Rapid7 Vulnerability & Exploit Database

7-Technologies IGSS 9 IGSSdataServer .RMS Rename Buffer Overflow

Back to Search

7-Technologies IGSS 9 IGSSdataServer .RMS Rename Buffer Overflow

Disclosed
03/24/2011
Created
05/30/2018

Description

This module exploits a vulnerability found on 7-Technologies IGSS 9. By supplying a long string of data to the 'Rename' (0x02), 'Delete' (0x03), or 'Add' (0x04) command, a buffer overflow condition occurs in IGSSdataServer.exe while handing an RMS report, which results arbitrary code execution under the context of the user. The attack is carried out in three stages. The first stage sends the final payload to IGSSdataServer.exe, which will remain in memory. The second stage sends the Add command so the process can find a valid ID for the Rename command. The last stage then triggers the vulnerability with the Rename command, and uses an egghunter to search for the shellcode that we sent in stage 1. The use of egghunter appears to be necessary due to the small buffer size, which cannot even contain our ROP chain and the final payload.

Author(s)

  • Luigi Auriemma <aluigi@autistici.org>
  • sinn3r <sinn3r@metasploit.com>

Platform

Windows

Development

References

Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use exploit/windows/scada/igss9_igssdataserver_rename
msf exploit(igss9_igssdataserver_rename) > show targets
    ...targets...
msf exploit(igss9_igssdataserver_rename) > set TARGET < target-id >
msf exploit(igss9_igssdataserver_rename) > show options
    ...show and set options...
msf exploit(igss9_igssdataserver_rename) > exploit

Time is precious, so I don’t want to do something manually that I can automate. Leveraging the Metasploit Framework when automating any task keeps us from having to re-create the wheel as we can use the existing libraries and focus our efforts where it matters.

– Jim O’Gorman | President, Offensive Security

;