL:
+      printoption("RCVD", WILL, c);
+      willoption(c);
+      SetIn3270();
+      telrcv_state = TS_DATA;
+      continue;
+      
+    case TS_WONT:
+      printoption("RCVD", WONT, c);
+      wontoption(c);
+      SetIn3270();
+      telrcv_state = TS_DATA;
+      continue;
+      
+    case TS_DO:
+      printoption("RCVD", DO, c);
+      dooption(c);
+      SetIn3270();
+      if (c == TELOPT_NAWS) {
+        sendnaws();
+      } 
+      else if (c == TELOPT_LFLOW) {
+        localflow = 1;
+        setcommandmode();
+        setconnmode(0);
+      }
+      telrcv_state = TS_DATA;
+      continue;
+      
+    case TS_DONT:
+      printoption("RCVD", DONT, c);
+      dontoption(c);
+      flushline = 1;
+      setconnmode(0);   /* set new tty mode (maybe) */
+      SetIn3270();
+      telrcv_state = TS_DATA;
+      continue;
+      
+    case TS_SB:
+      if (c == IAC) {
+        telrcv_state = TS_SE;
+      } 
+      else {
+        SB_ACCUM(c);
+      }
+      continue;
+      
+    case TS_SE:
+      if (c != SE) {
+        if (c != IAC) {
+          /*
+           * This is an error.  We only expect to get
+           * "IAC IAC" or "IAC SE".  Several things may
+           * have happend.  An IAC was not doubled, the
+           * IAC SE was left off, or another option got
+           * inserted into the suboption are all possibilities.
+           * If we assume that the IAC was not doubled,
+           * and really the IAC SE was left off, we could
+           * get into an infinate loop here.  So, instead,
+           * we terminate the suboption, and process the
+           * partial suboption if we can.
+           */
+          SB_ACCUM(IAC);
+          SB_ACCUM(c);
+          subpointer -= 2;
+          SB_TERM();
+          
+          printoption("In SUBOPTION processing, RCVD", IAC, c);
+          suboption();  /* handle sub-option */
+          SetIn3270();
+          telrcv_state = TS_IAC;
+          goto process_iac;
+        }
+        SB_ACCUM(c);
+        telrcv_state = TS_SB;
+      } 
+      else {
+        SB_ACCUM(IAC);
+        SB_ACCUM(SE);
+        subpointer -= 2;
+        SB_TERM();
+        suboption();    /* handle sub-option */
+        SetIn3270();
+        telrcv_state = TS_DATA;
+      }
+    }
+    
+  }
+  return returnValue;
+}
+
+static int bol = 1, local = 0;
+
+int rlogin_susp(void) {
+  if (local) {
+    local = 0;
+    bol = 1;
+    command(0, "z\n", 2);
+    return(1);
+  }
+  return(0);
+}
+
+static int telsnd(void) {
+  //    int tcc;
+  //    int count;
+  int returnValue = 0;
+  //    const char *tbp = NULL;
+  
+  //    tcc = 0;
+  //    count = 0;
+  while (netoring.empty_count() > 2) {
+    int c, sc;
+    
+    if (!ttyiring.getch(&c)) {
+      break;
+    }
+    returnValue = 1;
+    
+    sc = strip(c);
+    
+    if (rlogin != _POSIX_VDISABLE) {
+      if (bol) {
+        bol = 0;
+        if (sc == rlogin) {
+          local = 1;
+          continue;
+        }
+      } 
+      else if (local) {
+        local = 0;
+        if (sc == '.' || c == termEofChar) {
+          bol = 1;
+          command(0, "close\n", 6);
+          continue;
+        }
+        if (sc == termSuspChar) {
+          bol = 1;
+          command(0, "z\n", 2);
+          continue;
+        }
+        if (sc == escapechar && escapechar !=_POSIX_VDISABLE) {
+          int l;
+          char buf[128];
+          l = ttyiring.gets(buf, sizeof(buf));
+          command(0, buf, l);
+          bol = 1;
+          flushline = 1;
+          break;
+        }
+        if (sc != rlogin) {
+          ttyiring.ungetch(c);
+          c = sc = rlogin;
+        }
+      }
+      if ((sc == '\n') || (sc == '\r'))
+        bol = 1;
+    } 
+    else if (sc == escapechar && escapechar != _POSIX_VDISABLE) {
+      int ignore = 0;
+      /*
+       * Double escape is a pass through of a single escape character.
+       */
+      if (ttyiring.getch(&c)) {
+        if (strip(c) != escapechar) ttyiring.ungetch(c);
+        else {
+          bol = 0;
+          ignore = 1;
+        }
+      } 
+      if (!ignore) {
+        int l;
+        char buf[128];
+        l = ttyiring.gets(buf, sizeof(buf));
+        command(0, buf, l);
+        bol = 1;
+        flushline = 1;
+        break;
+      }
+    } 
+    else {
+      bol = 0;
+    }
+#ifdef  KLUDGELINEMODE
+    if (kludgelinemode && (globalmode&MODE_EDIT) && (sc == echoc)) {
+      int ignore=0;
+      if (ttyiring.getch(&c) > 0) {
+        if (strip(c) != echoc) ttyiring.ungetch(c);
+        else ignore=1;
+      } 
+      if (!ignore) {
+        dontlecho = !dontlecho;
+        settimer(echotoggle);
+        setconnmode(0);
+        flushline = 1;
+        break;
+      }
+    }
+#endif
+    if (MODE_LOCAL_CHARS(globalmode)) {
+      if (TerminalSpecialChars(sc) == 0) {
+        bol = 1;
+        break;
+      }
+    }
+    if (my_want_state_is_wont(TELOPT_BINARY)) {
+      switch (c) {
+      case '\n':
+        /*
+         * If we are in CRMOD mode (\r ==> \n)
+         * on our local machine, then probably
+         * a newline (unix) is CRLF (TELNET).
+         */
+        if (MODE_LOCAL_CHARS(globalmode)) {
+          NETADD('\r');
+        }
+        NETADD('\n');
+        bol = flushline = 1;
+        break;
+      case '\r':
+        if (!crlf) {
+          NET2ADD('\r', '\0');
+        } 
+        else {
+          NET2ADD('\r', '\n');
+        }
+        bol = flushline = 1;
+        break;
+      case IAC:
+        NET2ADD(IAC, IAC);
+        break;
+      default:
+        NETADD(c);
+        break;
+      }
+    } 
+    else if (c == IAC) {
+      NET2ADD(IAC, IAC);
+    } 
+    else {
+      NETADD(c);
+    }
+  }
+  
+  return returnValue;           /* Non-zero if we did anything */
+}
+
+/*
+ * Scheduler()
+ *
+ * Try to do something.
+ *
+ * If we do something useful, return 1; else return 0.
+ *
+ */
+
+/* block: should we block in the select ? */
+int Scheduler(int block) {
+  /* One wants to be a bit careful about setting returnValue
+   * to one, since a one implies we did some useful work,
+   * and therefore probably won't be called to block next
+   * time (TN3270 mode only).
+   */
+  int returnValue;
+  int netin, netout, netex, ttyin, ttyout;
+  
+  /* Decide which rings should be processed */
+  
+  netout = netoring.full_count() &&
+    (flushline ||
+     (my_want_state_is_wont(TELOPT_LINEMODE)
+#ifdef  KLUDGELINEMODE
+      && (!kludgelinemode || my_want_state_is_do(TELOPT_SGA))
+#endif
+      ) ||
+     my_want_state_is_will(TELOPT_BINARY));
+  ttyout = ttyoring.full_count();
+  
+#if     defined(TN3270)
+  ttyin = ttyiring.empty_count() && (shell_active == 0);
+#else   /* defined(TN3270) */
+  ttyin = ttyiring.empty_count();
+#endif  /* defined(TN3270) */
+  
+#if defined(TN3270)
+  netin = netiring.empty_count();
+#else /* !defined(TN3270) */
+  netin = !ISend && netiring.empty_count();
+#endif /* !defined(TN3270) */
+  
+  netex = !SYNCHing;
+  
+  /* If we have seen a signal recently, reset things */
+#ifdef TN3270
+  if (HaveInput) {
+    HaveInput = 0;
+    (void) signal(SIGIO, inputAvailable);
+  }
+#endif  /* TN3270 */
+  
+  /* Call to system code to process rings */
+  
+  returnValue = process_rings(netin, netout, netex, ttyin, ttyout, !block);
+  
+  /* Now, look at the input rings, looking for work to do. */
+  
+  if (ttyiring.full_count()) {
+#if defined(TN3270)
+    if (In3270) {
+      int c;
+      
+      c = DataFromTerminal(ttyiring.consume,
+                           ring_full_consecutive(&ttyiring));
+      if (c) {
+        returnValue = 1;
+        ring_consumed(&ttyiring, c);
+      }
+    } else {
+#endif /* defined(TN3270) */
+      returnValue |= telsnd();
+#if defined(TN3270)
+    }
+#endif /* defined(TN3270) */
+  }
+  
+  if (netiring.full_count()) {
+#       if !defined(TN3270)
+    returnValue |= telrcv();
+#       else /* !defined(TN3270) */
+    returnValue = Push3270();
+#       endif /* !defined(TN3270) */
+  }
+  return returnValue;
+}
+
+/*
+ * Select from tty and network...
+ */
+void telnet(const char * /*user*/) {
+  sys_telnet_init();
+  
+  
+#if !defined(TN3270)
+  if (telnetport) {
+    send_do(TELOPT_SGA, 1);
+    send_will(TELOPT_TTYPE, 1);
+    send_will(TELOPT_NAWS, 1);
+    send_will(TELOPT_TSPEED, 1);
+    send_will(TELOPT_LFLOW, 1);
+    send_will(TELOPT_LINEMODE, 1);
+    send_will(TELOPT_ENVIRON, 1);
+    send_do(TELOPT_STATUS, 1);
+    if (env_getvalue("DISPLAY", 0))
+      send_will(TELOPT_XDISPLOC, 1);
+    if (eight)
+      tel_enter_binary(eight);
+  }
+#endif /* !defined(TN3270) */
+  
+#if !defined(TN3270)
+  for (;;) {
+    int schedValue;
+    
+    while ((schedValue = Scheduler(0)) != 0) {
+      if (schedValue == -1) {
+        setcommandmode();
+        return;
+      }
+    }
+    
+    if (Scheduler(1) == -1) {
+      setcommandmode();
+      return;
+    }
+  }
+#else /* !defined(TN3270) */
+  for (;;) {
+    int schedValue;
+    
+    while (!In3270 && !shell_active) {
+      if (Scheduler(1) == -1) {
+        setcommandmode();
+        return;
+      }
+    }
+    
+    while ((schedValue = Scheduler(0)) != 0) {
+      if (schedValue == -1) {
+        setcommandmode();
+        return;
+      }
+    }
+    /* If there is data waiting to go out to terminal, don't
+     * schedule any more data for the terminal.
+     */
+    if (ring_full_count(&ttyoring)) {
+      schedValue = 1;
+    } else {
+      if (shell_active) {
+        if (shell_continue() == 0) {
+          ConnectScreen();
+        }
+      } else if (In3270) {
+        schedValue = DoTerminalOutput();
+      }
+    }
+    if (schedValue && (shell_active == 0)) {
+      if (Scheduler(1) == -1) {
+        setcommandmode();
+        return;
+      }
+    }
+  }
+#endif /* !defined(TN3270) */
+}
+
+#if     0       /* XXX - this not being in is a bug */
+/*
+ * nextitem()
+ *
+ *      Return the address of the next "item" in the TELNET data
+ * stream.  This will be the address of the next character if
+ * the current address is a user data character, or it will
+ * be the address of the character following the TELNET command
+ * if the current address is a TELNET IAC ("I Am a Command")
+ * character.
+ */
+
+static unsigned char *nextitem(unsigned char *current) {
+  if (*current != IAC) {
+    return current+1;
+  }
+  switch (current[1]) {
+  case DO:
+  case DONT:
+  case WILL:
+  case WONT:
+    return current+3;
+  case SB:              /* loop forever looking for the SE */
+    {
+      unsigned char *look = current+2;
+      
+      for (;;) {
+        if (*look++ == IAC) {
+          if (*look++ == SE) {
+            return look;
+          }
+        }
+      }
+    }
+  default:
+    return current+2;
+  }
+}
+#endif  /* 0 */
+
+/*
+ * netclear()
+ *
+ *      We are about to do a TELNET SYNCH operation.  Clear
+ * the path to the network.
+ *
+ *      Things are a bit tricky since we may have sent the first
+ * byte or so of a previous TELNET command into the network.
+ * So, we have to scan the network buffer from the beginning
+ * until we are up to where we want to be.
+ *
+ *      A side effect of what we do, just to keep things
+ * simple, is to clear the urgent data pointer.  The principal
+ * caller should be setting the urgent data pointer AFTER calling
+ * us in any case.
+ */
+
+static void netclear(void) {
+#if     0       /* XXX */
+  register char *thisitem, *next;
+  char *good;
+#define wewant(p)       ((nfrontp > p) && (*p == IAC) && \
+                         (p[1] != EC) && (p[1] != EL))
+    
+    thisitem = netobuf;
+    
+    while ((next = nextitem(thisitem)) <= netobuf.send) {
+      thisitem = next;
+    }
+    
+    /* Now, thisitem is first before/at boundary. */
+    
+    good = netobuf;     /* where the good bytes go */
+    
+    while (netoring.add > thisitem) {
+      if (wewant(thisitem)) {
+        int length;
+        
+        next = thisitem;
+        do {
+          next = nextitem(next);
+        } while (wewant(next) && (nfrontp > next));
+        length = next-thisitem;
+        memcpy(good, thisitem, length);
+        good += length;
+        thisitem = next;
+      } else {
+        thisitem = nextitem(thisitem);
+      }
+    }
+    
+#endif  /* 0 */
+}
+
+/*
+ * These routines add various telnet commands to the data stream.
+ */
+
+static void doflush(void) {
+  NET2ADD(IAC, DO);
+  NETADD(TELOPT_TM);
+  flushline = 1;
+  flushout = 1;
+  (void) ttyflush(1);                   /* Flush/drop output */
+  /* do printoption AFTER flush, otherwise the output gets tossed... */
+  printoption("SENT", DO, TELOPT_TM);
+}
+
+void xmitAO(void) {
+  NET2ADD(IAC, AO);
+  printoption("SENT", IAC, AO);
+  if (autoflush) {
+    doflush();
+  }
+}
+
+
+void xmitEL(void) {
+  NET2ADD(IAC, EL);
+  printoption("SENT", IAC, EL);
+}
+
+void xmitEC(void) {
+  NET2ADD(IAC, EC);
+  printoption("SENT", IAC, EC);
+}
+
+
+int dosynch(void) {
+  netclear();                   /* clear the path to the network */
+  NETADD(IAC);
+  netoring.set_mark();
+  NETADD(DM);
+  printoption("SENT", IAC, DM);
+  return 1;
+}
+
+int want_status_response = 0;
+
+int get_status(const char *, const char *) {
+  unsigned char tmp[16];
+  unsigned char *cp;
+  
+  if (my_want_state_is_dont(TELOPT_STATUS)) {
+    printf("Remote side does not support STATUS option\n");
+    return 0;
+  }
+  cp = tmp;
+  
+  *cp++ = IAC;
+  *cp++ = SB;
+  *cp++ = TELOPT_STATUS;
+  *cp++ = TELQUAL_SEND;
+  *cp++ = IAC;
+  *cp++ = SE;
+  printsub('>', tmp+2, cp - tmp - 2);
+  netoring.write((char *)tmp, cp-tmp);
+  ++want_status_response;
+  return 1;
+}
+
+void intp(void) {
+  NET2ADD(IAC, IP);
+  printoption("SENT", IAC, IP);
+  flushline = 1;
+  if (autoflush) {
+    doflush();
+  }
+  if (autosynch) {
+    dosynch();
+  }
+}
+
+void sendbrk(void) {
+  NET2ADD(IAC, BREAK);
+  printoption("SENT", IAC, BREAK);
+  flushline = 1;
+  if (autoflush) {
+    doflush();
+  }
+  if (autosynch) {
+    dosynch();
+  }
+}
+
+void sendabort(void) {
+  NET2ADD(IAC, ABORT);
+  printoption("SENT", IAC, ABORT);
+  flushline = 1;
+  if (autoflush) {
+    doflush();
+  }
+  if (autosynch) {
+    dosynch();
+  }
+}
+
+void sendsusp(void) {
+  NET2ADD(IAC, SUSP);
+  printoption("SENT", IAC, SUSP);
+  flushline = 1;
+  if (autoflush) {
+    doflush();
+  }
+  if (autosynch) {
+    dosynch();
+  }
+}
+
+void sendeof(void) {
+  NET2ADD(IAC, xEOF);
+  printoption("SENT", IAC, xEOF);
+}
+
+void sendayt(void) {
+  NET2ADD(IAC, AYT);
+  printoption("SENT", IAC, AYT);
+}
+
+/*
+ * Send a window size update to the remote system.
+ */
+
+void sendnaws(void) {
+  long rows, cols;
+  unsigned char tmp[16];
+  unsigned char *cp;
+  
+  if (my_state_is_wont(TELOPT_NAWS))
+    return;
+  
+#define PUTSHORT(cp, x) { if ((*cp++ = ((x)>>8)&0xff) == IAC) *cp++ = IAC; \
+      if ((*cp++ = ((x))&0xff) == IAC) *cp++ = IAC; }
+  
+  if (TerminalWindowSize(&rows, &cols) == 0) {  /* Failed */
+    return;
+  }
+  
+  cp = tmp;
+  
+  *cp++ = IAC;
+  *cp++ = SB;
+  *cp++ = TELOPT_NAWS;
+  PUTSHORT(cp, cols);
+  PUTSHORT(cp, rows);
+  *cp++ = IAC;
+  *cp++ = SE;
+  printsub('>', tmp+2, cp - tmp - 2);
+  netoring.write((char *)tmp, cp-tmp);
+}
+
+void tel_enter_binary(int rw) {
+  if (rw&1)
+    send_do(TELOPT_BINARY, 1);
+  if (rw&2)
+    send_will(TELOPT_BINARY, 1);
+}
+
+void tel_leave_binary(int rw) {
+  if (rw&1)
+    send_dont(TELOPT_BINARY, 1);
+  if (rw&2)
+    send_wont(TELOPT_BINARY, 1);
+}
diff --git a/exploits/7350855-netkit/netkit-telnet-0.17/telnet/terminal.cc b/exploits/7350855-netkit/netkit-telnet-0.17/telnet/terminal.cc
new file mode 100644
index 0000000..c1adf18
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.17/telnet/terminal.cc
@@ -0,0 +1,720 @@
+/*
+ * Copyright (c) 1988, 1990 Regents of the University of California.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *      This product includes software developed by the University of
+ *      California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/*
+ * From: @(#)terminal.c 5.3 (Berkeley) 3/22/91
+ */
+char terminal_rcsid[] = 
+  "$Id: terminal.cc,v 1.25 1999/12/12 19:48:05 dholland Exp $";
+
+#include <arpa/telnet.h>
+#include <sys/types.h>
+#include <sys/time.h>
+#include <termios.h>
+#include <unistd.h>
+#include <signal.h>
+#include <errno.h>
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+
+#include "ring.h"
+#include "defines.h"
+#include "externs.h"
+#include "types.h"
+#include "proto.h"
+#include "terminal.h"
+
+static int TerminalWrite(const char *buf, int n);
+static int TerminalRead(char *buf, int n);
+
+ringbuf ttyoring, ttyiring;
+
+#ifndef VDISCARD
+cc_t termFlushChar;
+#endif
+
+#ifndef VLNEXT
+cc_t termLiteralNextChar;
+#endif
+
+#ifndef VSUSP
+cc_t termSuspChar;
+#endif
+
+#ifndef VWERASE
+cc_t termWerasChar;
+#endif
+
+#ifndef VREPRINT
+cc_t termRprntChar;
+#endif
+
+#ifndef VSTART
+cc_t termStartChar;
+#endif
+
+#ifndef VSTOP
+cc_t termStopChar;
+#endif
+
+#ifndef VEOL
+cc_t termForw1Char;
+#endif
+
+#ifndef VEOL2
+cc_t termForw2Char;
+#endif
+
+#ifndef VSTATUS
+cc_t termAytChar;
+#endif
+
+/*
+ * initialize the terminal data structures.
+ */
+void init_terminal(void) {
+    if (ttyoring.init(2*BUFSIZ, ttysink, NULL) != 1) {
+        exit(1);
+    }
+    if (ttyiring.init(BUFSIZ, NULL, ttysrc) != 1) {
+        exit(1);
+    }
+    autoflush = TerminalAutoFlush();
+}
+
+
+/*
+ *              Send as much data as possible to the terminal.
+ *              if arg "drop" is nonzero, drop data on the floor instead.
+ *
+ *              Return value:
+ *                      -1: No useful work done, data waiting to go out.
+ *                       0: No data was waiting, so nothing was done.
+ *                       1: All waiting data was written out.
+ *                       n: All data - n was written out.
+ */
+int ttyflush(int drop) {
+    datasink *s = NULL;
+    if (drop) {
+        TerminalFlushOutput();
+        s = ttyoring.setsink(nullsink);
+    }
+    int rv = ttyoring.flush();
+    if (s) ttyoring.setsink(s);
+    return rv;
+}
+
+
+
+/*
+ * These routines decides on what the mode should be (based on the values
+ * of various global variables).
+ */
+int getconnmode(void) {
+    extern int linemode;
+    int mode = 0;
+#ifdef  KLUDGELINEMODE
+    extern int kludgelinemode;
+#endif
+
+    if (In3270)
+        return(MODE_FLOW);
+
+    if (my_want_state_is_dont(TELOPT_ECHO))
+        mode |= MODE_ECHO;
+
+    if (localflow)
+        mode |= MODE_FLOW;
+
+    if (my_want_state_is_will(TELOPT_BINARY))
+        mode |= MODE_INBIN;
+
+    if (his_want_state_is_will(TELOPT_BINARY))
+        mode |= MODE_OUTBIN;
+
+#ifdef  KLUDGELINEMODE
+    if (kludgelinemode) {
+        if (my_want_state_is_dont(TELOPT_SGA)) {
+            mode |= (MODE_TRAPSIG|MODE_EDIT);
+            if (dontlecho && (clocks.echotoggle > clocks.modenegotiated)) {
+                mode &= ~MODE_ECHO;
+            }
+        }
+        return(mode);
+    }
+#endif
+    if (my_want_state_is_will(TELOPT_LINEMODE))
+        mode |= linemode;
+    return(mode);
+}
+
+void setconnmode(int force) {
+    int newmode;
+
+    newmode = getconnmode()|(force?MODE_FORCE:0);
+
+    TerminalNewMode(newmode);
+
+}
+
+
+void setcommandmode(void) {
+    TerminalNewMode(-1);
+}
+
+
+/*********************/
+
+static int tout;                /* Output file descriptor */
+static int tin;                 /* Input file descriptor */
+
+
+class ttysynk : public datasink {
+  public:
+    virtual int write(const char *buf, int len) {
+        return TerminalWrite(buf, len);
+    }
+    virtual int writeurg(const char *buf, int len) {
+        return TerminalWrite(buf, len);
+    }
+};
+
+class ttysorc : public ringbuf::source {
+    virtual int read(char *buf, int maxlen) {
+        int l = TerminalRead(buf, maxlen);
+        if (l<0 && errno==EWOULDBLOCK) l = 0;
+        else if (l==0 && MODE_LOCAL_CHARS(globalmode) && isatty(tin)) {
+            /* EOF detection for line mode!!!! */
+            /* must be an EOF... */
+            *buf = termEofChar;
+            l = 1;
+        }
+        return l;
+    }
+};
+
+static ttysynk chan1;
+static ttysorc chan2;
+datasink *ttysink = &chan1;
+ringbuf::source *ttysrc = &chan2;
+
+
+struct termios old_tc;
+struct termios new_tc;
+
+#ifndef TCSANOW
+
+#if defined(TCSETS)
+#define TCSANOW         TCSETS
+#define TCSADRAIN       TCSETSW
+#define tcgetattr(f, t) ioctl(f, TCGETS, (char *)t)
+
+#elif defined(TCSETA)
+#define TCSANOW         TCSETA
+#define TCSADRAIN       TCSETAW
+#define tcgetattr(f, t) ioctl(f, TCGETA, (char *)t)
+
+#else
+#define TCSANOW         TIOCSETA
+#define TCSADRAIN       TIOCSETAW
+#define tcgetattr(f, t) ioctl(f, TIOCGETA, (char *)t)
+
+#endif
+
+#define tcsetattr(f, a, t) ioctl(f, a, (char *)t)
+#define cfgetospeed(ptr)        ((ptr)->c_cflag&CBAUD)
+#ifdef CIBAUD
+#define cfgetispeed(ptr)        (((ptr)->c_cflag&CIBAUD) >> IBSHIFT)
+#else
+#define cfgetispeed(ptr)        cfgetospeed(ptr)
+#endif
+
+#endif /* no TCSANOW */
+
+
+static void susp(int sig);
+
+void tlink_init(void) {
+#ifdef  SIGTSTP
+    signal(SIGTSTP, susp);
+#endif
+    tout = fileno(stdout);
+    tin = fileno(stdin);
+}
+
+int tlink_getifd(void) {
+    return tin;
+}
+
+int tlink_getofd(void) {
+    return tout;
+}
+
+static int TerminalWrite(const char *buf, int n) {
+    int r;
+    do {
+        r = write(tout, buf, n);
+    } while (r<0 && errno==EINTR);
+    if (r<0 && (errno==ENOBUFS || errno==EWOULDBLOCK)) r = 0;
+    return r;
+}
+
+static int TerminalRead(char *buf, int n) {
+    int r;
+    do {
+        r = read(tin, buf, n);
+    } while (r<0 && errno==EINTR);
+    return r;
+}
+
+#ifdef  SIGTSTP
+static void susp(int /*sig*/) {
+    if ((rlogin != _POSIX_VDISABLE) && rlogin_susp())
+        return;
+    if (localchars)
+        sendsusp();
+}
+#endif
+
+/*
+ * TerminalNewMode - set up terminal to a specific mode.
+ *      MODE_ECHO: do local terminal echo
+ *      MODE_FLOW: do local flow control
+ *      MODE_TRAPSIG: do local mapping to TELNET IAC sequences
+ *      MODE_EDIT: do local line editing
+ *
+ *      Command mode:
+ *              MODE_ECHO|MODE_EDIT|MODE_FLOW|MODE_TRAPSIG
+ *              local echo
+ *              local editing
+ *              local xon/xoff
+ *              local signal mapping
+ *
+ *      Linemode:
+ *              local/no editing
+ *      Both Linemode and Single Character mode:
+ *              local/remote echo
+ *              local/no xon/xoff
+ *              local/no signal mapping
+ */
+
+void TerminalNewMode(int f)
+{
+    static int prevmode = 0;
+    struct termios tmp_tc;
+
+    int onoff;
+    int old;
+    cc_t esc;
+
+    globalmode = f&~MODE_FORCE;
+    if (prevmode == f)
+        return;
+
+    /*
+     * Write any outstanding data before switching modes
+     * ttyflush() returns 0 only when there is no more data
+     * left to write out, it returns -1 if it couldn't do
+     * anything at all, otherwise it returns 1 + the number
+     * of characters left to write.
+     */
+    old = ttyflush(SYNCHing|flushout);
+    if (old < 0 || old > 1) {
+        tcgetattr(tin, &tmp_tc);
+        do {
+            /*
+             * Wait for data to drain, then flush again.
+             */
+            tcsetattr(tin, TCSADRAIN, &tmp_tc);
+            old = ttyflush(SYNCHing|flushout);
+        } while (old < 0 || old > 1);
+    }
+
+    old = prevmode;
+    prevmode = f&~MODE_FORCE;
+    tmp_tc = new_tc;
+
+    if (f&MODE_ECHO) {
+        tmp_tc.c_lflag |= ECHO;
+        tmp_tc.c_oflag |= ONLCR;
+        if (crlf)
+                tmp_tc.c_iflag |= ICRNL;
+    } 
+    else {
+        tmp_tc.c_lflag &= ~ECHO;
+        tmp_tc.c_oflag &= ~ONLCR;
+        if (crlf) tmp_tc.c_iflag &= ~ICRNL;
+    }
+
+    if ((f&MODE_FLOW) == 0) {
+        tmp_tc.c_iflag &= ~(IXANY|IXOFF|IXON);
+    } 
+    else {
+        tmp_tc.c_iflag |= IXANY|IXOFF|IXON;
+    }
+
+    if ((f&MODE_TRAPSIG) == 0) {
+        tmp_tc.c_lflag &= ~ISIG;
+        localchars = 0;
+    } 
+    else {
+        tmp_tc.c_lflag |= ISIG;
+        localchars = 1;
+    }
+
+    if (f&MODE_EDIT) {
+        tmp_tc.c_lflag |= ICANON;
+    } 
+    else {
+        tmp_tc.c_lflag &= ~ICANON;
+        tmp_tc.c_iflag &= ~ICRNL;
+        tmp_tc.c_cc[VMIN] = 1;
+        tmp_tc.c_cc[VTIME] = 0;
+    }
+
+    if ((f&(MODE_EDIT|MODE_TRAPSIG)) == 0) {
+#ifdef VLNEXT
+        tmp_tc.c_cc[VLNEXT] = (cc_t)(_POSIX_VDISABLE);
+#endif
+    }
+
+    if (f&MODE_SOFT_TAB) {
+#ifdef OXTABS
+        tmp_tc.c_oflag |= OXTABS;
+#endif
+#ifdef TABDLY
+        tmp_tc.c_oflag &= ~TABDLY;
+        tmp_tc.c_oflag |= TAB3;
+#endif
+    } 
+    else {
+#ifdef OXTABS
+        tmp_tc.c_oflag &= ~OXTABS;
+#endif
+#ifdef TABDLY
+        tmp_tc.c_oflag &= ~TABDLY;
+#endif
+    }
+
+    if (f&MODE_LIT_ECHO) {
+#ifdef ECHOCTL
+        tmp_tc.c_lflag &= ~ECHOCTL;
+#endif
+    } 
+    else {
+#ifdef ECHOCTL
+        tmp_tc.c_lflag |= ECHOCTL;
+#endif
+    }
+
+    if (f == -1) {
+        onoff = 0;
+    } 
+    else {
+        if (f & MODE_INBIN) {
+                tmp_tc.c_iflag &= ~ISTRIP;
+        }
+        else {
+                // Commented this out 5/97 so it works with 8-bit characters
+                // ...and put it back 12/99 because it violates the RFC and
+                // breaks SunOS.
+                tmp_tc.c_iflag |= ISTRIP;
+        }
+        if (f & MODE_OUTBIN) {
+                tmp_tc.c_cflag &= ~(CSIZE|PARENB);
+                tmp_tc.c_cflag |= CS8;
+                tmp_tc.c_oflag &= ~OPOST;
+        } else {
+                tmp_tc.c_cflag &= ~(CSIZE|PARENB);
+                tmp_tc.c_cflag |= old_tc.c_cflag & (CSIZE|PARENB);
+                tmp_tc.c_oflag |= OPOST;
+        }
+        onoff = 1;
+    }
+
+    if (f != -1) {
+#ifdef  SIGTSTP
+        signal(SIGTSTP, susp);
+#endif  /* SIGTSTP */
+
+#ifdef  SIGINFO
+        signal(SIGINFO, ayt);
+#endif  SIGINFO
+
+#if defined(NOKERNINFO)
+        tmp_tc.c_lflag |= NOKERNINFO;
+#endif
+        /*
+         * We don't want to process ^Y here.  It's just another
+         * character that we'll pass on to the back end.  It has
+         * to process it because it will be processed when the
+         * user attempts to read it, not when we send it.
+         */
+#ifdef VDSUSP
+        tmp_tc.c_cc[VDSUSP] = (cc_t)(_POSIX_VDISABLE);
+#endif
+        /*
+         * If the VEOL character is already set, then use VEOL2,
+         * otherwise use VEOL.
+         */
+        esc = (rlogin != _POSIX_VDISABLE) ? rlogin : escapechar;
+        if ((tmp_tc.c_cc[VEOL] != esc)
+#ifdef VEOL2
+            && (tmp_tc.c_cc[VEOL2] != esc)
+#endif
+            ) {
+                if (tmp_tc.c_cc[VEOL] == (cc_t)(_POSIX_VDISABLE))
+                    tmp_tc.c_cc[VEOL] = esc;
+#ifdef VEOL2
+                else if (tmp_tc.c_cc[VEOL2] == (cc_t)(_POSIX_VDISABLE))
+                    tmp_tc.c_cc[VEOL2] = esc;
+#endif
+        }
+    } 
+    else {
+
+#ifdef  SIGINFO
+        signal(SIGINFO, ayt_status);
+#endif  SIGINFO
+
+#ifdef  SIGTSTP
+        signal(SIGTSTP, SIG_DFL);
+/*      (void) sigsetmask(sigblock(0) & ~(1<<(SIGTSTP-1))); */
+#endif  /* SIGTSTP */
+
+        tmp_tc = old_tc;
+    }
+    if (tcsetattr(tin, TCSADRAIN, &tmp_tc) < 0)
+        tcsetattr(tin, TCSANOW, &tmp_tc);
+
+    ioctl(tin, FIONBIO, (char *)&onoff);
+    ioctl(tout, FIONBIO, (char *)&onoff);
+
+#if defined(TN3270)
+    if (noasynchtty == 0) {
+        ioctl(tin, FIOASYNC, (char *)&onoff);
+    }
+#endif  /* defined(TN3270) */
+
+}
+
+#ifndef B19200
+#define B19200 B9600
+#endif
+
+#ifndef B38400
+#define B38400 B19200
+#endif
+
+#ifndef B57600
+#define B57600 B38400
+#endif
+
+#ifndef B115200
+#define B115200 B57600
+#endif
+
+/*
+ * This code assumes that the values B0, B50, B75...
+ * are in ascending order.  They do not have to be
+ * contiguous.
+ */
+struct termspeeds {
+        long speed;
+        long value;
+} termspeeds[] = {
+        { 0,      B0 },      { 50,     B50 },    { 75,     B75 },
+        { 110,    B110 },    { 134,    B134 },   { 150,    B150 },
+        { 200,    B200 },    { 300,    B300 },   { 600,    B600 },
+        { 1200,   B1200 },   { 1800,   B1800 },  { 2400,   B2400 },
+        { 4800,   B4800 },   { 9600,   B9600 },  { 19200,  B19200 },
+        { 38400,  B38400 },  { 57600,  B57600 }, { 115200, B115200 },
+        { -1,     B115200 }
+};
+
+void TerminalSpeeds(long *ispeed, long *ospeed) {
+    register struct termspeeds *tp;
+    register long in, out;
+
+    out = cfgetospeed(&old_tc);
+    in = cfgetispeed(&old_tc);
+    if (in == 0)
+        in = out;
+
+    tp = termspeeds;
+    while ((tp->speed != -1) && (tp->value < in))
+        tp++;
+    *ispeed = tp->speed;
+
+    tp = termspeeds;
+    while ((tp->speed != -1) && (tp->value < out))
+        tp++;
+    *ospeed = tp->speed;
+}
+
+int TerminalWindowSize(long *rows, long *cols) {
+#ifdef  TIOCGWINSZ
+    struct winsize ws;
+
+    if (ioctl(fileno(stdin), TIOCGWINSZ, (char *)&ws) >= 0) {
+        *rows = ws.ws_row;
+        *cols = ws.ws_col;
+        return 1;
+    }
+#endif  /* TIOCGWINSZ */
+    return 0;
+}
+
+
+/*
+ * EmptyTerminal - called to make sure that the terminal buffer is 
+ * empty. Note that we consider the buffer to run all the way to the 
+ * kernel (thus the select).
