2021-02-24 18:11:44 +00:00
|
|
|
id: CVE-2017-7269
|
2021-02-24 13:29:23 +00:00
|
|
|
|
|
|
|
info:
|
|
|
|
name: CVE-2017-7269
|
|
|
|
author: thomas_from_offensity
|
|
|
|
severity: critical
|
|
|
|
description: RCE - Buffer overflow in ScStoragePathFromUrl function (WebDAV service - IIS 6.0) - Windows Server 2003 R2
|
|
|
|
|
|
|
|
# this was implemented based on the "check"-method in:
|
|
|
|
# https://github.com/danigargu/explodingcan/blob/master/explodingcan.py
|
|
|
|
|
|
|
|
requests:
|
|
|
|
- method: OPTIONS
|
|
|
|
path:
|
|
|
|
- "{{BaseURL}}"
|
|
|
|
matchers-condition: and
|
|
|
|
matchers:
|
|
|
|
- type: status
|
|
|
|
status:
|
|
|
|
- 200
|
|
|
|
- type: word
|
|
|
|
words:
|
|
|
|
- "IIS/6.0"
|
|
|
|
part: header
|
|
|
|
- type: dsl
|
|
|
|
dsl:
|
|
|
|
- regex("<DAV:sql>", dasl) # lowercase header name: DASL
|
|
|
|
- regex("[\d]+(,\s+[\d]+)?", dav) # lowercase header name: DAV
|
|
|
|
- regex(".*?PROPFIND", public) # lowercase header name: Public
|
|
|
|
- regex(".*?PROPFIND", allow) # lowercase header name: Allow
|
|
|
|
condition: or
|
|
|
|
part: header
|