
But '0' is not ASCII NUL (0x00), it's ASCII 0 (0x30).


Additionally there are a bunch of other things very wrong with the exploit code.

If the connect() fails, it will use file descriptor 1 which is usually stdout and write the request to it and try to read from it.

And there is a problem with strstr() not getting a null-terminated string (if the stack memory for recvBuff wasn't automatically zeroed out, which some compilers can do).

Why do these people bother writing the exploit in C? A curl one-liner is good enough.

Also the check for 'The request has an invalid header name' seems dubious to me because a proxy in front would likely return a different error (the header name is not invalid but rather the range is not satisfiable).
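
The two C bugs raised in the comments above (carrying on after a failed connect(), and calling strstr() on a receive buffer that was never NUL-terminated), handled correctly in a generic socket client. This is an added example, not code from the thread or from the program it discusses; `connect_checked`, `reply_contains` and the demo helpers are hypothetical names, and the socket path and reply strings are constructed.

```c
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/un.h>

/* Returns a connected fd, or -1. A failed connect() never yields a usable fd,
 * so the caller cannot go on to write the request to some other descriptor. */
int connect_checked(const struct sockaddr *sa, socklen_t len)
{
    int fd = socket(sa->sa_family, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    if (connect(fd, sa, len) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Returns 1 if needle occurs in the reply, 0 if not, -1 on a bad fd or read error. */
int reply_contains(int fd, const char *needle)
{
    char buf[256];
    ssize_t n;
    n = recv(fd, buf, sizeof buf - 1, 0); /* keep one byte for the NUL */
    if (n < 0)
        return -1;
    buf[n] = '\0'; /* recv() does not terminate the data; strstr() requires it */
    return strstr(buf, needle) != NULL;
}

/* Constructed demo: a socketpair stands in for the server connection. */
int demo_reply(const char *reply, const char *needle)
{
    int sv[2], r;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return -1;
    send(sv[1], reply, strlen(reply), 0);
    close(sv[1]);
    r = reply_contains(sv[0], needle);
    close(sv[0]);
    return r;
}

/* Constructed demo: connecting to a socket path that does not exist gives -1. */
int demo_failed_connect(void)
{
    struct sockaddr_un sa = { .sun_family = AF_UNIX, .sun_path = "/nonexistent/example.sock" };
    return connect_checked((const struct sockaddr *)&sa, sizeof sa);
}
```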