+ */
+void EmptyTerminal(void) {
+    fd_set o;
+    FD_ZERO(&o);
+    
+    if (TTYBYTES() == 0) {
+        FD_SET(tout, &o);
+        select(tout+1, NULL, &o, NULL, NULL);   /* wait for TTLOWAT */
+    } 
+    else {
+        while (TTYBYTES()) {
+            ttyflush(0);
+            FD_SET(tout, &o);
+            select(tout+1, NULL, &o, NULL, NULL); /* wait for TTLOWAT */
+        }
+    }
+}
+
+int
+TerminalAutoFlush(void)
+{
+#if     defined(LNOFLSH)
+    int flush;
+
+    ioctl(tin, TIOCLGET, (char *)&flush);
+    return !(flush&LNOFLSH);    /* if LNOFLSH, no autoflush */
+#else   /* LNOFLSH */
+    return 1;
+#endif  /* LNOFLSH */
+}
+
+/*
+ * Flush output to the terminal
+ */
+    void
+TerminalFlushOutput()
+{
+#ifdef  TIOCFLUSH
+    (void) ioctl(fileno(stdout), TIOCFLUSH, (char *) 0);
+#else
+    (void) ioctl(fileno(stdout), TCFLSH, (char *) 0);
+#endif
+}
+
+    void
+TerminalSaveState()
+{
+#ifndef USE_TERMIO
+    ioctl(0, TIOCGETP, (char *)&ottyb);
+    ioctl(0, TIOCGETC, (char *)&otc);
+    ioctl(0, TIOCGLTC, (char *)&oltc);
+    ioctl(0, TIOCLGET, (char *)&olmode);
+
+    ntc = otc;
+    nltc = oltc;
+    nttyb = ottyb;
+
+#else   /* USE_TERMIO */
+    tcgetattr(0, &old_tc);
+
+    new_tc = old_tc;
+
+#ifndef VDISCARD
+    termFlushChar = CONTROL('O');
+#endif
+#ifndef VWERASE
+    termWerasChar = CONTROL('W');
+#endif
+#ifndef VREPRINT
+    termRprntChar = CONTROL('R');
+#endif
+#ifndef VLNEXT
+    termLiteralNextChar = CONTROL('V');
+#endif
+#ifndef VSTART
+    termStartChar = CONTROL('Q');
+#endif
+#ifndef VSTOP
+    termStopChar = CONTROL('S');
+#endif
+#ifndef VSTATUS
+    termAytChar = CONTROL('T');
+#endif
+#endif  /* USE_TERMIO */
+}
+
+void TerminalDefaultChars(void) {
+#ifndef USE_TERMIO
+    ntc = otc;
+    nltc = oltc;
+    nttyb.sg_kill = ottyb.sg_kill;
+    nttyb.sg_erase = ottyb.sg_erase;
+#else   /* USE_TERMIO */
+    memcpy(new_tc.c_cc, old_tc.c_cc, sizeof(old_tc.c_cc));
+#ifndef VDISCARD
+    termFlushChar = CONTROL('O');
+#endif
+#ifndef VWERASE
+    termWerasChar = CONTROL('W');
+#endif
+#ifndef VREPRINT
+    termRprntChar = CONTROL('R');
+#endif
+#ifndef VLNEXT
+    termLiteralNextChar = CONTROL('V');
+#endif
+#ifndef VSTART
+    termStartChar = CONTROL('Q');
+#endif
+#ifndef VSTOP
+    termStopChar = CONTROL('S');
+#endif
+#ifndef VSTATUS
+    termAytChar = CONTROL('T');
+#endif
+#endif  /* USE_TERMIO */
+}
diff --git a/exploits/7350855-netkit/netkit-telnet-0.17/telnet/terminal.h b/exploits/7350855-netkit/netkit-telnet-0.17/telnet/terminal.h
new file mode 100644
index 0000000..8fcfb83
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.17/telnet/terminal.h
@@ -0,0 +1,11 @@
+#define TTYADD(c)       { if (!(SYNCHing||flushout)) ttyoring.putch(c); }
+#define TTYBYTES()      (ttyoring.full_count())
+#define TTYROOM()       (ttyoring.empty_count())
+
+void tlink_init(void);
+
+void EmptyTerminal(void);
+
+
+int tlink_getifd(void);
+int tlink_getofd(void);
diff --git a/exploits/7350855-netkit/netkit-telnet-0.17/telnet/tn3270.cc b/exploits/7350855-netkit/netkit-telnet-0.17/telnet/tn3270.cc
new file mode 100644
index 0000000..19f13fe
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.17/telnet/tn3270.cc
@@ -0,0 +1,366 @@
+/*
+ * Copyright (c) 1988 Regents of the University of California.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *      This product includes software developed by the University of
+ *      California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/*
+ * From: @(#)tn3270.c   5.2 (Berkeley) 3/1/91
+ */
+char tn3270_rcsid[] = 
+  "$Id: tn3270.cc,v 1.9 1996/08/13 09:08:34 dholland Exp $";
+
+#include <sys/types.h>
+#include <arpa/telnet.h>
+
+#include "defines.h"
+#include "ring.h"
+#include "externs.h"
+#include "proto.h"
+
+#if defined(TN3270)
+
+#include "../tn3270/ctlr/screen.h"
+#include "../tn3270/general/globals.h"
+
+#include "../tn3270/telextrn.h"
+#include "../tn3270/ctlr/externs.h"
+
+int HaveInput;          /* There is input available to scan */
+int cursesdata;         /* Do we dump curses data? */
+int sigiocount;         /* Number of times we got a SIGIO */
+
+char tline[200];
+char *transcom = 0;     /* transparent mode command (default: none) */
+
+char Ibuf[8*BUFSIZ], *Ifrontp, *Ibackp;
+
+static char sb_terminal[] = { IAC, SB,
+                              TELOPT_TTYPE, TELQUAL_IS,
+                              'I', 'B', 'M', '-', '3', '2', '7', '8', '-', '2',
+                              IAC, SE };
+#define SBTERMMODEL     13
+
+static int Sent3270TerminalType;        /* Have we said we are a 3270? */
+
+#endif  /* defined(TN3270) */
+
+
+void init_3270(void) {
+#if defined(TN3270)
+    HaveInput = 0;
+    sigiocount = 0;
+    Sent3270TerminalType = 0;
+    Ifrontp = Ibackp = Ibuf;
+    init_ctlr();                /* Initialize some things */
+    init_keyboard();
+    init_screen();
+    init_system();
+#endif  /* TN3270 */
+}
+
+#if defined(TN3270)
+
+/*
+ * DataToNetwork - queue up some data to go to network.  If "done" is set,
+ * then when last byte is queued, we add on an IAC EOR sequence (so,
+ * don't call us with "done" until you want that done...)
+ *
+ * We actually do send all the data to the network buffer, since our
+ * only client needs for us to do that.
+ */
+
+/*
+ * buffer:      where the data is
+ * count:       how much to send
+ * done:        is this the last of a logical block
+ */
+int DataToNetwork(char *buffer, int count, int done) {
+    register int loop, c;
+    int origCount;
+    
+    origCount = count;
+
+    while (count) {
+        /* If not enough room for EORs, IACs, etc., wait */
+        if (NETROOM() < 6) {
+            fd_set o;
+            
+            FD_ZERO(&o);
+            netflush();
+            while (NETROOM() < 6) {
+                FD_SET(net, &o);
+                select(net+1, (fd_set *) 0, &o, (fd_set *) 0,
+                       (struct timeval *) 0);
+                netflush();
+            }
+        }
+        c = ring_empty_count(&netoring);
+        if (c > count) {
+            c = count;
+        }
+        loop = c;
+        while (loop) {
+            if (((unsigned char)*buffer) == IAC) {
+                break;
+            }
+            buffer++;
+            loop--;
+        }
+        if ((c = c-loop)) {
+            netoring.supply_data(buffer-c, c);
+            count -= c;
+        }
+        if (loop) {
+            NET2ADD(IAC, IAC);
+            count--;
+            buffer++;
+        }
+    }
+    
+    if (done) {
+        NET2ADD(IAC, EOR);
+        netflush();             /* try to move along as quickly as ... */
+    }
+    return(origCount - count);
+}
+
+void inputAvailable(void) {
+    HaveInput = 1;
+    sigiocount++;
+}
+
+void outputPurge(void) {
+    ttyflush(1);
+}
+
+
+/*
+ * The following routines are places where the various tn3270
+ * routines make calls into telnet.c.
+ */
+
+/*
+ * DataToTerminal - queue up some data to go to terminal.
+ *
+ * Note: there are people who call us and depend on our processing
+ * *all* the data at one time (thus the select).
+ */
+
+/*
+ * buffer:      where the data is
+ * count:       how much to send
+ */
+int DataToTerminal(char *buffer, int count) {
+    register int c;
+    int origCount;
+
+    origCount = count;
+
+    while (count) {
+        if (TTYROOM() == 0) {
+
+            fd_set o;
+            FD_ZERO(&o);
+            ttyflush(0);
+            while (TTYROOM() == 0) {
+                FD_SET(tout, &o);
+                select(tout+1, NULL, &o, NULL, NULL);
+                ttyflush(0);
+            }
+        }
+        c = TTYROOM();
+        if (c > count) {
+            c = count;
+        }
+        ttyoring.supply_data(buffer, c);
+        count -= c;
+        buffer += c;
+    }
+    return origCount;
+}
+
+
+/*
+ * Push3270 - Try to send data along the 3270 output (to screen) direction.
+ */
+int Push3270(void) {
+    int save = ring_full_count(&netiring);
+
+    if (save) {
+        if (Ifrontp+save > Ibuf+sizeof Ibuf) {
+            if (Ibackp != Ibuf) {
+                memcpy(Ibuf, Ibackp, Ifrontp-Ibackp);
+                Ifrontp -= (Ibackp-Ibuf);
+                Ibackp = Ibuf;
+            }
+        }
+        if (Ifrontp+save < Ibuf+sizeof Ibuf) {
+            (void)telrcv();
+        }
+    }
+    return save != ring_full_count(&netiring);
+}
+
+
+/*
+ * Finish3270 - get the last dregs of 3270 data out to the terminal
+ *              before quitting.
+ */
+void Finish3270(void) {
+    while (Push3270() || !DoTerminalOutput()) {
+        HaveInput = 0;
+    }
+}
+
+
+/* StringToTerminal - output a null terminated string to the terminal */
+void StringToTerminal(char *s) {
+    int count = strlen(s);
+    if (count) {
+        DataToTerminal(s, count);       /* we know it always goes... */
+    }
+}
+
+
+#if ((!defined(NOT43)) || defined(PUTCHAR))
+/* _putchar - output a single character to the terminal.  This name is so that
+ *      curses(3x) can call us to send out data.
+ */
+
+void _putchar(char c) {
+#if defined(sun)                /* SunOS 4.0 bug */
+    c &= 0x7f;
+#endif
+    if (cursesdata) {
+        Dump('>', &c, 1);
+    }
+    if (!TTYROOM()) {
+        DataToTerminal(&c, 1);
+    } 
+    else {
+        TTYADD(c);
+    }
+}
+#endif  /* ((!defined(NOT43)) || defined(PUTCHAR)) */
+
+void SetIn3270(void) {
+    if (Sent3270TerminalType && my_want_state_is_will(TELOPT_BINARY)
+        && my_want_state_is_do(TELOPT_BINARY) && !donebinarytoggle) 
+    {
+        if (!In3270) {
+            In3270 = 1;
+            Init3270();         /* Initialize 3270 functions */
+            /* initialize terminal key mapping */
+            InitTerminal();     /* Start terminal going */
+            setconnmode(0);
+        }
+    } 
+    else {
+        if (In3270) {
+            StopScreen(1);
+            In3270 = 0;
+            Stop3270();         /* Tell 3270 we aren't here anymore */
+            setconnmode(0);
+        }
+    }
+}
+
+/*
+ * tn3270_ttype()
+ *
+ *      Send a response to a terminal type negotiation.
+ *
+ *      Return '0' if no more responses to send; '1' if a response sent.
+ */
+
+int tn3270_ttype(void) {
+    /*
+     * Try to send a 3270 type terminal name.  Decide which one based
+     * on the format of our screen, and (in the future) color
+     * capaiblities.
+     */
+    InitTerminal();             /* Sets MaxNumberColumns, MaxNumberLines */
+    if ((MaxNumberLines >= 24) && (MaxNumberColumns >= 80)) {
+        Sent3270TerminalType = 1;
+        if ((MaxNumberLines >= 27) && (MaxNumberColumns >= 132)) {
+            MaxNumberLines = 27;
+            MaxNumberColumns = 132;
+            sb_terminal[SBTERMMODEL] = '5';
+        } 
+        else if (MaxNumberLines >= 43) {
+            MaxNumberLines = 43;
+            MaxNumberColumns = 80;
+            sb_terminal[SBTERMMODEL] = '4';
+        } 
+        else if (MaxNumberLines >= 32) {
+            MaxNumberLines = 32;
+            MaxNumberColumns = 80;
+            sb_terminal[SBTERMMODEL] = '3';
+        } 
+        else {
+            MaxNumberLines = 24;
+            MaxNumberColumns = 80;
+            sb_terminal[SBTERMMODEL] = '2';
+        }
+        NumberLines = 24;               /* before we start out... */
+        NumberColumns = 80;
+        ScreenSize = NumberLines*NumberColumns;
+        if ((MaxNumberLines*MaxNumberColumns) > MAXSCREENSIZE) {
+            ExitString("Programming error:  MAXSCREENSIZE too small.\n",
+                                                                1);
+            /*NOTREACHED*/
+        }
+        printsub('>', sb_terminal+2, sizeof sb_terminal-2);
+        netoring.supply_data(sb_terminal, sizeof(sb_terminal));
+        return 1;
+    } 
+    else {
+        return 0;
+    }
+}
+
+int settranscom(int argc, char *argv[]) {
+    int i;
+    if (argc == 1 && transcom) {
+        transcom = 0;
+    }
+    if (argc == 1) {
+        return;
+    }
+    transcom = tline;
+    strcpy(transcom, argv[1]);
+    for (i = 2; i < argc; ++i) {
+        strcat(transcom, " ");
+        strcat(transcom, argv[i]);
+    }
+}
+
+#endif  /* defined(TN3270) */
diff --git a/exploits/7350855-netkit/netkit-telnet-0.17/telnet/types.h b/exploits/7350855-netkit/netkit-telnet-0.17/telnet/types.h
new file mode 100644
index 0000000..00cddfb
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.17/telnet/types.h
@@ -0,0 +1,52 @@
+/*
+ * Copyright (c) 1988 Regents of the University of California.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *      This product includes software developed by the University of
+ *      California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *      from: @(#)types.h       5.1 (Berkeley) 9/14/90
+ *      $Id: types.h,v 1.2 1996/07/27 00:45:54 dholland Exp $
+ */
+
+typedef struct {
+    char *modedescriptions;
+    char modetype;
+} Modelist;
+
+extern Modelist modelist[];
+
+typedef struct {
+    int system;                 /* what the current time is */
+    int echotoggle;             /* last time user entered echo character */
+    int modenegotiated;         /* last time operating mode negotiated */
+    int didnetreceive;          /* last time we read data from network */
+    int gotDM;                  /* when did we last see a data mark */
+} Clocks;
+
+extern Clocks clocks;
diff --git a/exploits/7350855-netkit/netkit-telnet-0.17/telnet/utilities.cc b/exploits/7350855-netkit/netkit-telnet-0.17/telnet/utilities.cc
new file mode 100644
index 0000000..66839ab
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.17/telnet/utilities.cc
@@ -0,0 +1,675 @@
+/*
+ * Copyright (c) 1988 Regents of the University of California.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *      This product includes software developed by the University of
+ *      California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/*
+ * From: @(#)utilities.c        5.3 (Berkeley) 3/22/91
+ */
+char util_rcsid[] = 
+  "$Id: utilities.cc,v 1.19 1999/12/12 15:33:40 dholland Exp $";
+
+#define TELOPTS
+#define TELCMDS
+#define SLC_NAMES
+
+#include <arpa/telnet.h>
+#include <sys/types.h>
+#include <sys/time.h>
+#include <sys/socket.h>
+#include <unistd.h>
+#include <ctype.h>
+#include <string.h>
+#include <stdlib.h>
+
+#include "ring.h"
+#include "defines.h"
+#include "externs.h"
+#include "proto.h"
+#include "terminal.h"
+
+FILE *NetTrace = 0;             /* Not in bss, since needs to stay */ /* ? */
+char NetTraceFile[256] = "(standard output)";
+
+/*
+ * upcase()
+ *
+ *      Upcase (in place) the argument.
+ */
+void upcase(char *str) {
+    for (int i=0; str[i]; i++) {
+        if (islower(str[i])) str[i] = toupper(str[i]);
+    }
+}
+
+/*
+ * The following are routines used to print out debugging information.
+ */
+
+void SetNetTrace(const char *file) {
+    if (NetTrace && NetTrace != stdout)
+        fclose(NetTrace);
+    if (file && strcmp(file, "-")) {
+        NetTrace = fopen(file, "w");
+        if (NetTrace) {
+            strcpy((char *)NetTraceFile, file);
+            return;
+        }
+        fprintf(stderr, "Cannot open %s.\n", file);
+    }
+    NetTrace = stdout;
+    strcpy((char *)NetTraceFile, "(standard output)");
+}
+
+#define BYTES_PER_LINE  32
+#define min(x,y) ((x<y)? x:y)
+
+void Dump(int direction, char *buffer, int length) {
+    char *pThis;
+    int offset;
+
+    offset = 0;
+
+    while (length) {
+        /* print one line */
+        fprintf(NetTrace, "%c 0x%x\t", direction, offset);
+        pThis = buffer;
+        if (0 /*prettydump*/) {
+            buffer = buffer + min(length, BYTES_PER_LINE/2);
+            while (pThis < buffer) {
+                fprintf(NetTrace, "%c%.2x",
+                        (((*pThis)&0xff) == 0xff) ? '*' : ' ',
+                        (*pThis)&0xff);
+                pThis++;
+            }
+            length -= BYTES_PER_LINE/2;
+            offset += BYTES_PER_LINE/2;
+        } 
+        else {
+            buffer = buffer + min(length, BYTES_PER_LINE);
+            while (pThis < buffer) {
+                fprintf(NetTrace, "%.2x", (*pThis)&0xff);
+                pThis++;
+            }
+            length -= BYTES_PER_LINE;
+            offset += BYTES_PER_LINE;
+        }
+        if (NetTrace == stdout) {
+            fprintf(NetTrace, "\r\n");
+        } 
+        else {
+            fprintf(NetTrace, "\n");
+        }
+        if (length < 0) {
+            fflush(NetTrace);
+            return;
+        }
+        /* find next unique line */
+    }
+    fflush(NetTrace);
+}
+
+
+void printoption(const char *direction, int cmd, int option) {
+    if (!showoptions)
+        return;
+    if (cmd == IAC) {
+        if (TELCMD_OK(option))
+            fprintf(NetTrace, "%s IAC %s", direction, TELCMD(option));
+        else
+            fprintf(NetTrace, "%s IAC %d", direction, option);
+    } 
+    else {
+        const char *fmt;
+        fmt = (cmd == WILL) ? "WILL" : (cmd == WONT) ? "WONT" :
+            (cmd == DO) ? "DO" : (cmd == DONT) ? "DONT" : 0;
+        if (fmt) {
+            fprintf(NetTrace, "%s %s ", direction, fmt);
+            if (TELOPT_OK(option))
+                fprintf(NetTrace, "%s", TELOPT(option));
+            else if (option == TELOPT_EXOPL)
+                fprintf(NetTrace, "EXOPL");
+            else
+                fprintf(NetTrace, "%d", option);
+        } 
+        else
+            fprintf(NetTrace, "%s %d %d", direction, cmd, option);
+    }
+    if (NetTrace == stdout)
+        fprintf(NetTrace, "\r\n");
+    else
+        fprintf(NetTrace, "\n");
+    return;
+}
+
+void optionstatus(void) {
+    int i;
+    extern char will_wont_resp[], do_dont_resp[];
+
+    for (i = 0; i < 256; i++) {
+        if (do_dont_resp[i]) {
+            if (TELOPT_OK(i))
+                printf("resp DO_DONT %s: %d\n", TELOPT(i), do_dont_resp[i]);
+            else if (TELCMD_OK(i))
+                printf("resp DO_DONT %s: %d\n", TELCMD(i), do_dont_resp[i]);
+            else
+                printf("resp DO_DONT %d: %d\n", i, do_dont_resp[i]);
+            if (my_want_state_is_do(i)) {
+                if (TELOPT_OK(i))
+                    printf("want DO   %s\n", TELOPT(i));
+                else if (TELCMD_OK(i))
+                    printf("want DO   %s\n", TELCMD(i));
+                else
+                    printf("want DO   %d\n", i);
+            } 
+            else {
+                if (TELOPT_OK(i))
+                    printf("want DONT %s\n", TELOPT(i));
+                else if (TELCMD_OK(i))
+                    printf("want DONT %s\n", TELCMD(i));
+                else
+                    printf("want DONT %d\n", i);
+            }
+        } 
+        else {
+            if (my_state_is_do(i)) {
+                if (TELOPT_OK(i))
+                    printf("     DO   %s\n", TELOPT(i));
+                else if (TELCMD_OK(i))
+                    printf("     DO   %s\n", TELCMD(i));
+                else
+                    printf("     DO   %d\n", i);
+            }
+        }
+        if (will_wont_resp[i]) {
+            if (TELOPT_OK(i))
+                printf("resp WILL_WONT %s: %d\n", TELOPT(i), will_wont_resp[i]);
+            else if (TELCMD_OK(i))
+                printf("resp WILL_WONT %s: %d\n", TELCMD(i), will_wont_resp[i]);
+            else
+                printf("resp WILL_WONT %d: %d\n",
+                                i, will_wont_resp[i]);
+            if (my_want_state_is_will(i)) {
+                if (TELOPT_OK(i))
+                    printf("want WILL %s\n", TELOPT(i));
+                else if (TELCMD_OK(i))
+                    printf("want WILL %s\n", TELCMD(i));
+                else
+                    printf("want WILL %d\n", i);
+            } 
+            else {
+                if (TELOPT_OK(i))
+                    printf("want WONT %s\n", TELOPT(i));
+                else if (TELCMD_OK(i))
+                    printf("want WONT %s\n", TELCMD(i));
+                else
+                    printf("want WONT %d\n", i);
+            }
+        } 
+        else {
+            if (my_state_is_will(i)) {
+                if (TELOPT_OK(i))
+                    printf("     WILL %s\n", TELOPT(i));
+                else if (TELCMD_OK(i))
+                    printf("     WILL %s\n", TELCMD(i));
+                else
+                    printf("     WILL %d\n", i);
+            }
+        }
+    }
+
+}
+
+/* direction: '<' or '>' */
+/* pointer: where suboption data sits */
+/* length: length of suboption data */
+void printsub(int direction, unsigned char *pointer, int length) {
+    register int i = 0;
+
+    extern int want_status_response;
+
+    if (showoptions || direction == 0 ||
+        (want_status_response && (pointer[0] == TELOPT_STATUS))) {
+        if (direction) {
+            fprintf(NetTrace, "%s IAC SB ",
+                                (direction == '<')? "RCVD":"SENT");
+            if (length >= 3) {
+                register int j;
+
+                i = pointer[length-2];
+                j = pointer[length-1];
+
+                if (i != IAC || j != SE) {
+                    fprintf(NetTrace, "(terminated by ");
+                    if (TELOPT_OK(i))
+                        fprintf(NetTrace, "%s ", TELOPT(i));
+                    else if (TELCMD_OK(i))
+                        fprintf(NetTrace, "%s ", TELCMD(i));
+                    else
+                        fprintf(NetTrace, "%d ", i);
+                    if (TELOPT_OK(j))
+                        fprintf(NetTrace, "%s", TELOPT(j));
+                    else if (TELCMD_OK(j))
+                        fprintf(NetTrace, "%s", TELCMD(j));
+                    else
+                        fprintf(NetTrace, "%d", j);
+                    fprintf(NetTrace, ", not IAC SE!) ");
+                }
+            }
+            length -= 2;
+        }
+        if (length < 1) {
+            fprintf(NetTrace, "(Empty suboption???)");
+            return;
+        }
+        switch ((unsigned char)(pointer[0])) {
+        case TELOPT_TTYPE:
+            fprintf(NetTrace, "TERMINAL-TYPE ");
+            switch (pointer[1]) {
+            case TELQUAL_IS:
+                fprintf(NetTrace, "IS \"%.*s\"", length-2, (char *)pointer+2);
+                break;
+            case TELQUAL_SEND:
+                fprintf(NetTrace, "SEND");
+                break;
+            default:
+                fprintf(NetTrace,
+                                "- unknown qualifier %d (0x%x).",
+                                pointer[1], pointer[1]);
+            }
+            break;
+        case TELOPT_TSPEED:
+            fprintf(NetTrace, "TERMINAL-SPEED");
+            if (length < 2) {
+                fprintf(NetTrace, " (empty suboption???)");
+                break;
+            }
+            switch (pointer[1]) {
+            case TELQUAL_IS:
+                fprintf(NetTrace, " IS ");
+                fprintf(NetTrace, "%.*s", length-2, (char *)pointer+2);
+                break;
+            default:
+                if (pointer[1] == 1)
+                    fprintf(NetTrace, " SEND");
+                else
+                    fprintf(NetTrace, " %d (unknown)", pointer[1]);
+                for (i = 2; i < length; i++)
+                    fprintf(NetTrace, " ?%d?", pointer[i]);
+                break;
+            }
+            break;
+
+        case TELOPT_LFLOW:
+            fprintf(NetTrace, "TOGGLE-FLOW-CONTROL");
+            if (length < 2) {
+                fprintf(NetTrace, " (empty suboption???)");
+                break;
+            }
+            switch (pointer[1]) {
+            case 0:
+                fprintf(NetTrace, " OFF"); break;
+            case 1:
+                fprintf(NetTrace, " ON"); break;
+            default:
+                fprintf(NetTrace, " %d (unknown)", pointer[1]);
+            }
+            for (i = 2; i < length; i++)
+                fprintf(NetTrace, " ?%d?", pointer[i]);
+            break;
+
+        case TELOPT_NAWS:
+            fprintf(NetTrace, "NAWS");
+            if (length < 2) {
+                fprintf(NetTrace, " (empty suboption???)");
+                break;
+            }
+            if (length == 2) {
+                fprintf(NetTrace, " ?%d?", pointer[1]);
+                break;
+            }
+            fprintf(NetTrace, " %d %d (%d)",
+                pointer[1], pointer[2],
+                (int)((((unsigned int)pointer[1])<<8)|((unsigned int)pointer[2])));
+            if (length == 4) {
+                fprintf(NetTrace, " ?%d?", pointer[3]);
+                break;
+            }
+            fprintf(NetTrace, " %d %d (%d)",
+                pointer[3], pointer[4],
+                (int)((((unsigned int)pointer[3])<<8)|((unsigned int)pointer[4])));
+            for (i = 5; i < length; i++)
+                fprintf(NetTrace, " ?%d?", pointer[i]);
+            break;
+
+        case TELOPT_LINEMODE:
+            fprintf(NetTrace, "LINEMODE ");
+            if (length < 2) {
+                fprintf(NetTrace, " (empty suboption???)");
+                break;
+            }
+            switch ((unsigned char)(pointer[1])) {
+            case WILL:
+                fprintf(NetTrace, "WILL ");
+                goto common;
+            case WONT:
+                fprintf(NetTrace, "WONT ");
+                goto common;
+            case DO:
+                fprintf(NetTrace, "DO ");
+                goto common;
+            case DONT:
+                fprintf(NetTrace, "DONT ");
+            common:
+                if (length < 3) {
+                    fprintf(NetTrace, "(no option???)");
+                    break;
+                }
+                switch ((unsigned char)(pointer[2])) {
+                case LM_FORWARDMASK:
+                    fprintf(NetTrace, "Forward Mask");
+                    for (i = 3; i < length; i++)
+                        fprintf(NetTrace, " %x", pointer[i]);
+                    break;
+                default:
+                    fprintf(NetTrace, "%d (unknown)", pointer[2]);
+                    for (i = 3; i < length; i++)
+                        fprintf(NetTrace, " %d", pointer[i]);
+                    break;
+                }
+                break;
+                
+            case LM_SLC:
+                fprintf(NetTrace, "SLC");
+                for (i = 2; i < length - 2; i += 3) {
+                    if (SLC_NAME_OK(pointer[i+SLC_FUNC]))
+                        fprintf(NetTrace, " %s", SLC_NAME(pointer[i+SLC_FUNC]));
+                    else
+                        fprintf(NetTrace, " %d", pointer[i+SLC_FUNC]);
+                    switch (pointer[i+SLC_FLAGS]&SLC_LEVELBITS) {
+                    case SLC_NOSUPPORT:
+                        fprintf(NetTrace, " NOSUPPORT"); break;
+                    case SLC_CANTCHANGE:
+                        fprintf(NetTrace, " CANTCHANGE"); break;
+                    case SLC_VARIABLE:
+                        fprintf(NetTrace, " VARIABLE"); break;
+                    case SLC_DEFAULT:
+                        fprintf(NetTrace, " DEFAULT"); break;
+                    }
+                    fprintf(NetTrace, "%s%s%s",
+                        pointer[i+SLC_FLAGS]&SLC_ACK ? "|ACK" : "",
+                        pointer[i+SLC_FLAGS]&SLC_FLUSHIN ? "|FLUSHIN" : "",
+                        pointer[i+SLC_FLAGS]&SLC_FLUSHOUT ? "|FLUSHOUT" : "");
+                    if (pointer[i+SLC_FLAGS]& ~(SLC_ACK|SLC_FLUSHIN|
+                                                SLC_FLUSHOUT| SLC_LEVELBITS))
+                        fprintf(NetTrace, "(0x%x)", pointer[i+SLC_FLAGS]);
+                    fprintf(NetTrace, " %d;", pointer[i+SLC_VALUE]);
+                    if ((pointer[i+SLC_VALUE] == IAC) &&
+                        (pointer[i+SLC_VALUE+1] == IAC))
+                                i++;
+                }
+                for (; i < length; i++)
+                    fprintf(NetTrace, " ?%d?", pointer[i]);
+                break;
+
+            case LM_MODE:
+                fprintf(NetTrace, "MODE ");
+                if (length < 3) {
+                    fprintf(NetTrace, "(no mode???)");
+                    break;
+                }
+                {
+                    char tbuf[64];
+                    snprintf(tbuf, sizeof(tbuf), "%s%s%s%s%s",
+                        pointer[2]&MODE_EDIT ? "|EDIT" : "",
+                        pointer[2]&MODE_TRAPSIG ? "|TRAPSIG" : "",
+                        pointer[2]&MODE_SOFT_TAB ? "|SOFT_TAB" : "",
+                        pointer[2]&MODE_LIT_ECHO ? "|LIT_ECHO" : "",
+                        pointer[2]&MODE_ACK ? "|ACK" : "");
+                    fprintf(NetTrace, "%s", tbuf[1] ? &tbuf[1] : "0");
+                }
+                if (pointer[2]&~(MODE_MASK))
+                    fprintf(NetTrace, " (0x%x)", pointer[2]);
+                for (i = 3; i < length; i++)
+                    fprintf(NetTrace, " ?0x%x?", pointer[i]);
+                break;
+            default:
+                fprintf(NetTrace, "%d (unknown)", pointer[1]);
+                for (i = 2; i < length; i++)
+                    fprintf(NetTrace, " %d", pointer[i]);
+            }
+            break;
+
+        case TELOPT_STATUS: {
+            const char *cp;
+            int j, k;
+
+            fprintf(NetTrace, "STATUS");
+
+            switch (pointer[1]) {
+            default:
+                if (pointer[1] == TELQUAL_SEND)
+                    fprintf(NetTrace, " SEND");
+                else
+                    fprintf(NetTrace, " %d (unknown)", pointer[1]);
+                for (i = 2; i < length; i++)
+                    fprintf(NetTrace, " ?%d?", pointer[i]);
+                break;
+            case TELQUAL_IS:
+                if (--want_status_response < 0)
+                    want_status_response = 0;
+                if (NetTrace == stdout)
+                    fprintf(NetTrace, " IS\r\n");
+                else
+                    fprintf(NetTrace, " IS\n");
+
+                for (i = 2; i < length; i++) {
+                    switch((unsigned char)(pointer[i])) {
+                    case DO:    cp = "DO"; goto common2;
+                    case DONT:  cp = "DONT"; goto common2;
+                    case WILL:  cp = "WILL"; goto common2;
+                    case WONT:  cp = "WONT"; goto common2;
+                    common2:
+                        i++;
+                        if (TELOPT_OK((int)pointer[i]))
+                            fprintf(NetTrace, " %s %s", cp, TELOPT(pointer[i]));
+                        else
+                            fprintf(NetTrace, " %s %d", cp, pointer[i]);
+
+                        if (NetTrace == stdout)
+                            fprintf(NetTrace, "\r\n");
+                        else
+                            fprintf(NetTrace, "\n");
+                        break;
+
+                    case SB:
+                        fprintf(NetTrace, " SB ");
+                        i++;
+                        j = k = i;
+                        while (j < length) {
+                            if (pointer[j] == SE) {
+                                if (j+1 == length)
+                                    break;
+                                if (pointer[j+1] == SE)
+                                    j++;
+                                else
+                                    break;
+                            }
+                            pointer[k++] = pointer[j++];
+                        }
+                        printsub(0, &pointer[i], k - i);
+                        if (i < length) {
+                            fprintf(NetTrace, " SE");
+                            i = j;
+                        } else
+                            i = j - 1;
+
+                        if (NetTrace == stdout)
+                            fprintf(NetTrace, "\r\n");
+                        else
+                            fprintf(NetTrace, "\n");
+
+                        break;
+                                
+                    default:
+                        fprintf(NetTrace, " %d", pointer[i]);
+                        break;
+                    }
+                }
+                break;
+            }
+            break;
+          }
+
+        case TELOPT_XDISPLOC:
+            fprintf(NetTrace, "X-DISPLAY-LOCATION ");
+            switch (pointer[1]) {
+            case TELQUAL_IS:
+                fprintf(NetTrace, "IS \"%.*s\"", length-2, (char *)pointer+2);
+                break;
+            case TELQUAL_SEND:
+                fprintf(NetTrace, "SEND");
+                break;
+            default:
+                fprintf(NetTrace, "- unknown qualifier %d (0x%x).",
+                                pointer[1], pointer[1]);
+            }
+            break;
+
+        case TELOPT_ENVIRON:
+            fprintf(NetTrace, "ENVIRON ");
+            switch (pointer[1]) {
+            case TELQUAL_IS:
+                fprintf(NetTrace, "IS ");
+                goto env_common;
+            case TELQUAL_SEND:
+                fprintf(NetTrace, "SEND ");
+                goto env_common;
+            case TELQUAL_INFO:
+                fprintf(NetTrace, "INFO ");
+            env_common:
+                {
+                    register int noquote = 2;
+                    for (i = 2; i < length; i++ ) {
+                        switch (pointer[i]) {
+                        case ENV_VAR:
+                            if (pointer[1] == TELQUAL_SEND)
+                                goto def_case;
+                            fprintf(NetTrace, "\" VAR " + noquote);
+                            noquote = 2;
+                            break;
+
+                        case ENV_VALUE:
+                            fprintf(NetTrace, "\" VALUE " + noquote);
+                            noquote = 2;
+                            break;
+
+                        case ENV_ESC:
+                            fprintf(NetTrace, "\" ESC " + noquote);
+                            noquote = 2;
+                            break;
+
+                        default:
+                        def_case:
+                            if (isprint(pointer[i]) && pointer[i] != '"') {
+                                if (noquote) {
+                                    putc('"', NetTrace);
+                                    noquote = 0;
+                                }
+                                putc(pointer[i], NetTrace);
+                            } else {
+                                fprintf(NetTrace, "\" %03o " + noquote,
+                                                        pointer[i]);
+                                noquote = 2;
+                            }
+                            break;
+                        }
+                    }
+                    if (!noquote)
+                        putc('"', NetTrace);
+                    break;
+                }
+            }
+            break;
+
+        default:
+            if (TELOPT_OK(pointer[0]))
+                fprintf(NetTrace, "%s (unknown)", TELOPT(pointer[0]));
+            else
+                fprintf(NetTrace, "%d (unknown)", pointer[i]);
+            for (i = 1; i < length; i++)
+                fprintf(NetTrace, " %d", pointer[i]);
+            break;
+        }
+        if (direction) {
+            if (NetTrace == stdout)
+                fprintf(NetTrace, "\r\n");
+            else
+                fprintf(NetTrace, "\n");
+        }
+    }
+}
+
+void SetForExit(void) {
+    setconnmode(0);
+#if defined(TN3270)
+    if (In3270) {
+        Finish3270();
+    }
+#else   /* defined(TN3270) */
+    do {
+        telrcv();                       /* Process any incoming data */
+        EmptyTerminal();
+    } while (netiring.full_count());    /* While there is any */
+#endif  /* defined(TN3270) */
+    setcommandmode();
+    fflush(stdout);
+    fflush(stderr);
+#if defined(TN3270)
+    if (In3270) {
+        StopScreen(1);
+    }
+#endif  /* defined(TN3270) */
+    setconnmode(0);
+    EmptyTerminal();                    /* Flush the path to the tty */
+    setcommandmode();
+}
+
+void Exit(int returnCode) {
+    SetForExit();
+    exit(returnCode);
+}
+
+void ExitString(const char *string, int returnCode) {
+    SetForExit();
+    fwrite(string, 1, strlen(string), stderr);
+    exit(returnCode);
+}
diff --git a/exploits/7350855-netkit/netkit-telnet-0.17/telnetd/Makefile b/exploits/7350855-netkit/netkit-telnet-0.17/telnetd/Makefile
new file mode 100644
index 0000000..8ebd78e
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.17/telnetd/Makefile
@@ -0,0 +1,38 @@
+all: telnetd
+
+include ../MCONFIG
+include ../MRULES
+
+# -DAUTHENTICATE
+
+# If having unused tty devices root.root and mode 600 bugs you,
+# take out -DPARANOID_TTYS.
+
+CFLAGS += '-DISSUE_FILE="/etc/issue.net"' -DPARANOID_TTYS \
+           -DNO_REVOKE -DKLUDGELINEMODE -DDIAGNOSTICS \
+           -DLOGIN_WRAPPER=\"/usr/lib/telnetlogin\"
+# LIBS += $(LIBTERMCAP)
+
+OBJS = telnetd.o state.o termstat.o slc.o sys_term.o utility.o \
+        global.o setproctitle.o
+
+# authenc.o (empty)
+
+# logout.o logwtmp.o (now from -lutil)
+
+
+telnetd: $(OBJS)
+        $(CC) $(LDFLAGS) $^ $(LIBS) -o $@
+
+$(OBJS): defs.h ext.h pathnames.h telnetd.h logwtmp.h logout.h setproctitle.h
+telnetd.o: ../version.h
+
+install: telnetd
+        install -s -m$(DAEMONMODE) telnetd $(INSTALLROOT)$(SBINDIR)/in.telnetd
+        install -m$(MANMODE) issue.net.5 $(INSTALLROOT)$(MANDIR)/man5/
+        install -m$(MANMODE) telnetd.8 $(INSTALLROOT)$(MANDIR)/man8/in.telnetd.8
+        ln -sf in.telnetd.8 $(INSTALLROOT)$(MANDIR)/man8/telnetd.8
+
+clean:
+        rm -f *.o telnetd 
+
diff --git a/exploits/7350855-netkit/netkit-telnet-0.17/telnetd/authenc.c b/exploits/7350855-netkit/netkit-telnet-0.17/telnetd/authenc.c
new file mode 100644
index 0000000..c01dfbc
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.17/telnetd/authenc.c
@@ -0,0 +1,71 @@
+/*-
+ * Copyright (c) 1991 The Regents of the University of California.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms are permitted provided
+ * that: (1) source distributions retain this entire copyright notice and
+ * comment, and (2) distributions including binaries display the following
+ * acknowledgement:  ``This product includes software developed by the
+ * University of California, Berkeley and its contributors'' in the
+ * documentation or other materials provided with the distribution and in
+ * all advertising materials mentioning features or use of this software.
+ * Neither the name of the University nor the names of its contributors may
+ * be used to endorse or promote products derived from this software without
+ * specific prior written permission.
