Author: k0shl. If you reprint this, please credit the source: http://whereisk0shl.top
CVE-2017-7269 is a stack overflow vulnerability in IIS 6.0. When IIS 6.0 handles the PROPFIND command, the length of the request URL is not effectively checked, so the memcpy performed while building the virtual path overflows a stack buffer. The vulnerability can lead to remote code execution.
There is currently an exploit on GitHub that works reliably against Windows Server 2003 R2. Its payload pops the calculator, and its shellcode uses the alphanumeric ("alpha") shellcode technique. This is necessary because the URL is stored in memory as wide (two-byte) characters and the stored form contains bad characters, so the shellcode cannot simply be executed as written: an alphanumeric shellcode is first written to memory in ASCII form as wide characters, and a small decoder then decodes and executes the real code.
GitHub address: https://github.com/edwardz246003/IIS_exploit
The principle of this vulnerability is actually very simple, but its exploitation method is very interesting. When I started debugging stack overflows and exploits, most of them completed the attack by overwriting a return address or overwriting the SEH record; not until I saw this exploit did I feel such artistry. But this vulnerability also has its limitations: for example, there seems to be no way to deal with ASLR, so exploiting it on higher versions of Windows Server seems very difficult. Windows Server 2003 R2 has no ASLR protection.
In this article I will first briefly describe how the exploit is used; then I will analyze the cause of the vulnerability together with you; then I will describe the exploit in detail; and finally I will briefly examine the exploit's ROP chain and shellcode.
I'm a rookie, so if there are mistakes, I hope you will correct me. Thanks for reading!
Setting up the vulnerable environment is very simple. My environment is Windows Server 2003 R2 32-bit English Enterprise Edition. After installation you need to configure IIS 6.0: when you first log in to Windows, choose to configure the server and install the IIS 6.0 service. Then open the IIS 6.0 Manager; under Web Service Extensions there is a WebDAV option, which is prohibited by default; select it on the left and choose Allow to turn WebDAV on. Next, create a virtual directory under the default web site in IIS Manager (this step doesn't matter). Then run services.msc and make sure the WebClient service is started. That completes my configuration.
Triggering the vulnerability is also simple: just run python exp.py locally. To observe the process, I modified the exploit to target a remote host and captured the traffic with Wireshark, so we can see the interaction with the target machine.
![Wireshark capture of the PROPFIND request sent to the target](/Article/UploadPic/2017-4/20174111131240.png)
You can see that the attacking host sends a PROPFIND packet to the target; PROPFIND is one of the instructions handled by WebDAV. The packet contains our attack data: an If: header whose <> tokens hold two extra-long HTTP URLs, with a Lock-Token between the two URLs.
Then we can see calc running on the target. The process is created by the w3wp process, and its user is NETWORK SERVICE.
![calc.exe started on the target as a child of w3wp.exe under NETWORK SERVICE](/Article/UploadPic/2017-4/20174111132235.png)
At first I thought that calc ran in the background because of the SW_HIDE parameter, but later I found out it was because the WebDAV service process itself has no window, so even when SW_SHOWNORMAL is specified, calc still starts in the background.
In fact, the later <http://...> URL is not needed to trigger the vulnerability: a single If: <...> token is enough. The reason for adding the second <> URL and the Lock-Token is that the author wanted to use the first and second HTTP URLs together to build an exquisite exploit and land the final blow inside the If: header.
I tried removing the second <> request, and it still crashed the IIS service.
![IIS service crash with the second If: URL removed](/Article/UploadPic/2017-4/20174111132202.png)
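As an added example (not from the original post and not from the GitHub exploit), the following Python script flags PROPFIND requests whose request-line URL or If:-header resource URLs are abnormally long, which is the shape of the traffic in the capture above. The two sample requests and the 255-character threshold are constructed assumptions for illustration; the script also reports each URL's UTF-16 byte length because, as noted above, IIS keeps the URL in memory as wide characters.

```python
import re
from typing import Dict, List, Tuple

# Assumption: legitimate virtual paths on a WebDAV share stay far below this
# many characters. The threshold is illustrative, not a value from the analysis.
MAX_URL_CHARS = 255

# Constructed sample requests (not captured traffic).
BENIGN_REQUEST = (
    "PROPFIND /docs/ HTTP/1.1\r\n"
    "Host: localhost\r\n"
    "Depth: 0\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

SUSPICIOUS_REQUEST = (
    "PROPFIND /" + "b" * 300 + " HTTP/1.1\r\n"
    + "Host: localhost\r\n"
    + "If: <http://localhost/" + "c" * 400 + "> "
    + "(<locktoken:constructed-token-0001>) "
    + "<http://localhost/" + "d" * 350 + ">\r\n"
    + "Content-Length: 0\r\n"
    + "\r\n"
)

# Resource URLs inside an If: header are written as <http://host/path>;
# lock tokens use a different scheme and are deliberately not matched.
IF_URL_RE = re.compile(r"<(https?://[^>]*)>", re.IGNORECASE)


def parse_request(raw: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a raw HTTP request head into (method, target, headers).

    Header names are lower-cased so lookups are case-insensitive.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, target, headers


def inspect_propfind(raw: str, max_chars: int = MAX_URL_CHARS) -> List[Dict[str, object]]:
    """Return one finding per over-long URL in a PROPFIND request.

    Both the request target and every <http://...> resource in the If: header
    are checked; non-PROPFIND requests are ignored.
    """
    method, target, headers = parse_request(raw)
    if method.upper() != "PROPFIND":
        return []
    urls = [target] + IF_URL_RE.findall(headers.get("if", ""))
    findings: List[Dict[str, object]] = []
    for url in urls:
        if len(url) > max_chars:
            findings.append({
                "url_prefix": url[:32],
                "chars": len(url),
                # The server stores the URL as wide characters, so the
                # in-memory footprint is twice the character count.
                "utf16_bytes": len(url.encode("utf-16-le")),
            })
    return findings


if __name__ == "__main__":
    for name, req in (("benign", BENIGN_REQUEST), ("suspicious", SUSPICIOUS_REQUEST)):
        print(name, inspect_propfind(req))
```

Running the script reports no findings for the benign request and three for the constructed one (the 301-character target and the 417- and 367-character If: URLs). The same logic can be applied to IIS W3C log lines by feeding the cs-uri-stem field as the target, although the If: header is not logged there.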
The vulnerability lies in the ScStoragePathFromUrl function of the WebDAV service DLL httpext.dll. For convenience we trace and analyze this function directly here; in the next section I will look at the whole subtle exploitation process. I will first analyze the entire process dynamically, and then show the pseudo-code of the vulnerable function after the patch.
In ScStoragePathFromUrl, ScStripAndCheckHttpPrefix is called first. This function mainly obtains and checks the URL prefix (the http:// header) and the host name.
```
0:009> p   // call CchUrlPrefixW to get the URL prefix information
eax=67113bc8 ebx=00fffbe8 ecx=00605740 edx=00fff4f8 esi=0060c648 edi=00605740
eip=671335f3 esp=00fff4b4 ebp=00fff4d0 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
httpext!ScStripAndCheckHttpPrefix+0x1e:
671335f3 ff5024          call    dword ptr [eax+24h]  ds:0023:67113bec={httpext!CEcbBaseImpl<IEcb>::CchUrlPrefixW (6712c72a)}
0:009> p
eax=00000007 ebx=00fffbe8 ecx=00fff4cc edx=00fff4f8 esi=0060c648 edi=00605740
eip=671335f6 esp=00fff4b8 ebp=00fff4d0 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
httpext!ScStripAndCheckHttpPrefix+0x21:
671335f6 8bd8            mov     ebx,eax
0:009> dc esi l6   // esi holds the prefix information and the server name; "localhost" is fetched later
0060c648  00740068 00700074 002f003a 006c002f  h.t.t.p.:././.l.
0060c658  0063006f 006c0061                    o.c.a.l.
```
After the complete HTTP prefix and host name have been checked, wcslen is called to get the length of the current HTTP URL.
```
0:009> p
eax=0060e7d0 ebx=0060b508 ecx=006058a8 edx=0060e7d0 esi=00605740 edi=00000000
eip=67126ce8 esp=00fff330 ebp=00fff798 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
httpext!ScStoragePathFromUrl+0x6d:
67126ce8 50              push    eax
0:009> p
eax=0060e7d0 ebx=0060b508 ecx=006058a8 edx=0060e7d0 esi=00605740 edi=00000000
eip=67126ce9 esp=00fff32c ebp=00fff798 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
httpext!ScStoragePathFromUrl+0x6e:
67126ce9 ff1550121167    call    dword ptr [httpext!_imp__wcslen (67111250)]  ds:0023:67111250={msvcrt!wcslen (77bd8ef2)}
0:009> r eax
eax=0060e7d0
0:009> dc eax
0060e7d0  0062002f 00620062 00620062 00620062  /.b.b.b.b.b.b.b.
0060e7e0  61757948 6f674f43 48456b6f 67753646  HyuaCOgookEHF6ug
0060e7f0  38714433 5a625765 56615435 6a536952  3Dq8eWbZ5TaVRiSj
0060e800  384e5157 63555948 43644971 34686472  WQN8HYUcqIdCrdh4
0060e810  71794758 6b55336b 504f6d48 34717a46  XGyqk3UkHmOPFzq4
0060e820  74436f54 6f6f5956 34577341 7a726168  ToCtVYooAsW4harz
0060e830  4d493745 5448574e 367a4c38 62663572  E7IMNWHT8Lz6r5fb
0060e840  486d6e43 61773548 61744d5a 43654133  CnmHH5waZMta3AeC
0:009> p
eax=000002fd ebx=0060b508 ecx=00600000 edx=0060e7d0 esi=00605740 edi=00000000
eip=67126cef esp=00fff32c ebp=00fff798 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
httpext!ScStoragePathFromUrl+0x74:
67126cef 59              pop     ecx
0:009> r eax
eax=000002fd
```