4th time’s the charm? IIS DoS and how it doesn’t work

a few days ago a bugtraq post was made about an iis dos.

the post was almost completely ignored by everybody, and today we saw a post on sans isc about a vague vulnerability in iis 5.1 (xp) after a post about it on securiteam:

now, the funny thing about this exploit is that it will only return an exception on the 4th attempt.

every time, only on the 4th attempt.

this is the best anti-exploitation effort i have ever seen, it is either:
1. a way to avoid exploits.. which is simply unbelievable. ms has gone nuts. this is hilarious. and if they do it, why stop at 4 times? make it go to infinity… uh huh.
2. a way to avoid bugs! hey we are all kind of annoyed by qa and fixing bugs.. if it’s important enough to show up 4 times, let us know and crash the program, will ya?
3. a complete fluke! some bored reverser will let us know why iis does this, no doubt.

still, let us go to the conspiratorial side for a minute:
this is why iis vulnerabilities are hard to come by these days!! microsoft made sure you will only get an exception after 4 times!

so much for all the fuzzers that have been hammering iis all these years, eh? :p

try the exploit, it’s just one url. enter it 4 times, follow it in a debugger and be amazed!

the original text can be found at:

gadi evron,

  • http://blogs.securiteam.com/index.php/archives/author/mattmurphy/ Matthew Murphy


    the explanation i can think of for the requirement that four requests be submitted is some kind of memory corruption vulnerability. perhaps this is some kind of use-after-free condition or something of that nature that is causing heap corruption? just a thought. i’m not bored enough to hack iis 5.1. the six people who use it don’t have anything critical to protect.

  • sunshine

    Don’t ruin it for me… this is an evil evil evil stupid protection mechanism. Got it?

    BTW: I know where you live!! :)

    And I really don’t see who would run IIS on XP…

  • http://www.BeyondSecurity.com noam

    Without doing too much disassembling work, one thing that I did notice was a counter counting from 3 to 0 (decrementing each time the attack is conducted).

    When the counter reaches 0, the code jumps to a different section, i.e. an exception occurs…

    This could be some kind of SEH (Software Exception Handler) type of behavior, I am not sure, someone with more Ninja-Skills of debugging/analyzing might have better insight into why it’s counting from 3 to 0.