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
+ * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
+ */
+
+#if 0 /* dead code */
+
+/*
+ * From: @(#)authenc.c  5.1 (Berkeley) 3/1/91
+ */
+char authenc_rcsid[] =
+  "$Id: authenc.c,v 1.5 1999/12/12 14:59:44 dholland Exp $";
+
+#if     defined(ENCRYPT) || defined(AUTHENTICATE)
+#include "telnetd.h"
+#include <libtelnet/misc.h>
+
+int
+net_write(str, len)
+    unsigned char *str;
+    int len;
+{
+    if (nfrontp + len < netobuf + BUFSIZ) {
+        bcopy((void *)str, (void *)nfrontp, len);
+        nfrontp += len;
+        return(len);
+    }
+    return(0);
+}
+
+int
+telnet_spin()
+{
+    ttloop();
+    return(0);
+}
+
+char *
+telnet_getenv(val)
+    char *val;
+{
+    extern char *getenv();
+    return(getenv(val));
+}
+
+char *
+telnet_gets(prompt, result, length, echo)
+    char *prompt;
+    char *result;
+    int length;
+    int echo;
+{
+    return((char *)0);
+}
+#endif
+
+#endif /* 0 */
diff --git a/exploits/7350855-netkit/netkit-telnet-0.17/telnetd/defs.h b/exploits/7350855-netkit/netkit-telnet-0.17/telnetd/defs.h
new file mode 100644
index 0000000..397948c
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.17/telnetd/defs.h
@@ -0,0 +1,216 @@
+/*
+ * Copyright (c) 1989 The Regents of the University of California.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *      This product includes software developed by the University of
+ *      California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *      from: @(#)defs.h        5.10 (Berkeley) 3/1/91
+ *      $Id: defs.h,v 1.7 1999/08/02 03:14:03 dholland Exp $
+ */
+
+/*
+ * Telnet server defines
+ */
+#include <sys/types.h>
+#include <sys/param.h>
+
+#define ENV_VAR         NEW_ENV_VAR
+#define ENV_VALUE       NEW_ENV_VALUE
+#define TELOPT_ENVIRON  TELOPT_NEW_ENVIRON
+
+#if defined(PRINTOPTIONS) && defined(DIAGNOSTICS)
+#define TELOPTS
+#define TELCMDS
+#define SLC_NAMES
+#endif
+
+#include <sys/socket.h>
+#include <sys/wait.h>
+#include <fcntl.h>
+#include <sys/file.h>
+#include <sys/stat.h>
+#include <time.h>
+#include <sys/ioctl.h>
+#include <netinet/in.h>
+#include <arpa/telnet.h>
+#include <sys/uio.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <signal.h>
+#include <errno.h>
+#include <netdb.h>
+#include <syslog.h>
+
+#ifndef LOG_DAEMON
+#define LOG_DAEMON      0
+#endif
+
+#ifndef LOG_ODELAY
+#define LOG_ODELAY      0
+#endif
+
+#include <ctype.h>
+#include <string.h>
+#include <termios.h>
+
+#ifdef  __STDC__
+#include <unistd.h>
+#endif
+
+#ifndef _POSIX_VDISABLE
+#ifdef VDISABLE
+#define _POSIX_VDISABLE VDISABLE
+#else
+#define _POSIX_VDISABLE ((unsigned char)'\377')
+#endif
+#endif
+
+/*
+ * I/O data buffers defines
+ */
+#define NETSLOP 64
+
+#define NIACCUM(c)      {   *netip++ = c; \
+                            ncc++; \
+                        }
+
+/* clock manipulations */
+#define settimer(x)     (clocks.x = ++clocks.system)
+#define sequenceIs(x,y) (clocks.x < clocks.y)
+
+/*
+ * Linemode support states, in decreasing order of importance
+ */
+#define REAL_LINEMODE   0x02
+#define KLUDGE_LINEMODE 0x01
+#define NO_LINEMODE     0x00
+
+/*
+ * Structures of information for each special character function.
+ */
+typedef struct {
+        unsigned char flag;             /* the flags for this function */
+        cc_t val;               /* the value of the special character */
+} slcent, *Slcent;
+
+typedef struct {
+        slcent          defset;         /* the default settings */
+        slcent          current;        /* the current settings */
+        cc_t            *sptr;          /* a pointer to the char in */
+                                        /* system data structures */
+} slcfun, *Slcfun;
+
+#ifdef DIAGNOSTICS
+/*
+ * Diagnostics capabilities
+ */
+#define TD_REPORT       0x01    /* Report operations to client */
+#define TD_EXERCISE     0x02    /* Exercise client's implementation */
+#define TD_NETDATA      0x04    /* Display received data stream */
+#define TD_PTYDATA      0x08    /* Display data passed to pty */
+#define TD_OPTIONS      0x10    /* Report just telnet options */
+#endif /* DIAGNOSTICS */
+
+/*
+ * We keep track of each side of the option negotiation.
+ */
+
+#define MY_STATE_WILL           0x01
+#define MY_WANT_STATE_WILL      0x02
+#define MY_STATE_DO             0x04
+#define MY_WANT_STATE_DO        0x08
+
+/*
+ * Macros to check the current state of things
+ */
+
+#define my_state_is_do(opt)             (options[opt]&MY_STATE_DO)
+#define my_state_is_will(opt)           (options[opt]&MY_STATE_WILL)
+#define my_want_state_is_do(opt)        (options[opt]&MY_WANT_STATE_DO)
+#define my_want_state_is_will(opt)      (options[opt]&MY_WANT_STATE_WILL)
+
+#define my_state_is_dont(opt)           (!my_state_is_do(opt))
+#define my_state_is_wont(opt)           (!my_state_is_will(opt))
+#define my_want_state_is_dont(opt)      (!my_want_state_is_do(opt))
+#define my_want_state_is_wont(opt)      (!my_want_state_is_will(opt))
+
+#define set_my_state_do(opt)            (options[opt] |= MY_STATE_DO)
+#define set_my_state_will(opt)          (options[opt] |= MY_STATE_WILL)
+#define set_my_want_state_do(opt)       (options[opt] |= MY_WANT_STATE_DO)
+#define set_my_want_state_will(opt)     (options[opt] |= MY_WANT_STATE_WILL)
+
+#define set_my_state_dont(opt)          (options[opt] &= ~MY_STATE_DO)
+#define set_my_state_wont(opt)          (options[opt] &= ~MY_STATE_WILL)
+#define set_my_want_state_dont(opt)     (options[opt] &= ~MY_WANT_STATE_DO)
+#define set_my_want_state_wont(opt)     (options[opt] &= ~MY_WANT_STATE_WILL)
+
+/*
+ * Tricky code here.  What we want to know is if the MY_STATE_WILL
+ * and MY_WANT_STATE_WILL bits have the same value.  Since the two
+ * bits are adjacent, a little arithmatic will show that by adding
+ * in the lower bit, the upper bit will be set if the two bits were
+ * different, and clear if they were the same.
+ */
+#define my_will_wont_is_changing(opt) \
+                        ((options[opt]+MY_STATE_WILL) & MY_WANT_STATE_WILL)
+
+#define my_do_dont_is_changing(opt) \
+                        ((options[opt]+MY_STATE_DO) & MY_WANT_STATE_DO)
+
+/*
+ * Make everything symetrical
+ */
+
+#define HIS_STATE_WILL                  MY_STATE_DO
+#define HIS_WANT_STATE_WILL             MY_WANT_STATE_DO
+#define HIS_STATE_DO                    MY_STATE_WILL
+#define HIS_WANT_STATE_DO               MY_WANT_STATE_WILL
+
+#define his_state_is_do                 my_state_is_will
+#define his_state_is_will               my_state_is_do
+#define his_want_state_is_do            my_want_state_is_will
+#define his_want_state_is_will          my_want_state_is_do
+
+#define his_state_is_dont               my_state_is_wont
+#define his_state_is_wont               my_state_is_dont
+#define his_want_state_is_dont          my_want_state_is_wont
+#define his_want_state_is_wont          my_want_state_is_dont
+
+#define set_his_state_do                set_my_state_will
+#define set_his_state_will              set_my_state_do
+#define set_his_want_state_do           set_my_want_state_will
+#define set_his_want_state_will         set_my_want_state_do
+
+#define set_his_state_dont              set_my_state_wont
+#define set_his_state_wont              set_my_state_dont
+#define set_his_want_state_dont         set_my_want_state_wont
+#define set_his_want_state_wont         set_my_want_state_dont
+
+#define his_will_wont_is_changing       my_do_dont_is_changing
+#define his_do_dont_is_changing         my_will_wont_is_changing
diff --git a/exploits/7350855-netkit/netkit-telnet-0.17/telnetd/ext.h b/exploits/7350855-netkit/netkit-telnet-0.17/telnetd/ext.h
new file mode 100644
index 0000000..c21587f
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.17/telnetd/ext.h
@@ -0,0 +1,214 @@
+/*
+ * Copyright (c) 1989 The Regents of the University of California.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *      This product includes software developed by the University of
+ *      California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *      from: @(#)ext.h 5.7 (Berkeley) 3/1/91
+ *      $Id: ext.h,v 1.9 1999/12/12 14:59:44 dholland Exp $
+ */
+
+/*
+ * Telnet server variable declarations
+ */
+extern char options[256];
+extern char do_dont_resp[256];
+extern char will_wont_resp[256];
+extern int linemode;    /* linemode on/off */
+
+#ifdef LINEMODE
+extern int uselinemode; /* what linemode to use (on/off) */
+extern int editmode;    /* edit modes in use */
+extern int useeditmode; /* edit modes to use */
+extern int alwayslinemode;      /* command line option */
+#ifdef KLUDGELINEMODE
+extern int lmodetype;   /* Client support for linemode */
+#endif  /* KLUDGELINEMODE */
+#endif  /* LINEMODE */
+
+extern int flowmode;    /* current flow control state */
+
+#ifdef DIAGNOSTICS
+extern int diagnostic;  /* telnet diagnostic capabilities */
+#endif /* DIAGNOSTICS */
+
+#ifdef BFTPDAEMON
+extern int bftpd;               /* behave as bftp daemon */
+#endif /* BFTPDAEMON */
+
+#if defined(SecurID)
+extern int require_SecurID;
+#endif
+
+#if defined(AUTHENTICATE)
+extern int auth_level;
+#endif
+
+extern slcfun slctab[NSLC + 1]; /* slc mapping table */
+
+extern char *terminaltype;
+
+extern char *loginprg;
+
+/*
+ * I/O data buffers, pointers, and counters.
+ */
+extern char ptyobuf[BUFSIZ+NETSLOP], *pfrontp, *pbackp;
+extern char netibuf[BUFSIZ], *netip;
+extern int pcc, ncc;
+extern FILE *netfile;
+
+/* printf into netobuf */
+#define netoprintf(fmt, ...) fprintf(netfile, fmt, ## __VA_ARGS__)
+
+extern int pty, net;
+extern char *line;
+extern int SYNCHing;            /* we are in TELNET SYNCH mode */
+
+void _termstat(void);
+void add_slc(int, int, int);
+void check_slc(void);
+void change_slc(int, int, int);
+void cleanup(int) __attribute__ ((noreturn));
+void clientstat(int, int, int);
+void copy_termbuf(char *, int);
+void deferslc(void);
+void defer_terminit(void);
+void do_opt_slc(unsigned char *, int);
+void doeof(void);
+void dooption(int);
+void dontoption(int);
+void edithost(const char *, const char *);
+void fatal(int, const char *);
+void fatalperror(int, const char *);
+void get_slc_defaults(void);
+void init_env(void);
+void init_termbuf(void);
+void interrupt(void);
+void localstat(void);
+void netclear(void);
+void netflush(void);
+size_t netbuflen(int);
+void sendurg(const char *, size_t);
+
+#ifdef DIAGNOSTICS
+void printoption(const char *, int);
+void printdata(const char *, const char *, int);
+void printsub(char, unsigned char *, int);
+#endif
+
+void ptyflush(void);
+void putchr(int);
+void putf(const char *, char *);
+void recv_ayt(void);
+void send_do(int, int);
+void send_dont(int, int);
+void send_slc(void);
+void send_status(void);
+void send_will(int, int);
+void send_wont(int, int);
+void sendbrk(void);
+void sendsusp(void);
+void set_termbuf(void);
+void start_login(const char *, int, const char *);
+void start_slc(int);
+void startslave(const char *host, int autologin, char *autoname);
+
+#if defined(AUTHENTICATE)
+void start_slave(char *);
+#else
+void start_slave(char *, int, char *);
+#endif
+
+void suboption(void);
+void telrcv(void);
+void ttloop(void);
+void tty_binaryin(int);
+void tty_binaryout(int);
+
+int end_slc(unsigned char **);
+int getnpty(void);
+int getpty(void);
+int login_tty(int);
+int spcset(int, cc_t *, cc_t **);
+int stilloob(int);
+int terminit(void);
+int termstat(void);
+int tty_flowmode(void);
+int tty_isbinaryin(void);
+int tty_isbinaryout(void);
+int tty_iscrnl(void);
+int tty_isecho(void);
+int tty_isediting(void);
+int tty_islitecho(void);
+int tty_isnewmap(void);
+int tty_israw(void);
+int tty_issofttab(void);
+int tty_istrapsig(void);
+int tty_linemode(void);
+
+void tty_rspeed(int);
+void tty_setecho(int);
+void tty_setedit(int);
+void tty_setlinemode(int);
+void tty_setlitecho(int);
+void tty_setsig(int);
+void tty_setsofttab(int);
+void tty_tspeed(int);
+void willoption(int);
+void wontoption(int);
+#define writenet(b, l) fwrite(b, 1, l, netfile)
+void netopen(void);
+
+#if defined(ENCRYPT)
+extern void (*encrypt_output)(const unsigned char *, int);
+extern int (*decrypt_input)(int);
+extern char *nclearto;
+#endif
+
+
+/*
+ * The following are some clocks used to decide how to interpret
+ * the relationship between various variables.
+ */
+
+extern struct _clocks {
+    int system;                 /* what the current time is */
+    int echotoggle;             /* last time user entered echo character */
+    int modenegotiated;         /* last time operating mode negotiated */
+    int didnetreceive;          /* last time we read data from network */
+    int ttypesubopt;            /* ttype subopt is received */
+    int tspeedsubopt;           /* tspeed subopt is received */
+    int environsubopt;          /* environ subopt is received */
+    int xdisplocsubopt;         /* xdisploc subopt is received */
+    int baseline;               /* time started to do timed action */
+    int gotDM;                  /* when did we last see a data mark */
+} clocks;
+
+#define DEFAULT_IM      "%i\r\n%s %r (%h) (%t)\r\n\r\n"
diff --git a/exploits/7350855-netkit/netkit-telnet-0.17/telnetd/getent.c b/exploits/7350855-netkit/netkit-telnet-0.17/telnetd/getent.c
new file mode 100644
index 0000000..9e0d0f3
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.17/telnetd/getent.c
@@ -0,0 +1,71 @@
+/*-
+ * Copyright (c) 1991 The Regents of the University of California.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *      This product includes software developed by the University of
+ *      California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/*
+ * From: @(#)getent.c   5.1 (Berkeley) 2/28/91
+ */
+char ge_rcsid[] = 
+  "$Id: getent.c,v 1.3 1996/08/15 06:23:28 dholland Exp $";
+
+/*
+ * Copyright (c) 1991 Regents of the University of California.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms are permitted provided
+ * that: (1) source distributions retain this entire copyright notice and
+ * comment, and (2) distributions including binaries display the following
+ * acknowledgement:  ``This product includes software developed by the
+ * University of California, Berkeley and its contributors'' in the
+ * documentation or other materials provided with the distribution and in
+ * all advertising materials mentioning features or use of this software.
+ * Neither the name of the University nor the names of its contributors may
+ * be used to endorse or promote products derived from this software without
+ * specific prior written permission.
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
+ * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
+ */
+
+#include <stdlib.h>
+
+int getent(char *cp, char *name) {
+    (void)cp;
+    (void)name;
+    return 0;
+}
+
+char *getstr(char *cp, char **cpp) {
+    (void)cp;
+    (void)cpp;
+    return NULL;
+}
diff --git a/exploits/7350855-netkit/netkit-telnet-0.17/telnetd/global.c b/exploits/7350855-netkit/netkit-telnet-0.17/telnetd/global.c
new file mode 100644
index 0000000..c8d1d2b
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.17/telnetd/global.c
@@ -0,0 +1,97 @@
+/*
+ * Copyright (c) 1989 Regents of the University of California.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *      This product includes software developed by the University of
+ *      California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/*
+ * From: @(#)global.c   5.2 (Berkeley) 6/1/90
+ */
+char global_rcsid[] = 
+  "$Id: global.c,v 1.4 1999/12/12 14:59:44 dholland Exp $";
+
+/*
+ * Allocate global variables.  
+ */
+
+#include "defs.h"
+#include "ext.h"
+
+/*
+ * Telnet server variable declarations
+ */
+char    options[256];
+char    do_dont_resp[256];
+char    will_wont_resp[256];
+int     linemode;       /* linemode on/off */
+
+#ifdef  LINEMODE
+int     uselinemode;    /* what linemode to use (on/off) */
+int     editmode;       /* edit modes in use */
+int     useeditmode;    /* edit modes to use */
+int     alwayslinemode; /* command line option */
+# ifdef KLUDGELINEMODE
+int     lmodetype;      /* Client support for linemode */
+# endif /* KLUDGELINEMODE */
+#endif  /* LINEMODE */
+
+int     flowmode;       /* current flow control state */
+
+#ifdef DIAGNOSTICS
+int     diagnostic;     /* telnet diagnostic capabilities */
+#endif /* DIAGNOSTICS */
+
+#ifdef BFTPDAEMON
+int     bftpd;          /* behave as bftp daemon */
+#endif /* BFTPDAEMON */
+
+#if     defined(SecurID)
+int     require_SecurID;
+#endif
+
+slcfun  slctab[NSLC + 1];       /* slc mapping table */
+
+char    *terminaltype;
+
+/*
+ * I/O data buffers, pointers, and counters.
+ */
+char    ptyobuf[BUFSIZ+NETSLOP], *pfrontp, *pbackp;
+
+char    netibuf[BUFSIZ], *netip;
+
+int     pcc, ncc;
+
+FILE    *netfile;
+
+int     pty, net;
+int     SYNCHing;               /* we are in TELNET SYNCH mode */
+
+struct _clocks clocks;
diff --git a/exploits/7350855-netkit/netkit-telnet-0.17/telnetd/issue.net.5 b/exploits/7350855-netkit/netkit-telnet-0.17/telnetd/issue.net.5
new file mode 100644
index 0000000..ff5de09
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.17/telnetd/issue.net.5
@@ -0,0 +1,43 @@
+.\" Copyright (c) 1994 Peter Tobias <tobias@server.et-inf.fho-emden.de>
+.\" This file may be distributed under the GNU General Public License.
+.\" 
+.\" Changed to -mdoc by David A. Holland <dholland@ftp.uk.linux.org>
+.\" in order to work better with some NetKit maintenance scripts.
+.\"
+.Dd May 22, 1994
+.Dt ISSUE.NET 5 
+.Os "Linux NetKit (0.17)"
+.Sh NAME
+.Nm issue.net 
+.Nd identification file for telnet sessions
+.Sh DESCRIPTION
+The file 
+.Pa /etc/issue.net
+is a text file which contains a message or system identification to be
+printed before the login prompt of a telnet session. It may contain
+various `%-char' sequences. The following sequences are supported by
+.Ic telnetd :
+.Bl -tag -offset indent -compact -width "abcde"
+.It %t
+- show the current tty
+.It %h
+- show the system node name (FQDN)
+.It %D
+- show the name of the NIS domain
+.It %d
+- show the current time and date
+.It %s
+- show the name of the operating system
+.It %m
+- show the machine (hardware) type
+.It %r
+- show the operating system release
+.It %v
+- show the operating system version
+.It %%
+- display a single '%' character
+.El
+.Sh FILES
+.Pa /etc/issue.net
+.Sh "SEE ALSO"
+.Xr in.telnetd 8
diff --git a/exploits/7350855-netkit/netkit-telnet-0.17/telnetd/login.3 b/exploits/7350855-netkit/netkit-telnet-0.17/telnetd/login.3
new file mode 100644
index 0000000..5a8d20b
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.17/telnetd/login.3
@@ -0,0 +1,107 @@
+.\" Copyright (c) 1995
+.\"     The Regents of the University of California.  All rights reserved.
+.\"
+.\" This code is derived from software developed by the Computer Systems
+.\" Engineering group at Lawrence Berkeley Laboratory under DARPA contract
+.\" BG 91-66 and contributed to Berkeley.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 3. All advertising materials mentioning features or use of this software
+.\"    must display the following acknowledgement:
+.\"     This product includes software developed by the University of
+.\"     California, Berkeley and its contributors.
+.\" 4. Neither the name of the University nor the names of its contributors
+.\"    may be used to endorse or promote products derived from this software
+.\"    without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.Dd December 14, 1995
+.Dt LOGIN 3
+.Os "Linux NetKit (0.17)"
+.Sh NAME
+.Nm login ,
+.Nm logout ,
+.Nm logwtmp
+.Nd login utility functions
+.Sh SYNOPSIS
+.Fd #include <util.h>
+.Ft void
+.Fn login "struct utmp *ut"
+.Ft int
+.Fn logout "const char *line"
+.Ft void
+.Fn logwtmp "const char *line" "const char *name" "const char *host"
+.Sh DESCRIPTION
+The
+.Fn login ,
+.Fn logout ,
+and
+.Fn logwtmp
+functions operate on the database of current users in
+.Pa /var/run/utmp
+and on the logfile
+.Pa /var/log/wtmp
+of logins and logouts.
+.Pp
+The
+.Fn login
+function updates the
+.Pa /var/run/utmp
+and
+.Pa /var/log/wtmp
+files with user information contained in
+.Fa ut .
+.Pp
+The
+.Fn logout
+function removes the entry from
+.Pa /var/run/utmp
+corresponding to the device
+.Fa line .
+.Pp
+The
+.Fn logwtmp
+function adds an entry to
+.Pa /var/log/wtmp .
+Since
+.Fn login
+will add the appropriate entry for
+.Pa /var/log/wtmp
+during a login,
+.Fn logwtmp
+is usually used for logouts.
+.Sh RETURN VALUES
+.Fn logout
+returns non-zero if it was able to find and delete an entry for
+.Fa line ,
+and zero if there is no entry for
+.Fa line
+in
+.Pa /var/run/utmp .
+.Sh FILES
+.Bl -tag -width /var/run/wtmp -compact
+.It Pa /dev/\(**
+.It Pa /etc/ttys
+.It Pa /var/run/utmp
+.It Pa /var/log/wtmp
+.El
+.Sh SEE ALSO
+.Xr utmp 5
diff --git a/exploits/7350855-netkit/netkit-telnet-0.17/telnetd/logout.h b/exploits/7350855-netkit/netkit-telnet-0.17/telnetd/logout.h
new file mode 100644
index 0000000..4141e31
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.17/telnetd/logout.h
@@ -0,0 +1 @@
+int logout(const char *line);
diff --git a/exploits/7350855-netkit/netkit-telnet-0.17/telnetd/logwtmp.h b/exploits/7350855-netkit/netkit-telnet-0.17/telnetd/logwtmp.h
new file mode 100644
index 0000000..3843a31
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.17/telnetd/logwtmp.h
@@ -0,0 +1,5 @@
+/*
+ * Put this here instead of including <util.h>, since Linux is messed up
+ * and doesn't have <util.h>.
+ */
+void logwtmp(const char *_line, const char *name, const char *host);
diff --git a/exploits/7350855-netkit/netkit-telnet-0.17/telnetd/pathnames.h b/exploits/7350855-netkit/netkit-telnet-0.17/telnetd/pathnames.h
new file mode 100644
index 0000000..7af84bd
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.17/telnetd/pathnames.h
@@ -0,0 +1,41 @@
+/*
+ * Copyright (c) 1989 The Regents of the University of California.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *      This product includes software developed by the University of
+ *      California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *      from: @(#)pathnames.h   5.5 (Berkeley) 6/28/90
+ *      $Id: pathnames.h,v 1.3 1996/08/29 22:31:24 dholland Exp $
+ */
+
+#include <paths.h>
+
+#ifndef _PATH_LOGIN
+#define _PATH_LOGIN  "/bin/login"
+#endif
diff --git a/exploits/7350855-netkit/netkit-telnet-0.17/telnetd/setproctitle.3 b/exploits/7350855-netkit/netkit-telnet-0.17/telnetd/setproctitle.3
new file mode 100644
index 0000000..9eb43e8
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.17/telnetd/setproctitle.3
@@ -0,0 +1,73 @@
+.\"     OpenBSD: setproctitle.3,v 1.4 1996/10/08 01:20:08 michaels Exp 
+.\"     $Id: setproctitle.3,v 1.13 2000/07/30 23:57:09 dholland Exp $
+.\"
+.\" Copyright (c) 1994, 1995 Christopher G. Demetriou
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 3. All advertising materials mentioning features or use of this software
+.\"    must display the following acknowledgement:
+.\"      This product includes software developed by Christopher G. Demetriou
+.\"      for the NetBSD Project.
+.\" 3. The name of the author may not be used to endorse or promote products
+.\"    derived from this software without specific prior written permission
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+.\" IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+.\" OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+.\" IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd April 13, 1994
+.Dt SETPROCTITLE 3
+.Os "Linux NetKit (0.17)"
+.Sh NAME
+.Nm setproctitle
+.Nd set process title
+.Sh SYNOPSIS
+.Fd #include <stdlib.h>
+.Ft void
+.Fn setproctitle "const char *fmt" "..."
+.Sh DESCRIPTION
+The
+.Fn setproctitle
+function sets the invoking process's title.
+The process title is set to the last component of the program
+name, followed by a colon and the formatted string specified
+by
+.Va fmt .
+If
+.Va fmt
+is NULL, the colon and formatted string are omitted.
+The length of a process title is limited to 2048 bytes.
+.Sh EXAMPLES
+Set the process title to the program name, with no further information:
+.Bd -literal -offset indent
+setproctitle(NULL);
+.Ed
+.Pp
+Set the process title to the program name, an informational string,
+and the process id:
+.Bd -literal -offset indent
+setproctitle("foo! (%d)", getpid());
+.Ed
+.Sh SEE ALSO
+.Xr ps 1 ,
+.Xr w 1 ,
+.Xr printf 3
+.Sh HISTORY
+The
+.Fn setproctitle
+function first appeared in NetBSD 0.9a.
diff --git a/exploits/7350855-netkit/netkit-telnet-0.17/telnetd/setproctitle.c b/exploits/7350855-netkit/netkit-telnet-0.17/telnetd/setproctitle.c
new file mode 100644
index 0000000..c207d05
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.17/telnetd/setproctitle.c
@@ -0,0 +1,145 @@
+/*
+ * setproctitle implementation for linux.
+ * Stolen from sendmail 8.7.4 and bashed around by David A. Holland
+ */
+
+/*
+ * Copyright (c) 1983, 1995 Eric P. Allman
+ * Copyright (c) 1988, 1993
+ *      The Regents of the University of California.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *      This product includes software developed by the University of
+ *      California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * From: @(#)conf.c     8.243 (Berkeley) 11/20/95
+ */
+char setproctitle_rcsid[] =
+  "$Id: setproctitle.c,v 1.3 1999/12/10 23:06:39 bryce Exp $";
+
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <stdarg.h>
+#include <stdio.h>
+
+#include "setproctitle.h"
+/*
+**  SETPROCTITLE -- set process title for ps
+**
+**      Parameters:
+**              fmt -- a printf style format string.
+**              a, b, c -- possible parameters to fmt.
+**
+**      Returns:
+**              none.
+**
+**      Side Effects:
+**              Clobbers argv of our main procedure so ps(1) will
+**              display the title.
+*/
+
+
+/*
+**  Pointers for setproctitle.
+**      This allows "ps" listings to give more useful information.
+*/
+
+static char **Argv = NULL;              /* pointer to argument vector */
+static char *LastArgv = NULL;           /* end of argv */
+static char Argv0[128];                 /* program name */
+
+void
+initsetproctitle(int argc, char **argv, char **envp)
+{
+        register int i;
+        char *tmp;
+
+        /*
+        **  Move the environment so setproctitle can use the space at
+        **  the top of memory.
+        */
+
+        for (i = 0; envp[i] != NULL; i++)
+                continue;
+        __environ = (char **) malloc(sizeof (char *) * (i + 1));
+        for (i = 0; envp[i] != NULL; i++)
+                __environ[i] = strdup(envp[i]);
+        __environ[i] = NULL;
+
+        /*
+        **  Save start and extent of argv for setproctitle.
+        */
+
+        Argv = argv;
+        if (i > 0)
+                LastArgv = envp[i - 1] + strlen(envp[i - 1]);
+        else
+                LastArgv = argv[argc - 1] + strlen(argv[argc - 1]);
+
+        tmp = strrchr(argv[0], '/');
+        if (!tmp) tmp = argv[0];
+        else tmp++;
+        strncpy(Argv0, tmp, sizeof(Argv0));
+        Argv0[sizeof(Argv0)-1] = 0;
+}
+
+void
+setproctitle(const char *fmt, ...)
+{
+        register char *p;
+        register int i=0;
+        static char buf[2048];
+        va_list ap;
+
+        p = buf;
+
+        /* print progname: heading for grep */
+        /* This can't overflow buf due to the relative size of Argv0. */
+        (void) strcpy(p, Argv0);
+        (void) strcat(p, ": ");
+        p += strlen(p);
+
+        /* print the argument string */
+        va_start(ap, fmt);
+        (void) vsnprintf(p, sizeof(buf) - (p - buf), fmt, ap);
+        va_end(ap);
+
+        i = strlen(buf);
+
+        if (i > LastArgv - Argv[0] - 2)
+        {
+                i = LastArgv - Argv[0] - 2;
+                buf[i] = '\0';
+        }
+        (void) strcpy(Argv[0], buf);
+        p = &Argv[0][i];
+        while (p < LastArgv)
+                *p++ = '\0';
+        Argv[1] = NULL;
+}
+
diff --git a/exploits/7350855-netkit/netkit-telnet-0.17/telnetd/setproctitle.h b/exploits/7350855-netkit/netkit-telnet-0.17/telnetd/setproctitle.h
new file mode 100644
index 0000000..8652ee8
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.17/telnetd/setproctitle.h
@@ -0,0 +1,4 @@
+/* Call this from main. */
+void initsetproctitle(int argc, char **argv, char **envp);
+
+void setproctitle(const char *fmt, ...);
diff --git a/exploits/7350855-netkit/netkit-telnet-0.17/telnetd/slc.c b/exploits/7350855-netkit/netkit-telnet-0.17/telnetd/slc.c
new file mode 100644
index 0000000..54579ea
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.17/telnetd/slc.c
@@ -0,0 +1,456 @@
+/*
+ * Copyright (c) 1989 Regents of the University of California.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *      This product includes software developed by the University of
+ *      California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/*
+ * From: @(#)slc.c      5.7 (Berkeley) 3/1/91
+ */
+char slc_rcsid[] = 
+  "$Id: slc.c,v 1.5 1999/12/12 14:59:44 dholland Exp $";
+
+#include "telnetd.h"
+
+#ifdef LINEMODE
+/*
+ * local varibles
+ */
+static unsigned char *def_slcbuf = (unsigned char *)0;
+static int def_slclen = 0;
+static int slcchange;   /* change to slc is requested */
+static int slcoff;                      /* offset into slc buffer */
+static unsigned char slcbuf[NSLC*6];    /* buffer for slc negotiation */
+
+static void add_slcbuf_raw_char(unsigned char ch) {
+   if (slcoff < sizeof(slcbuf)) {
+      slcbuf[slcoff++] = ch;
+   }
+}
+
+static void add_slcbuf_char(unsigned char ch) {
+   add_slcbuf_raw_char(ch);
+   if (ch==0xff) {
+      add_slcbuf_raw_char(0xff);
+   }
+}
+
+/*
+ * send_slc
+ *
+ * Write out the current special characters to the client.
+ */
+void send_slc(void) {
+    int i;
+
+    /*
+     * Send out list of triplets of special characters
+     * to client.  We only send info on the characters
+     * that are currently supported.
+     */
+    for (i = 1; i <= NSLC; i++) {
+        if ((slctab[i].defset.flag & SLC_LEVELBITS) == SLC_NOSUPPORT)
+            continue;
+        add_slc((unsigned char)i, slctab[i].current.flag,
+                slctab[i].current.val);
+    }
+}
+
+/*
+ * default_slc
+ *
+ * Set pty special characters to all the defaults.
+ */
+void default_slc(void) {
+    int i;
+    for (i = 1; i <= NSLC; i++) {
+        slctab[i].current.val = slctab[i].defset.val;
+        if (slctab[i].current.val == (cc_t)(_POSIX_VDISABLE)) {
+            slctab[i].current.flag = SLC_NOSUPPORT;
+        }
+        else {
+            slctab[i].current.flag = slctab[i].defset.flag;
+        }
+        if (slctab[i].sptr) {
+            *(slctab[i].sptr) = slctab[i].defset.val;
+        }
+    }
+    slcchange = 1;
+}
+
+#endif  /* LINEMODE */
+
+/*
+ * get_slc_defaults
+ *
+ * Initialize the slc mapping table.
+ */
+void get_slc_defaults(void) {
+    int i;
+    init_termbuf();
+    for (i = 1; i <= NSLC; i++) {
+        slctab[i].defset.flag = spcset(i, &slctab[i].defset.val, 
+                                       &slctab[i].sptr);
+        slctab[i].current.flag = SLC_NOSUPPORT; 
+        slctab[i].current.val = 0; 
+    }
+}
+
+#ifdef LINEMODE
+/*
+ * add_slc
+ *
+ * Add an slc triplet to the slc buffer.
+ */
+void add_slc(char func, char flag, cc_t val) {
+    add_slcbuf_char(func);
+    add_slcbuf_char(flag);
+    add_slcbuf_char(val);
+}
+
+/*
+ * start_slc
+ *
+ * Get ready to process incoming slc's and respond to them.
+ *
+ * The parameter getit is non-zero if it is necessary to grab a copy
+ * of the terminal control structures.
+ */
+void start_slc(int getit) {
+    slcchange = 0;
+    if (getit) init_termbuf();
+    snprintf(slcbuf, sizeof(slcbuf), "%c%c%c%c", 
+             IAC, SB, TELOPT_LINEMODE, LM_SLC);
+    slcoff = 4;
+}
+
+/*
+ * end_slc
+ *
+ * Finish up the slc negotiation.  If something to send, then send it.
+ */
+int end_slc(unsigned char **bufp) {
+    /*
+     * If a change has occured, store the new terminal control
+     * structures back to the terminal driver.
+     */
+    if (slcchange) {
+        set_termbuf();
+    }
+
+    /*
+     * If the pty state has not yet been fully processed and there is a
+     * deferred slc request from the client, then do not send any
+     * sort of slc negotiation now.  We will respond to the client's
+     * request very soon.
+     */
+    if (def_slcbuf && (terminit() == 0)) {
+        return 0;
+    }
+
+    if (slcoff > 4) {
+        if (bufp) {
+            *bufp = &slcbuf[4];
+            return(slcoff - 4);
+        } 
+        else {
+            snprintf(slcbuf+slcoff, sizeof(slcbuf)-slcoff, "%c%c", IAC, SE);
+            slcoff += 2;
+            writenet(slcbuf, slcoff);
+            netflush();  /* force it out immediately */
+        }
+    }
+    return 0;
+}
+
+/*
+ * process_slc
+ *
+ * Figure out what to do about the client's slc
+ */
+void process_slc(unsigned char func, unsigned char flag, cc_t val) {
+    register int hislevel, mylevel, ack;
+
+    /*
+     * Ensure that we know something about this function
+     */
+    if (func > NSLC) {
+        add_slc(func, SLC_NOSUPPORT, 0);
+        return;
+    }
+
+    /*
+     * Process the special case requests of 0 SLC_DEFAULT 0
+     * and 0 SLC_VARIABLE 0.  Be a little forgiving here, don't
+     * worry about whether the value is actually 0 or not.
+     */
+    if (func == 0) {
+        if ((flag = flag & SLC_LEVELBITS) == SLC_DEFAULT) {
+            default_slc();
+            send_slc();
+        } 
+        else if (flag == SLC_VARIABLE) {
+            send_slc();
+        }
+        return;
+    }
+
+    /*
+     * Appears to be a function that we know something about.  So
+     * get on with it and see what we know.
+     */
+    
+    hislevel = flag & SLC_LEVELBITS;
+    mylevel = slctab[func].current.flag & SLC_LEVELBITS;
+    ack = flag & SLC_ACK;
+    /*
+     * ignore the command if:
+     * the function value and level are the same as what we already have;
+     * or the level is the same and the ack bit is set
+     */
+    if (hislevel == mylevel && (val == slctab[func].current.val || ack)) {
+        return;
+    } 
+    else if (ack) {
+        /*
+         * If we get here, we got an ack, but the levels don't match.
+         * This shouldn't happen.  If it does, it is probably because
+         * we have sent two requests to set a variable without getting
+         * a response between them, and this is the first response.
+         * So, ignore it, and wait for the next response.
+         */
+        return;
+    } 
+    else {
+        change_slc(func, flag, val);
+    }
+}
+
+/*
+ * change_slc
+ *
+ * Process a request to change one of our special characters.
+ * Compare client's request with what we are capable of supporting.
+ */
+void change_slc(char func, char flag, cc_t val) {
+    register int hislevel, mylevel;
+    
+    hislevel = flag & SLC_LEVELBITS;
+    mylevel = slctab[func].defset.flag & SLC_LEVELBITS;
+    /*
+     * If client is setting a function to NOSUPPORT
+     * or DEFAULT, then we can easily and directly
+     * accomodate the request.
+     */
+    if (hislevel == SLC_NOSUPPORT) {
+        slctab[func].current.flag = flag;
+        slctab[func].current.val = (cc_t)_POSIX_VDISABLE;
+        flag |= SLC_ACK;
+        add_slc(func, flag, val);
+        return;
+    }
+    if (hislevel == SLC_DEFAULT) {
+        /*
+         * Special case here.  If client tells us to use
+         * the default on a function we don't support, then
+         * return NOSUPPORT instead of what we may have as a
+         * default level of DEFAULT.
+         */
+        if (mylevel == SLC_DEFAULT) {
+            slctab[func].current.flag = SLC_NOSUPPORT;
+        } 
+        else {
+            slctab[func].current.flag = slctab[func].defset.flag;
+        }
+        slctab[func].current.val = slctab[func].defset.val;
+        add_slc(func, slctab[func].current.flag,
+                slctab[func].current.val);
+        return;
+    }
+    
+    /*
+     * Client wants us to change to a new value or he
+     * is telling us that he can't change to our value.
+     * Some of the slc's we support and can change,
+     * some we do support but can't change,
+     * and others we don't support at all.
+     * If we can change it then we have a pointer to
+     * the place to put the new value, so change it,
+     * otherwise, continue the negotiation.
+     */
+    if (slctab[func].sptr) {
+        /*
+         * We can change this one.
+         */
+        slctab[func].current.val = val;
+        *(slctab[func].sptr) = val;
+        slctab[func].current.flag = flag;
+        flag |= SLC_ACK;
+        slcchange = 1;
+        add_slc(func, flag, val);
+    } 
+    else {
+        /*
+         * It is not possible for us to support this
+         * request as he asks.
