Budabot 4.0 Denial Of Service

`<!--  
# Exploit Title: Budabot !calc Denial of Service  
# Date: 15-10-2018  
# Exploit Author: Ryan Delaney  
# Author Contact: [email protected]  
# Author LinkedIn: https://www.linkedin.com/in/infosecrd/  
# Vendor Homepage: http://budabot.com/  
# Software Link: https://github.com/Budabot/Budabot/releases  
# Version: 0.6 -> 4.0  
# Tested on: 4.0  
# CVE: CVE-2018-19290  
  
1. Description  
  
In modules/HELPBOT_MODULE in Budabot 0.6 through 4.0, lax syntax validation  
allows remote attackers to perform a command injection attack against the  
PHP daemon with a crafted command, resulting in a denial of service or  
possibly unspecified other impact. In versions before 3.0,  
modules/HELPBOT_MODULE/calc.php has the vulnerable code; in 3.0 and above,  
modules/HELPBOT_MODULE/HelpbotController.class.php has the vulnerable code.  
  
2. Proof of Concept  
  
Start the Budabot listener, set valid configuration options, and wait for  
the chatbot to announce it's ready in-game.  
Send the chatbot a private message containing "!calc 5 x 5", and the  
Budabot listener will terminate.  
  
3. Solution  
  
Edit the relevant file to remove "x" and " " (space) from the strspn() mask.  
-->  
  
  
`