Talent sets the upper bound of what you can reach; effort sets the lower bound. Most people work so little that talent never even comes into play.
This article records the IIS 6.0 WebDAV remote code execution vulnerability: background, detection and exploitation. Most of the content is collected from the Internet and the notes are kept here.
Disclaimer: the tools in this article are for personal testing and research only. Delete them within 24 hours of downloading and do not use them for commercial or illegal purposes.
Vulnerability ID: CVE-2017-7269
Discovered by: Zhiniang Peng and Chen Wu (Information Security Laboratory, School of Computer Science and Engineering, South China University of Technology)
Vulnerability summary: IIS 6.0 with the WebDAV service enabled is affected by a buffer overflow that leads to remote code execution. The public exploit currently works reliably against Windows Server 2003 R2. The vulnerability was first exploited in the wild in July and August 2016.
Vulnerability type: Buffer overflow
Vulnerability level: High risk
Affected product: Microsoft Windows Server 2003 R2 running IIS 6.0 with the WebDAV service enabled (verified; other versions have not been verified)
Trigger function: ScStoragePathFromUrl (in the WebDAV extension httpext.dll)
Additional information: ScStoragePathFromUrl is called twice while the request is processed
Vulnerability details: A buffer overflow exists in the ScStoragePathFromUrl function of the WebDAV service in IIS 6.0 on Windows Server 2003. An attacker can execute arbitrary code by sending a PROPFIND request with an overlong If: header whose value begins with "<http://".
Trigger conditions:
- WebDAV is enabled (specifically the PROPFIND method; a benign PROPFIND probe returning 207 Multi-Status or 200 shows it is on)
- Windows Server 2003 R2
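The two checks a practitioner wants around this bug, as an added example that is not code from the original post or from the CVE-2017-7269 exploit: a harmless PROPFIND probe with a parser for the 207/200 reply (the WebDAV pre-check listed above), and a detection rule for the malformed request shape the advisory describes, a PROPFIND whose If: header is overlong and starts with "<http://". The hostname target.example, the 256-byte threshold and all HTTP messages are assumptions constructed for illustration; the long If: value is plain filler, not the real exploit payload.

```python
"""Added example, not code from the original post or from the CVE-2017-7269
exploit: a benign WebDAV pre-check plus a traffic rule for the malformed
PROPFIND shape the advisory describes (an overlong If: header that starts
with "<http://").  All messages below are constructed; the long If: value is
plain filler, not the real exploit payload.
"""
import socket

IF_HEADER_THRESHOLD = 256  # assumed cut-off: legitimate If: headers are a few dozen bytes


def _parse_head(raw: bytes):
    """Split an HTTP message head into its first line and a lower-cased header dict."""
    head = raw.partition(b"\r\n\r\n")[0].decode("latin-1", "replace")
    first, *rest = head.split("\r\n")
    headers = {}
    for line in rest:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return first, headers


def build_propfind_probe(host: str, path: str = "/") -> bytes:
    """Harmless PROPFIND with Depth: 0, used only to learn whether WebDAV answers."""
    return (
        f"PROPFIND {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Depth: 0\r\n"
        "Content-Length: 0\r\n"
        "Connection: close\r\n\r\n"
    ).encode()


def response_status(raw_response: bytes) -> int:
    """Numeric status code from the status line of a raw HTTP reply."""
    first, _ = _parse_head(raw_response)
    return int(first.split(" ", 2)[1])


def webdav_enabled(raw_response: bytes) -> bool:
    """207 Multi-Status (or 200) to the probe means PROPFIND is being served."""
    return response_status(raw_response) in (200, 207)


def is_iis6(raw_response: bytes) -> bool:
    """Server: banner check for the affected IIS version."""
    _, headers = _parse_head(raw_response)
    return headers.get("server", "").startswith("Microsoft-IIS/6.0")


def probe(host: str, port: int = 80, timeout: float = 5.0) -> bytes:
    """Send the probe over the network and return the raw reply (not exercised offline)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_propfind_probe(host))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


def looks_like_cve_2017_7269(raw_request: bytes) -> bool:
    """Detection rule: PROPFIND whose If: value begins with '<http://' and is overlong."""
    first, headers = _parse_head(raw_request)
    method = first.split(" ", 1)[0].upper()
    if method != "PROPFIND":
        return False
    if_value = headers.get("if", "")
    return if_value.lower().startswith("<http://") and len(if_value) > IF_HEADER_THRESHOLD


# Constructed sample traffic (not captured from any real host).
SAMPLE_207 = (b"HTTP/1.1 207 Multi-Status\r\nServer: Microsoft-IIS/6.0\r\n"
              b"Content-Type: text/xml\r\nContent-Length: 0\r\n\r\n")
SAMPLE_404 = b"HTTP/1.1 404 Not Found\r\nServer: Microsoft-IIS/6.0\r\nContent-Length: 0\r\n\r\n"
BENIGN_PROPFIND = build_propfind_probe("target.example")  # hostname is a placeholder
SUSPECT_PROPFIND = (b"PROPFIND / HTTP/1.1\r\nHost: target.example\r\n"
                    b"If: <http://target.example/" + b"A" * 400 + b">\r\n"
                    b"Content-Length: 0\r\n\r\n")

if __name__ == "__main__":
    print("probe reply 207 -> WebDAV enabled:", webdav_enabled(SAMPLE_207))
    print("IIS 6.0 banner:", is_iis6(SAMPLE_207))
    print("benign PROPFIND flagged:", looks_like_cve_2017_7269(BENIGN_PROPFIND))
    print("overlong If: PROPFIND flagged:", looks_like_cve_2017_7269(SUSPECT_PROPFIND))
```

Against a live host, probe("host") returns the raw reply to feed into webdav_enabled and is_iis6; a 207 from an IIS/6.0 banner is the combination this post treats as exploitable. The detection rule only keys on the request shape (method, If: prefix, length), so it also catches attempts that use a different payload than the public PoC.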
In the PoC script, change the IP address in sock.connect(('127.0.0.1', 80)) to the IP of the target website and run the .py file; on success a calc process (the calculator) is spawned on the target server.
Create a new file, for example cve-2017-7269.rb, and copy the module code into it (or download the file directly).
Locate the Metasploit installation directory and place cve-2017-7269.rb under opt/metasploit/apps/pro/msf3/modules/exploits/windows/iis/. (I tried it on a Mac, where the directory is different; the file is placed in this directory for the convenience of classified management.) A module can also be dropped under ~/.msf4/modules/exploits/windows/iis/, which msfconsole loads automatically.
Run msfconsole and load the module with use exploit/windows/iis/cve-2017-7269.
Running the exploit starts a listener on local port 4444; the vulnerable target server connects back to it and a meterpreter session is returned (provided the target server can reach the attacking machine on that port).
From meterpreter, run shell to get a cmd shell on the target.
The module loads the reverse_tcp payload by default, which makes the target server connect back to a local port. The payload can also be changed to bind_tcp, which makes the target server listen on a port and the local machine connect to it to obtain the shell.
Test again after the change.
Run the exploit: the target server now listens on port 4444, the local machine connects to port 4444 on the target, and a meterpreter session is returned (provided the local machine can reach the target server on that port).
Typing set with no arguments in the msf module lists every item that can be modified; it shows more than show options does.
Mitigation:
- Disable the WebDAV service (the WebDAV web service extension) on IIS 6.0 if it is not needed
- Deploy protective devices such as a WAF or IPS in front of the server; note that Windows Server 2003 has been out of extended support since July 2015, so migrating off it is the durable fix