+         *
+         * If our level is DEFAULT, then just ack whatever was
+         * sent. 
+         *
+         * If he can't change and we can't change,
+         * then degenerate to NOSUPPORT.
+         *
+         * Otherwise we send our level back to him, (CANTCHANGE
+         * or NOSUPPORT) and if CANTCHANGE, send
+         * our value as well.
+         */
+        if (mylevel == SLC_DEFAULT) {
+            slctab[func].current.flag = flag;
+            slctab[func].current.val = val;
+            flag |= SLC_ACK;
+        } 
+        else if (hislevel == SLC_CANTCHANGE && mylevel == SLC_CANTCHANGE) {
+            flag &= ~SLC_LEVELBITS;
+            flag |= SLC_NOSUPPORT;
+            slctab[func].current.flag = flag;
+        } 
+        else {
+            flag &= ~SLC_LEVELBITS;
+            flag |= mylevel;
+            slctab[func].current.flag = flag;
+            if (mylevel == SLC_CANTCHANGE) {
+                slctab[func].current.val = slctab[func].defset.val;
+                val = slctab[func].current.val;
+            }
+        }
+        add_slc(func, flag, val);
+    }
+}
+
+#if (VEOF == VMIN)
+cc_t oldeofc = '\004';
+#endif
+
+/*
+ * check_slc
+ *
+ * Check the special characters in use and notify the client if any have
+ * changed.  Only those characters that are capable of being changed are
+ * likely to have changed.  If a local change occurs, kick the support level
+ * and flags up to the defaults.
+ */
+void check_slc(void) {
+    int i;
+    for (i = 1; i <= NSLC; i++) {
+#if (VEOF == VMIN)
+        /*
+         * In a perfect world this would be a neat little
+         * function.  But in this world, we should not notify
+         * client of changes to the VEOF char when
+         * ICANON is off, because it is not representing
+         * a special character.
+         */
+        if (i == SLC_EOF) {
+            if (!tty_isediting()) continue;
+            else if (slctab[i].sptr) oldeofc = *(slctab[i].sptr);
+        }
+#endif  /* VEOF==VMIN */
+
+        if (slctab[i].sptr && (*(slctab[i].sptr) != slctab[i].current.val)) {
+            slctab[i].current.val = *(slctab[i].sptr);
+            if (*(slctab[i].sptr) == (cc_t)_POSIX_VDISABLE) {
+                slctab[i].current.flag = SLC_NOSUPPORT;
+            }
+            else {
+                slctab[i].current.flag = slctab[i].defset.flag;
+            }
+            add_slc((unsigned char)i, slctab[i].current.flag,
+                    slctab[i].current.val);
+        }
+    }
+}
+
+/*
+ * do_opt_slc
+ *
+ * Process an slc option buffer.  Defer processing of incoming slc's
+ * until after the terminal state has been processed.  Save the first slc
+ * request that comes along, but discard all others.
+ *
+ * ptr points to the beginning of the buffer, len is the length.
+ */
+void do_opt_slc(unsigned char  *ptr, int len) {
+    unsigned char func, flag;
+    cc_t val;
+    unsigned char *end = ptr + len;
+
+    if (terminit()) {  /* go ahead */
+        while (ptr < end) {
+            func = *ptr++;
+            if (ptr >= end) break;
+            flag = *ptr++;
+            if (ptr >= end) break;
+            val = (cc_t)*ptr++;
+
+            process_slc(func, flag, val);
+            
+        }
+    } 
+    else {
+        /*
+         * save this slc buffer if it is the first, otherwise dump
+         * it.
+         */
+        if (def_slcbuf == NULL) {
+            def_slclen = len;
+            def_slcbuf = malloc((unsigned)len);
+            if (def_slcbuf == NULL) return;  /* too bad */
+            bcopy(ptr, def_slcbuf, len);
+        }
+    }
+}
+
+/*
+ * deferslc
+ *
+ * Do slc stuff that was deferred.
+ */
+void deferslc(void) {
+    if (def_slcbuf) {
+        start_slc(1);
+        do_opt_slc(def_slcbuf, def_slclen);
+        end_slc(0);
+        free(def_slcbuf);
+        def_slcbuf = (unsigned char *)0;
+        def_slclen = 0;
+    }
+}
+
+#endif  /* LINEMODE */
diff --git a/exploits/7350855-netkit/netkit-telnet-0.17/telnetd/state.c b/exploits/7350855-netkit/netkit-telnet-0.17/telnetd/state.c
new file mode 100644
index 0000000..0054ce9
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.17/telnetd/state.c
@@ -0,0 +1,1407 @@
+/*
+ * Copyright (c) 1989 Regents of the University of California.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *      This product includes software developed by the University of
+ *      California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/*
+ * From: @(#)state.c    5.10 (Berkeley) 3/22/91
+ */
+char state_rcsid[] = 
+  "$Id: state.c,v 1.12 1999/12/12 19:41:44 dholland Exp $";
+
+#include "telnetd.h"
+
+int not42 = 1;
+
+static int envvarok(char *varp);
+
+static unsigned char doopt[] = { IAC, DO, '%', 'c', 0 };
+static unsigned char dont[] = { IAC, DONT, '%', 'c', 0 };
+unsigned char   will[] = { IAC, WILL, '%', 'c', 0 };
+unsigned char   wont[] = { IAC, WONT, '%', 'c', 0 };
+
+/*
+ * Buffer for sub-options, and macros
+ * for suboptions buffer manipulations
+ */
+unsigned char subbuffer[512], *subpointer=subbuffer, *subend=subbuffer;
+
+#define SB_CLEAR()      subpointer = subbuffer;
+#define SB_TERM()       { subend = subpointer; SB_CLEAR(); }
+#define SB_ACCUM(c)     if (subpointer < (subbuffer + sizeof(subbuffer)-1)) { \
+                                *subpointer++ = (c); \
+                        }
+#define SB_GET()        ((*subpointer++)&0xff)
+#define SB_EOF()        (subpointer >= subend)
+#define SB_LEN()        (subend - subpointer)
+
+
+
+/*
+ * State for recv fsm
+ */
+#define TS_DATA         0       /* base state */
+#define TS_IAC          1       /* look for double IAC's */
+#define TS_CR           2       /* CR-LF ->'s CR */
+#define TS_SB           3       /* throw away begin's... */
+#define TS_SE           4       /* ...end's (suboption negotiation) */
+#define TS_WILL         5       /* will option negotiation */
+#define TS_WONT         6       /* wont " */
+#define TS_DO           7       /* do " */
+#define TS_DONT         8       /* dont " */
+
+void telrcv(void) {
+    register int c;
+    static int state = TS_DATA;
+
+    while (ncc > 0) {
+        if ((&ptyobuf[BUFSIZ] - pfrontp) < 2) break;
+        c = *netip++ & 0377;
+        ncc--;
+
+#if defined(ENCRYPT)
+        if (decrypt_input) {
+            c = (*decrypt_input)(c);
+        }
+#endif
+        switch (state) {
+         case TS_CR:
+             state = TS_DATA;
+             /* Strip off \n or \0 after a \r */
+             if ((c == 0) || (c == '\n')) {
+                 break;
+             }
+             /* FALL THROUGH */
+
+         case TS_DATA:
+             if (c == IAC) {
+                 state = TS_IAC;
+                 break;
+             }
+             /*
+              * We now map \r\n ==> \r for pragmatic reasons.
+              * Many client implementations send \r\n when
+              * the user hits the CarriageReturn key.
+              *
+              * We USED to map \r\n ==> \n, since \r\n says
+              * that we want to be in column 1 of the next
+              * printable line, and \n is the standard
+              * unix way of saying that (\r is only good
+              * if CRMOD is set, which it normally is).
+              */
+             if ((c == '\r') && his_state_is_wont(TELOPT_BINARY)) {
+#if defined(ENCRYPT)
+                 int nc = *netip;
+                 if (decrypt_input) {
+                     nc = (*decrypt_input)(nc & 0xff);
+                 }
+#endif
+#ifdef  LINEMODE
+                 /*
+                  * If we are operating in linemode,
+                  * convert to local end-of-line.
+                  */
+                 if (linemode && (ncc > 0) && (('\n' == nc) ||
+                                               ((0 == nc) && tty_iscrnl())) ) {
+                     netip++; ncc--;
+                     c = '\n';
+                 } 
+                 else 
+#endif
+                 {
+#if defined(ENCRYPT)
+                     if (decrypt_input)
+                         (void)(*decrypt_input)(-1);
+#endif
+                     state = TS_CR;
+                 }
+             }
+             *pfrontp++ = c;
+             break;
+
+         case TS_IAC:
+         gotiac:
+             switch (c) {
+                 
+                 /*
+                  * Send the process on the pty side an
+                  * interrupt.  Do this with a NULL or
+                  * interrupt char; depending on the tty mode.
+                  */
+              case IP:
+                  DIAG(TD_OPTIONS, printoption("td: recv IAC", c));
+                  interrupt();
+                  break;
+              case BREAK:
+                  DIAG(TD_OPTIONS, printoption("td: recv IAC", c));
+                  sendbrk();
+                  break;
+                  
+                  /*
+                   * Are You There?
+                   */
+              case AYT:
+                 DIAG(TD_OPTIONS,
+                      printoption("td: recv IAC", c));
+                  recv_ayt();
+                  break;
+
+                  /*
+                   * Abort Output
+                   */
+              case AO:
+                  {
+                      static const char msg[] = { IAC, DM };
+                      DIAG(TD_OPTIONS, printoption("td: recv IAC", c));
+                      ptyflush();       /* half-hearted */
+                      init_termbuf();
+                      
+                      if (slctab[SLC_AO].sptr &&
+                          *slctab[SLC_AO].sptr != (cc_t)(_POSIX_VDISABLE)) 
+                      {
+                          *pfrontp++ =
+                              (unsigned char)*slctab[SLC_AO].sptr;
+                      }
+
+                      netclear();       /* clear buffer back */
+                      sendurg(msg, sizeof(msg));
+                      DIAG(TD_OPTIONS, printoption("td: send IAC", DM));
+                      break;
+                  }
+
+                  /*
+                   * Erase Character and
+                   * Erase Line
+                   */
+              case EC:
+              case EL:
+                 {
+                     cc_t ch;
+                     DIAG(TD_OPTIONS, printoption("td: recv IAC", c));
+                     ptyflush();        /* half-hearted */
+                     init_termbuf();
+                     if (c == EC) ch = *slctab[SLC_EC].sptr;
+                     else ch = *slctab[SLC_EL].sptr;
+                     if (ch != (cc_t)(_POSIX_VDISABLE))
+                         *pfrontp++ = (unsigned char)ch;
+                     break;
+                 }
+                  
+                  /*
+                   * Check for urgent data...
+                   */
+              case DM:
+                  DIAG(TD_OPTIONS, printoption("td: recv IAC", c));
+                  SYNCHing = stilloob(net);
+                  settimer(gotDM);
+                  break;
+                  
+                  /*
+                   * Begin option subnegotiation...
+                   */
+              case SB:
+                  state = TS_SB;
+                  SB_CLEAR();
+                  continue;
+
+              case WILL:
+                  state = TS_WILL;
+                  continue;
+
+              case WONT:
+                  state = TS_WONT;
+                  continue;
+
+              case DO:
+                  state = TS_DO;
+                  continue;
+                  
+              case DONT:
+                  state = TS_DONT;
+                  continue;
+
+              case EOR:
+                  if (his_state_is_will(TELOPT_EOR)) doeof();
+                  break;
+                  
+                  /*
+                   * Handle RFC 10xx Telnet linemode option additions
+                   * to command stream (EOF, SUSP, ABORT).
+                   */
+              case xEOF:
+                  doeof();
+                  break;
+                  
+              case SUSP:
+                  sendsusp();
+                  break;
+
+              case ABORT:
+                  sendbrk();
+                  break;
+
+              case IAC:
+                 *pfrontp++ = c;
+                  break;
+             }
+             state = TS_DATA;
+             break;
+
+         case TS_SB:
+             if (c == IAC) {
+                 state = TS_SE;
+             } 
+             else {
+                 SB_ACCUM(c);
+             }
+             break;
+             
+         case TS_SE:
+             if (c != SE) {
+                 if (c != IAC) {
+                                /*
+                                 * bad form of suboption negotiation.
+                                 * handle it in such a way as to avoid
+                                 * damage to local state.  Parse
+                                 * suboption buffer found so far,
+                                 * then treat remaining stream as
+                                 * another command sequence.
+                                 */
+                     
+                                /* for DIAGNOSTICS */
+                     SB_ACCUM(IAC);
+                     SB_ACCUM(c);
+                     subpointer -= 2;
+                     
+                     SB_TERM();
+                     suboption();
+                     state = TS_IAC;
+                     goto gotiac;
+                 }
+                 SB_ACCUM(c);
+                 state = TS_SB;
+             }
+             else {
+                 /* for DIAGNOSTICS */
+                 SB_ACCUM(IAC);
+                 SB_ACCUM(SE);
+                 subpointer -= 2;
+                 
+                 SB_TERM();
+                 suboption();   /* handle sub-option */
+                 state = TS_DATA;
+             }
+             break;
+             
+         case TS_WILL:
+             willoption(c);
+             state = TS_DATA;
+             continue;
+
+         case TS_WONT:
+             wontoption(c);
+             state = TS_DATA;
+             continue;
+
+         case TS_DO:
+             dooption(c);
+             state = TS_DATA;
+             continue;
+             
+         case TS_DONT:
+             dontoption(c);
+             state = TS_DATA;
+             continue;
+             
+         default:
+             syslog(LOG_ERR, "telnetd: panic state=%d\n", state);
+             printf("telnetd: panic state=%d\n", state);
+             exit(1);
+        }
+    }
+}
+
+/*
+ * The will/wont/do/dont state machines are based on Dave Borman's
+ * Telnet option processing state machine.
+ *
+ * These correspond to the following states:
+ *      my_state = the last negotiated state
+ *      want_state = what I want the state to go to
+ *      want_resp = how many requests I have sent
+ * All state defaults are negative, and resp defaults to 0.
+ *
+ * When initiating a request to change state to new_state:
+ * 
+ * if ((want_resp == 0 && new_state == my_state) || want_state == new_state) {
+ *      do nothing;
+ * } else {
+ *      want_state = new_state;
+ *      send new_state;
+ *      want_resp++;
+ * }
+ *
+ * When receiving new_state:
+ *
+ * if (want_resp) {
+ *      want_resp--;
+ *      if (want_resp && (new_state == my_state))
+ *              want_resp--;
+ * }
+ * if ((want_resp == 0) && (new_state != want_state)) {
+ *      if (ok_to_switch_to new_state)
+ *              want_state = new_state;
+ *      else
+ *              want_resp++;
+ *      send want_state;
+ * }
+ * my_state = new_state;
+ *
+ * Note that new_state is implied in these functions by the function itself.
+ * will and do imply positive new_state, wont and dont imply negative.
+ *
+ * Finally, there is one catch.  If we send a negative response to a
+ * positive request, my_state will be the positive while want_state will
+ * remain negative.  my_state will revert to negative when the negative
+ * acknowlegment arrives from the peer.  Thus, my_state generally tells
+ * us not only the last negotiated state, but also tells us what the peer
+ * wants to be doing as well.  It is important to understand this difference
+ * as we may wish to be processing data streams based on our desired state
+ * (want_state) or based on what the peer thinks the state is (my_state).
+ *
+ * This all works fine because if the peer sends a positive request, the data
+ * that we receive prior to negative acknowlegment will probably be affected
+ * by the positive state, and we can process it as such (if we can; if we
+ * can't then it really doesn't matter).  If it is that important, then the
+ * peer probably should be buffering until this option state negotiation
+ * is complete.
+ *
+ */
+void send_do(int option, int init) {
+    if (init) {
+        if ((do_dont_resp[option] == 0 && his_state_is_will(option)) ||
+            his_want_state_is_will(option))
+            return;
+        /*
+         * Special case for TELOPT_TM:  We send a DO, but pretend
+         * that we sent a DONT, so that we can send more DOs if
+         * we want to.
+         */
+        if (option == TELOPT_TM)
+            set_his_want_state_wont(option);
+        else
+            set_his_want_state_will(option);
+        do_dont_resp[option]++;
+    }
+    netoprintf((char *)doopt, option);
+    
+    DIAG(TD_OPTIONS, printoption("td: send do", option));
+}
+
+#ifdef  AUTHENTICATE
+extern void auth_request();
+#endif
+
+#ifdef  LINEMODE
+static void doclientstat(void);
+#endif
+
+#ifdef  ENCRYPT
+extern void encrypt_send_support();
+#endif
+
+void willoption(int option) {
+    int changeok = 0;
+    void (*func)(void) = 0;
+    
+    /*
+     * process input from peer.
+     */
+    
+    DIAG(TD_OPTIONS, printoption("td: recv will", option));
+    
+    if (do_dont_resp[option]) {
+        do_dont_resp[option]--;
+        if (do_dont_resp[option] && his_state_is_will(option))
+            do_dont_resp[option]--;
+    }
+    if (do_dont_resp[option] == 0) {
+        if (his_want_state_is_wont(option)) {
+            switch (option) {
+                
+            case TELOPT_BINARY:
+                init_termbuf();
+                tty_binaryin(1);
+                set_termbuf();
+                changeok++;
+                break;
+                
+            case TELOPT_ECHO:
+                /*
+                 * See comments below for more info.
+                 */
+                not42 = 0;      /* looks like a 4.2 system */
+                break;
+                
+            case TELOPT_TM:
+#if defined(LINEMODE) && defined(KLUDGELINEMODE)
+                /*
+                 * This telnetd implementation does not really
+                 * support timing marks, it just uses them to
+                 * support the kludge linemode stuff.  If we
+                 * receive a will or wont TM in response to our
+                 * do TM request that may have been sent to
+                 * determine kludge linemode support, process
+                 * it, otherwise TM should get a negative
+                 * response back.
+                 */
+                /*
+                 * Handle the linemode kludge stuff.
+                 * If we are not currently supporting any
+                 * linemode at all, then we assume that this
+                 * is the client telling us to use kludge
+                 * linemode in response to our query.  Set the
+                 * linemode type that is to be supported, note
+                 * that the client wishes to use linemode, and
+                 * eat the will TM as though it never arrived.
+                 */
+                if (lmodetype < KLUDGE_LINEMODE) {
+                    lmodetype = KLUDGE_LINEMODE;
+                    clientstat(TELOPT_LINEMODE, WILL, 0);
+                    send_wont(TELOPT_SGA, 1);
+                }
+#endif  /* defined(LINEMODE) && defined(KLUDGELINEMODE) */
+                /*
+                 * We never respond to a WILL TM, and
+                 * we leave the state WONT.
+                 */
+                return;
+
+            case TELOPT_LFLOW:
+                 /*
+                  * If we are going to support flow control
+                  * option, then don't worry peer that we can't
+                  * change the flow control characters.
+                  */
+                slctab[SLC_XON].defset.flag &= ~SLC_LEVELBITS;
+                slctab[SLC_XON].defset.flag |= SLC_DEFAULT;
+                slctab[SLC_XOFF].defset.flag &= ~SLC_LEVELBITS;
+                slctab[SLC_XOFF].defset.flag |= SLC_DEFAULT;
+            case TELOPT_TTYPE:
+            case TELOPT_SGA:
+            case TELOPT_NAWS:
+            case TELOPT_TSPEED:
+            case TELOPT_XDISPLOC:
+            case TELOPT_ENVIRON:
+                changeok++;
+                break;
+                
+#ifdef LINEMODE
+            case TELOPT_LINEMODE:
+#ifdef KLUDGELINEMODE
+                /*
+                 * Note client's desire to use linemode.
+                 */
+                lmodetype = REAL_LINEMODE;
+#endif  /* KLUDGELINEMODE */
+                func = doclientstat;
+                changeok++;
+                break;
+#endif  /* LINEMODE */
+                
+#ifdef  AUTHENTICATE
+            case TELOPT_AUTHENTICATION:
+                func = auth_request;
+                changeok++;
+                break;
+#endif
+                
+#ifdef ENCRYPT
+            case TELOPT_ENCRYPT:
+                func = encrypt_send_support;
+                changeok++;
+                break;
+#endif
+
+            default:
+                break;
+            }
+            if (changeok) {
+                set_his_want_state_will(option);
+                send_do(option, 0);
+            } 
+            else {
+                do_dont_resp[option]++;
+                send_dont(option, 0);
+            }
+        } 
+        else {
+            /*
+             * Option processing that should happen when
+             * we receive conformation of a change in
+             * state that we had requested.
+             */
+            switch (option) {
+             case TELOPT_ECHO:
+                not42 = 0;      /* looks like a 4.2 system */
+                /*
+                 * Egads, he responded "WILL ECHO".  Turn
+                 * it off right now!
+                 */
+                send_dont(option, 1);
+                /*
+                 * "WILL ECHO".  Kludge upon kludge!
+                 * A 4.2 client is now echoing user input at
+                 * the tty.  This is probably undesireable and
+                 * it should be stopped.  The client will
+                 * respond WONT TM to the DO TM that we send to
+                 * check for kludge linemode.  When the WONT TM
+                 * arrives, linemode will be turned off and a
+                 * change propogated to the pty.  This change
+                 * will cause us to process the new pty state
+                 * in localstat(), which will notice that
+                 * linemode is off and send a WILL ECHO
+                 * so that we are properly in character mode and
+                 * all is well.
+                 */
+                break;
+#ifdef  LINEMODE
+             case TELOPT_LINEMODE:
+# ifdef KLUDGELINEMODE
+                 /*
+                  * Note client's desire to use linemode.
+                  */
+                 lmodetype = REAL_LINEMODE;
+# endif /* KLUDGELINEMODE */
+                func = doclientstat;
+                break;
+#endif  /* LINEMODE */
+
+#ifdef  AUTHENTICATE
+            case TELOPT_AUTHENTICATION:
+                func = auth_request;
+                break;
+#endif
+
+#ifdef  ENCRYPT
+            case TELOPT_ENCRYPT:
+                func = encrypt_send_support;
+                break;
+#endif
+            }
+        }
+    }
+    set_his_state_will(option);
+    if (func) (*func)();
+}
+
+void send_dont(int option, int init) {
+    if (init) {
+        if ((do_dont_resp[option] == 0 && his_state_is_wont(option)) ||
+            his_want_state_is_wont(option))
+            return;
+        set_his_want_state_wont(option);
+        do_dont_resp[option]++;
+    }
+    netoprintf((char *) dont, option);
+
+    DIAG(TD_OPTIONS, printoption("td: send dont", option));
+}
+
+void wontoption(int option) {
+    /*
+     * Process client input.
+     */
+
+    DIAG(TD_OPTIONS, printoption("td: recv wont", option));
+    
+    if (do_dont_resp[option]) {
+        do_dont_resp[option]--;
+        if (do_dont_resp[option] && his_state_is_wont(option))
+            do_dont_resp[option]--;
+    }
+    if (do_dont_resp[option] == 0) {
+        if (his_want_state_is_will(option)) {
+            /* it is always ok to change to negative state */
+            switch (option) {
+            case TELOPT_ECHO:
+                not42 = 1; /* doesn't seem to be a 4.2 system */
+                break;
+                
+            case TELOPT_BINARY:
+                init_termbuf();
+                tty_binaryin(0);
+                set_termbuf();
+                break;
+                
+#ifdef LINEMODE
+            case TELOPT_LINEMODE:
+#ifdef KLUDGELINEMODE
+                /*
+                 * If real linemode is supported, then client is
+                 * asking to turn linemode off.
+                 */
+                if (lmodetype != REAL_LINEMODE)
+                    break;
+                lmodetype = KLUDGE_LINEMODE;
+# endif /* KLUDGELINEMODE */
+                clientstat(TELOPT_LINEMODE, WONT, 0);
+                break;
+#endif  /* LINEMODE */
+                
+            case TELOPT_TM:
+                /*
+                 * If we get a WONT TM, and had sent a DO TM,
+                 * don't respond with a DONT TM, just leave it
+                 * as is.  Short circut the state machine to
+                 * achive this.
+                 */
+                set_his_want_state_wont(TELOPT_TM);
+                return;
+                
+            case TELOPT_LFLOW:
+                /*
+                 * If we are not going to support flow control
+                 * option, then let peer know that we can't
+                 * change the flow control characters.
+                 */
+                slctab[SLC_XON].defset.flag &= ~SLC_LEVELBITS;
+                slctab[SLC_XON].defset.flag |= SLC_CANTCHANGE;
+                slctab[SLC_XOFF].defset.flag &= ~SLC_LEVELBITS;
+                slctab[SLC_XOFF].defset.flag |= SLC_CANTCHANGE;
+                break;
+                
+#if defined(AUTHENTICATE)
+             case TELOPT_AUTHENTICATION:
+                auth_finished(0, AUTH_REJECT);
+                break;
+#endif
+
+                /*
+                 * For options that we might spin waiting for
+                 * sub-negotiation, if the client turns off the
+                 * option rather than responding to the request,
+                 * we have to treat it here as if we got a response
+                 * to the sub-negotiation, (by updating the timers)
+                 * so that we'll break out of the loop.
+                 */
+            case TELOPT_TTYPE:
+                settimer(ttypesubopt);
+                break;
+
+            case TELOPT_TSPEED:
+                settimer(tspeedsubopt);
+                break;
+
+            case TELOPT_XDISPLOC:
+                settimer(xdisplocsubopt);
+                break;
+                
+            case TELOPT_ENVIRON:
+                settimer(environsubopt);
+                break;
+
+            default:
+                break;
+            }
+            set_his_want_state_wont(option);
+            if (his_state_is_will(option)) send_dont(option, 0);
+        } 
+        else {
+            switch (option) {
+             case TELOPT_TM:
+#if defined(LINEMODE) && defined(KLUDGELINEMODE)
+                 if (lmodetype < REAL_LINEMODE) {
+                     lmodetype = NO_LINEMODE;
+                     clientstat(TELOPT_LINEMODE, WONT, 0);
+                     send_will(TELOPT_SGA, 1);
+                     send_will(TELOPT_ECHO, 1);
+                 }
+#endif  /* defined(LINEMODE) && defined(KLUDGELINEMODE) */
+                 break;
+
+#if     defined(AUTHENTICATE)
+            case TELOPT_AUTHENTICATION:
+                auth_finished(0, AUTH_REJECT);
+                 break;
+#endif
+            default:
+                break;
+            }
+        }
+    }
+}  /* end of wontoption */
+
+void send_will(int option, int init) {
+    if (init) {
+        if ((will_wont_resp[option] == 0 && my_state_is_will(option))||
+            my_want_state_is_will(option))
+            return;
+        set_my_want_state_will(option);
+        will_wont_resp[option]++;
+    }
+    netoprintf((char *) will, option);
+
+    DIAG(TD_OPTIONS, printoption("td: send will", option));
+}
+
+#if !defined(LINEMODE) || !defined(KLUDGELINEMODE)
+/*
+ * When we get a DONT SGA, we will try once to turn it
+ * back on.  If the other side responds DONT SGA, we
+ * leave it at that.  This is so that when we talk to
+ * clients that understand KLUDGELINEMODE but not LINEMODE,
+ * we'll keep them in char-at-a-time mode.
+ */
+int turn_on_sga = 0;
+#endif
+
+void dooption(int option) {
+    int changeok = 0;
+
+    /*
+     * Process client input.
+     */
+    
+    DIAG(TD_OPTIONS, printoption("td: recv do", option));
+    
+    if (will_wont_resp[option]) {
+        will_wont_resp[option]--;
+        if (will_wont_resp[option] && my_state_is_will(option))
+            will_wont_resp[option]--;
+    }
+    if ((will_wont_resp[option] == 0) && (my_want_state_is_wont(option))) {
+        switch (option) {
+        case TELOPT_ECHO:
+#ifdef  LINEMODE
+#ifdef  KLUDGELINEMODE
+            if (lmodetype == NO_LINEMODE)
+#else
+            if (his_state_is_wont(TELOPT_LINEMODE))
+#endif
+#endif
+            {
+                init_termbuf();
+                tty_setecho(1);
+                set_termbuf();
+            }
+            changeok++;
+            break;
+
+        case TELOPT_BINARY:
+            init_termbuf();
+            tty_binaryout(1);
+            set_termbuf();
+            changeok++;
+            break;
+
+        case TELOPT_SGA:
+#if defined(LINEMODE) && defined(KLUDGELINEMODE)
+            /*
+             * If kludge linemode is in use, then we must
+             * process an incoming do SGA for linemode
+             * purposes.
+             */
+            if (lmodetype == KLUDGE_LINEMODE) {
+                /*
+                 * Receipt of "do SGA" in kludge
+                 * linemode is the peer asking us to
+                 * turn off linemode.  Make note of
+                 * the request.
+                 */
+                clientstat(TELOPT_LINEMODE, WONT, 0);
+                /*
+                 * If linemode did not get turned off
+                 * then don't tell peer that we did.
+                 * Breaking here forces a wont SGA to
+                 * be returned.
+                 */
+                if (linemode)  break;
+            }
+#else
+            turn_on_sga = 0;
+#endif  /* defined(LINEMODE) && defined(KLUDGELINEMODE) */
+            changeok++;
+            break;
+
+        case TELOPT_STATUS:
+            changeok++;
+            break;
+            
+        case TELOPT_TM:
+            /*
+             * Special case for TM.  We send a WILL, but
+             * pretend we sent a WONT.
+             */
+            send_will(option, 0);
+            set_my_want_state_wont(option);
+            set_my_state_wont(option);
+            return;
+            
+        case TELOPT_LOGOUT:
+            /*
+             * When we get a LOGOUT option, respond
+             * with a WILL LOGOUT, make sure that
+             * it gets written out to the network,
+             * and then just go away...
+             */
+            set_my_want_state_will(TELOPT_LOGOUT);
+            send_will(TELOPT_LOGOUT, 0);
+            set_my_state_will(TELOPT_LOGOUT);
+            (void)netflush();
+            cleanup(0);
+            /* NOT REACHED */
+            break;
+
+#if defined(ENCRYPT)
+        case TELOPT_ENCRYPT:
+            changeok++;
+            break;
+#endif
+        case TELOPT_LINEMODE:
+        case TELOPT_TTYPE:
+        case TELOPT_NAWS:
+        case TELOPT_TSPEED:
+        case TELOPT_LFLOW:
+        case TELOPT_XDISPLOC:
+        case TELOPT_ENVIRON:
+        default:
+            break;
+        }
+        if (changeok) {
+            set_my_want_state_will(option);
+            send_will(option, 0);
+        } 
+        else {
+            will_wont_resp[option]++;
+            send_wont(option, 0);
+        }
+    }
+    set_my_state_will(option);
+}
+
+void send_wont(int option, int init) {
+    if (init) {
+        if ((will_wont_resp[option] == 0 && my_state_is_wont(option)) ||
+            my_want_state_is_wont(option))
+            return;
+        set_my_want_state_wont(option);
+        will_wont_resp[option]++;
+    }
+    netoprintf((char *)wont, option);
+    
+    DIAG(TD_OPTIONS, printoption("td: send wont", option));
+}
+
+void dontoption(int option) {
+    /*
+     * Process client input.
+     */
+    DIAG(TD_OPTIONS, printoption("td: recv dont", option));
+
+    if (will_wont_resp[option]) {
+        will_wont_resp[option]--;
+        if (will_wont_resp[option] && my_state_is_wont(option))
+            will_wont_resp[option]--;
+    }
+    if ((will_wont_resp[option] == 0) && (my_want_state_is_will(option))) {
+        switch (option) {
+        case TELOPT_BINARY:
+            init_termbuf();
+            tty_binaryout(0);
+            set_termbuf();
+            break;
+
+        case TELOPT_ECHO:       /* we should stop echoing */
+#ifdef  LINEMODE
+#ifdef  KLUDGELINEMODE
+            if (lmodetype == NO_LINEMODE)
+#else
+            if (his_state_is_wont(TELOPT_LINEMODE))
+#endif
+#endif
+            {
+                init_termbuf();
+                tty_setecho(0);
+                set_termbuf();
+            }
+            break;
+
+        case TELOPT_SGA:
+#if defined(LINEMODE) && defined(KLUDGELINEMODE)
+            /*
+             * If kludge linemode is in use, then we
+             * must process an incoming do SGA for
+             * linemode purposes.
+             */
+            if (lmodetype == KLUDGE_LINEMODE) {
+                /*
+                 * The client is asking us to turn
+                 * linemode on.
+                 */
+                clientstat(TELOPT_LINEMODE, WILL, 0);
+                /*
+                 * If we did not turn line mode on,
+                 * then what do we say?  Will SGA?
+                 * This violates design of telnet.
+                 * Gross.  Very Gross.
+                 */
+            }
+            break;
+#else
+            set_my_want_state_wont(option);
+            if (my_state_is_will(option))
+                send_wont(option, 0);
+            set_my_state_wont(option);
+            if (turn_on_sga ^= 1) send_will(option,1);
+            return;
+#endif  /* defined(LINEMODE) && defined(KLUDGELINEMODE) */
+            
+         default:
+            break;
+        }
+
+        set_my_want_state_wont(option);
+        if (my_state_is_will(option))
+            send_wont(option, 0);
+    }
+    set_my_state_wont(option);
+}
+
+/*
+ * suboption()
+ *
+ *      Look at the sub-option buffer, and try to be helpful to the other
+ * side.
+ *
+ *      Currently we recognize:
+ *
+ *      Terminal type is
+ *      Linemode
+ *      Window size
+ *      Terminal speed
+ */
+void suboption(void) {
+    int subchar;
+
+    DIAG(TD_OPTIONS, {netflush(); printsub('<', subpointer, SB_LEN()+2);});
+
+    subchar = SB_GET();
+    switch (subchar) {
+     case TELOPT_TSPEED: {
+        int xspeed, rspeed;
+        if (his_state_is_wont(TELOPT_TSPEED))   /* Ignore if option disabled */
+            break;
+
+        settimer(tspeedsubopt);
+        if (SB_EOF() || SB_GET() != TELQUAL_IS) return;
+        xspeed = atoi((char *)subpointer);
+
+        while (SB_GET() != ',' && !SB_EOF());
+        if (SB_EOF()) return;
+        
+        rspeed = atoi((char *)subpointer);
+        clientstat(TELOPT_TSPEED, xspeed, rspeed);
+        break;
+    }
+
+    case TELOPT_TTYPE: {                /* Yaaaay! */
+        static char terminalname[41];
+
+        if (his_state_is_wont(TELOPT_TTYPE))    /* Ignore if option disabled */
+            break;
+        settimer(ttypesubopt);
+        
+        if (SB_EOF() || SB_GET() != TELQUAL_IS) {
+            return;             /* ??? XXX but, this is the most robust */
+        }
+
+        terminaltype = terminalname;
+
+        while ((terminaltype < (terminalname + sizeof (terminalname) -1) ) &&
+               !SB_EOF()) 
+        {
+            int c;
+            c = SB_GET();
+            if (isupper(c)) {
+                c = tolower(c);
+            }
+            *terminaltype++ = c;    /* accumulate name */
+        }
+        *terminaltype = 0;
+        terminaltype = terminalname;
+        break;
+    }
+
+    case TELOPT_NAWS: {
+        int xwinsize, ywinsize;
+        if (his_state_is_wont(TELOPT_NAWS))     /* Ignore if option disabled */
+            break;
+
+        if (SB_EOF()) return;
+        xwinsize = SB_GET() << 8;
+        if (SB_EOF()) return;
+        xwinsize |= SB_GET();
+        if (SB_EOF()) return;
+        ywinsize = SB_GET() << 8;
+        if (SB_EOF()) return;
+        ywinsize |= SB_GET();
+        clientstat(TELOPT_NAWS, xwinsize, ywinsize);
+        break;
+    }
+
+#ifdef  LINEMODE
+    case TELOPT_LINEMODE: {
+        register int request;
+
+        if (his_state_is_wont(TELOPT_LINEMODE)) /* Ignore if option disabled */
+                break;
+        /*
+         * Process linemode suboptions.
+         */
+        if (SB_EOF())
+            break;              /* garbage was sent */
+        request = SB_GET();     /* get will/wont */
+
+        if (SB_EOF())
+            break;              /* another garbage check */
+
+        if (request == LM_SLC) {  /* SLC is not preceeded by WILL or WONT */
+                /*
+                 * Process suboption buffer of slc's
+                 */
+                start_slc(1);
+                do_opt_slc(subpointer, subend - subpointer);
+                (void) end_slc(0);
+                break;
+        } else if (request == LM_MODE) {
+                if (SB_EOF())
+                    return;
+                useeditmode = SB_GET();  /* get mode flag */
+                clientstat(LM_MODE, 0, 0);
+                break;
+        }
+
+        if (SB_EOF())
+            break;
+        switch (SB_GET()) {  /* what suboption? */
+        case LM_FORWARDMASK:
+                /*
+                 * According to spec, only server can send request for
+                 * forwardmask, and client can only return a positive response.
+                 * So don't worry about it.
+                 */
+
+        default:
+                break;
+        }
+        break;
+    }  /* end of case TELOPT_LINEMODE */
+#endif
+    case TELOPT_STATUS: {
+        int mode;
+
+        if (SB_EOF())
+            break;
+        mode = SB_GET();
+        switch (mode) {
+        case TELQUAL_SEND:
+            if (my_state_is_will(TELOPT_STATUS))
+                send_status();
+            break;
+
+        case TELQUAL_IS:
+            break;
+
+        default:
+            break;
+        }
+        break;
+    }  /* end of case TELOPT_STATUS */
+
+    case TELOPT_XDISPLOC: {
+        if (SB_EOF() || SB_GET() != TELQUAL_IS)
+                return;
+        settimer(xdisplocsubopt);
+        subpointer[SB_LEN()] = '\0';
+        (void)setenv("DISPLAY", (char *)subpointer, 1);
+        break;
+    }  /* end of case TELOPT_XDISPLOC */
+
+    case TELOPT_ENVIRON: {
+        register int c;
+        register char *cp, *varp, *valp;
+
+        if (SB_EOF())
+                return;
+        c = SB_GET();
+        if (c == TELQUAL_IS)
+                settimer(environsubopt);
+        else if (c != TELQUAL_INFO)
+                return;
+
+        while (!SB_EOF() && SB_GET() != ENV_VAR)
+                ;
+
+        if (SB_EOF())
+                return;
+
+        cp = varp = (char *)subpointer;
+        valp = 0;
+
+        while (!SB_EOF()) {
+            switch (c = SB_GET()) {
+            case ENV_VALUE:
+                *cp = '\0';
+                cp = valp = (char *)subpointer;
+                break;
+                
+            case ENV_VAR:
+                *cp = '\0';
+                if (envvarok(varp)) {
+                    if (valp)
+                        (void)setenv(varp, valp, 1);
+                    else
+                        unsetenv(varp);
+                }
+                cp = varp = (char *)subpointer;
+                valp = 0;
+                break;
+                
+            case ENV_ESC:
+                if (SB_EOF())
+                    break;
+                c = SB_GET();
+                /* FALL THROUGH */
+            default:
+                /* I think this test is correct... */
+                if (cp < subbuffer+sizeof(subbuffer)-1) *cp++ = c;
+                break;
+            }
+        }
+        *cp = '\0';
+        if (envvarok(varp)) {
+            if (valp)
+                (void)setenv(varp, valp, 1);
+            else
+                unsetenv(varp);
+        }
+        break;
+    }  /* end of case TELOPT_ENVIRON */
+#if defined(AUTHENTICATE)
+    case TELOPT_AUTHENTICATION:
+        if (SB_EOF())
+            break;
+        switch(SB_GET()) {
+        case TELQUAL_SEND:
+        case TELQUAL_REPLY:
+            /*
+             * These are sent by us and cannot be sent by
+             * the client.
