id: CVE-2017-7269

info:
  name: Windows Server 2003 & IIS 6.0 RCE
  author: thomas_from_offensity,geeknik
  severity: critical
  description: Buffer overflow in the ScStoragePathFromUrl function in the WebDAV service in Internet Information Services (IIS) 6.0 in Microsoft Windows Server 2003 R2 allows remote attackers to execute arbitrary code via a long header beginning with "If <http://" in a PROPFIND request.
  reference:
    - https://blog.0patch.com/2017/03/0patching-immortal-cve-2017-7269.html
    - https://github.com/danigargu/explodingcan/blob/master/explodingcan.py
  tags: cve,cve2017,rce

requests:
  - method: OPTIONS
    path:
      - "{{BaseURL}}"

    matchers-condition: and
    matchers:
      - type: status
        status:
          - 200

      - type: word
        words:
          - "IIS/6.0"
        part: header

      - type: dsl
        dsl:
          - regex("<DAV:sql>", dasl)    # lowercase header name: DASL
          - regex("[\d]+(,\s+[\d]+)?", dav)    # lowercase header name: DAV
          - regex(".*?PROPFIND", public)    # lowercase header name: Public
          - regex(".*?PROPFIND", allow)    # lowercase header name: Allow
        condition: or
        part: header