CVE-2017-7269: the most complete exploitation walkthrough, from remote exploitation to local privilege escalation to common failure reasons

Posted by millikan at 2020-03-26

The IIS 6.0 (CVE-2017-7269) exploitation articles found online either cover only remote exploitation without local privilege escalation, or cover local privilege escalation but say nothing about the common reasons for failure. This article is therefore written for readers with a little Windows command-line, Kali and MSF background.

Attacking system: Kali 2019; target system: Windows Server 2003; prerequisite: WebDAV is enabled in IIS.

2: Search online and find that dmchell's exploit script is available.

1: Restart MSF (if the script is not found, try `reload_all` and restart MSF again).

2: There is a pitfall: the file is named cve-2017-7269.rb, which makes MSF fail while loading. Because msfconsole does not accept the "-" character in module names, rename it to cve_2017_7269.rb.

3: Restart MSF; the module now loads successfully.

Drop into the shell and run `whoami`: the account is NETWORK SERVICE, so privilege escalation is needed.

0: After exploiting the vulnerability, uploading a file directly prompts "access denied", so enter the system shell and create the directory TMP on the C drive.

1: Generate the payload with msfvenom.

2: Open a second msfconsole and start a listener.

3: Go back to the first meterpreter session and upload the privilege-escalation program and the payload to C:\TMP on the target (note that in meterpreter a backslash in a path must be written as two backslashes).

4: Change directory to C:\TMP and run the payload through the privilege-escalation tool.

5: The listener receives the meterpreter session (one point to note during escalation: running kb952004-escalate.exe and then backgrounding to the meterpreter may cause the meterpreter session to time out and fail), but the session then stays stuck at this point.

6: After testing, we found that pr.exe has to be renamed before the reverse shell comes back successfully.

0: Port and host-name binding problems. In a real environment the host name and port bound by IIS may not be the defaults, so the two URLs in the If header of the exploit must match the site binding, otherwise only a 502 comes back. "Match" here means the port in the If-header URLs must equal the port of the site binding, while the host name in the If header only needs to agree with the Host header. (My understanding is that, behind a CDN, the host name to use in the exploit is not the one in the Host header.)
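As an added detection-side example (not from the original post): the request shape this CVE abuses is a WebDAV PROPFIND with an oversized If header, so a heuristic that flags such requests is a reasonable first indicator. The length threshold and the sample requests below are constructed assumptions, not captured traffic.

```python
# Heuristic detector for CVE-2017-7269-style PROPFIND requests.
# The overflow is carried in the WebDAV "If" header, so an If header far
# longer than any legitimate lock-token list is a strong signal.
IF_HEADER_LIMIT = 256  # assumption: legitimate If headers are much shorter


def parse_request(raw: bytes) -> tuple[str, dict[str, str]]:
    """Split a raw HTTP/1.1 request head into (method, lower-cased headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method = lines[0].split(" ", 1)[0].upper()
    headers: dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, headers


def is_suspicious_propfind(raw: bytes, limit: int = IF_HEADER_LIMIT) -> bool:
    """True when a PROPFIND carries an abnormally long or non-ASCII If header."""
    method, headers = parse_request(raw)
    if method != "PROPFIND":
        return False
    if_hdr = headers.get("if", "")
    if len(if_hdr) > limit:
        return True
    # An If header should only contain URIs and lock tokens (plain ASCII).
    return any(ord(c) > 0x7F for c in if_hdr)


# Constructed sample requests (not captured from any real host).
BENIGN = (b"PROPFIND /docs/ HTTP/1.1\r\nHost: intranet.example\r\nDepth: 1\r\n"
          b"If: <http://intranet.example/docs/> (<opaquelocktoken:abc>)\r\n\r\n")
SUSPECT = (b"PROPFIND / HTTP/1.1\r\nHost: intranet.example\r\n"
           b"If: <http://intranet.example/" + b"A" * 400 + b">\r\n\r\n")
NOT_DAV = b"GET / HTTP/1.1\r\nHost: intranet.example\r\nIf: " + b"A" * 400 + b"\r\n\r\n"

if __name__ == "__main__":
    for label, req in (("benign", BENIGN), ("suspect", SUSPECT), ("get", NOT_DAV)):
        print(label, is_suspicious_propfind(req))
```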

2: Running the shellcode more than once. Repeated execution of the shellcode overwrites a lot of code that should not be overwritten, so even a correct shellcode run returns 500. The message is "incorrect parameter", or nothing at all.

3: Some time after a successful run of the exploit (roughly 10 to 20 minutes, whether or not the site is accessed; time spent suspended in WinDbg does not count), the exploit will never succeed again against this site and 400 is returned instead.

4: Windows Server 2003 x64. This is rare, and it cannot be attacked directly with the POCs found online.

0: Because of the failure reasons above, dmchell's exploit could not be made to work even after the corresponding adjustments. zcgonvh's exploit, however, works once the corresponding adjustments are made.

1: Change the default website directory: right-click the website, open Properties and change the website settings.

4: Using zcgonvh's exploit, set the parameters and exploit the vulnerability; the meterpreter session is obtained successfully.