+             */
+            break;
+        case TELQUAL_IS:
+            auth_is(subpointer, SB_LEN());
+            break;
+        case TELQUAL_NAME:
+            auth_name(subpointer, SB_LEN());
+            break;
+        }
+        break;
+#endif
+#if defined(ENCRYPT)
+    case TELOPT_ENCRYPT:
+        if (SB_EOF())
+            break;
+        switch(SB_GET()) {
+        case ENCRYPT_SUPPORT:
+            encrypt_support(subpointer, SB_LEN());
+            break;
+        case ENCRYPT_IS:
+            encrypt_is(subpointer, SB_LEN());
+            break;
+        case ENCRYPT_REPLY:
+            encrypt_reply(subpointer, SB_LEN());
+            break;
+        case ENCRYPT_START:
+            encrypt_start(subpointer, SB_LEN());
+            break;
+        case ENCRYPT_END:
+            encrypt_end();
+            break;
+        case ENCRYPT_REQSTART:
+            encrypt_request_start(subpointer, SB_LEN());
+            break;
+        case ENCRYPT_REQEND:
+            /*
+             * We can always send an REQEND so that we cannot
+             * get stuck encrypting.  We should only get this
+             * if we have been able to get in the correct mode
+             * anyhow.
+             */
+            encrypt_request_end();
+            break;
+        case ENCRYPT_ENC_KEYID:
+            encrypt_enc_keyid(subpointer, SB_LEN());
+            break;
+        case ENCRYPT_DEC_KEYID:
+            encrypt_dec_keyid(subpointer, SB_LEN());
+            break;
+        default:
+            break;
+        }
+        break;
+#endif
+
+    default:
+        break;
+    }  /* end of switch */
+
+}  /* end of suboption */
+
+#ifdef LINEMODE
+static void doclientstat(void) {
+    clientstat(TELOPT_LINEMODE, WILL, 0);
+}
+#endif
+
+#define ADD(c)   *ncp++ = c;
+#define ADD_DATA(c) { *ncp++ = c; if (c == SE) *ncp++ = c; }
+
+void send_status(void) {
+    unsigned char statusbuf[256];
+    register unsigned char *ncp;
+    register unsigned char i;
+    
+    ncp = statusbuf;
+    
+    netflush(); /* get rid of anything waiting to go out */
+    
+    ADD(IAC);
+    ADD(SB);
+    ADD(TELOPT_STATUS);
+    ADD(TELQUAL_IS);
+    
+    /*
+     * We check the want_state rather than the current state,
+     * because if we received a DO/WILL for an option that we
+     * don't support, and the other side didn't send a DONT/WONT
+     * in response to our WONT/DONT, then the "state" will be
+     * WILL/DO, and the "want_state" will be WONT/DONT.  We
+     * need to go by the latter.
+     */
+    for (i = 0; i < NTELOPTS; i++) {
+        if (my_want_state_is_will(i)) {
+            ADD(WILL);
+            ADD_DATA(i);
+            if (i == IAC) ADD(IAC);
+        }
+        if (his_want_state_is_will(i)) {
+            ADD(DO);
+            ADD_DATA(i);
+            if (i == IAC) ADD(IAC);
+        }
+    }
+
+    if (his_want_state_is_will(TELOPT_LFLOW)) {
+        ADD(SB);
+        ADD(TELOPT_LFLOW);
+        ADD(flowmode);
+        ADD(SE);
+    }
+
+#ifdef LINEMODE
+    if (his_want_state_is_will(TELOPT_LINEMODE)) {
+        unsigned char *cp, *cpe;
+        int len;
+        
+        ADD(SB);
+        ADD(TELOPT_LINEMODE);
+        ADD(LM_MODE);
+        ADD_DATA(editmode);
+        if (editmode == IAC) ADD(IAC);
+        ADD(SE);
+        
+        ADD(SB);
+        ADD(TELOPT_LINEMODE);
+        ADD(LM_SLC);
+        start_slc(0);
+        send_slc();
+        len = end_slc(&cp);
+        for (cpe = cp + len; cp < cpe; cp++) ADD_DATA(*cp);
+        ADD(SE);
+    }
+#endif  /* LINEMODE */
+
+    ADD(IAC);
+    ADD(SE);
+
+    writenet(statusbuf, ncp - statusbuf);
+    netflush(); /* Send it on its way */
+
+    DIAG(TD_OPTIONS, {printsub('>', statusbuf, ncp - statusbuf); netflush();});
+}
+
+/* check that variable is safe to pass to login or shell */
+#if 0  /* insecure version */
+static int envvarok(char *varp) {
+    if (strncmp(varp, "LD_", strlen("LD_")) &&
+        strncmp(varp, "ELF_LD_", strlen("ELF_LD_")) &&
+        strncmp(varp, "AOUT_LD_", strlen("AOUT_LD_")) &&
+        strncmp(varp, "_RLD_", strlen("_RLD_")) &&
+        strcmp(varp, "LIBPATH") &&
+        strcmp(varp, "ENV") &&
+        strcmp(varp, "IFS")) 
+    {
+        return 1;
+    } 
+    else {
+        /* optionally syslog(LOG_INFO) here */
+        return 0;
+    }
+}
+
+#else
+static int envvarok(char *varp) {
+    /*
+     * Allow only these variables.
+     */
+    if (!strcmp(varp, "TERM")) return 1;
+    if (!strcmp(varp, "DISPLAY")) return 1;
+    if (!strcmp(varp, "USER")) return 1;
+    if (!strcmp(varp, "LOGNAME")) return 1;
+    if (!strcmp(varp, "POSIXLY_CORRECT")) return 1;
+
+    /* optionally syslog(LOG_INFO) here */
+    return 0;
+}
+
+#endif
diff --git a/exploits/7350855-netkit/netkit-telnet-0.17/telnetd/sys_term.c b/exploits/7350855-netkit/netkit-telnet-0.17/telnetd/sys_term.c
new file mode 100644
index 0000000..4ec45bb
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.17/telnetd/sys_term.c
@@ -0,0 +1,744 @@
+/*
+ * Copyright (c) 1989 Regents of the University of California.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *      This product includes software developed by the University of
+ *      California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/*
+ * From: @(#)sys_term.c 5.16 (Berkeley) 3/22/91
+ */
+char st_rcsid[] = 
+  "$Id: sys_term.c,v 1.17 1999/12/17 14:28:47 dholland Exp $";
+
+#include <utmp.h>
+
+#include "telnetd.h"
+#include "pathnames.h"
+
+#if defined(__GLIBC__) && (__GLIBC__ >= 2)
+/* mmm, nonstandard */
+#include <pty.h>
+#else
+int openpty(int *, int *, char *, struct termios *, struct winsize *);
+#endif
+
+#define ARCH64 ((sizeof(void *)) == 8)
+#define ARCH32 ((sizeof(void *)) == 4)
+
+#if defined(AUTHENTICATE)
+#include <libtelnet/auth.h>
+#endif
+
+static struct termios termbuf, termbuf2;        /* pty control structure */
+
+/*static int cleanopen(char *line);*/
+
+/*
+ * init_termbuf()
+ * copy_termbuf(cp)
+ * set_termbuf()
+ *
+ * These three routines are used to get and set the "termbuf" structure
+ * to and from the kernel.  init_termbuf() gets the current settings.
+ * copy_termbuf() hands in a new "termbuf" to write to the kernel, and
+ * set_termbuf() writes the structure into the kernel.
+ */
+
+void init_termbuf(void) {
+    tcgetattr(pty, &termbuf);
+    termbuf2 = termbuf;
+}
+
+#if defined(LINEMODE) && defined(TIOCPKT_IOCTL)
+/*
+ * ?
+ */
+void copy_termbuf(char *cp, int len) {
+    if (len > sizeof(termbuf)) len = sizeof(termbuf);
+    bcopy(cp, (char *)&termbuf, len);
+    termbuf2 = termbuf;
+}
+#endif /* defined(LINEMODE) && defined(TIOCPKT_IOCTL) */
+
+void set_termbuf(void) {
+    if (memcmp(&termbuf, &termbuf2, sizeof(termbuf))) {
+        tcsetattr(pty, TCSANOW, &termbuf);
+    }
+}
+
+
+/*
+ * spcset(func, valp, valpp)
+ *
+ * This function takes various special characters (func), and
+ * sets *valp to the current value of that character, and
+ * *valpp to point to where in the "termbuf" structure that
+ * value is kept.
+ *
+ * It returns the SLC_ level of support for this function.
+ */
+
+
+int spcset(int func, cc_t *valp, cc_t **valpp) {
+
+#define setval(a, b)    *valp = termbuf.c_cc[a]; \
+                        *valpp = &termbuf.c_cc[a]; \
+                        return(b);
+#define defval(a) *valp = ((cc_t)a); *valpp = (cc_t *)0; return(SLC_DEFAULT);
+
+    switch(func) {
+    case SLC_EOF:
+        setval(VEOF, SLC_VARIABLE);
+    case SLC_EC:
+        setval(VERASE, SLC_VARIABLE);
+    case SLC_EL:
+        setval(VKILL, SLC_VARIABLE);
+    case SLC_IP:
+        setval(VINTR, SLC_VARIABLE|SLC_FLUSHIN|SLC_FLUSHOUT);
+    case SLC_ABORT:
+        setval(VQUIT, SLC_VARIABLE|SLC_FLUSHIN|SLC_FLUSHOUT);
+    case SLC_XON:
+#ifdef VSTART
+        setval(VSTART, SLC_VARIABLE);
+#else
+        defval(0x13);
+#endif
+    case SLC_XOFF:
+#ifdef  VSTOP
+        setval(VSTOP, SLC_VARIABLE);
+#else
+        defval(0x11);
+#endif
+    case SLC_EW:
+#ifdef  VWERASE
+        setval(VWERASE, SLC_VARIABLE);
+#else
+        defval(0);
+#endif
+    case SLC_RP:
+#ifdef  VREPRINT
+        setval(VREPRINT, SLC_VARIABLE);
+#else
+        defval(0);
+#endif
+    case SLC_LNEXT:
+#ifdef  VLNEXT
+        setval(VLNEXT, SLC_VARIABLE);
+#else
+        defval(0);
+#endif
+    case SLC_AO:
+#if     !defined(VDISCARD) && defined(VFLUSHO)
+# define VDISCARD VFLUSHO
+#endif
+#ifdef  VDISCARD
+        setval(VDISCARD, SLC_VARIABLE|SLC_FLUSHOUT);
+#else
+        defval(0);
+#endif
+    case SLC_SUSP:
+#ifdef  VSUSP
+        setval(VSUSP, SLC_VARIABLE|SLC_FLUSHIN);
+#else
+        defval(0);
+#endif
+#ifdef  VEOL
+    case SLC_FORW1:
+        setval(VEOL, SLC_VARIABLE);
+#endif
+#ifdef  VEOL2
+    case SLC_FORW2:
+        setval(VEOL2, SLC_VARIABLE);
+#endif
+    case SLC_AYT:
+#ifdef  VSTATUS
+        setval(VSTATUS, SLC_VARIABLE);
+#else
+        defval(0);
+#endif
+        
+    case SLC_BRK:
+    case SLC_SYNCH:
+    case SLC_EOR:
+        defval(0);
+        
+    default:
+        *valp = 0;
+        *valpp = 0;
+        return(SLC_NOSUPPORT);
+    }
+}
+
+/*
+ * getpty()
+ *
+ * Allocate a pty.  As a side effect, the external character
+ * array "line" contains the name of the slave side.
+ *
+ * Returns the file descriptor of the opened pty.
+ */
+static char linedata[PATH_MAX];
+char *line = linedata;
+
+static int ptyslavefd=-1;
+
+int getpty(void) {
+    int masterfd;
+
+    if (openpty(&masterfd, &ptyslavefd, line, NULL, NULL)) {
+        return -1;
+    }
+    return masterfd;
+}
+
+#ifdef  LINEMODE
+/*
+ * tty_flowmode()       Find out if flow control is enabled or disabled.
+ * tty_linemode()       Find out if linemode (external processing) is enabled.
+ * tty_setlinemod(on)   Turn on/off linemode.
+ * tty_isecho()         Find out if echoing is turned on.
+ * tty_setecho(on)      Enable/disable character echoing.
+ * tty_israw()          Find out if terminal is in RAW mode.
+ * tty_binaryin(on)     Turn on/off BINARY on input.
+ * tty_binaryout(on)    Turn on/off BINARY on output.
+ * tty_isediting()      Find out if line editing is enabled.
+ * tty_istrapsig()      Find out if signal trapping is enabled.
+ * tty_setedit(on)      Turn on/off line editing.
+ * tty_setsig(on)       Turn on/off signal trapping.
+ * tty_issofttab()      Find out if tab expansion is enabled.
+ * tty_setsofttab(on)   Turn on/off soft tab expansion.
+ * tty_islitecho()      Find out if typed control chars are echoed literally
+ * tty_setlitecho()     Turn on/off literal echo of control chars
+ * tty_tspeed(val)      Set transmit speed to val.
+ * tty_rspeed(val)      Set receive speed to val.
+ */
+
+int tty_flowmode(void) {
+    return (termbuf.c_iflag & IXON ? 1 : 0);
+}
+
+int tty_linemode(void) {
+    return (termbuf.c_lflag & EXTPROC);
+}
+
+void tty_setlinemode(int on) {
+#ifdef TIOCEXT
+    set_termbuf();
+    ioctl(pty, TIOCEXT, (char *)&on);
+    init_termbuf();
+#else   /* !TIOCEXT */
+# ifdef EXTPROC
+    if (on) termbuf.c_lflag |= EXTPROC;
+    else termbuf.c_lflag &= ~EXTPROC;
+# endif
+#endif  /* TIOCEXT */
+}
+
+int tty_isecho(void) {
+    return (termbuf.c_lflag & ECHO);
+}
+#endif  /* LINEMODE */
+
+void tty_setecho(int on) {
+    if (on) termbuf.c_lflag |= ECHO;
+    else termbuf.c_lflag &= ~ECHO;
+}
+
+#if defined(LINEMODE) && defined(KLUDGELINEMODE)
+int tty_israw(void) {
+    return(!(termbuf.c_lflag & ICANON));
+}
+#endif  /* defined(LINEMODE) && defined(KLUDGELINEMODE) */
+
+void tty_binaryin(int on) {
+    if (on) {
+        termbuf.c_iflag &= ~ISTRIP;
+    }
+    else {
+        termbuf.c_iflag |= ISTRIP;
+    }
+}
+
+void tty_binaryout(int on) {
+    if (on) {
+        termbuf.c_cflag &= ~(CSIZE|PARENB);
+        termbuf.c_cflag |= CS8;
+        termbuf.c_oflag &= ~OPOST;
+    } 
+    else {
+        termbuf.c_cflag &= ~CSIZE;
+        termbuf.c_cflag |= CS7|PARENB;
+        termbuf.c_oflag |= OPOST;
+    }
+}
+
+int tty_isbinaryin(void) {
+    return (!(termbuf.c_iflag & ISTRIP));
+}
+
+int tty_isbinaryout(void) {
+    return (!(termbuf.c_oflag&OPOST));
+}
+
+#ifdef  LINEMODE
+int tty_isediting(void) {
+    return(termbuf.c_lflag & ICANON);
+}
+
+int tty_istrapsig(void) {
+    return(termbuf.c_lflag & ISIG);
+}
+
+void tty_setedit(int on) {
+    if (on) termbuf.c_lflag |= ICANON;
+    else termbuf.c_lflag &= ~ICANON;
+}
+
+void tty_setsig(int on) {
+    if (on) termbuf.c_lflag |= ISIG;
+    else termbuf.c_lflag &= ~ISIG;
+}
+#endif  /* LINEMODE */
+
+int tty_issofttab(void) {
+#ifdef OXTABS
+    return (termbuf.c_oflag & OXTABS);
+#endif
+#ifdef TABDLY
+    return ((termbuf.c_oflag & TABDLY) == TAB3);
+#endif
+}
+
+void tty_setsofttab(int on) {
+    if (on) {
+#ifdef  OXTABS
+        termbuf.c_oflag |= OXTABS;
+#endif
+#ifdef  TABDLY
+        termbuf.c_oflag &= ~TABDLY;
+        termbuf.c_oflag |= TAB3;
+#endif
+    } 
+    else {
+#ifdef  OXTABS
+        termbuf.c_oflag &= ~OXTABS;
+#endif
+#ifdef  TABDLY
+        termbuf.c_oflag &= ~TABDLY;
+        termbuf.c_oflag |= TAB0;
+#endif
+    }
+}
+
+int tty_islitecho(void) {
+    return (!(termbuf.c_lflag & ECHOCTL));
+}
+
+void tty_setlitecho(int on) {
+    if (on) termbuf.c_lflag &= ~ECHOCTL;
+    else termbuf.c_lflag |= ECHOCTL;
+}
+
+int tty_iscrnl(void) {
+    return (termbuf.c_iflag & ICRNL);
+}
+
+/*
+ * A table of available terminal speeds
+ */
+struct termspeeds {
+        int     speed;
+        int     value;
+} termspeeds[] = {
+        { 0,     B0 },    { 50,    B50 },   { 75,    B75 },
+        { 110,   B110 },  { 134,   B134 },  { 150,   B150 },
+        { 200,   B200 },  { 300,   B300 },  { 600,   B600 },
+        { 1200,  B1200 }, { 1800,  B1800 }, { 2400,  B2400 },
+        { 4800,  B4800 }, { 9600,  B9600 }, { 19200, B9600 },
+        { 38400, B9600 }, { -1,    B9600 }
+};
+
+void tty_tspeed(int val) {
+    struct termspeeds *tp;
+    for (tp = termspeeds; (tp->speed != -1) && (val > tp->speed); tp++);
+    cfsetospeed(&termbuf, tp->value);
+}
+
+void tty_rspeed(int val) {
+    struct termspeeds *tp;
+    for (tp = termspeeds; (tp->speed != -1) && (val > tp->speed); tp++);
+    cfsetispeed(&termbuf, tp->value);
+}
+
+/*
+ * getptyslave()
+ *
+ * Open the slave side of the pty, and do any initialization
+ * that is necessary.  The return value is a file descriptor
+ * for the slave side.
+ */
+#ifdef  TIOCGWINSZ
+extern int def_row, def_col;
+#endif
+extern int def_tspeed, def_rspeed;
+
+static int getptyslave(void) {
+#if 0
+    register int t = -1;
+
+# ifdef LINEMODE
+    int waslm;
+# endif
+# ifdef TIOCGWINSZ
+    struct winsize ws;
+# endif
+    /*
+     * Opening the slave side may cause initilization of the
+     * kernel tty structure.  We need remember the state of
+     *  if linemode was turned on
+     *  terminal window size
+     *  terminal speed
+     * so that we can re-set them if we need to.
+     */
+# ifdef LINEMODE
+    waslm = tty_linemode();
+# endif
+
+
+    /*
+     * Make sure that we don't have a controlling tty, and
+     * that we are the session (process group) leader.
+     */
+    t = open(_PATH_TTY, O_RDWR);
+    if (t >= 0) {
+        ioctl(t, TIOCNOTTY, (char *)0);
+        close(t);
+    }
+
+    t = cleanopen(line);
+    if (t < 0) fatalperror(net, line);
+#endif /* 0 */
+
+    struct winsize ws;
+    int t = ptyslavefd;
+
+    /*
+     * set up the tty modes as we like them to be.
+     */
+    init_termbuf();
+# ifdef TIOCGWINSZ
+    if (def_row || def_col) {
+        bzero((char *)&ws, sizeof(ws));
+        ws.ws_col = def_col;
+        ws.ws_row = def_row;
+        ioctl(t, TIOCSWINSZ, (char *)&ws);
+    }
+# endif
+
+    /*
+     * Settings for all other termios/termio based
+     * systems, other than 4.4BSD.  In 4.4BSD the
+     * kernel does the initial terminal setup.
+     *
+     * XXX what about linux?
+     */
+#  ifndef       OXTABS
+#   define OXTABS       0
+#  endif
+    termbuf.c_lflag |= ECHO;
+    termbuf.c_oflag |= OPOST|ONLCR|OXTABS;
+    termbuf.c_iflag |= ICRNL;
+    termbuf.c_iflag &= ~IXOFF;
+
+    tty_rspeed((def_rspeed > 0) ? def_rspeed : 9600);
+    tty_tspeed((def_tspeed > 0) ? def_tspeed : 9600);
+# ifdef LINEMODE
+    if (waslm) tty_setlinemode(1);
+# endif /* LINEMODE */
+
+    /*
+     * Set the tty modes, and make this our controlling tty.
+     */
+    set_termbuf();
+    if (login_tty(t) == -1) fatalperror(net, "login_tty");
+
+    if (net > 2) close(net);
+    if (pty > 2) close(pty);
+    return t;
+}
+
+#if 0
+#ifndef O_NOCTTY
+#define O_NOCTTY        0
+#endif
+/*
+ * Open the specified slave side of the pty,
+ * making sure that we have a clean tty.
+ */
+static int cleanopen(char *lyne) {
+    register int t;
+
+    /*
+     * Make sure that other people can't open the
+     * slave side of the connection.
+     */
+    chown(lyne, 0, 0);
+    chmod(lyne, 0600);
+
+#ifndef NO_REVOKE
+    revoke(lyne);
+#endif
+
+    t = open(lyne, O_RDWR|O_NOCTTY);
+    if (t < 0) return(-1);
+
+    /*
+     * Hangup anybody else using this ttyp, then reopen it for
+     * ourselves.
+     */
+# if !defined(__linux__)
+    /* this looks buggy to me, our ctty is really a pty at this point */
+    signal(SIGHUP, SIG_IGN);
+    vhangup();
+    signal(SIGHUP, SIG_DFL);
+    t = open(lyne, O_RDWR|O_NOCTTY);
+    if (t < 0) return(-1);
+# endif
+    return(t);
+}
+#endif /* 0 */
+
+int login_tty(int t) {
+    if (setsid() < 0) fatalperror(net, "setsid()");
+    if (ioctl(t, TIOCSCTTY, (char *)0) < 0) {
+        fatalperror(net, "ioctl(sctty)");
+    }
+    if (t != 0) dup2(t, 0);
+    if (t != 1) dup2(t, 1);
+    if (t != 2) dup2(t, 2);
+    if (t > 2) close(t);
+    return 0;
+}
+
+/*
+ * startslave(host)
+ *
+ * Given a hostname, do whatever
+ * is necessary to startup the login process on the slave side of the pty.
+ */
+
+/* ARGSUSED */
+void startslave(const char *host, int autologin, char *autoname) {
+    int i;
+
+#if defined(AUTHENTICATE)
+    if (!autoname || !autoname[0]) autologin = 0;
+    if (autologin < auth_level) {
+        fatal(net, "Authorization failed");
+        exit(1);
+    }
+#endif
+
+    i = fork();
+    if (i < 0) fatalperror(net, "fork");
+    if (i) {
+        /* parent */
+        signal(SIGHUP,SIG_IGN);
+        close(ptyslavefd);
+    } 
+    else {
+        /* child */
+        signal(SIGHUP,SIG_IGN);
+        getptyslave();
+        start_login(host, autologin, autoname);
+        /*NOTREACHED*/
+    }
+}
+
+char *envinit[3];
+
+void init_env(void) {
+    char **envp;
+    envp = envinit;
+    if ((*envp = getenv("TZ"))!=NULL)
+        *envp++ -= 3;
+    *envp = 0;
+    environ = envinit;
+}
+
+/*
+ * start_login(host)
+ *
+ * Assuming that we are now running as a child processes, this
+ * function will turn us into the login process.
+ */
+
+struct argv_stuff {
+   const char **argv;
+   int argc;
+   int argmax;
+};
+
+static void addarg(struct argv_stuff *, const char *);
+static void initarg(struct argv_stuff *);
+
+void start_login(const char *host, int autologin, const char *name) {
+    struct argv_stuff avs;
+    char *const *argvfoo;
+    (void)autologin;
+
+    initarg(&avs);
+
+    /*
+     * -h : pass on name of host.
+     *          WARNING:  -h is accepted by login if and only if
+     *                  getuid() == 0.
+     * -p : don't clobber the environment (so terminal type stays set).
+     *
+     * -f : force this login, he has already been authenticated
+     */
+    addarg(&avs, loginprg);
+    addarg(&avs, "-h");
+    addarg(&avs, host);
+#if !defined(NO_LOGIN_P)
+    addarg(&avs, "-p");
+#endif
+#ifdef BFTPDAEMON
+    /*
+     * Are we working as the bftp daemon?  If so, then ask login
+     * to start bftp instead of shell.
+     */
+    if (bftpd) {
+        addarg(&avs, "-e");
+        addarg(&avs, BFTPPATH);
+    } 
+    else
+#endif
+    {
+#if defined (SecurID)
+        /*
+         * don't worry about the -f that might get sent.
+         * A -s is supposed to override it anyhow.
+         */
+        if (require_SecurID) addarg(&avs, "-s");
+#endif
+        if (*name=='-') {
+            syslog(LOG_ERR, "Attempt to login with an option!");
+            name = "";
+        }
+#if defined (AUTHENTICATE)
+        if (auth_level >= 0 && autologin == AUTH_VALID) {
+# if !defined(NO_LOGIN_F)
+            addarg(&avs, "-f");
+# endif
+            addarg(&avs, name);
+        } 
+        else
+#endif
+        {
+            if (getenv("USER")) {
+                addarg(&avs, getenv("USER"));
+                if (*getenv("USER") == '-') {
+                    write(1,"I don't hear you!\r\n",19);
+                    syslog(LOG_ERR,"Attempt to login with an option!");
+                    exit(1);
+                }
+            }
+        }
+    }
+    closelog();
+    /* execv() should really take char const* const *, but it can't */ 
+    /*argvfoo = argv*/;
+    memcpy(&argvfoo, &avs.argv, sizeof(argvfoo));
+    execv(loginprg, argvfoo);
+
+    openlog("telnetd", LOG_PID | LOG_ODELAY, LOG_DAEMON);
+    syslog(LOG_ERR, "%s: %m\n", loginprg);
+    closelog();
+    fatalperror(net, loginprg);
+}
+
+static void initarg(struct argv_stuff *avs) {
+   /*
+    * 10 entries and a null
+    */
+   avs->argmax = 11;
+   avs->argv = malloc(sizeof(avs->argv[0]) * avs->argmax);
+   if (avs->argv == NULL) {
+      fprintf(stderr, "Out of memory\n");
+      exit(1);
+   }
+   avs->argc = 0;
+   avs->argv[0] = NULL;
+}
+
+static void addarg(struct argv_stuff *avs, const char *val) {
+   if (avs->argc>=avs->argmax-1) {
+       avs->argmax += 10;
+       avs->argv = realloc(avs->argv, sizeof(avs->argv[0])*avs->argmax);
+       if (avs->argv == NULL) {
+          fprintf(stderr, "Out of memory\n");
+          exit(1);
+       }
+   }
+
+   avs->argv[avs->argc++] = val;
+   avs->argv[avs->argc] = NULL;
+}
+
+/*
+ * cleanup()
+ *
+ * This is the routine to call when we are all through, to
+ * clean up anything that needs to be cleaned up.
+ */
+void cleanup(int sig) {
+    char *p;
+    (void)sig;
+
+    p = line + sizeof("/dev/") - 1;
+    if (logout(p)) logwtmp(p, "", "");
+#ifdef PARANOID_TTYS
+    /*
+     * dholland 16-Aug-96 chmod the tty when not in use
+     * This will make it harder to attach unwanted stuff to it
+     * (which is a security risk) but will break some programs.
+     */
+    chmod(line, 0600);
+#else
+    chmod(line, 0666);
+#endif
+    chown(line, 0, 0);
+    *p = 'p';
+    chmod(line, 0666);
+    chown(line, 0, 0);
+    shutdown(net, 2);
+    exit(0);
+}
diff --git a/exploits/7350855-netkit/netkit-telnet-0.17/telnetd/telnetd.8 b/exploits/7350855-netkit/netkit-telnet-0.17/telnetd/telnetd.8
new file mode 100644
index 0000000..794e4f2
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.17/telnetd/telnetd.8
@@ -0,0 +1,486 @@
+.\" Copyright (c) 1983 The Regents of the University of California.
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 3. All advertising materials mentioning features or use of this software
+.\"    must display the following acknowledgement:
+.\"     This product includes software developed by the University of
+.\"     California, Berkeley and its contributors.
+.\" 4. Neither the name of the University nor the names of its contributors
+.\"    may be used to endorse or promote products derived from this software
+.\"    without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\"     from: @(#)telnetd.8     6.8 (Berkeley) 4/20/91
+.\"     $Id: telnetd.8,v 1.18 2000/07/30 23:57:10 dholland Exp $
+.\"
+.Dd December 29, 1996
+.Dt TELNETD 8
+.Os "Linux NetKit (0.17)"
+.Sh NAME
+.Nm telnetd
+.Nd DARPA
+.Tn telnet
+protocol server
+.Sh SYNOPSIS
+.Nm /usr/sbin/in.telnetd
+.Op Fl hns
+.Op Fl a Ar authmode
+.Op Fl D Ar debugmode
+.Op Fl L Ar loginprg
+.Op Fl S Ar tos
+.Op Fl X Ar authtype
+.Op Fl edebug
+.Op Fl debug Ar port
+.Sh DESCRIPTION
+The
+.Nm telnetd
+program is a server which supports the 
+.Tn DARPA
+.Tn telnet
+interactive communication protocol.
+.Nm Telnetd
+is normally invoked by the internet server (see
+.Xr inetd 8 )
+for requests to connect to the
+.Tn telnet
+port as indicated by the
+.Pa /etc/services
+file (see
+.Xr services 5 ) .
+The
+.Fl debug
+option may be used to start up 
+.Nm telnetd
+manually, instead of through
+.Xr inetd 8 .
+If started up this way, 
+.Ar port
+may be specified to run 
+.Nm telnetd
+on an alternate 
+.Tn TCP 
+port number.
+.Pp
+The 
+.Nm telnetd
+program accepts the following options:
+.Bl -tag -width "-a authmode"
+.It Fl a Ar authmode
+This option may be used for specifying what mode should
+be used for authentication.
+Note that this option is only useful if
+.Nm telnetd
+has been compiled with support for authentication, which is not
+available in the current version.  The following values of
+.Ar authmode 
+are understood:
+.Bl -tag -width debug
+.It debug
+Turns on authentication debugging code.
+.It user
+Only allow connections when the remote user can provide valid
+authentication information to identify the remote user, and is allowed
+access to the specified account without providing a password.
+.It valid
+Only allow connections when the remote user can provide valid
+authentication information to identify the remote user.  The
+.Xr login 1
+command will provide any additional user verification needed if the
+remote user is not allowed automatic access to the specified account.
+.It other
+Only allow connections that supply some authentication information.
+This option is currently not supported by any of the existing
+authentication mechanisms, and is thus the same as specifying
+.Cm valid .
+.It none
+This is the default state.  Authentication information is not
+required.  If no or insufficient authentication information is
+provided, then the
+.Xr login 1
+program will provide the necessary user verification.
+.It off
+This disables the authentication code.  All user verification will
+happen through the
+.Xr login 1
+program.
+.El
+.It Fl D Ar debugmode
+This option may be used for debugging purposes.  This allows
+.Nm telnetd
+to print out debugging information to the connection, allowing the
+user to see what
+.Nm telnetd
+is doing.  There are several possible values for
+.Ar debugmode:
+.Bl -tag -width exercise
+.It Cm options
+Prints information about the negotiation of
+.Tn telnet
+options.
+.It Cm report
+Prints the 
+.Cm options
+information, plus some additional information about what processing is
+going on.
+.It Cm netdata
+Displays the data stream received by
+.Nm telnetd.
+.It Cm ptydata
+Displays data written to the pty.
+.It Cm exercise
+Has not been implemented yet.
+.El
+.It Fl edebug
+If
+.Nm telnetd
+has been compiled with support for encryption, then the
+.Fl edebug
+option may be used to enable encryption debugging code.
+.It Fl h
+Disables the printing of host-specific information before
+login has been completed.
+.It Fl L Ar loginprg
+This option may be used to specify a different login program.
+By default, 
+.Pa /usr/sbin/telnetlogin
+is used.
+.It Fl n
+Disable
+.Dv TCP
+keep-alives.  Normally
+.Nm telnetd
+enables the
+.Tn TCP
+keep-alive mechanism to probe connections that
+have been idle for some period of time to determine
+if the client is still there, so that idle connections
+from machines that have crashed or can no longer
+be reached may be cleaned up.
+.It Fl s
+This option is only enabled if
+.Nm telnetd
+is compiled with support for
+.Tn SecurID
+cards.
+It causes the
+.Fl s
+option to be passed on to
+.Xr login 1 ,
+and thus is only useful if
+.Xr login 1
+supports the
+.Fl s
+flag to indicate that only
+.Tn SecurID
+validated logins are allowed. This is usually useful for controlling
+remote logins from outside of a firewall.
+.It Fl S Ar tos
+Sets the IP type-of-service (TOS) option for the telnet
+connection to the value
+.Ar tos .
+.It Fl X Ar authtype
+This option is only valid if
+.Nm telnetd
+has been built with support for the authentication option.
+It disables the use of
+.Ar authtype
+authentication, and
+can be used to temporarily disable
+a specific authentication type without having to recompile
+.Nm telnetd .
+.El
+.Pp
+If the file
+.Pa /etc/issue.net
+is present,
+.Nm telnetd
+will display its contents before the login prompt of a telnet session (see
+.Xr issue.net 5 ) .
+.Pp
+.Nm Telnetd
+operates by allocating a pseudo-terminal device (see
+.Xr pty 4 )
+for a client, then creating a login process which has
+the slave side of the pseudo-terminal as 
+.Dv stdin ,
+.Dv stdout ,
+and
+.Dv stderr .
+.Nm Telnetd
+manipulates the master side of the pseudo-terminal,
+implementing the
+.Tn telnet
+protocol and passing characters
+between the remote client and the login process.
+.Pp
+When a
+.Tn telnet
+session is started up, 
+.Nm telnetd
+sends
+.Tn telnet
+options to the client side indicating
+a willingness to do the
+following
+.Tn telnet
+options, which are described in more detail below:
+.Bd -literal -offset indent
+DO AUTHENTICATION
+WILL ENCRYPT
+DO TERMINAL TYPE
+DO TSPEED
+DO XDISPLOC
+DO NEW-ENVIRON
+DO ENVIRON
+WILL SUPPRESS GO AHEAD
+DO ECHO
+DO LINEMODE
+DO NAWS
+WILL STATUS
+DO LFLOW
+DO TIMING-MARK
+.Ed
+.Pp
+The pseudo-terminal allocated to the client is configured
+to operate in \*(lqcooked\*(rq mode, and with 
+.Dv XTABS
+.Dv CRMOD
+enabled (see
+.Xr tty 4 ) .
+.Pp
+.Nm Telnetd
+has support for enabling locally the following
+.Tn telnet
+options:
+.Bl -tag -width "DO AUTHENTICATION"
+.It "WILL ECHO"
+When the
+.Dv LINEMODE
+option is enabled, a
+.Dv WILL ECHO
+or
+.Dv WONT ECHO
+will be sent to the client to indicate the
+current state of terminal echoing.
+When terminal echo is not desired, a
+.Dv WILL ECHO
+is sent to indicate that
+.Tn telnetd
+will take care of echoing any data that needs to be
+echoed to the terminal, and then nothing is echoed.
+When terminal echo is desired, a
+.Dv WONT ECHO
+is sent to indicate that
+.Tn telnetd
+will not be doing any terminal echoing, so the
+client should do any terminal echoing that is needed.
+.It "WILL BINARY"
+Indicates that the client is willing to send a
+8 bits of data, rather than the normal 7 bits
+of the Network Virtual Terminal.
+.It "WILL SGA"
+Indicates that it will not be sending
+.Dv IAC GA,
+go ahead, commands.
+.It "WILL STATUS"
+Indicates a willingness to send the client, upon
+request, of the current status of all
+.Tn TELNET
+options.
+.It "WILL TIMING-MARK"
+Whenever a
+.Dv DO TIMING-MARK
+command is received, it is always responded
+to with a
+.Dv WILL TIMING-MARK
+.It "WILL LOGOUT"
+When a
+.Dv DO LOGOUT
+is received, a
+.Dv WILL LOGOUT
+is sent in response, and the
+.Tn TELNET
+session is shut down.
+.It "WILL ENCRYPT"
+Only sent if
+.Nm telnetd
+is compiled with support for data encryption, and
+indicates a willingness to decrypt
+the data stream.
+.El
+.Pp
+.Nm Telnetd
+has support for enabling remotely the following
+.Tn TELNET
+options:
+.Bl -tag -width "DO AUTHENTICATION"
+.It "DO BINARY"
+Sent to indicate that
+.Tn telnetd
+is willing to receive an 8 bit data stream.
+.It "DO LFLOW"
+Requests that the client handle flow control
+characters remotely.
+.It "DO ECHO"
+This is not really supported, but is sent to identify a 4.2BSD
+.Xr telnet 1
+client, which will improperly respond with
+.Dv WILL ECHO.
+If a
+.Dv WILL ECHO
+is received, a
+.Dv DONT ECHO
+will be sent in response.
+.It "DO TERMINAL-TYPE"
+Indicates a desire to be able to request the
+name of the type of terminal that is attached
+to the client side of the connection.
+.It "DO SGA"
+Indicates that it does not need to receive
+.Dv IAC GA,
+the go ahead command.
