a few days ago a bugtraq post was made about an iis dos.

the post was almost completely ignored by everybody, and today we saw a post on sans isc about a vague vulnerability in iis 5.1 (xp) after a post about it on securiteam:
http://www.securiteam.com/windowsntfocus/6e00e2keus.html

now, the funny thing about this exploit is that it will only return an exception on the 4th attempt.

every time, only on the 4th attempt.

this is the best anti-exploitation effort i have ever seen, it is either:
1. a way to avoid exploits.. which is simply unbelievable. ms has gone nuts. this is hillarious. and if do it, why stop at 4 times? make it go to infinity… uh huh.
2. a way to avoid bugs! hey we are all kind of annoyed from qa and fixing bugs.. if it’s important enough to show up 4 times, let us know and crash the program, will ya?
3. a complete fluke! some bored reverser will let us know why iis does this, no doubt.

still, let us go to the conspiratorial side for a minute:
this is why iis vulnerabilities are hard to come by these days!! microsoft made sure you will only get an exception after 4 times!

so much for all the fuzzers that have been hammering iss all these years, eh? :p

try the exploit, it’s just one url. enter it 4 times, follow it in a debugger and be amazed!

the original text can be found at:
http://ingehenriksen.blogspot.com/2005/12/microsoft-iis-remote-dos-dll-url.html

gadi evron,
ge@beyondsecurity.com.