module
7-Technologies IGSS 9 IGSSdataServer .RMS Rename Buffer Overflow
Disclosed | Created |
---|---|
Mar 24, 2011 | May 30, 2018 |
Disclosed
Mar 24, 2011
Created
May 30, 2018
Description
This module exploits a vulnerability found on 7-Technologies IGSS 9. By supplying
a long string of data to the 'Rename' (0x02), 'Delete' (0x03), or 'Add' (0x04) command,
a buffer overflow condition occurs in IGSSdataServer.exe while handing an RMS report,
which results arbitrary code execution under the context of the user.
The attack is carried out in three stages. The first stage sends the final payload to
IGSSdataServer.exe, which will remain in memory. The second stage sends the Add command
so the process can find a valid ID for the Rename command. The last stage then triggers
the vulnerability with the Rename command, and uses an egghunter to search for the
shellcode that we sent in stage 1. The use of egghunter appears to be necessary due to
the small buffer size, which cannot even contain our ROP chain and the final payload.
a long string of data to the 'Rename' (0x02), 'Delete' (0x03), or 'Add' (0x04) command,
a buffer overflow condition occurs in IGSSdataServer.exe while handing an RMS report,
which results arbitrary code execution under the context of the user.
The attack is carried out in three stages. The first stage sends the final payload to
IGSSdataServer.exe, which will remain in memory. The second stage sends the Add command
so the process can find a valid ID for the Rename command. The last stage then triggers
the vulnerability with the Rename command, and uses an egghunter to search for the
shellcode that we sent in stage 1. The use of egghunter appears to be necessary due to
the small buffer size, which cannot even contain our ROP chain and the final payload.
Authors
Platform
Windows
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.