+.It "DO NAWS"
+Requests that the client inform the server when
+the window (display) size changes.
+.It "DO TERMINAL-SPEED"
+Indicates a desire to be able to request information
+about the speed of the serial line to which
+the client is attached.
+.It "DO XDISPLOC"
+Indicates a desire to be able to request the name
+of the X windows display that is associated with
+the telnet client.
+.It "DO NEW-ENVIRON"
+Indicates a desire to be able to request environment
+variable information, as described in RFC 1572.
+.It "DO ENVIRON"
+Indicates a desire to be able to request environment
+variable information, as described in RFC 1408.
+.It "DO LINEMODE"
+Only sent if
+.Nm telnetd
+is compiled with support for linemode, and
+requests that the client do line by line processing.
+.It "DO TIMING-MARK"
+Only sent if
+.Nm telnetd
+is compiled with support for both linemode and
+kludge linemode, and the client responded with
+.Dv WONT LINEMODE.
+If the client responds with
+.Dv WILL TM,
+the it is assumed that the client supports
+kludge linemode.
+Note that the
+.Op Fl k
+option can be used to disable this.
+.It "DO AUTHENTICATION"
+Only sent if
+.Nm telnetd
+is compiled with support for authentication, and
+indicates a willingness to receive authentication
+information for automatic login.
+.It "DO ENCRYPT"
+Only sent if
+.Nm telnetd
+is compiled with support for data encryption, and
+indicates a willingness to decrypt
+the data stream.
+.Xr issue.net 5 ) .
+.Sh FILES
+.Pa /etc/services ,
+.Pa /etc/issue.net
+.Sh "SEE ALSO"
+.Xr telnet 1 ,
+.Xr login 1 ,
+.Xr issue.net 5 ,
+.Sh STANDARDS
+.Bl -tag -compact -width RFC-1572
+.It Cm RFC-854
+.Tn TELNET
+PROTOCOL SPECIFICATION
+.It Cm RFC-855
+TELNET OPTION SPECIFICATIONS
+.It Cm RFC-856
+TELNET BINARY TRANSMISSION
+.It Cm RFC-857
+TELNET ECHO OPTION
+.It Cm RFC-858
+TELNET SUPPRESS GO AHEAD OPTION
+.It Cm RFC-859
+TELNET STATUS OPTION
+.It Cm RFC-860
+TELNET TIMING MARK OPTION
+.It Cm RFC-861
+TELNET EXTENDED OPTIONS - LIST OPTION
+.It Cm RFC-885
+TELNET END OF RECORD OPTION
+.It Cm RFC-1073
+Telnet Window Size Option
+.It Cm RFC-1079
+Telnet Terminal Speed Option
+.It Cm RFC-1091
+Telnet Terminal-Type Option
+.It Cm RFC-1096
+Telnet X Display Location Option
+.It Cm RFC-1123
+Requirements for Internet Hosts -- Application and Support
+.It Cm RFC-1184
+Telnet Linemode Option
+.It Cm RFC-1372
+Telnet Remote Flow Control Option
+.It Cm RFC-1416
+Telnet Authentication Option
+.It Cm RFC-1411
+Telnet Authentication: Kerberos Version 4
+.It Cm RFC-1412
+Telnet Authentication: SPX
+.It Cm RFC-1571
+Telnet Environment Option Interoperability Issues
+.It Cm RFC-1572
+Telnet Environment Option
+.Sh BUGS
+Some
+.Tn TELNET
+commands are only partially implemented.
+.Pp
+Because of bugs in the original 4.2 BSD
+.Xr telnet 1 ,
+.Nm telnetd
+performs some dubious protocol exchanges to try to discover if the remote
+client is, in fact, a 4.2 BSD
+.Xr telnet 1 .
+.Pp
+Binary mode
+has no common interpretation except between similar operating systems
+(Unix in this case).
+.Pp
+The terminal type name received from the remote client is converted to
+lower case.
+.Pp
+.Nm Telnetd
+never sends
+.Tn TELNET
+.Dv IAC GA
+(go ahead) commands.
+.Pp
+The source code is not comprehensible.
diff --git a/exploits/7350855-netkit/netkit-telnet-0.17/telnetd/telnetd.c b/exploits/7350855-netkit/netkit-telnet-0.17/telnetd/telnetd.c
new file mode 100644
index 0000000..7ff330c
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.17/telnetd/telnetd.c
@@ -0,0 +1,1208 @@
+/*
+ * Copyright (c) 1989 Regents of the University of California.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *      This product includes software developed by the University of
+ *      California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+char copyright[] =
+  "@(#) Copyright (c) 1989 Regents of the University of California.\n"
+  "All rights reserved.\n";
+
+/*
+ * From: @(#)telnetd.c  5.48 (Berkeley) 3/1/91
+ */
+char telnetd_rcsid[] = 
+  "$Id: telnetd.c,v 1.24 2000/04/12 21:36:12 dholland Exp $";
+
+#include "../version.h"
+
+#include <sys/socket.h>
+#include <netdb.h>
+#include <termcap.h>
+#include <netinet/in.h>
+/* #include <netinet/ip.h> */ /* Don't think this is used at all here */
+#include <arpa/inet.h>
+#include <assert.h>
+#include <poll.h>
+#include <fcntl.h>
+#include <unistd.h>
+#include "telnetd.h"
+#include "pathnames.h"
+#include "setproctitle.h"
+
+#if     defined(AUTHENTICATE)
+#include <libtelnet/auth.h>
+#include <libtelnet/auth-proto.h>
+#include <libtelnet/misc-proto.h>
+int     auth_level = 0;
+#endif
+#if     defined(SecurID)
+int     require_SecurID = 0;
+#endif
+
+/* In Linux, this is an enum */
+#if defined(__linux__) || defined(IPPROTO_IP)
+#define HAS_IPPROTO_IP
+#endif
+
+static void doit(struct sockaddr *who, socklen_t who_len);
+static int terminaltypeok(const char *s);
+
+/*
+ * I/O data buffers,
+ * pointers, and counters.
+ */
+char    ptyibuf[BUFSIZ], *ptyip = ptyibuf;
+char    ptyibuf2[BUFSIZ];
+
+int     hostinfo = 1;                   /* do we print login banner? */
+
+int debug = 0;
+int keepalive = 1;
+#ifdef LOGIN_WRAPPER
+char *loginprg = LOGIN_WRAPPER;
+#else
+char *loginprg = _PATH_LOGIN;
+#endif
+char *progname;
+
+extern void usage(void);
+
+static void
+wait_for_connection(const char *service)
+{
+        struct addrinfo hints;
+        struct addrinfo *res, *addr;
+        struct pollfd *fds, *fdp;
+        int nfds;
+        int i;
+        int error;
+        int on = 1;
+
+        memset(&hints, 0, sizeof(hints));
+        hints.ai_family = PF_UNSPEC;
+        hints.ai_flags = AI_PASSIVE;
+        hints.ai_socktype = SOCK_STREAM;
+        error = getaddrinfo(NULL, service, &hints, &res);
+        if (error) {
+                fprintf(stderr, "telnetd: getaddrinfo: %s\n",
+                        gai_strerror(error));
+                exit(1);
+        }
+
+        for (addr = res, nfds = 0; addr; addr = addr->ai_next, nfds++)
+                ;
+        fds = malloc(sizeof(struct pollfd) * nfds);
+        for (addr = res, fdp = fds; addr; addr = addr->ai_next, fdp++) {
+                int s;
+
+                if (addr->ai_family == AF_LOCAL) {
+nextaddr:
+                        fdp--;
+                        nfds--;
+                        continue;
+                }
+
+                s = socket(addr->ai_family, SOCK_STREAM, 0);
+                if (s < 0) {
+                        if (errno == EAFNOSUPPORT || errno == EINVAL) {
+                                goto nextaddr;
+                        }
+                        perror("telnetd: socket");
+                        exit(1);
+                }
+                setsockopt(s, SOL_SOCKET, SO_REUSEADDR, &on, sizeof(on));
+                if (bind(s, addr->ai_addr, addr->ai_addrlen) < 0) {
+                        if (errno == EADDRINUSE) {
+                                /* Must be Linux! */
+                                close(s);
+                                goto nextaddr;
+                        }
+                        perror("bind");
+                        exit(1);
+                }
+                if (listen(s, 1)) {
+                        perror("listen");
+                        exit(1);
+                }
+                if (fcntl(s, F_SETFL, O_NONBLOCK)) {
+                        perror("fcntl");
+                        exit(1);
+                }
+
+                fdp->fd = s;
+                fdp->events = POLLIN;
+        }
+
+        freeaddrinfo(res);
+
+        while (1) {
+                if (poll(fds, nfds, -1) < 0) {
+                        if (errno == EINTR) {
+                                continue;
+                        }
+                        perror("poll");
+                        exit(1);
+                }
+
+                for (i = 0, fdp = fds; i < nfds; i++, fdp++) {
+                        int fd;
+
+                        if (!(fdp->revents & POLLIN)) {
+                                continue;
+                        }
+
+                        fd = accept(fdp->fd, 0, 0);
+                        if (fd >= 0) {
+                                dup2(fd, 0);
+                                close(fd);
+                                goto out;
+                        }
+                        if (errno != EAGAIN) {
+                                perror("accept");
+                                exit(1);
+                        }
+                }
+        }
+
+out:
+        for (i = 0, fdp = fds; i < nfds; i++, fdp++) {
+                close(fdp->fd);
+        }
+        free(fds);
+}
+
+int
+main(int argc, char *argv[], char *env[])
+{
+        struct sockaddr_storage from;
+        int on = 1;
+        socklen_t fromlen;
+        register int ch;
+
+#if     defined(HAS_IPPROTO_IP) && defined(IP_TOS)
+        int tos = -1;
+#endif
+
+        initsetproctitle(argc, argv, env);
+
+        pfrontp = pbackp = ptyobuf;
+        netip = netibuf;
+
+        progname = strdup(*argv);
+
+        while ((ch = getopt(argc, argv, "d:a:e:lhnr:I:D:B:sS:a:X:L:")) != EOF) {
+                switch(ch) {
+
+#ifdef  AUTHENTICATE
+                case 'a':
+                        /*
+                         * Check for required authentication level
+                         */
+                        if (strcmp(optarg, "debug") == 0) {
+                                extern int auth_debug_mode;
+                                auth_debug_mode = 1;
+                        } else if (strcasecmp(optarg, "none") == 0) {
+                                auth_level = 0;
+                        } else if (strcasecmp(optarg, "other") == 0) {
+                                auth_level = AUTH_OTHER;
+                        } else if (strcasecmp(optarg, "user") == 0) {
+                                auth_level = AUTH_USER;
+                        } else if (strcasecmp(optarg, "valid") == 0) {
+                                auth_level = AUTH_VALID;
+                        } else if (strcasecmp(optarg, "off") == 0) {
+                                /*
+                                 * This hack turns off authentication
+                                 */
+                                auth_level = -1;
+                        } else {
+                                fprintf(stderr,
+                            "telnetd: unknown authorization level for -a\n");
+                        }
+                        break;
+#endif  /* AUTHENTICATE */
+
+#ifdef BFTPDAEMON
+                case 'B':
+                        bftpd++;
+                        break;
+#endif /* BFTPDAEMON */
+
+                case 'd':
+                        if (strcmp(optarg, "ebug") == 0) {
+                                debug++;
+                                break;
+                        }
+                        usage();
+                        /* NOTREACHED */
+                        break;
+
+#ifdef DIAGNOSTICS
+                case 'D':
+                        /*
+                         * Check for desired diagnostics capabilities.
+                         */
+                        if (!strcmp(optarg, "report")) {
+                                diagnostic |= TD_REPORT|TD_OPTIONS;
+                        } else if (!strcmp(optarg, "exercise")) {
+                                diagnostic |= TD_EXERCISE;
+                        } else if (!strcmp(optarg, "netdata")) {
+                                diagnostic |= TD_NETDATA;
+                        } else if (!strcmp(optarg, "ptydata")) {
+                                diagnostic |= TD_PTYDATA;
+                        } else if (!strcmp(optarg, "options")) {
+                                diagnostic |= TD_OPTIONS;
+                        } else {
+                                usage();
+                                /* NOT REACHED */
+                        }
+                        break;
+#endif /* DIAGNOSTICS */
+
+#ifdef  AUTHENTICATE
+                case 'e':
+                        if (strcmp(optarg, "debug") == 0) {
+                                extern int auth_debug_mode;
+                                auth_debug_mode = 1;
+                                break;
+                        }
+                        usage();
+                        /* NOTREACHED */
+                        break;
+#endif  /* AUTHENTICATE */
+
+                case 'h':
+                        hostinfo = 0;
+                        break;
+
+#ifdef  LINEMODE
+                case 'l':
+                        alwayslinemode = 1;
+                        break;
+#endif  /* LINEMODE */
+
+                case 'L':
+                        loginprg = strdup(optarg);
+                        /* XXX what if strdup fails? */
+                        break;
+
+                case 'n':
+                        keepalive = 0;
+                        break;
+
+#ifdef  SecurID
+                case 's':
+                        /* SecurID required */
+                        require_SecurID = 1;
+                        break;
+#endif  /* SecurID */
+                case 'S':
+#ifdef  HAS_GETTOS
+                        if ((tos = parsetos(optarg, "tcp")) < 0)
+                                fprintf(stderr, "%s%s%s\n",
+                                        "telnetd: Bad TOS argument '", optarg,
+                                        "'; will try to use default TOS");
+#else
+                        fprintf(stderr, "%s%s\n", "TOS option unavailable; ",
+                                                "-S flag not supported\n");
+#endif
+                        break;
+
+#ifdef  AUTHENTICATE
+                case 'X':
+                        /*
+                         * Check for invalid authentication types
+                         */
+                        auth_disable_name(optarg);
+                        break;
+#endif  /* AUTHENTICATE */
+
+                default:
+                        fprintf(stderr, "telnetd: %c: unknown option\n", ch);
+                        /* FALLTHROUGH */
+                case '?':
+                        usage();
+                        /* NOTREACHED */
+                }
+        }
+
+        argc -= optind;
+        argv += optind;
+
+        if (debug) {
+                if (argc > 1) {
+                        usage();
+                        /* NOTREACHED */
+                }
+
+                wait_for_connection((argc == 1) ? *argv : "telnet");
+        }
+
+        openlog("telnetd", LOG_PID | LOG_ODELAY, LOG_DAEMON);
+        fromlen = sizeof (from);
+        if (getpeername(0, (struct sockaddr *)&from, &fromlen) < 0) {
+                fprintf(stderr, "%s: ", progname);
+                perror("getpeername");
+                _exit(1);
+        }
+        if (keepalive &&
+            setsockopt(0, SOL_SOCKET, SO_KEEPALIVE, &on, sizeof (on)) < 0) {
+                syslog(LOG_WARNING, "setsockopt (SO_KEEPALIVE): %m");
+        }
+
+#if     defined(HAS_IPPROTO_IP) && defined(IP_TOS)
+        {
+# if    defined(HAS_GETTOS)
+                struct tosent *tp;
+                if (tos < 0 && (tp = gettosbyname("telnet", "tcp")))
+                        tos = tp->t_tos;
+# endif
+                if (tos < 0)
+                        tos = 020;      /* Low Delay bit */
+                if (tos
+                   && (setsockopt(0, IPPROTO_IP, IP_TOS, &tos, sizeof(tos)) < 0)
+                   && (errno != ENOPROTOOPT) )
+                        syslog(LOG_WARNING, "setsockopt (IP_TOS): %m");
+        }
+#endif  /* defined(HAS_IPPROTO_IP) && defined(IP_TOS) */
+        net = 0;
+        netopen();
+        doit((struct sockaddr *)&from, fromlen);
+        /* NOTREACHED */
+        return 0;
+}  /* end of main */
+
+void
+usage(void)
+{
+        fprintf(stderr, "Usage: telnetd");
+#ifdef  AUTHENTICATE
+        fprintf(stderr, " [-a (debug|other|user|valid|off)]\n\t");
+#endif
+#ifdef BFTPDAEMON
+        fprintf(stderr, " [-B]");
+#endif
+        fprintf(stderr, " [-debug port]");
+#ifdef DIAGNOSTICS
+        fprintf(stderr, " [-D (options|report|exercise|netdata|ptydata)]\n\t");
+#endif
+#ifdef  AUTHENTICATE
+        fprintf(stderr, " [-edebug]");
+#endif
+        fprintf(stderr, " [-h]");
+#ifdef LINEMODE
+        fprintf(stderr, " [-l]");
+#endif
+        fprintf(stderr, " [-L login_program]");
+        fprintf(stderr, " [-n]");
+#ifdef  SecurID
+        fprintf(stderr, " [-s]");
+#endif
+#ifdef  AUTHENTICATE
+        fprintf(stderr, " [-X auth-type]");
+#endif
+        fprintf(stderr, "\n");
+        exit(1);
+}
+
+/*
+ * getterminaltype
+ *
+ *      Ask the other end to send along its terminal type and speed.
+ * Output is the variable terminaltype filled in.
+ */
+
+static void _gettermname(void);
+
+static
+int
+getterminaltype(char *name)
+{
+    int retval = -1;
+    (void)name;
+
+    settimer(baseline);
+#if defined(AUTHENTICATE)
+    /*
+     * Handle the Authentication option before we do anything else.
+     */
+    send_do(TELOPT_AUTHENTICATION, 1);
+    while (his_will_wont_is_changing(TELOPT_AUTHENTICATION))
+        ttloop();
+    if (his_state_is_will(TELOPT_AUTHENTICATION)) {
+        retval = auth_wait(name);
+    }
+#endif
+
+#if     defined(ENCRYPT)
+    send_will(TELOPT_ENCRYPT, 1);
+#endif
+    send_do(TELOPT_TTYPE, 1);
+    send_do(TELOPT_TSPEED, 1);
+    send_do(TELOPT_XDISPLOC, 1);
+    send_do(TELOPT_ENVIRON, 1);
+    while (
+#if     defined(ENCRYPT)
+           his_do_dont_is_changing(TELOPT_ENCRYPT) ||
+#endif
+           his_will_wont_is_changing(TELOPT_TTYPE) ||
+           his_will_wont_is_changing(TELOPT_TSPEED) ||
+           his_will_wont_is_changing(TELOPT_XDISPLOC) ||
+           his_will_wont_is_changing(TELOPT_ENVIRON)) {
+        ttloop();
+    }
+#if     defined(ENCRYPT)
+    /*
+     * Wait for the negotiation of what type of encryption we can
+     * send with.  If autoencrypt is not set, this will just return.
+     */
+    if (his_state_is_will(TELOPT_ENCRYPT)) {
+        encrypt_wait();
+    }
+#endif
+    if (his_state_is_will(TELOPT_TSPEED)) {
+        netoprintf("%c%c%c%c%c%c", 
+                   IAC, SB, TELOPT_TSPEED, TELQUAL_SEND, IAC, SE);
+    }
+    if (his_state_is_will(TELOPT_XDISPLOC)) {
+        netoprintf("%c%c%c%c%c%c", 
+                   IAC, SB, TELOPT_XDISPLOC, TELQUAL_SEND, IAC, SE);
+    }
+    if (his_state_is_will(TELOPT_ENVIRON)) {
+        netoprintf("%c%c%c%c%c%c", 
+                   IAC, SB, TELOPT_ENVIRON, TELQUAL_SEND, IAC, SE);
+    }
+    if (his_state_is_will(TELOPT_TTYPE)) {
+       netoprintf("%c%c%c%c%c%c", 
+                  IAC, SB, TELOPT_TTYPE, TELQUAL_SEND, IAC, SE);
+    }
+    if (his_state_is_will(TELOPT_TSPEED)) {
+        while (sequenceIs(tspeedsubopt, baseline))
+            ttloop();
+    }
+    if (his_state_is_will(TELOPT_XDISPLOC)) {
+        while (sequenceIs(xdisplocsubopt, baseline))
+            ttloop();
+    }
+    if (his_state_is_will(TELOPT_ENVIRON)) {
+        while (sequenceIs(environsubopt, baseline))
+            ttloop();
+    }
+    if (his_state_is_will(TELOPT_TTYPE)) {
+        char first[256], last[256];
+
+        while (sequenceIs(ttypesubopt, baseline))
+            ttloop();
+
+        /*
+         * If the other side has already disabled the option, then
+         * we have to just go with what we (might) have already gotten.
+         */
+        if (his_state_is_will(TELOPT_TTYPE) && !terminaltypeok(terminaltype)) {
+            /*
+             * Due to state.c, terminaltype points to a static char[41].
+             * Therefore, this assert cannot fail, and therefore, strings
+             * arising from "terminaltype" can be safely strcpy'd into
+             * first[] or last[].
+             */
+            assert(strlen(terminaltype) < sizeof(first));
+
+            strcpy(first, terminaltype);
+
+            for(;;) {
+                /*
+                 * Save the unknown name, and request the next name.
+                 */
+                strcpy(last, terminaltype);
+
+                _gettermname();
+                assert(strlen(terminaltype) < sizeof(first));
+
+                if (terminaltypeok(terminaltype))
+                    break;
+
+                if (!strcmp(last, terminaltype) ||
+                    his_state_is_wont(TELOPT_TTYPE)) {
+                    /*
+                     * We've hit the end.  If this is the same as
+                     * the first name, just go with it.
+                     */
+                    if (!strcmp(first, terminaltype))
+                        break;
+                    /*
+                     * Get the terminal name one more time, so that
+                     * RFC1091 compliant telnets will cycle back to
+                     * the start of the list.
+                     */
+                     _gettermname();
+                    assert(strlen(terminaltype) < sizeof(first));
+
+                    if (strcmp(first, terminaltype)) {
+                        /*
+                         * first[] came from terminaltype, so it must fit
+                         * back in.
+                         */
+                        strcpy(terminaltype, first);
+                    }
+                    break;
+                }
+            }
+        }
+    }
+    return(retval);
+}  /* end of getterminaltype */
+
+static
+void
+_gettermname(void)
+{
+    /*
+     * If the client turned off the option,
+     * we can't send another request, so we
+     * just return.
+     */
+    if (his_state_is_wont(TELOPT_TTYPE))
+        return;
+
+    settimer(baseline);
+    netoprintf("%c%c%c%c%c%c", IAC, SB, TELOPT_TTYPE, TELQUAL_SEND, IAC, SE);
+    while (sequenceIs(ttypesubopt, baseline))
+        ttloop();
+}
+
+static int
+terminaltypeok(const char *s)
+{
+    /* char buf[2048]; */
+
+    if (terminaltype == NULL)
+        return(1);
+
+    /*
+     * Fix from Chris Evans: if it has a / in it, termcap will
+     * treat it as a filename. Oops.
+     */
+    if (strchr(s, '/')) {
+        return 0;
+    }
+
+    /*
+     * If it's absurdly long, accept it without asking termcap.
+     *
+     * This means that it won't get seen again until after login,
+     * at which point exploiting buffer problems in termcap doesn't
+     * gain one anything.
+     *
+     * It's possible this limit ought to be raised to 128, but nothing
+     * in my termcap is more than 64, 64 is _plenty_ for most, and while
+     * buffers aren't likely to be smaller than 64, they might be 80 and
+     * thus less than 128.
+     */
+    if (strlen(s) > 63) {
+       return 0;
+    }
+
+    /*
+     * tgetent() will return 1 if the type is known, and
+     * 0 if it is not known.  If it returns -1, it couldn't
+     * open the database.  But if we can't open the database,
+     * it won't help to say we failed, because we won't be
+     * able to verify anything else.  So, we treat -1 like 1.
+     */
+
+    /*
+     * Don't do this - tgetent is not really trustworthy. Assume
+     * the terminal type is one we know; terminal types are pretty
+     * standard now. And if it isn't, it's unlikely we're going to
+     * know anything else the remote telnet might send as an alias
+     * for it.
+     *
+     * if (tgetent(buf, s) == 0)
+     *    return(0);
+     */
+    return(1);
+}
+
+#ifndef MAXHOSTNAMELEN
+#define MAXHOSTNAMELEN 64
+#endif  /* MAXHOSTNAMELEN */
+
+char host_name[MAXHOSTNAMELEN];
+char remote_host_name[MAXHOSTNAMELEN];
+
+extern void telnet(int, int);
+
+/*
+ * Get a pty, scan input lines.
+ */
+static void
+doit(struct sockaddr *who, socklen_t who_len)
+{
+        const char *host;
+        int level;
+        char user_name[256];
+        int i;
+        struct addrinfo hints, *res;
+
+        /*
+         * Find an available pty to use.
+         */
+        pty = getpty();
+        if (pty < 0)
+                fatalperror(net, "getpty");
+
+        /* get name of connected client */
+        if (getnameinfo(who, who_len, remote_host_name,
+                        sizeof(remote_host_name), 0, 0, 0)) {
+                syslog(LOG_ERR, "doit: getnameinfo: %m");
+                *remote_host_name = 0;
+        }
+
+        /* Disallow funnies. */
+        for (i=0; remote_host_name[i]; i++) {
+            if (remote_host_name[i]<=32 || remote_host_name[i]>126) 
+                remote_host_name[i] = '?';
+        }
+        host = remote_host_name;
+
+        /* Get local host name */
+        gethostname(host_name, sizeof(host_name));
+        memset(&hints, 0, sizeof(hints));
+        hints.ai_family = PF_UNSPEC;
+        hints.ai_flags = AI_CANONNAME;
+        if ((i = getaddrinfo(host_name, 0, &hints, &res)))
+                syslog(LOG_WARNING, "doit: getaddrinfo: %s", gai_strerror(i));
+        else {
+                strncpy(host_name, res->ai_canonname, sizeof(host_name)-1);
+                host_name[sizeof(host_name)-1] = 0;
+        }
+
+#if     defined(AUTHENTICATE) || defined(ENCRYPT)
+        auth_encrypt_init(host_name, host, "TELNETD", 1);
+#endif
+
+        init_env();
+        /*
+         * get terminal type.
+         */
+        *user_name = 0;
+        level = getterminaltype(user_name);
+        setenv("TERM", terminaltype ? terminaltype : "network", 1);
+
+        /* TODO list stuff provided by Laszlo Vecsey <master@internexus.net> */
+
+        /*
+         * Set REMOTEHOST environment variable
+         */
+        setproctitle("%s", host);
+        setenv("REMOTEHOST", host, 0);
+
+        /*
+         * Start up the login process on the slave side of the terminal
+         */
+        startslave(host, level, user_name);
+
+        telnet(net, pty);  /* begin server processing */
+
+        /*NOTREACHED*/
+}  /* end of doit */
+
+/*
+ * Main loop.  Select from pty and network, and
+ * hand data to telnet receiver finite state machine.
+ */
+void telnet(int f, int p)
+{
+    int on = 1;
+    char *HE;
+    const char *IM;
+
+    /*
+     * Initialize the slc mapping table.
+     */
+    get_slc_defaults();
+
+    /*
+     * Do some tests where it is desireable to wait for a response.
+     * Rather than doing them slowly, one at a time, do them all
+     * at once.
+     */
+    if (my_state_is_wont(TELOPT_SGA))
+        send_will(TELOPT_SGA, 1);
+    /*
+     * Is the client side a 4.2 (NOT 4.3) system?  We need to know this
+     * because 4.2 clients are unable to deal with TCP urgent data.
+     *
+     * To find out, we send out a "DO ECHO".  If the remote system
+     * answers "WILL ECHO" it is probably a 4.2 client, and we note
+     * that fact ("WILL ECHO" ==> that the client will echo what
+     * WE, the server, sends it; it does NOT mean that the client will
+     * echo the terminal input).
+     */
+    send_do(TELOPT_ECHO, 1);
+    
+#ifdef  LINEMODE
+    if (his_state_is_wont(TELOPT_LINEMODE)) {
+        /*
+         * Query the peer for linemode support by trying to negotiate
+         * the linemode option.
+         */
+        linemode = 0;
+        editmode = 0;
+        send_do(TELOPT_LINEMODE, 1);  /* send do linemode */
+    }
+#endif  /* LINEMODE */
+
+    /*
+     * Send along a couple of other options that we wish to negotiate.
+     */
+    send_do(TELOPT_NAWS, 1);
+    send_will(TELOPT_STATUS, 1);
+    flowmode = 1;  /* default flow control state */
+    send_do(TELOPT_LFLOW, 1);
+    
+    /*
+     * Spin, waiting for a response from the DO ECHO.  However,
+     * some REALLY DUMB telnets out there might not respond
+     * to the DO ECHO.  So, we spin looking for NAWS, (most dumb
+     * telnets so far seem to respond with WONT for a DO that
+     * they don't understand...) because by the time we get the
+     * response, it will already have processed the DO ECHO.
+     * Kludge upon kludge.
+     */
+    while (his_will_wont_is_changing(TELOPT_NAWS)) {
+        ttloop();
+    }
+    
+    /*
+     * But...
+     * The client might have sent a WILL NAWS as part of its
+     * startup code; if so, we'll be here before we get the
+     * response to the DO ECHO.  We'll make the assumption
+     * that any implementation that understands about NAWS
+     * is a modern enough implementation that it will respond
+     * to our DO ECHO request; hence we'll do another spin
+     * waiting for the ECHO option to settle down, which is
+     * what we wanted to do in the first place...
+     */
+    if (his_want_state_is_will(TELOPT_ECHO) &&
+        his_state_is_will(TELOPT_NAWS)) {
+        while (his_will_wont_is_changing(TELOPT_ECHO))
+            ttloop();
+    }
+    /*
+     * On the off chance that the telnet client is broken and does not
+     * respond to the DO ECHO we sent, (after all, we did send the
+     * DO NAWS negotiation after the DO ECHO, and we won't get here
+     * until a response to the DO NAWS comes back) simulate the
+     * receipt of a will echo.  This will also send a WONT ECHO
+     * to the client, since we assume that the client failed to
+     * respond because it believes that it is already in DO ECHO
+     * mode, which we do not want.
+     */
+    if (his_want_state_is_will(TELOPT_ECHO)) {
+        DIAG(TD_OPTIONS, netoprintf("td: simulating recv\r\n"););
+        willoption(TELOPT_ECHO);
+    }
+    
+    /*
+     * Finally, to clean things up, we turn on our echo.  This
+     * will break stupid 4.2 telnets out of local terminal echo.
+     */
+    
+    if (my_state_is_wont(TELOPT_ECHO))
+        send_will(TELOPT_ECHO, 1);
+    
+    /*
+     * Turn on packet mode
+     */
+    ioctl(p, TIOCPKT, (char *)&on);
+#if defined(LINEMODE) && defined(KLUDGELINEMODE)
+    /*
+     * Continuing line mode support.  If client does not support
+     * real linemode, attempt to negotiate kludge linemode by sending
+     * the do timing mark sequence.
+     */
+    if (lmodetype < REAL_LINEMODE)
+        send_do(TELOPT_TM, 1);
+#endif  /* defined(LINEMODE) && defined(KLUDGELINEMODE) */
+    
+    /*
+     * Call telrcv() once to pick up anything received during
+     * terminal type negotiation, 4.2/4.3 determination, and
+     * linemode negotiation.
+     */
+    telrcv();
+    
+    ioctl(f, FIONBIO, (char *)&on);
+    ioctl(p, FIONBIO, (char *)&on);
+
+#if defined(SO_OOBINLINE)
+    setsockopt(net, SOL_SOCKET, SO_OOBINLINE, &on, sizeof on);
+#endif  /* defined(SO_OOBINLINE) */
+    
+#ifdef  SIGTSTP
+    signal(SIGTSTP, SIG_IGN);
+#endif
+#ifdef  SIGTTOU
+    /*
+     * Ignoring SIGTTOU keeps the kernel from blocking us
+     * in ttioct() in /sys/tty.c.
+     */
+    signal(SIGTTOU, SIG_IGN);
+#endif
+    
+    signal(SIGCHLD, cleanup);
+    
+#ifdef TIOCNOTTY
+    {
+        register int t;
+        t = open(_PATH_TTY, O_RDWR);
+        if (t >= 0) {
+            (void) ioctl(t, TIOCNOTTY, (char *)0);
+            (void) close(t);
+        }
+    }
+#endif
+    
+    /*
+     * Show banner that getty never gave.
+     *
+     * We put the banner in the pty input buffer.  This way, it
+     * gets carriage return null processing, etc., just like all
+     * other pty --> client data.
+     */
+    
+    if (getenv("USER"))
+        hostinfo = 0;
+    
+    IM = DEFAULT_IM;
+    HE = 0;
+
+    edithost(HE, host_name);
+    if (hostinfo && *IM)
+        putf(IM, ptyibuf2);
+    
+    if (pcc) strncat(ptyibuf2, ptyip, pcc+1);
+    ptyip = ptyibuf2;
+    pcc = strlen(ptyip);
+#ifdef LINEMODE
+    /*
+     * Last check to make sure all our states are correct.
+     */
+    init_termbuf();
+    localstat();
+#endif  /* LINEMODE */
+
+    DIAG(TD_REPORT, netoprintf("td: Entering processing loop\r\n"););
+    
+    for (;;) {
+        fd_set ibits, obits, xbits;
+        int c, hifd;
+        
+        if (ncc < 0 && pcc < 0)
+            break;
+        
+        FD_ZERO(&ibits);
+        FD_ZERO(&obits);
+        FD_ZERO(&xbits);
+        hifd=0;
+        /*
+         * Never look for input if there's still
+         * stuff in the corresponding output buffer
+         */
+        if (netbuflen(1) || pcc > 0) {
+            FD_SET(f, &obits);
+            if (f >= hifd) hifd = f+1;
+        } 
+        else {
+            FD_SET(p, &ibits);
+            if (p >= hifd) hifd = p+1;
+        }
+        if (pfrontp - pbackp || ncc > 0) {
+            FD_SET(p, &obits);
+            if (p >= hifd) hifd = p+1;
+        } 
+        else {
+            FD_SET(f, &ibits);
+            if (f >= hifd) hifd = f+1;
+        }
+        if (!SYNCHing) {
+            FD_SET(f, &xbits);
+            if (f >= hifd) hifd = f+1;
+        }
+        if ((c = select(hifd, &ibits, &obits, &xbits,
+                        (struct timeval *)0)) < 1) {
+            if (c == -1) {
+                if (errno == EINTR) {
+                    continue;
+                }
+            }
+            sleep(5);
+            continue;
+        }
+        
+        /*
+         * Any urgent data?
+         */
+        if (FD_ISSET(net, &xbits)) {
+            SYNCHing = 1;
+        }
+        
+        /*
+         * Something to read from the network...
+         */
+        if (FD_ISSET(net, &ibits)) {
+#if !defined(SO_OOBINLINE)
+            /*
+             * In 4.2 (and 4.3 beta) systems, the
+             * OOB indication and data handling in the kernel
+             * is such that if two separate TCP Urgent requests
+             * come in, one byte of TCP data will be overlaid.
+             * This is fatal for Telnet, but we try to live
+             * with it.
+             *
+             * In addition, in 4.2 (and...), a special protocol
+             * is needed to pick up the TCP Urgent data in
+             * the correct sequence.
+             *
+             * What we do is:  if we think we are in urgent
+             * mode, we look to see if we are "at the mark".
+             * If we are, we do an OOB receive.  If we run
+             * this twice, we will do the OOB receive twice,
+             * but the second will fail, since the second
+             * time we were "at the mark", but there wasn't
+             * any data there (the kernel doesn't reset
+             * "at the mark" until we do a normal read).
+             * Once we've read the OOB data, we go ahead
+             * and do normal reads.
+             *
+             * There is also another problem, which is that
+             * since the OOB byte we read doesn't put us
+             * out of OOB state, and since that byte is most
+             * likely the TELNET DM (data mark), we would
+             * stay in the TELNET SYNCH (SYNCHing) state.
+             * So, clocks to the rescue.  If we've "just"
+             * received a DM, then we test for the
+             * presence of OOB data when the receive OOB
+             * fails (and AFTER we did the normal mode read
+             * to clear "at the mark").
+             */
+            if (SYNCHing) {
+                int atmark;
+                
+                ioctl(net, SIOCATMARK, (char *)&atmark);
+                if (atmark) {
+                    ncc = recv(net, netibuf, sizeof (netibuf), MSG_OOB);
+                    if ((ncc == -1) && (errno == EINVAL)) {
+                        ncc = read(net, netibuf, sizeof (netibuf));
+                        if (sequenceIs(didnetreceive, gotDM)) {
+                            SYNCHing = stilloob(net);
+                        }
+                    }
+                } 
+                else {
+                    ncc = read(net, netibuf, sizeof (netibuf));
+                }
+            } 
+            else {
+                ncc = read(net, netibuf, sizeof (netibuf));
+            }
+            settimer(didnetreceive);
+#else   /* !defined(SO_OOBINLINE)) */
+            ncc = read(net, netibuf, sizeof (netibuf));
+#endif  /* !defined(SO_OOBINLINE)) */
+            if (ncc < 0 && errno == EWOULDBLOCK)
+                ncc = 0;
+            else {
+                if (ncc <= 0) {
+                    break;
+                }
+                netip = netibuf;
+            }
+            DIAG((TD_REPORT | TD_NETDATA),
+                 netoprintf("td: netread %d chars\r\n", ncc););
+            DIAG(TD_NETDATA, printdata("nd", netip, ncc));
+        }
+        
+        /*
+         * Something to read from the pty...
+         */
+        if (FD_ISSET(p, &ibits)) {
+            pcc = read(p, ptyibuf, BUFSIZ);
+            /*
+             * On some systems, if we try to read something
+             * off the master side before the slave side is
+             * opened, we get EIO.
+             */
+            if (pcc < 0 && (errno == EWOULDBLOCK || errno == EIO)) {
+                pcc = 0;
+            } 
+            else {
+                if (pcc <= 0)
+                    break;
+#ifdef  LINEMODE
+                                /*
+                                 * If ioctl from pty, pass it through net
+                                 */
+                if (ptyibuf[0] & TIOCPKT_IOCTL) {
+                    copy_termbuf(ptyibuf+1, pcc-1);
+                    localstat();
+                    pcc = 1;
+                }
+#endif  /* LINEMODE */
+                if (ptyibuf[0] & TIOCPKT_FLUSHWRITE) {
+                    static const char msg[] = { IAC, DM };
+                    netclear(); /* clear buffer back */
+#ifndef NO_URGENT
+                    /*
+                     * There are client telnets on some
+                     * operating systems get screwed up
+                     * royally if we send them urgent
+                     * mode data.
+                     */
+                    sendurg(msg, sizeof(msg));
+#endif
+                }
+                if (his_state_is_will(TELOPT_LFLOW) &&
+                    (ptyibuf[0] &
+                     (TIOCPKT_NOSTOP|TIOCPKT_DOSTOP))) {
+                        netoprintf("%c%c%c%c%c%c",
+                                   IAC, SB, TELOPT_LFLOW,
+                                   ptyibuf[0] & TIOCPKT_DOSTOP ? 1 : 0,
+                                   IAC, SE);
+                }
+                pcc--;
+                ptyip = ptyibuf+1;
+            }
+        }
+        
+        while (pcc > 0 && !netbuflen(0)) {
+            c = *ptyip++ & 0377, pcc--;
+            if (c == IAC)
+                putc(c, netfile);
+            putc(c, netfile);
+            if ((c == '\r'  ) && (my_state_is_wont(TELOPT_BINARY))) {
+                if (pcc > 0 && ((*ptyip & 0377) == '\n')) {
+                    putc(*ptyip++ & 0377, netfile);
+                    pcc--;
+                } 
+                else putc('\0', netfile);
+            }
+        }
+
+        if (FD_ISSET(f, &obits))
+            netflush();
+        if (ncc > 0)
+            telrcv();
+        if (FD_ISSET(p, &obits) && (pfrontp - pbackp) > 0)
+            ptyflush();
+    }
+    cleanup(0);
+}  /* end of telnet */
+        
+#ifndef TCSIG
+# ifdef TIOCSIG
+#  define TCSIG TIOCSIG
+# endif
+#endif
+
+/*
+ * Send interrupt to process on other side of pty.
+ * If it is in raw mode, just write NULL;
+ * otherwise, write intr char.
+ */
+void interrupt(void) {
+    ptyflush(); /* half-hearted */
+    
+#ifdef  TCSIG
+    (void) ioctl(pty, TCSIG, (char *)SIGINT);
+#else   /* TCSIG */
+    init_termbuf();
+    *pfrontp++ = slctab[SLC_IP].sptr ?
+         (unsigned char)*slctab[SLC_IP].sptr : '\177';
+#endif  /* TCSIG */
+}
+
+/*
+ * Send quit to process on other side of pty.
+ * If it is in raw mode, just write NULL;
+ * otherwise, write quit char.
+ */
+void sendbrk(void) {
+    ptyflush(); /* half-hearted */
+#ifdef  TCSIG
+    (void) ioctl(pty, TCSIG, (char *)SIGQUIT);
+#else   /* TCSIG */
+    init_termbuf();
+    *pfrontp++ = slctab[SLC_ABORT].sptr ?
+         (unsigned char)*slctab[SLC_ABORT].sptr : '\034';
+#endif  /* TCSIG */
+}
+
+void sendsusp(void) {
+#ifdef  SIGTSTP
+    ptyflush(); /* half-hearted */
+# ifdef TCSIG
+    (void) ioctl(pty, TCSIG, (char *)SIGTSTP);
+# else  /* TCSIG */
+    *pfrontp++ = slctab[SLC_SUSP].sptr ?
+        (unsigned char)*slctab[SLC_SUSP].sptr : '\032';
+# endif /* TCSIG */
+#endif  /* SIGTSTP */
+}
+
+/*
+ * When we get an AYT, if ^T is enabled, use that.  Otherwise,
+ * just send back "[Yes]".
+ */
+void recv_ayt(void) {
+#if     defined(SIGINFO) && defined(TCSIG)
+    if (slctab[SLC_AYT].sptr && *slctab[SLC_AYT].sptr != _POSIX_VDISABLE) {
+        (void) ioctl(pty, TCSIG, (char *)SIGINFO);
+        return;
+    }
+#endif
+    netoprintf("\r\n[%s : yes]\r\n", host_name);
+}
+
+void doeof(void) {
+    init_termbuf();
+
+#if     defined(LINEMODE) && (VEOF == VMIN)
+    if (!tty_isediting()) {
+        extern char oldeofc;
+        *pfrontp++ = oldeofc;
+        return;
+    }
+#endif
+    *pfrontp++ = slctab[SLC_EOF].sptr ?
+             (unsigned char)*slctab[SLC_EOF].sptr : '\004';
+}
diff --git a/exploits/7350855-netkit/netkit-telnet-0.17/telnetd/telnetd.h b/exploits/7350855-netkit/netkit-telnet-0.17/telnetd/telnetd.h
new file mode 100644
index 0000000..4c66824
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.17/telnetd/telnetd.h
@@ -0,0 +1,50 @@
+/*
+ * Copyright (c) 1989 The Regents of the University of California.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *      This product includes software developed by the University of
+ *      California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ *      from: @(#)telnetd.h     5.3 (Berkeley) 3/1/91
+ *      $Id: telnetd.h,v 1.2 1999/03/27 07:46:21 dholland Exp $
+ */
+
+
+#include "defs.h"
+#include "ext.h"
+#include <errno.h>
+
+#ifdef  DIAGNOSTICS
+#define DIAG(a,b)       if (diagnostic & (a)) b
+#else
+#define DIAG(a,b)
+#endif
+
+/* other external variables */
+extern  char **environ;
+
diff --git a/exploits/7350855-netkit/netkit-telnet-0.17/telnetd/termstat.c b/exploits/7350855-netkit/netkit-telnet-0.17/telnetd/termstat.c
new file mode 100644
index 0000000..1871480
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.17/telnetd/termstat.c
@@ -0,0 +1,588 @@
+/*
+ * Copyright (c) 1989 Regents of the University of California.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *      This product includes software developed by the University of
+ *      California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/*
+ * From: @(#)termstat.c 5.10 (Berkeley) 3/22/91
+ */
+char termstat_rcsid[] = 
+  "$Id: termstat.c,v 1.6 1999/12/12 14:59:45 dholland Exp $";
+
+#include "telnetd.h"
+
+/*
+ * local variables
+ */
+int def_tspeed = -1, def_rspeed = -1;
+#ifdef  TIOCSWINSZ
+int def_row = 0, def_col = 0;
+#endif
+#ifdef  LINEMODE
+static int _terminit = 0;
+#endif  /* LINEMODE */
+
+#ifdef  LINEMODE
+/*
+ * localstat
+ *
+ * This function handles all management of linemode.
+ *
+ * Linemode allows the client to do the local editing of data
+ * and send only complete lines to the server.  Linemode state is
+ * based on the state of the pty driver.  If the pty is set for
+ * external processing, then we can use linemode.  Further, if we
+ * can use real linemode, then we can look at the edit control bits
+ * in the pty to determine what editing the client should do.
+ *
+ * Linemode support uses the following state flags to keep track of
+ * current and desired linemode state.
+ *      alwayslinemode : true if -l was specified on the telnetd
+ *      command line.  It means to have linemode on as much as
+ *      possible.
+ *
+ *      lmodetype: signifies whether the client can
+ *      handle real linemode, or if use of kludgeomatic linemode
+ *      is preferred.  It will be set to one of the following:
+ *              REAL_LINEMODE : use linemode option
+ *              KLUDGE_LINEMODE : use kludge linemode
+ *              NO_LINEMODE : client is ignorant of linemode
+ *
+ *      linemode, uselinemode : linemode is true if linemode
+ *      is currently on, uselinemode is the state that we wish
+ *      to be in.  If another function wishes to turn linemode
+ *      on or off, it sets or clears uselinemode.
+ *
+ *      editmode, useeditmode : like linemode/uselinemode, but
+ *      these contain the edit mode states (edit and trapsig).
+ *
+ * The state variables correspond to some of the state information
+ * in the pty.
+ *      linemode:
+ *              In real linemode, this corresponds to whether the pty
+ *              expects external processing of incoming data.
+ *              In kludge linemode, this more closely corresponds to the
+ *              whether normal processing is on or not.  (ICANON in
+ *              system V, or COOKED mode in BSD.)
+ *              If the -l option was specified (alwayslinemode), then
+ *              an attempt is made to force external processing on at
+ *              all times.
+ *
+ * The following heuristics are applied to determine linemode
+ * handling within the server.
+ *      1) Early on in starting up the server, an attempt is made
+ *         to negotiate the linemode option.  If this succeeds
+ *         then lmodetype is set to REAL_LINEMODE and all linemode
+ *         processing occurs in the context of the linemode option.
+ *      2) If the attempt to negotiate the linemode option failed,
+ *         then we try to use kludge linemode.  We test for this
+ *         capability by sending "do Timing Mark".  If a positive
+ *         response comes back, then we assume that the client
+ *         understands kludge linemode (ech!) and the
+ *         lmodetype flag is set to KLUDGE_LINEMODE.
+ *      3) Otherwise, linemode is not supported at all and
+ *         lmodetype remains set to NO_LINEMODE (which happens
+ *         to be 0 for convenience).
+ *      4) At any time a command arrives that implies a higher
+ *         state of linemode support in the client, we move to that
+ *         linemode support.
+ *
+ * A short explanation of kludge linemode is in order here.
+ *      1) The heuristic to determine support for kludge linemode
+ *         is to send a do timing mark.  We assume that a client
+ *         that supports timing marks also supports kludge linemode.
+ *         A risky proposition at best.
+ *      2) Further negotiation of linemode is done by changing the
+ *         the server's state regarding SGA.  If server will SGA,
+ *         then linemode is off, if server won't SGA, then linemode
+ *         is on.
+ */
+        void
+localstat()
+{
+        void netflush();
+        int need_will_echo = 0;
+
+        /*
+         * Check for state of BINARY options.
+         */
+        if (tty_isbinaryin()) {
+                if (his_want_state_is_wont(TELOPT_BINARY))
+                        send_do(TELOPT_BINARY, 1);
+        } else {
+                if (his_want_state_is_will(TELOPT_BINARY))
+                        send_dont(TELOPT_BINARY, 1);
+        }
+
+        if (tty_isbinaryout()) {
+                if (my_want_state_is_wont(TELOPT_BINARY))
+                        send_will(TELOPT_BINARY, 1);
+        } else {
+                if (my_want_state_is_will(TELOPT_BINARY))
+                        send_wont(TELOPT_BINARY, 1);
+        }
+
+        /*
+         * Check for changes to flow control if client supports it.
+         */
+        if (his_state_is_will(TELOPT_LFLOW)) {
+                if (tty_flowmode() != flowmode) {
+                        flowmode = tty_flowmode();
+                        (void) netoprintf("%c%c%c%c%c%c", IAC, SB,
+                                          TELOPT_LFLOW, flowmode, IAC, SE);
+                }
+        }
+
+        /*
+         * Check linemode on/off state
+         */
+        uselinemode = tty_linemode();
+
+        /*
+         * If alwayslinemode is on, and pty is changing to turn it off, then
+         * force linemode back on.
+         */
+        if (alwayslinemode && linemode && !uselinemode) {
+                uselinemode = 1;
+                tty_setlinemode(uselinemode);
+        }
+
+#if     defined(ENCRYPT)
+        /*
+         * If the terminal is not echoing, but editing is enabled,
+         * something like password input is going to happen, so
+         * if we the other side is not currently sending encrypted
+         * data, ask the other side to start encrypting.
+         */
+        if (his_state_is_will(TELOPT_ENCRYPT)) {
+                static int enc_passwd = 0;
+                if (uselinemode && !tty_isecho() && tty_isediting()
+                    && (enc_passwd == 0) && !decrypt_input) {
+                        encrypt_send_request_start();
+                        enc_passwd = 1;
+                } else if (enc_passwd) {
+                        encrypt_send_request_end();
+                        enc_passwd = 0;
+                }
+        }
+#endif
+
+        /*
+         * Do echo mode handling as soon as we know what the
+         * linemode is going to be.
+         * If the pty has echo turned off, then tell the client that
+         * the server will echo.  If echo is on, then the server
+         * will echo if in character mode, but in linemode the
+         * client should do local echoing.  The state machine will
+         * not send anything if it is unnecessary, so don't worry
+         * about that here.
+         *
+         * If we need to send the WILL ECHO (because echo is off),
+         * then delay that until after we have changed the MODE.
+         * This way, when the user is turning off both editing
+         * and echo, the client will get editing turned off first.
+         * This keeps the client from going into encryption mode
+         * and then right back out if it is doing auto-encryption
+         * when passwords are being typed.
+         */
+        if (uselinemode) {
+                if (tty_isecho())
+                        send_wont(TELOPT_ECHO, 1);
+                else
+                        need_will_echo = 1;
+        }
+
+        /*
+         * If linemode is being turned off, send appropriate
+         * command and then we're all done.
+         */
+         if (!uselinemode && linemode) {
+# ifdef KLUDGELINEMODE
+                if (lmodetype == REAL_LINEMODE) {
+# endif /* KLUDGELINEMODE */
+                        send_dont(TELOPT_LINEMODE, 1);
+# ifdef KLUDGELINEMODE
+                } else if (lmodetype == KLUDGE_LINEMODE)
+                        send_will(TELOPT_SGA, 1);
+# endif /* KLUDGELINEMODE */
+                send_will(TELOPT_ECHO, 1);
+                linemode = uselinemode;
+                goto done;
+        }
+
+# ifdef KLUDGELINEMODE
+        /*
+         * If using real linemode check edit modes for possible later use.
+         * If we are in kludge linemode, do the SGA negotiation.
+         */
+        if (lmodetype == REAL_LINEMODE) {
+# endif /* KLUDGELINEMODE */
+                useeditmode = 0;
+                if (tty_isediting())
+                        useeditmode |= MODE_EDIT;
+                if (tty_istrapsig())
+                        useeditmode |= MODE_TRAPSIG;
+                if (tty_issofttab())
+                        useeditmode |= MODE_SOFT_TAB;
+                if (tty_islitecho())
+                        useeditmode |= MODE_LIT_ECHO;
+# ifdef KLUDGELINEMODE
+        } else if (lmodetype == KLUDGE_LINEMODE) {
+                if (tty_isediting() && uselinemode)
+                        send_wont(TELOPT_SGA, 1);
+                else
+                        send_will(TELOPT_SGA, 1);
+        }
+# endif /* KLUDGELINEMODE */
+
+        /*
+         * Negotiate linemode on if pty state has changed to turn it on.
+         * Send appropriate command and send along edit mode, then all done.
+         */
+        if (uselinemode && !linemode) {
+# ifdef KLUDGELINEMODE
+                if (lmodetype == KLUDGE_LINEMODE) {
+                        send_wont(TELOPT_SGA, 1);
+                } else if (lmodetype == REAL_LINEMODE) {
+# endif /* KLUDGELINEMODE */
+                        send_do(TELOPT_LINEMODE, 1);
+                        /* send along edit modes */
+                        (void) netoprintf("%c%c%c%c%c%c%c", IAC, SB,
+                                TELOPT_LINEMODE, LM_MODE, useeditmode,
+                                IAC, SE);
+                        editmode = useeditmode;
+# ifdef KLUDGELINEMODE
+                }
+# endif /* KLUDGELINEMODE */
+                linemode = uselinemode;
+                goto done;
+        }
+
+# ifdef KLUDGELINEMODE
+        /*
+         * None of what follows is of any value if not using
+         * real linemode.
+         */
+        if (lmodetype < REAL_LINEMODE)
+                goto done;
+# endif /* KLUDGELINEMODE */
+
+        if (linemode && his_state_is_will(TELOPT_LINEMODE)) {
+                /*
+                 * If edit mode changed, send edit mode.
+                 */
+                 if (useeditmode != editmode) {
+                        /*
+                         * Send along appropriate edit mode mask.
+                         */
+                        (void) netoprintf("%c%c%c%c%c%c%c", IAC, SB,
+                                TELOPT_LINEMODE, LM_MODE, useeditmode,
+                                IAC, SE);
+                        editmode = useeditmode;
+                }
+                                                        
+
+                /*
+                 * Check for changes to special characters in use.
+                 */
+                start_slc(0);
+                check_slc();
+                (void) end_slc(0);
+        }
+
+done:
+        if (need_will_echo)
+                send_will(TELOPT_ECHO, 1);
+        /*
+         * Some things should be deferred until after the pty state has
+         * been set by the local process.  Do those things that have been
+         * deferred now.  This only happens once.
+         */
+        if (_terminit == 0) {
+                _terminit = 1;
+                defer_terminit();
+        }
+
+        netflush();
+        set_termbuf();
+        return;
+
+}  /* end of localstat */
+#endif  /* LINEMODE */
+
+
+/*
+ * clientstat
+ *
+ * Process linemode related requests from the client.
+ * Client can request a change to only one of linemode, editmode or slc's
+ * at a time, and if using kludge linemode, then only linemode may be
+ * affected.
+ */
+void clientstat(register int code, register int parm1, register int parm2)
+{
+        /*
+         * Get a copy of terminal characteristics.
+         */
+        init_termbuf();
+
+        /*
+         * Process request from client. code tells what it is.
+         */
+        switch (code) {
+#ifdef  LINEMODE
+        case TELOPT_LINEMODE:
+                /*
+                 * Don't do anything unless client is asking us to change
+                 * modes.
+                 */
+                uselinemode = (parm1 == WILL);
+                if (uselinemode != linemode) {
+# ifdef KLUDGELINEMODE
+                        /*
+                         * If using kludge linemode, make sure that
+                         * we can do what the client asks.
+                         * We can not turn off linemode if alwayslinemode
+                         * and the ICANON bit is set.
+                         */
+                        if (lmodetype == KLUDGE_LINEMODE) {
+                                if (alwayslinemode && tty_isediting()) {
+                                        uselinemode = 1;
+                                }
+                        }
+                
+                        /*
+                         * Quit now if we can't do it.
+                         */
+                        if (uselinemode == linemode)
+                                return;
+
+                        /*
+                         * If using real linemode and linemode is being
+                         * turned on, send along the edit mode mask.
+                         */
+                        if (lmodetype == REAL_LINEMODE && uselinemode)
+# else  /* KLUDGELINEMODE */
+                        if (uselinemode)
+# endif /* KLUDGELINEMODE */
+                        {
+                                useeditmode = 0;
+                                if (tty_isediting())
+                                        useeditmode |= MODE_EDIT;
+                                if (tty_istrapsig)
+                                        useeditmode |= MODE_TRAPSIG;
+                                if (tty_issofttab())
+                                        useeditmode |= MODE_SOFT_TAB;
+                                if (tty_islitecho())
+                                        useeditmode |= MODE_LIT_ECHO;
+                                (void) netoprintf("%c%c%c%c%c%c%c", IAC,
+                                        SB, TELOPT_LINEMODE, LM_MODE,
+                                                        useeditmode, IAC, SE);
+                                editmode = useeditmode;
+                        }
+
+
+                        tty_setlinemode(uselinemode);
+
+                        linemode = uselinemode;
+
+                }
+                break;
+        
+        case LM_MODE:
+            {
+                register int ack, changed;
+
+                /*
+                 * Client has sent along a mode mask.  If it agrees with
+                 * what we are currently doing, ignore it; if not, it could
+                 * be viewed as a request to change.  Note that the server
+                 * will change to the modes in an ack if it is different from
+                 * what we currently have, but we will not ack the ack.
+                 */
+                 useeditmode &= MODE_MASK;
+                 ack = (useeditmode & MODE_ACK);
+                 useeditmode &= ~MODE_ACK;
+
+                 if (changed = (useeditmode ^ editmode)) {
+                        /*
+                         * This check is for a timing problem.  If the
+                         * state of the tty has changed (due to the user
+                         * application) we need to process that info
+                         * before we write in the state contained in the
+                         * ack!!!  This gets out the new MODE request,
+                         * and when the ack to that command comes back
+                         * we'll set it and be in the right mode.
+                         */
+                        if (ack)
+                                localstat();
+                        if (changed & MODE_EDIT)
+                                tty_setedit(useeditmode & MODE_EDIT);
+
+                        if (changed & MODE_TRAPSIG)
+                                tty_setsig(useeditmode & MODE_TRAPSIG);
+
+                        if (changed & MODE_SOFT_TAB)
+                                tty_setsofttab(useeditmode & MODE_SOFT_TAB);
+
+                        if (changed & MODE_LIT_ECHO)
+                                tty_setlitecho(useeditmode & MODE_LIT_ECHO);
+
+                        set_termbuf();
+
+                        if (!ack) {
+                                (void) netoprintf("%c%c%c%c%c%c%c", IAC,
+                                        SB, TELOPT_LINEMODE, LM_MODE,
+                                        useeditmode|MODE_ACK,
+                                        IAC, SE);
+                        }
+                
+                        editmode = useeditmode;
+                }
+
+                break;
+
+            }  /* end of case LM_MODE */
+#endif  /* LINEMODE */
+
+        case TELOPT_NAWS:
+#ifdef  TIOCSWINSZ
+            {
+                struct winsize ws;
+
+                def_col = parm1;
+                def_row = parm2;
+#ifdef  LINEMODE
+                /*
+                 * Defer changing window size until after terminal is
+                 * initialized.
+                 */
+                if (terminit() == 0)
+                        return;
+#endif  /* LINEMODE */
+
+                /*
+                 * Change window size as requested by client.
+                 */
+
+                ws.ws_col = parm1;
+                ws.ws_row = parm2;
+                (void) ioctl(pty, TIOCSWINSZ, (char *)&ws);
+            }
+#endif  /* TIOCSWINSZ */
+                
+                break;
+        
+        case TELOPT_TSPEED:
+            {
+                def_tspeed = parm1;
+                def_rspeed = parm2;
+#ifdef  LINEMODE
+                /*
+                 * Defer changing the terminal speed.
+                 */
+                if (terminit() == 0)
+                        return;
+#endif  /* LINEMODE */
+                /*
+                 * Change terminal speed as requested by client.
+                 * We set the receive speed first, so that if we can't
+                 * store seperate receive and transmit speeds, the transmit
+                 * speed will take precedence.
+                 */
+                tty_rspeed(parm2);
+                tty_tspeed(parm1);
+                set_termbuf();
+
+                break;
+
+            }  /* end of case TELOPT_TSPEED */
+
+        default:
+                /* What? */
+                break;
+        }  /* end of switch */
+
+        netflush();
+
+}  /* end of clientstat */
+
+#ifdef  LINEMODE
+/*
+ * defer_terminit
+ *
+ * Some things should not be done until after the login process has started
+ * and all the pty modes are set to what they are supposed to be.  This
+ * function is called when the pty state has been processed for the first time. 
+ * It calls other functions that do things that were deferred in each module.
+ */
+        void
+defer_terminit()
+{
+
+        /*
+         * local stuff that got deferred.
+         */
+        if (def_tspeed != -1) {
+                clientstat(TELOPT_TSPEED, def_tspeed, def_rspeed);
+                def_tspeed = def_rspeed = 0;
+        }
+
+#ifdef  TIOCSWINSZ
+        if (def_col || def_row) {
+                struct winsize ws;
+
+                bzero((char *)&ws, sizeof(ws));
+                ws.ws_col = def_col;
+                ws.ws_row = def_row;
+                (void) ioctl(pty, TIOCSWINSZ, (char *)&ws);
+        }
+#endif
+
+        /*
+         * The only other module that currently defers anything.
+         */
+        deferslc();
+
+}  /* end of defer_terminit */
+
+/*
+ * terminit
+ *
+ * Returns true if the pty state has been processed yet.
+ */
+        int
+terminit()
+{
+        return _terminit;
+
+}  /* end of terminit */
+#endif  /* LINEMODE */
diff --git a/exploits/7350855-netkit/netkit-telnet-0.17/telnetd/utility.c b/exploits/7350855-netkit/netkit-telnet-0.17/telnetd/utility.c
new file mode 100644
index 0000000..c51e65d
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.17/telnetd/utility.c
@@ -0,0 +1,1266 @@
+/*
+ * Copyright (c) 1989 Regents of the University of California.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *      This product includes software developed by the University of
+ *      California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/*
+ * From: @(#)utility.c  5.8 (Berkeley) 3/22/91
+ */
+char util_rcsid[] = 
+  "$Id: utility.c,v 1.11 1999/12/12 14:59:45 dholland Exp $";
+
+#define PRINTOPTIONS
+
+#include <stdarg.h>
+#include <sys/utsname.h>
+#include <sys/time.h>
+
+#ifdef AUTHENTICATE
+#include <libtelnet/auth.h>
+#endif
+
+#include "telnetd.h"
+
+struct buflist {
+        struct buflist *next;
+        char *buf;
+        size_t len;
+};
+
+static struct buflist head = { next: &head, buf: 0, len: 0 };
+static struct buflist *tail = &head;
+static size_t skip;
+static int trailing;
+static size_t listlen;
+static int doclear;
+static struct buflist *urg;
+
+/*
+ * ttloop
+ *
+ *      A small subroutine to flush the network output buffer, get some data
+ * from the network, and pass it through the telnet state machine.  We
+ * also flush the pty input buffer (by dropping its data) if it becomes
+ * too full.
+ */
+
+void
+ttloop(void)
+{
+
+    DIAG(TD_REPORT, netoprintf("td: ttloop\r\n"););
+                     
+    netflush();
+    ncc = read(net, netibuf, sizeof(netibuf));
+    if (ncc < 0) {
+        syslog(LOG_INFO, "ttloop: read: %m\n");
+        exit(1);
+    } else if (ncc == 0) {
+        syslog(LOG_INFO, "ttloop: peer died: EOF\n");
+        exit(1);
+    }
+    DIAG(TD_REPORT, netoprintf("td: ttloop read %d chars\r\n", ncc););
+    netip = netibuf;
+    telrcv();                   /* state machine */
+    if (ncc > 0) {
+        pfrontp = pbackp = ptyobuf;
+        telrcv();
+    }
+}  /* end of ttloop */
+
+/*
+ * Check a descriptor to see if out of band data exists on it.
+ */
+int stilloob(int s)             /* socket number */
+{
+    static struct timeval timeout = { 0, 0 };
+    fd_set      excepts;
+    int value;
+
+    do {
+        FD_ZERO(&excepts);
+        FD_SET(s, &excepts);
+        value = select(s+1, (fd_set *)0, (fd_set *)0, &excepts, &timeout);
+    } while ((value == -1) && (errno == EINTR));
+
+    if (value < 0) {
+        fatalperror(pty, "select");
+    }
+    if (FD_ISSET(s, &excepts)) {
+        return 1;
+    } else {
+        return 0;
+    }
+}
+
+void    ptyflush(void)
+{
+        int n;
+
+        if ((n = pfrontp - pbackp) > 0) {
+                DIAG((TD_REPORT | TD_PTYDATA),
+                     netoprintf("td: ptyflush %d chars\r\n", n););
+                DIAG(TD_PTYDATA, printdata("pd", pbackp, n));
+                n = write(pty, pbackp, n);
+        }
+        if (n < 0) {
+                if (errno == EWOULDBLOCK || errno == EINTR)
+                        return;
+                cleanup(0);
+        }
+        pbackp += n;
+        if (pbackp == pfrontp)
+                pbackp = pfrontp = ptyobuf;
+}
+
+/*
+ * nextitem()
+ *
+ *      Return the address of the next "item" in the TELNET data
+ * stream.  This will be the address of the next character if
+ * the current address is a user data character, or it will
+ * be the address of the character following the TELNET command
+ * if the current address is a TELNET IAC ("I Am a Command")
+ * character.
+ */
+static
+const char *
+nextitem(
+        const unsigned char *current, const unsigned char *end,
+        const unsigned char *next, const unsigned char *nextend
+) {
+        if (*current++ != IAC) {
+                while (current < end && *current++ != IAC)
+                        ;
+                goto out;
+        }
+
+        if (current >= end) {
+                current = next;
+                if (!current) {
+                        return 0;
+                }
+                end = nextend;
+                next = 0;
+        }
+
+        switch (*current++) {
+        case DO:
+        case DONT:
+        case WILL:
+        case WONT:
+                current++;
+                break;
+        case SB:                /* loop forever looking for the SE */
+                for (;;) {
+                        int iac;
+
+                        while (iac = 0, current < end) {
+                                if (*current++ == IAC) {
+                                        if (current >= end) {
+                                                iac = 1;
+                                                break;
+                                        }
+iac:
+                                        if (*current++ == SE) {
+                                                goto out;
+                                        }
+                                }
+                        }
+
+                        current = next;
+                        if (!current) {
+                                return 0;
+                        }
+                        end = nextend;
+                        next = 0;
+                        if (iac) {
+                                goto iac;
+                        }
+                }
+        }
+
+out:
+        return next ? next + (current - end) : current;
+}  /* end of nextitem */
+
+
+/*
+ * netclear()
+ *
+ *      We are about to do a TELNET SYNCH operation.  Clear
+ * the path to the network.
+ *
+ *      Things are a bit tricky since we may have sent the first
+ * byte or so of a previous TELNET command into the network.
+ * So, we have to scan the network buffer from the beginning
+ * until we are up to where we want to be.
+ *
+ *      A side effect of what we do, just to keep things
+ * simple, is to clear the urgent data pointer.  The principal
+ * caller should be setting the urgent data pointer AFTER calling
+ * us in any case.
+ */
+void netclear(void)
+{
+        doclear++;
+        netflush();
+        doclear--;
+}  /* end of netclear */
+
+static void
+netwritebuf(void)
+{
+        struct iovec *vector;
+        struct iovec *v;
+        struct buflist *lp;
+        ssize_t n;
+        size_t len;
+
+        vector = malloc(listlen * sizeof(struct iovec));
+        if (!vector) {
+                return;
+        }
+
+        len = listlen - (doclear & trailing);
+        v = vector;
+        lp = head.next;
+        while (lp != &head) {
+                if (lp == urg) {
+                        len = v - vector;
+                        if (!len) {
+                                n = send(net, lp->buf, 1, MSG_OOB);
+                                if (n > 0) {
+                                        urg = 0;
+                                }
+                                goto epi;
+                        }
+                        break;
+                }
+                v->iov_base = lp->buf;
+                v->iov_len = lp->len;
+                v++;
+                lp = lp->next;
+        }
+
+        vector->iov_base = (char *)vector->iov_base + skip;
+        vector->iov_len -= skip;
+
+        n = writev(net, vector, len);
+
+epi:
+        free(vector);
+
+        if (n < 0) {
+                if (errno != EWOULDBLOCK && errno != EINTR)
+                        cleanup(0);
+                return;
+        }
+
+        len = n + skip;
+
+        lp = head.next;
+        while (lp->len <= len) {
+                len -= lp->len;
+
+                head.next = lp->next;
+                listlen--;
+                free(lp->buf);
+                free(lp);
+
+                lp = head.next;
+                if (lp == &head) {
+                        tail = &head;
+                        break;
+                }
+        }
+
+        skip = len;
+}
+
+/*
+ *  netflush
+ *             Send as much data as possible to the network,
+ *     handling requests for urgent data.
+ */
+void
+netflush(void)
+{
+        if (fflush(netfile)) {
+                /* out of memory? */
+                cleanup(0);
+        }
+        if (listlen) {
+                netwritebuf();
+        }
+}
+
+
+/*
+ * miscellaneous functions doing a variety of little jobs follow ...
+ */
+
+
+void
+fatal(int f, const char *msg)
+{
+        char buf[BUFSIZ];
+
+        (void) snprintf(buf, sizeof(buf), "telnetd: %s.\r\n", msg);
+#if     defined(ENCRYPT)
+        if (encrypt_output) {
+                /*
+                 * Better turn off encryption first....
+                 * Hope it flushes...
+                 */
+                encrypt_send_end();
+                netflush();
+        }
+#endif
+        (void) write(f, buf, (int)strlen(buf));
+        sleep(1);       /*XXX*/
+        exit(1);
+}
+
+void
+fatalperror(int f, const char *msg)
+{
+        char buf[BUFSIZ];
+        snprintf(buf, sizeof(buf), "%s: %s\r\n", msg, strerror(errno));
+        fatal(f, buf);
+}
+
+char *editedhost;
+struct utsname kerninfo;
+
+void
+edithost(const char *pat, const char *host)
+{
+        char *res;
+
+        uname(&kerninfo);
+
+        if (!pat)
+                pat = "";
+
+        res = realloc(editedhost, strlen(pat) + strlen(host) + 1);
+        if (!res) {
+                if (editedhost) {
+                        free(editedhost);
+                        editedhost = 0;
+                }
+                fprintf(stderr, "edithost: Out of memory\n");
+                return;
+        }
+        editedhost = res;
+
+        while (*pat) {
+                switch (*pat) {
+
+                case '#':
+                        if (*host)
+                                host++;
+                        break;
+
+                case '@':
+                        if (*host)
+                                *res++ = *host++;
+                        break;
+
+                default:
+                        *res++ = *pat;
+                        break;
+                }
+                pat++;
+        }
+        if (*host)
+                (void) strcpy(res, host);
+        else
+                *res = '\0';
+}
+
+static char *putlocation;
+
+static 
+void
+putstr(const char *s)
+{
+    while (*s) putchr(*s++);
+}
+
+void putchr(int cc)
+{
+        *putlocation++ = cc;
+}
+
+static char fmtstr[] = { "%H:%M on %A, %d %B %Y" };
+
+void putf(const char *cp, char *where)
+{
+        char *slash;
+        time_t t;
+        char db[100];
+
+        if (where)
+        putlocation = where;
+
+        while (*cp) {
+                if (*cp != '%') {
+                        putchr(*cp++);
+                        continue;
+                }
+                switch (*++cp) {
+
+                case 't':
+                        slash = strrchr(line, '/');
+                        if (slash == NULL)
+                                putstr(line);
+                        else
+                                putstr(slash+1);
+                        break;
+
+                case 'h':
+                        if (editedhost) {
+                                putstr(editedhost);
+                        }
+                        break;
+
+                case 'd':
+                        (void)time(&t);
+                        (void)strftime(db, sizeof(db), fmtstr, localtime(&t));
+                        putstr(db);
+                        break;
+
+                case '%':
+                        putchr('%');
+                        break;
+
+                case 'D':
+                        {
+                                char    buff[128];
+
+                                if (getdomainname(buff,sizeof(buff)) < 0
+                                        || buff[0] == '\0'
+                                        || strcmp(buff, "(none)") == 0)
+                                        break;
+                                putstr(buff);
+                        }
+                        break;
+
+                case 'i':
+                        {
+                                char buff[3];
+                                FILE *fp;
+                                int p, c;
+
+                                if ((fp = fopen(ISSUE_FILE, "r")) == NULL)
+                                        break;
+                                p = '\n';
+                                while ((c = fgetc(fp)) != EOF) {
+                                        if (p == '\n' && c == '#') {
+                                                do {
+                                                        c = fgetc(fp);
+                                                } while (c != EOF && c != '\n');
+                                                continue;
+                                        } else if (c == '%') {
+                                                buff[0] = c;
+                                                c = fgetc(fp);
+                                                if (c == EOF) break;
+                                                buff[1] = c;
+                                                buff[2] = '\0';
+                                                putf(buff, NULL);
+                                        } else {
+                                                if (c == '\n') putchr('\r');
+                                                putchr(c);
+                                                p = c;
+                                        }
+                                };
+                                (void) fclose(fp);
+                        }
+                        return; /* ignore remainder of the banner string */
+                        /*NOTREACHED*/
+
+                case 's':
+                        putstr(kerninfo.sysname);
+                        break;
+
+                case 'm':
+                        putstr(kerninfo.machine);
+                        break;
+
+                case 'r':
+                        putstr(kerninfo.release);
+                        break;
+
+                case 'v':
+#ifdef __linux__
+                        putstr(kerninfo.version);
+#else
+                        puts(kerninfo.version);
+#endif
+                        break;
+                }
+                cp++;
+        }
+}
+
+#ifdef DIAGNOSTICS
+/*
+ * Print telnet options and commands in plain text, if possible.
+ */
+void
+printoption(const char *fmt, int option)
+{
+        if (TELOPT_OK(option))
+                netoprintf("%s %s\r\n", fmt, TELOPT(option));
+        else if (TELCMD_OK(option))
+                netoprintf("%s %s\r\n", fmt, TELCMD(option));
+        else
+                netoprintf("%s %d\r\n", fmt, option);
+}
+
+/* direction: '<' or '>' */
+/* pointer: where suboption data sits */
+/* length: length of suboption data */
+void
+printsub(char direction, unsigned char *pointer, int length)
+{
+    register int i = -1;
+#ifdef AUTHENTICATE
+    char buf[512];
+#endif
+
+        if (!(diagnostic & TD_OPTIONS))
+                return;
+
+        if (direction) {
+            netoprintf("td: %s suboption ",
+                       direction == '<' ? "recv" : "send");
+            if (length >= 3) {
+                register int j;
+
+                i = pointer[length-2];
+                j = pointer[length-1];
+
+                if (i != IAC || j != SE) {
+                    netoprintf("(terminated by ");
+                    if (TELOPT_OK(i))
+                        netoprintf("%s ", TELOPT(i));
+                    else if (TELCMD_OK(i))
+                        netoprintf("%s ", TELCMD(i));
+                    else
+                        netoprintf("%d ", i);
+                    if (TELOPT_OK(j))
+                        netoprintf("%s", TELOPT(j));
+                    else if (TELCMD_OK(j))
+                        netoprintf("%s", TELCMD(j));
+                    else
+                        netoprintf("%d", j);
+                    netoprintf(", not IAC SE!) ");
+                }
+            }
+            length -= 2;
+        }
+        if (length < 1) {
+            netoprintf("(Empty suboption???)");
+            return;
+        }
+        switch (pointer[0]) {
+        case TELOPT_TTYPE:
+            netoprintf("TERMINAL-TYPE ");
+            switch (pointer[1]) {
+            case TELQUAL_IS:
+                netoprintf("IS \"%.*s\"", length-2, (char *)pointer+2);
+                break;
+            case TELQUAL_SEND:
+                netoprintf("SEND");
+                break;
+            default:
+                netoprintf("- unknown qualifier %d (0x%x).",
+                                pointer[1], pointer[1]);
+            }
+            break;
+        case TELOPT_TSPEED:
+            netoprintf("TERMINAL-SPEED");
+            if (length < 2) {
+                netoprintf(" (empty suboption???)");
+                break;
+            }
+            switch (pointer[1]) {
+            case TELQUAL_IS:
+                netoprintf(" IS %.*s", length-2, (char *)pointer+2);
+                break;
+            default:
+                if (pointer[1] == 1)
+                    netoprintf(" SEND");
+                else
+                    netoprintf(" %d (unknown)", pointer[1]);
+                for (i = 2; i < length; i++) {
+                    netoprintf(" ?%d?", pointer[i]);
+                }
+                break;
+            }
+            break;
+
+        case TELOPT_LFLOW:
+            netoprintf("TOGGLE-FLOW-CONTROL");
+            if (length < 2) {
+                netoprintf(" (empty suboption???)");
+                break;
+            }
+            switch (pointer[1]) {
+            case 0:
+                netoprintf(" OFF"); break;
+            case 1:
+                netoprintf(" ON"); break;
+            default:
+                netoprintf(" %d (unknown)", pointer[1]);
+            }
+            for (i = 2; i < length; i++) {
+                netoprintf(" ?%d?", pointer[i]);
+            }
+            break;
+
+        case TELOPT_NAWS:
+            netoprintf("NAWS");
+            if (length < 2) {
+                netoprintf(" (empty suboption???)");
+                break;
+            }
+            if (length == 2) {
+                netoprintf(" ?%d?", pointer[1]);
+                break;
+            }
+            netoprintf(" %d %d (%d)",
+                pointer[1], pointer[2],
+                (int)((((unsigned int)pointer[1])<<8)|((unsigned int)pointer[2])));
+            if (length == 4) {
+                netoprintf(" ?%d?", pointer[3]);
+                break;
+            }
+            netoprintf(" %d %d (%d)",
+                pointer[3], pointer[4],
+                (int)((((unsigned int)pointer[3])<<8)|((unsigned int)pointer[4])));
+            for (i = 5; i < length; i++) {
+                netoprintf(" ?%d?", pointer[i]);
+            }
+            break;
+
+        case TELOPT_LINEMODE:
+            netoprintf("LINEMODE ");
+            if (length < 2) {
+                netoprintf(" (empty suboption???)");
+                break;
+            }
+            switch (pointer[1]) {
+            case WILL:
+                netoprintf("WILL ");
+                goto common;
+            case WONT:
+                netoprintf("WONT ");
+                goto common;
+            case DO:
+                netoprintf("DO ");
+                goto common;
+            case DONT:
+                netoprintf("DONT ");
+            common:
+                if (length < 3) {
+                    netoprintf("(no option???)");
+                    break;
+                }
+                switch (pointer[2]) {
+                case LM_FORWARDMASK:
+                    netoprintf("Forward Mask");
+                    for (i = 3; i < length; i++) {
+                        netoprintf(" %x", pointer[i]);
+                    }
+                    break;
+                default:
+                    netoprintf("%d (unknown)", pointer[2]);
+                    for (i = 3; i < length; i++) {
+                        netoprintf(" %d", pointer[i]);
+                    }
+                    break;
+                }
+                break;
+                
+            case LM_SLC:
+                netoprintf("SLC");
+                for (i = 2; i < length - 2; i += 3) {
+                    if (SLC_NAME_OK(pointer[i+SLC_FUNC]))
+                        netoprintf(" %s", SLC_NAME(pointer[i+SLC_FUNC]));
+                    else
+                        netoprintf(" %d", pointer[i+SLC_FUNC]);
+                    switch (pointer[i+SLC_FLAGS]&SLC_LEVELBITS) {
+                    case SLC_NOSUPPORT:
+                        netoprintf(" NOSUPPORT"); break;
+                    case SLC_CANTCHANGE:
+                        netoprintf(" CANTCHANGE"); break;
+                    case SLC_VARIABLE:
+                        netoprintf(" VARIABLE"); break;
+                    case SLC_DEFAULT:
+                        netoprintf(" DEFAULT"); break;
+                    }
+                    netoprintf("%s%s%s",
+                        pointer[i+SLC_FLAGS]&SLC_ACK ? "|ACK" : "",
+                        pointer[i+SLC_FLAGS]&SLC_FLUSHIN ? "|FLUSHIN" : "",
+                        pointer[i+SLC_FLAGS]&SLC_FLUSHOUT ? "|FLUSHOUT" : "");
+                    if (pointer[i+SLC_FLAGS]& ~(SLC_ACK|SLC_FLUSHIN|
+                                                SLC_FLUSHOUT| SLC_LEVELBITS)) {
+                        netoprintf("(0x%x)", pointer[i+SLC_FLAGS]);
+                    }
+                    netoprintf(" %d;", pointer[i+SLC_VALUE]);
+                    if ((pointer[i+SLC_VALUE] == IAC) &&
+                        (pointer[i+SLC_VALUE+1] == IAC))
+                                i++;
+                }
+                for (; i < length; i++) {
+                    netoprintf(" ?%d?", pointer[i]);
+                }
+                break;
+
+            case LM_MODE:
+                netoprintf("MODE ");
+                if (length < 3) {
+                    netoprintf("(no mode???)");
+                    break;
+                }
+                {
+                    char tbuf[32];
+                    snprintf(tbuf, sizeof(tbuf), "%s%s%s%s%s",
+                        pointer[2]&MODE_EDIT ? "|EDIT" : "",
+                        pointer[2]&MODE_TRAPSIG ? "|TRAPSIG" : "",
+                        pointer[2]&MODE_SOFT_TAB ? "|SOFT_TAB" : "",
+                        pointer[2]&MODE_LIT_ECHO ? "|LIT_ECHO" : "",
+                        pointer[2]&MODE_ACK ? "|ACK" : "");
+                    netoprintf("%s", tbuf[1] ? &tbuf[1] : "0");
+                }
+                if (pointer[2]&~(MODE_EDIT|MODE_TRAPSIG|MODE_ACK)) {
+                    netoprintf(" (0x%x)", pointer[2]);
+                }
+                for (i = 3; i < length; i++) {
+                    netoprintf(" ?0x%x?", pointer[i]);
+                }
+                break;
+            default:
+                netoprintf("%d (unknown)", pointer[1]);
+                for (i = 2; i < length; i++) {
+                    netoprintf(" %d", pointer[i]);
+                }
+            }
+            break;
+
+        case TELOPT_STATUS: {
+            const char *cp;
+            register int j, k;
+
+            netoprintf("STATUS");
+
+            switch (pointer[1]) {
+            default:
+                if (pointer[1] == TELQUAL_SEND)
+                    netoprintf(" SEND");
+                else
+                    netoprintf(" %d (unknown)", pointer[1]);
+                for (i = 2; i < length; i++) {
+                    netoprintf(" ?%d?", pointer[i]);
+                }
+                break;
+            case TELQUAL_IS:
+                netoprintf(" IS\r\n");
+
+                for (i = 2; i < length; i++) {
+                    switch(pointer[i]) {
+                    case DO:    cp = "DO"; goto common2;
+                    case DONT:  cp = "DONT"; goto common2;
+                    case WILL:  cp = "WILL"; goto common2;
+                    case WONT:  cp = "WONT"; goto common2;
+                    common2:
+                        i++;
+                        if (TELOPT_OK((int)pointer[i]))
+                            netoprintf(" %s %s", cp, TELOPT(pointer[i]));
+                        else
+                            netoprintf(" %s %d", cp, pointer[i]);
+
+                        netoprintf("\r\n");
+                        break;
+
+                    case SB:
+                        netoprintf(" SB ");
+                        i++;
+                        j = k = i;
+                        while (j < length) {
+                            if (pointer[j] == SE) {
+                                if (j+1 == length)
+                                    break;
+                                if (pointer[j+1] == SE)
+                                    j++;
+                                else
+                                    break;
+                            }
+                            pointer[k++] = pointer[j++];
+                        }
+                        printsub(0, &pointer[i], k - i);
+                        if (i < length) {
+                            netoprintf(" SE");
+                            i = j;
+                        } else
+                            i = j - 1;
+
+                        netoprintf("\r\n");
+
+                        break;
+                                
+                    default:
+                        netoprintf(" %d", pointer[i]);
+                        break;
+                    }
+                }
+                break;
+            }
+            break;
+          }
+
+        case TELOPT_XDISPLOC:
+            netoprintf("X-DISPLAY-LOCATION ");
+            switch (pointer[1]) {
+            case TELQUAL_IS:
+                netoprintf("IS \"%.*s\"", length-2, (char *)pointer+2);
+                break;
+            case TELQUAL_SEND:
+                netoprintf("SEND");
+                break;
+            default:
+                netoprintf("- unknown qualifier %d (0x%x).",
+                                pointer[1], pointer[1]);
+            }
+            break;
+
+        case TELOPT_ENVIRON:
+            netoprintf("ENVIRON ");
+            switch (pointer[1]) {
+            case TELQUAL_IS:
+                netoprintf("IS ");
+                goto env_common;
+            case TELQUAL_SEND:
+                netoprintf("SEND ");
+                goto env_common;
+            case TELQUAL_INFO:
+                netoprintf("INFO ");
+            env_common:
+                {
+                    register int noquote = 2;
+                    for (i = 2; i < length; i++ ) {
+                        switch (pointer[i]) {
+                        case ENV_VAR:
+                            if (pointer[1] == TELQUAL_SEND)
+                                goto def_case;
+                            netoprintf("\" VAR " + noquote);
+                            noquote = 2;
+                            break;
+
+                        case ENV_VALUE:
+                            netoprintf("\" VALUE " + noquote);
+                            noquote = 2;
+                            break;
+
+                        case ENV_ESC:
+                            netoprintf("\" ESC " + noquote);
+                            noquote = 2;
+                            break;
+
+                        default:
+                        def_case:
+                            if (isprint(pointer[i]) && pointer[i] != '"') {
+                                if (noquote) {
+                                    netoprintf("\"");
+                                    noquote = 0;
+                                }
+                                netoprintf("%c", pointer[i]);
+                            } else {
+                                netoprintf("\" %03o " + noquote,
+                                                        pointer[i]);
+                                noquote = 2;
+                            }
+                            break;
+                        }
+                    }
+                    if (!noquote)
+                        netoprintf("\"");
+                    break;
+                }
+            }
+            break;
+
+#if     defined(AUTHENTICATE)
+        case TELOPT_AUTHENTICATION:
+            netoprintf("AUTHENTICATION");
+        
+            if (length < 2) {
+                netoprintf(" (empty suboption???)");
+                break;
+            }
+            switch (pointer[1]) {
+            case TELQUAL_REPLY:
+            case TELQUAL_IS:
+                netoprintf(" %s ", (pointer[1] == TELQUAL_IS) ?
+                                                        "IS" : "REPLY");
+                if (AUTHTYPE_NAME_OK(pointer[2]))
+                    netoprintf("%s ", AUTHTYPE_NAME(pointer[2]));
+                else
+                    netoprintf("%d ", pointer[2]);
+                if (length < 3) {
+                    netoprintf("(partial suboption???)");
+                    break;
+                }
+                netoprintf("%s|%s",
+                        ((pointer[3] & AUTH_WHO_MASK) == AUTH_WHO_CLIENT) ?
+                        "CLIENT" : "SERVER",
+                        ((pointer[3] & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) ?
+                        "MUTUAL" : "ONE-WAY");
+
+                auth_printsub(&pointer[1], length - 1, buf, sizeof(buf));
+                netoprintf("%s", buf);
+                break;
+
+            case TELQUAL_SEND:
+                i = 2;
+                netoprintf(" SEND ");
+                while (i < length) {
+                    if (AUTHTYPE_NAME_OK(pointer[i]))
+                        netoprintf("%s ", AUTHTYPE_NAME(pointer[i]));
+                    else
+                        netoprintf("%d ", pointer[i]);
+                    if (++i >= length) {
+                        netoprintf("(partial suboption???)");
+                        break;
+                    }
+                    netoprintf("%s|%s ",
+                        ((pointer[i] & AUTH_WHO_MASK) == AUTH_WHO_CLIENT) ?
+                                                        "CLIENT" : "SERVER",
+                        ((pointer[i] & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) ?
+                                                        "MUTUAL" : "ONE-WAY");
+                    ++i;
+                }
+                break;
+
+            case TELQUAL_NAME:
+                i = 2;
+                netoprintf(" NAME \"");
+                /*
+                 * Was:
+                 *    while (i < length)
+                 *       *nfrontp += pointer[i++];
+                 *    *nfrontp += '"';
+                 *
+                 * but I'm pretty sure that's wrong...
+                 */
+                while (i < length)
+                    netoprintf("%c", pointer[i++]);
+                netoprintf("\"");
+                break;
+
+            default:
+                    for (i = 2; i < length; i++) {
+                        netoprintf(" ?%d?", pointer[i]);
+                    }
+                    break;
+            }
+            break;
+#endif
+
+#if     defined(ENCRYPT)
+        case TELOPT_ENCRYPT:
+            netoprintf("ENCRYPT");
+            if (length < 2) {
+                netoprintf(" (empty suboption???)");
+                break;
+            }
+            switch (pointer[1]) {
+            case ENCRYPT_START:
+                netoprintf(" START");
+                break;
+
+            case ENCRYPT_END:
+                netoprintf(" END");
+                break;
+
+            case ENCRYPT_REQSTART:
+                netoprintf(" REQUEST-START");
+                break;
+
+            case ENCRYPT_REQEND:
+                netoprintf(" REQUEST-END");
+                break;
+
+            case ENCRYPT_IS:
+            case ENCRYPT_REPLY:
+                netoprintf(" %s ", (pointer[1] == ENCRYPT_IS) ?
+                                                        "IS" : "REPLY");
+                if (length < 3) {
+                    netoprintf(" (partial suboption???)");
+                    break;
+                }
+                if (ENCTYPE_NAME_OK(pointer[2]))
+                    netoprintf("%s ", ENCTYPE_NAME(pointer[2]));
+                else
+                    netoprintf(" %d (unknown)", pointer[2]);
+
+                encrypt_printsub(&pointer[1], length - 1, buf, sizeof(buf));
+                netoprintf("%s", buf);
+                break;
+
+            case ENCRYPT_SUPPORT:
+                i = 2;
+                netoprintf(" SUPPORT ");
+                while (i < length) {
+                    if (ENCTYPE_NAME_OK(pointer[i]))
+                        netoprintf("%s ", ENCTYPE_NAME(pointer[i]));
+                    else
+                        netoprintf("%d ", pointer[i]);
+                    i++;
+                }
+                break;
+
+            case ENCRYPT_ENC_KEYID:
+                netoprintf(" ENC_KEYID", pointer[1]);
+                goto encommon;
+
+            case ENCRYPT_DEC_KEYID:
+                netoprintf(" DEC_KEYID", pointer[1]);
+                goto encommon;
+
+            default:
+                netoprintf(" %d (unknown)", pointer[1]);
+            encommon:
+                for (i = 2; i < length; i++) {
+                    netoprintf(" %d", pointer[i]);
+                }
+                break;
+            }
+            break;
+#endif
+
+        default:
+            if (TELOPT_OK(pointer[0]))
+                netoprintf("%s (unknown)", TELOPT(pointer[0]));
+            else
+                netoprintf("%d (unknown)", pointer[i]);
+            for (i = 1; i < length; i++) {
+                netoprintf(" %d", pointer[i]);
+            }
+            break;
+        }
+        netoprintf("\r\n");
+}
+
+/*
+ * Dump a data buffer in hex and ascii to the output data stream.
+ */
+void
+printdata(const char *tag, const char *ptr, int cnt)
+{
+        register int i;
+        char xbuf[30];
+
+        while (cnt) {
+                /* add a line of output */
+                netoprintf("%s: ", tag);
+                for (i = 0; i < 20 && cnt; i++) {
+                        netoprintf("%02x", *ptr);
+                        if (isprint(*ptr)) {
+                                xbuf[i] = *ptr;
+                        } else {
+                                xbuf[i] = '.';
+                        }
+                        if (i % 2) { 
+                                netoprintf(" ");
+                        }
+                        cnt--;
+                        ptr++;
+                }
+                xbuf[i] = '\0';
+                netoprintf(" %s\r\n", xbuf );
+        } 
+}
+#endif /* DIAGNOSTICS */
+
+static struct buflist *
+addbuf(const char *buf, size_t len)
+{
+        struct buflist *bufl;
+
+        bufl = malloc(sizeof(struct buflist));
+        if (!bufl) {
+                return 0;
+        }
+        bufl->next = tail->next;
+        bufl->buf = malloc(len);
+        if (!bufl->buf) {
+                free(bufl);
+                return 0;
+        }
+        bufl->len = len;
+
+        tail = tail->next = bufl;
+        listlen++;
+
+        memcpy(bufl->buf, buf, len);
+        return bufl;
+}
+
+static ssize_t
+netwrite(void *cookie, const char *buf, size_t len)
+{
+        size_t ret;
+        const char *const end = buf + len;
+        int ltrailing = trailing;
+        int ldoclear = doclear;
+
+#define wewant(p)       ((*p&0xff) == IAC) && \
+                                ((*(p+1)&0xff) != EC) && ((*(p+1)&0xff) != EL)
+
+        ret = 0;
+
+        if (ltrailing) {
+                const char *p;
+                size_t l;
+                size_t m = tail->len;
+
+                p = nextitem(tail->buf, tail->buf + tail->len, buf, end);
+                ltrailing = !p;
+                if (ltrailing) {
+                        p = end;
+                }
+
+                l = p - buf;
+                tail->len += l;
+                tail->buf = realloc(tail->buf, tail->len);
+                if (!tail->buf) {
+                        return -1;
+                }
+
+                memcpy(tail->buf + m, buf, l);
+                buf += l;
+                len -= l;
+                ret += l;
+                trailing = ltrailing;
+        }
+
+        if (ldoclear) {
+                struct buflist *lpprev;
+
+                skip = 0;
+                lpprev = &head;
+                for (;;) {
+                        struct buflist *lp;
+
+                        lp = lpprev->next;
+
+                        if (lp == &head) {
+                                tail = lpprev;
+                                break;
+                        }
+
+                        if (lp == tail && ltrailing) {
+                                break;
+                        }
+
+                        if (!wewant(lp->buf)) {
+                                lpprev->next = lp->next;
+                                listlen--;
+                                free(lp->buf);
+                                free(lp);
+                        } else {
+                                lpprev = lp;
+                        }
+                }
+        }
+
+        while (len) {
+                const char *p;
+                size_t l;
+
+                p = nextitem(buf, end, 0, 0);
+                ltrailing = !p;
+                if (ltrailing) {
+                        p = end;
+                } else if (ldoclear) {
+                        if (!wewant(buf)) {
+                                l = p - buf;
+                                goto cont;
+                        }
+                }
+
+                l = p - buf;
+                if (!addbuf(buf, l)) {
+                        return ret ? ret : -1;
+                }
+                trailing = ltrailing;
+
+cont:
+                buf += l;
+                len -= l;
+                ret += l;
+        }
+
+        netwritebuf();
+        return ret;
+}
+
+void
+netopen() {
+        static const cookie_io_functions_t funcs = {
+                read: 0, write: netwrite, seek: 0, close: 0
+        };
+
+        netfile = fopencookie(0, "w", funcs);
+}
+
+extern int not42;
+void
+sendurg(const char *buf, size_t len) {
+        if (!not42) {
+                fwrite(buf, 1, len, netfile);
+                return;
+        }
+
+        urg = addbuf(buf, len);
+}
+
+size_t
+netbuflen(int flush) {
+        if (flush) {
+                netflush();
+        }
+        return listlen;
+}
diff --git a/exploits/7350855-netkit/netkit-telnet-0.17/telnetlogin/Makefile b/exploits/7350855-netkit/netkit-telnet-0.17/telnetlogin/Makefile
new file mode 100644
index 0000000..74d2680
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.17/telnetlogin/Makefile
@@ -0,0 +1,18 @@
+all: telnetlogin
+
+include ../MCONFIG
+include ../MRULES
+
+OBJS = telnetlogin.o
+
+telnetlogin: $(OBJS)
+        $(CC) $(LDFLAGS) $^ $(LIBS) -o $@
+
+$(OBJS): ../version.h
+
+install: telnetlogin
+        install -s -m4750 -oroot -gtelnetd telnetlogin $(INSTALLROOT)$(SBINDIR)
+        install -m$(MANMODE) telnetlogin.8 $(INSTALLROOT)$(MANDIR)/man8
+
+clean:
+        rm -f *.o telnetlogin
diff --git a/exploits/7350855-netkit/netkit-telnet-0.17/telnetlogin/telnetlogin.8 b/exploits/7350855-netkit/netkit-telnet-0.17/telnetlogin/telnetlogin.8
new file mode 100644
index 0000000..2433fd8
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.17/telnetlogin/telnetlogin.8
@@ -0,0 +1,91 @@
+.\" Copyright (c) 2000 David A. Holland.
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\" 1. Redistributions of source code must retain the above copyright
+.\"    notice, this list of conditions and the following disclaimer.
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\"    notice, this list of conditions and the following disclaimer in the
+.\"    documentation and/or other materials provided with the distribution.
+.\" 3. All advertising materials mentioning features or use of this software
+.\"    must display the following acknowledgement:
+.\"     This product includes software developed by David A. Holland.
+.\" 4. Neither the name of the Author nor the names of any contributors
+.\"    may be used to endorse or promote products derived from this software
+.\"    without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND ANY CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR ANY CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\"     $Id: telnetlogin.8,v 1.4 2000/07/30 23:57:10 dholland Exp $
+.\"
+.Dd April 12, 2000
+.Dt TELNETLOGIN 8
+.Os "Linux NetKit (0.17)"
+.Sh NAME
+.Nm telnetlogin
+.Nd login wrapper for telnetd
+.Sh SYNOPSIS
+.Nm telnetlogin
+.Op Fl h Ar host
+.Op Fl p
+.Op Ar username
+.Sh DESCRIPTION
+.Nm telnetlogin
+is a setuid wrapper that runs
+.Xr login 1 .
+It is meant to be invoked by
+.Xr telnetd 8 ;
+the idea is to remove the necessity of running telnetd as root.
+.Pp
+.Nm telnetlogin
+should be installed mode 4750, user root, group telnetd. Then,
+telnetd may be run from
+.Pa /etc/inetd.conf
+as user ``nobody'', group ``telnetd'', and with the option
+.Fl L Ar path-to-telnetlogin .
+.Pp
+.Nm telnetlogin
+accepts only the subset of options to
+.Xr login 1
+shown above, in the order listed. This is the order 
+.Nm telnetd 8
+normally provides them in.
+.Nm telnetlogin
+also does sanity checks on the environment variables
+.Ev TERM , 
+and
+.Ev REMOTEHOST .
+It also insists that the standard input, output, and error streams are
+open on a terminal, and that it is the process group leader of the
+foreground process of that terminal. After checking all of these
+conditions, checking the values of the above environment variables for
+reasonable values, resetting signal handlers, and so forth, it execs
+login.
+.Sh SEE ALSO
+.Xr login 1 ,
+.Xr inetd.conf 5 ,
+.Xr inetd 8 ,
+.Xr telnetd 8
+.Sh RESTRICTIONS
+.Nm telnetlogin
+does not permit the
+.Fl f
+option to login, so will not
+work with telnetds that perform authentication via Kerberos or SSL.
+.Pp
+THIS IS PRESENTLY EXPERIMENTAL CODE; USE WITH CAUTION.
+.Sh HISTORY
+.Nm telnetlogin
+was written during the development of NetKit 0.17.
diff --git a/exploits/7350855-netkit/netkit-telnet-0.17/telnetlogin/telnetlogin.c b/exploits/7350855-netkit/netkit-telnet-0.17/telnetlogin/telnetlogin.c
new file mode 100644
index 0000000..bf81c12
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.17/telnetlogin/telnetlogin.c
@@ -0,0 +1,230 @@
+/*
+ * Copyright (c) 2000 David A. Holland.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *      This product includes software developed by David A. Holland.
+ * 4. Neither the name of the Author nor the names of any contributors
+ *    may be used to endorse or promote products derived from this software
+ *    without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND ANY CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR ANY CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+char copyright[] =
+ "@(#) Copyright (c) 2000 David A. Holland.\n"
+ "All rights reserved.\n";
+
+char rcsid[] =
+  "$Id: telnetlogin.c,v 1.1 2000/04/13 01:07:22 dholland Exp $";
+#include "../version.h"
+
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/ioctl.h>
+#include <netdb.h>
+#include <fcntl.h>
+#include <ctype.h>
+#include <paths.h>
+#include <signal.h>
+#include <unistd.h>
+#include <stdlib.h>
+#include <string.h>
+#include <stdarg.h>
+#include <stdio.h>
+#include <syslog.h>
+
+#ifndef _PATH_LOGIN
+#define _PATH_LOGIN "/bin/login"
+#endif
+
+static const char *remhost = NULL;
+
+static void die(const char *fmt, ...) {
+   va_list ap;
+   openlog("telnetlogin", LOG_PID, LOG_AUTHPRIV);
+   va_start(ap, fmt);
+   vsyslog(LOG_CRIT, fmt, ap);
+   va_end(ap);
+   exit(1);
+}
+
+static int check_a_hostname(char *hname) {
+   int i=0;
+   /* should we check length? */
+   for (i=0; hname[i]; i++) {
+      if (hname[i]<=32 && hname[i]>126) return -1;
+   }
+   return 0;
+}
+
+static int check_term(char *termtype) {
+   int i;
+   if (strlen(termtype) > 32) return -1;
+   for (i=0; termtype[i]; i++) {
+      if (!isalnum(termtype[i]) && !strchr("+._-", termtype[i])) return -1;
+   }
+   return 0;
+}
+
+static int check_remotehost(char *val) {
+   if (check_a_hostname(val)) return -1;
+   if (remhost && strcmp(val, remhost)) return -1;
+   return 0;
+}
+
+struct {
+   const char *name;
+   int (*validator)(char *);
+} legal_envs[] = {
+   { "TERM", check_term },
+   { "REMOTEHOST", check_remotehost },
+   { NULL, NULL }
+};
+
+static void validate_tty(void) {
+   struct stat buf, buf2;
+   const char *tty;
+   pid_t pgrp;
+
+   tty = ttyname(0);
+   if (!tty) die("stdin not a tty");
+
+   if (fstat(0, &buf)) die("fstat stdin");
+   if (!S_ISCHR(buf.st_mode)) die("stdin not char device");
+
+   if (fstat(1, &buf2)) die("fstat stdout");
+   if (!S_ISCHR(buf2.st_mode)) die("stdout not char device");
+   if (buf.st_rdev!=buf2.st_rdev) die("stdout and stdin not same tty");
+
+   if (fstat(2, &buf2)) die("fstat stderr");
+   if (!S_ISCHR(buf2.st_mode)) die("stderr not char device");
+   if (buf.st_rdev!=buf2.st_rdev) die("stderr and stdin not same tty");
+   
+   if (ioctl(0, TIOCGPGRP, &pgrp)) die("cannot get tty process group");
+   if (pgrp != getpgrp()) die("not foreground pgrp of tty");
+   if (pgrp != getpid()) die("not process group leader");
+}
+
+int main(int argc, char *argv[]) {
+   static char argv0[] = "login";
+   int argn, i, j;
+   const char *rh = NULL;
+   char **envs = __environ;
+
+   /* make as sure as possible no library routines or anything can use it */
+   __environ = NULL;
+
+   /* first, make sure our stdin/stdout/stderr are aimed somewhere */
+   i = open("/", O_RDONLY);
+   if (i<3) {
+      /* Oops. Can't even print an error message... */
+      exit(100);
+   }
+   close(i);
+
+   /* check args */
+   argn=1;
+   if (argc<1) {
+      die("Illegal args: argc < 1");
+   }
+   if (argn < argc && !strcmp(argv[argn], "-h")) {
+      argn++;
+      if (argn==argc) die("Illegal args: -h requires argument");
+      if (check_a_hostname(argv[argn])) die("Illegal remote host specified");
+      rh = argv[argn];
+      argn++;
+   }
+   if (argn < argc && !strcmp(argv[argn], "-p")) {
+      argn++;
+   }
+   if (argn < argc && argv[argn][0] != '-') {
+      argn++;
+   }
+   if (argn < argc) die("Illegal args: too many args");
+   argv[0] = argv0;
+
+   /* check environment */
+   if (envs) for (i=0; envs[i]; i++) {
+      char *testenv = envs[i];
+      size_t testlen = strlen(testenv);
+      for (j=0; legal_envs[j].name; j++) {
+         const char *okenv = legal_envs[j].name;
+         size_t oklen = strlen(okenv);
+         int sign;
+
+         if (testlen < oklen) continue;
+         if (testenv[oklen]!='=') continue;
+         if ((sign = memcmp(testenv, okenv, oklen)) < 0) {
+            continue;
+         } else if (sign > 0) {
+            break;
+         }
+         if (legal_envs[j].validator(testenv+oklen+1)) {
+            die("Invalid environment: bad value for %s", okenv);
+         }
+         break;
+      }
+   }
+
+   /* unignore all signals so they get cleared at exec time */
+   for (i=1; i<NSIG; i++) {
+      signal(i, SIG_DFL);
+   }
+
+   /* just in case */
+   if (chdir("/")) die("chdir to / failed");
+
+   /* 
+    * don't do anything with uids and gids, as login is normally meant
+    * to be able to take care of them.  
+    * 
+    * but, should we insist that ruid==nobody?
+    */
+
+#ifdef debian
+   /*
+    * Debian's /bin/login doesn't work properly unless we're really root.
+    */
+   setuid(0);
+#endif
+
+   /*
+    * don't do anything with limits, itimers, or process priority either
+    */
+
+   /*
+    * should we check to make sure stdin=stdout=stderr and they're a tty
+    * and it's our controlling tty [hard] and we're the leader of the 
+    * foreground process group?
+    *
+    * Yeah, we should.
+    */
+   validate_tty();
+
+   /*
+    * now exec login
+    * argv[0] was set up above.
+    */
+   execve(_PATH_LOGIN, argv, envs);
+   exit(255);
+}
diff --git a/exploits/7350855-netkit/netkit-telnet-0.17/version.h b/exploits/7350855-netkit/netkit-telnet-0.17/version.h
new file mode 100644
index 0000000..ad92951
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet-0.17/version.h
@@ -0,0 +1,5 @@
+/*
+ * String to embed in binaries to identify package
+ */
+
+char pkg[]="$NetKit: netkit-telnet-0.17 $";
diff --git a/exploits/7350855-netkit/netkit-telnet_0.16-4potato.1.diff.gz b/exploits/7350855-netkit/netkit-telnet_0.16-4potato.1.diff.gz
new file mode 100644
index 0000000..834255f
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet_0.16-4potato.1.diff.gz
diff --git a/exploits/7350855-netkit/netkit-telnet_0.16-4potato.1.dsc b/exploits/7350855-netkit/netkit-telnet_0.16-4potato.1.dsc
new file mode 100644
index 0000000..9c2f3f2
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet_0.16-4potato.1.dsc
@@ -0,0 +1,23 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+
+Format: 1.0
+Source: netkit-telnet
+Version: 0.16-4potato.1
+Binary: telnet, telnetd
+Maintainer: Herbert Xu <herbert@debian.org>
+Architecture: any
+Standards-Version: 3.0.1
+Files: 
+ d829b432eec6a2ff0d866869445f1303 130043 netkit-telnet_0.16.orig.tar.gz
+ f045357b3041d23be595b484355669b1 8327 netkit-telnet_0.16-4potato.1.diff.gz
+
+-----BEGIN PGP SIGNATURE-----
+Version: 2.6.3ia
+Charset: noconv
+
+iQCVAwUBOctRj4fMnsf5AzQhAQGUVAP+Lsk8f2sXSnIhQ/XrtQUjpVjJwpS3Nzrq
+SWPok5C2QjERmN8W3/HmrYl2y1/3VQ5z5sVyVA3bcx+IMvs0U1130LVmhDOlANrP
+wmsRQ+8v5XJ9MD7eZs7FWligqlLfAno1WGIKZenTyKMPXrYjZD6pKUwk/54gITKB
+g5nCfW7xGvM=
+=X0FD
+-----END PGP SIGNATURE-----
diff --git a/exploits/7350855-netkit/netkit-telnet_0.16.orig.tar.gz b/exploits/7350855-netkit/netkit-telnet_0.16.orig.tar.gz
new file mode 100644
index 0000000..d0f2b45
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet_0.16.orig.tar.gz
diff --git a/exploits/7350855-netkit/netkit-telnet_0.17-14.diff.gz b/exploits/7350855-netkit/netkit-telnet_0.17-14.diff.gz
new file mode 100644
index 0000000..33b44a8
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet_0.17-14.diff.gz
diff --git a/exploits/7350855-netkit/netkit-telnet_0.17-14.dsc b/exploits/7350855-netkit/netkit-telnet_0.17-14.dsc
new file mode 100644
index 0000000..bb6f1e7
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet_0.17-14.dsc
@@ -0,0 +1,24 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+
+Format: 1.0
+Source: netkit-telnet
+Version: 0.17-14
+Binary: telnetd, telnet
+Maintainer: Herbert Xu <herbert@debian.org>
+Architecture: any
+Standards-Version: 3.5.6
+Build-Depends: debhelper, libncurses-dev
+Files: 
+ d6beabaaf53fe6e382c42ce3faa05a36 133749 netkit-telnet_0.17.orig.tar.gz
+ db744ae7670fd74c2e59461f8dfbdab2 20569 netkit-telnet_0.17-14.diff.gz
+
+-----BEGIN PGP SIGNATURE-----
+Version: 2.6.3ia
+Charset: noconv
+
+iQCVAwUBO3WsSofMnsf5AzQhAQHEUwP/VRhkHF/UGnQuIs+mrwX3rUTMZm1Cca1e
+LEM76qyNNdaHWl+150onqjouiOr0J5JKw+GD8+aPIClu7MhO1cyiJ05rbW+bK9WB
+Pb08HRYbrgfFtgV7AcxTakGaO4rX5TvIv78YeIUfgIIPOXZujthF12xBNSkJ2OTr
+UMANDZanXhc=
+=yuuq
+-----END PGP SIGNATURE-----
diff --git a/exploits/7350855-netkit/netkit-telnet_0.17.orig.tar.gz b/exploits/7350855-netkit/netkit-telnet_0.17.orig.tar.gz
new file mode 100644
index 0000000..5e7284a
--- /dev/null
+++ b/exploits/7350855-netkit/netkit-telnet_0.17.orig.tar.gz
diff --git a/exploits/7350855-netkit/telnetd-0.16.tgz b/exploits/7350855-netkit/telnetd-0.16.tgz
new file mode 100644
index 0000000..53c4909
--- /dev/null
+++ b/exploits/7350855-netkit/telnetd-0.16.tgz
diff --git a/exploits/7350855-netkit/telnetd-potato-0.16-4-bin/usr/lib/telnetd/login b/exploits/7350855-netkit/telnetd-potato-0.16-4-bin/usr/lib/telnetd/login
new file mode 100644
index 0000000..deb821b
--- /dev/null
+++ b/exploits/7350855-netkit/telnetd-potato-0.16-4-bin/usr/lib/telnetd/login
diff --git a/exploits/7350855-netkit/telnetd-potato-0.16-4-bin/usr/share/doc/telnetd/changelog.Debian.gz b/exploits/7350855-netkit/telnetd-potato-0.16-4-bin/usr/share/doc/telnetd/changelog.Debian.gz
new file mode 100644
index 0000000..c8f1138
--- /dev/null
+++ b/exploits/7350855-netkit/telnetd-potato-0.16-4-bin/usr/share/doc/telnetd/changelog.Debian.gz
diff --git a/exploits/7350855-netkit/telnetd-potato-0.16-4-bin/usr/share/doc/telnetd/changelog.gz b/exploits/7350855-netkit/telnetd-potato-0.16-4-bin/usr/share/doc/telnetd/changelog.gz
new file mode 100644
index 0000000..d064fe7
--- /dev/null
+++ b/exploits/7350855-netkit/telnetd-potato-0.16-4-bin/usr/share/doc/telnetd/changelog.gz
diff --git a/exploits/7350855-netkit/telnetd-potato-0.16-4-bin/usr/share/doc/telnetd/copyright b/exploits/7350855-netkit/telnetd-potato-0.16-4-bin/usr/share/doc/telnetd/copyright
new file mode 100644
index 0000000..94881eb
--- /dev/null
+++ b/exploits/7350855-netkit/telnetd-potato-0.16-4-bin/usr/share/doc/telnetd/copyright
@@ -0,0 +1,18 @@
+This package was split from netstd by Herbert Xu herbert@debian.org on
+Mon, 28 Sep 1998 16:50:43 +1000.
+
+netstd was created by Peter Tobias tobias@et-inf.fho-emden.de on
+Wed, 20 Jul 1994 17:23:21 +0200.
+
+It was downloaded from ftp://ftp.uk.linux.org/pub/linux/Networking/telnet+ftp/.
+
+Copyright:
+
+Copyright (c) 1988, 1993 The Regents of the University of California.
+Copyright (c) 1995 David A. Holland
+Copyright (c) 1994 Peter Tobias (issue.net(5))
+Copyright (c) 1983, 1995 Eric P. Allman (setproctitle.[ch])
+
+The license can be found at /usr/doc/copyright/BSD.
+
+$Id: copyright,v 1.2 2000/03/08 01:14:59 herbert Exp $
diff --git a/exploits/7350855-netkit/telnetd-potato-0.16-4-bin/usr/share/man/man5/issue.net.5.gz b/exploits/7350855-netkit/telnetd-potato-0.16-4-bin/usr/share/man/man5/issue.net.5.gz
new file mode 100644
index 0000000..ffcbe91
--- /dev/null
+++ b/exploits/7350855-netkit/telnetd-potato-0.16-4-bin/usr/share/man/man5/issue.net.5.gz
diff --git a/exploits/7350855-netkit/telnetd-potato-0.16-4-bin/usr/share/man/man8/in.telnetd.8.gz b/exploits/7350855-netkit/telnetd-potato-0.16-4-bin/usr/share/man/man8/in.telnetd.8.gz
new file mode 100644
index 0000000..42dec03
--- /dev/null
+++ b/exploits/7350855-netkit/telnetd-potato-0.16-4-bin/usr/share/man/man8/in.telnetd.8.gz
diff --git a/exploits/7350855-netkit/telnetd-potato-0.16-4-bin/usr/share/man/man8/telnetd.8.gz b/exploits/7350855-netkit/telnetd-potato-0.16-4-bin/usr/share/man/man8/telnetd.8.gz
new file mode 120000
index 0000000..c433e1e
--- /dev/null
+++ b/exploits/7350855-netkit/telnetd-potato-0.16-4-bin/usr/share/man/man8/telnetd.8.gz
@@ -0,0 +1 @@
+in.telnetd.8.gz
\ No newline at end of file
diff --git a/exploits/7350855-netkit/telnetd_0.16-4potato.1.deb b/exploits/7350855-netkit/telnetd_0.16-4potato.1.deb
new file mode 100644
index 0000000..2798ed0
--- /dev/null
+++ b/exploits/7350855-netkit/telnetd_0.16-4potato.1.deb
diff --git a/exploits/7350855-netkit/telnetd_0.17-13_i386.deb b/exploits/7350855-netkit/telnetd_0.17-13_i386.deb
new file mode 100644
index 0000000..195cbaa
--- /dev/null
+++ b/exploits/7350855-netkit/telnetd_0.17-13_i386.deb