CVE-2011-1566
Published 2011-04-05
Priority: P2 (72) · Severity: critical · CVSS 2.0 base score 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Exploit: available
EPSS: 66.98% (99.2nd percentile)
Directory traversal vulnerability in dc.exe 9.00.00.11059 and earlier in 7-Technologies Interactive Graphical SCADA System (IGSS) allows remote attackers to execute arbitrary programs via ..\ (dot dot backslash) sequences in opcodes (1) 0xa and (2) 0x17 to TCP port 12397.
Detection & IOCs (extracted from sources)
Bytes (Metasploit exploit packet header): 00000100 00000000 00000100 00000017 00000000 00000000 00000000 00000000 00000000 00000000 00000000
- Monitor TCP port 12397 (dc.exe) for inbound packets carrying opcode 0x17 (bytes 0x00000017 at offset 12) combined with directory traversal sequences (repeated ..\) in the payload body.
- Monitor TCP port 12397 for inbound packets carrying opcode 0x0A (bytes 0x0000000A at offset 12) with directory traversal sequences; both opcodes 0x0A and 0x17 are exploitable.
- Alert on dc.exe spawning child processes (e.g., cmd.exe, calc.exe) via CreateProcessA: exploitation causes dc.exe to run the attacker-supplied payload through CreateProcessA() in a new thread.
- Detect the Metasploit exploit packet structure: first 4-byte little-endian value 0x00000100, then 0x00000017 at offset 12, then the traversal string targeting windows\system32\cmd.exe.
- Monitor TCP port 12401 (IGSSdataServer.exe) for Write packets (opcode 0x0D), which may stage a malicious binary before execution is triggered via dc.exe on port 12397.
Notes:
- Payload space for the command injection via opcode 0x17 is limited to 153 bytes; attackers must stage or chain payloads to execute larger shellcode.
- The traversal path uses 12 levels of ..\ to reach the filesystem root; the exact depth varies with the IGSS installation path depth.
- The stack overflow via opcode 0x8 / command 0x4 on port 12401 (256-byte SQL buffer) has unclear exploitability for code execution and may only cause a crash.
No detection rules found.
Exploit-DB
Interactive Graphical SCADA System - Remote Command Injection (Metasploit)
exploitdb · 2013-10-22 · CVE-2011-1566
---
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

  include Msf::Exploit::Remote::Tcp

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Interactive Graphical SCADA System Remote Command Injection',
      'Description'    => %q{
          This module abuses a directory traversal flaw in Interactive
          Graphical SCADA System v9.00. In conjunction with the traversal
          flaw, if opcode 0x17 is sent to the dc.exe process, an attacker
          may be able to execute arbitrary system commands.
      },
      'Author'         =>
        [
          'Luigi Auriemma',
          'MC'
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2011-1566'],
          [ 'OSVDB', '72349'],
          [ 'URL', 'http://aluigi.org/adv/igss_8-adv.txt' ],
        ],
      'Platform'       => 'win',
      'Arch'           => ARCH_
Exploit-DB
7-Technologies IGSS 9.00.00.11059 - Multiple Vulnerabilities
exploitdb · 2011-03-22 · CVE-2011-1568
---
Sources:
http://aluigi.org/adv/igss_1-adv.txt
http://aluigi.org/adv/igss_2-adv.txt
http://aluigi.org/adv/igss_3-adv.txt
http://aluigi.org/adv/igss_4-adv.txt
http://aluigi.org/adv/igss_5-adv.txt
http://aluigi.org/adv/igss_6-adv.txt
http://aluigi.org/adv/igss_7-adv.txt
http://aluigi.org/adv/igss_8-adv.txt
Advisory Archive: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/17024-adv.tar.gz (igss_adv.tar.gz)
PoC Archive: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/17024-poc.tar.gz (igss_poc.tar.gz)
#######################################################################
Luigi Auriemma
Application: IGSS (Interactive Graphical SCADA System)
http://www.igss.com
Metasploit
Interactive Graphical SCADA System Remote Command Injection
This module abuses a directory traversal flaw in Interactive Graphical SCADA System v9.00. In conjunction with the traversal flaw, if opcode 0x17 is sent to the dc.exe process, an attacker may be able to execute arbitrary system commands.
Metasploit
7-Technologies IGSS 9 Data Server/Collector Packet Handling Vulnerabilities
This module exploits multiple vulnerabilities found in IGSS 9's Data Server and Data Collector services. The initial approach is to first transfer our binary with Write packets (opcode 0x0D) via port 12401 (igssdataserver.exe), and then send an EXE packet (opcode 0x0A) to port 12397 (dc.exe), which causes dc.exe to run that payload with a CreateProcessA() call in a new thread.
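The following is an added detection example, written for this page and not taken from the CVE entry, from Luigi Auriemma's advisory, or from either Metasploit module. It serves two passages: the Detection & IOCs list (opcode 0x0A/0x17 plus ..\ traversal on port 12397, Write opcode 0x0D on port 12401) and the Data Server/Collector module description above (stage a binary with 0x0D writes, then trigger it with a 0x0A EXE packet). Assumptions that the page does not confirm: packets are runs of little-endian 32-bit words, the opcode is the word at byte offset 12 on both ports, and the body starts after the 11-word (44-byte) header shown in the page's byte dump. The sample packets and the 192.0.2.x addresses are constructed; `build_packet`, `inspect_dc_packet` and `IgssChainDetector` are names chosen here.

```python
"""Detection helper for the IGSS dc.exe / IGSSdataServer.exe traffic described
for CVE-2011-1566.  Added example, not code from the CVE page, the advisory, or
the Metasploit modules.  Layout assumptions (not confirmed by the page): packets
are little-endian 32-bit words, the opcode is the word at offset 12 on both
ports, and the body follows the 11-word (44-byte) header from the byte dump.
"""
import re
import struct
from collections import defaultdict

DC_PORT = 12397           # dc.exe (Data Collector)
DATASERVER_PORT = 12401   # IGSSdataServer.exe
OPC_EXE = 0x0A            # "EXE" opcode handled by dc.exe
OPC_CMD = 0x17            # command-injection opcode handled by dc.exe
OPC_WRITE = 0x0D          # Write opcode handled by IGSSdataServer.exe
HEADER_LEN = 44           # assumption: 11 dwords, as in the page's byte dump
OPCODE_OFFSET = 12        # per the page: the opcode dword sits at offset 12

# Two or more consecutive "..\" sequences.  The exploit uses 12 levels, but the
# page notes the depth depends on the install path, so don't key on an exact count.
TRAVERSAL_RE = re.compile(rb"(?:\.\.\\){2,}")


def build_packet(opcode, body=b""):
    """Constructed packet in the layout of the page's byte dump:
    0x100, 0, 0x100, <opcode>, seven zero dwords, then the body."""
    header = [0x100, 0, 0x100, opcode] + [0] * 7
    return struct.pack("<11I", *header) + body


def packet_opcode(payload):
    """Opcode dword at offset 12, or None if the packet is too short to carry one."""
    if len(payload) < OPCODE_OFFSET + 4:
        return None
    return struct.unpack_from("<I", payload, OPCODE_OFFSET)[0]


def inspect_dc_packet(payload):
    """Classify one inbound dc.exe (port 12397) packet.

    Flags opcode 0x0A or 0x17 combined with a traversal run in the body and
    extracts the NUL-terminated path the traversal resolves to."""
    opcode = packet_opcode(payload)
    body = payload[HEADER_LEN:]
    m = TRAVERSAL_RE.search(body)
    finding = {"opcode": opcode, "traversal": m is not None, "depth": 0,
               "target": None, "alert": False}
    if m:
        finding["depth"] = m.group(0).count(b"..\\")
        tail = body[m.end():].split(b"\x00", 1)[0]
        finding["target"] = tail.decode("latin-1", "replace")
    finding["alert"] = finding["traversal"] and opcode in (OPC_EXE, OPC_CMD)
    return finding


class IgssChainDetector:
    """Correlate the two-stage chain from the Data Server/Collector module:
    Write packets (0x0D) to 12401 followed by an EXE packet (0x0A) to 12397
    from the same source.  Single-packet traversal hits are raised as well."""

    def __init__(self):
        self.writes = defaultdict(int)   # src_ip -> number of 0x0D writes seen

    def observe(self, src_ip, dst_port, payload):
        """Feed one packet; returns a list of alert strings (empty if none fired)."""
        alerts = []
        opcode = packet_opcode(payload)
        if dst_port == DATASERVER_PORT:
            if opcode == OPC_WRITE:
                self.writes[src_ip] += 1   # staging alone is not conclusive
            return alerts
        if dst_port != DC_PORT:
            return alerts
        f = inspect_dc_packet(payload)
        if f["alert"]:
            alerts.append("%s: opcode 0x%02x with %d x '..\\' resolving to %s"
                          % (src_ip, f["opcode"], f["depth"], f["target"]))
        elif opcode == OPC_EXE and self.writes[src_ip]:
            alerts.append("%s: EXE opcode 0x0a after %d Write packet(s) on %d"
                          % (src_ip, self.writes[src_ip], DATASERVER_PORT))
        return alerts


if __name__ == "__main__":
    det = IgssChainDetector()
    # Constructed: Metasploit-style 0x17 packet with a 12-level traversal to cmd.exe.
    cmd = build_packet(OPC_CMD, b"..\\" * 12 + b"windows\\system32\\cmd.exe\x00/c calc")
    print(det.observe("192.0.2.10", DC_PORT, cmd))
    # Constructed: staged write on 12401, then an EXE packet on 12397 with no traversal.
    det.observe("192.0.2.10", DATASERVER_PORT, build_packet(OPC_WRITE, b"MZ\x90\x00"))
    print(det.observe("192.0.2.10", DC_PORT, build_packet(OPC_EXE, b"c:\\tmp\\stage.exe\x00")))
```

The single-packet rule catches the igss_8 traversal regardless of depth, while the per-source Write counter catches the EXE-after-stage chain even when the EXE packet names a benign-looking absolute path. Because a 0x0D write on its own is normal operator traffic, it is recorded but never alerted by itself.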
No writeups or analysis indexed.
References:
http://aluigi.org/adv/igss_8-adv.txt
http://secunia.com/advisories/43849
http://www.exploit-db.com/exploits/17024
http://www.securityfocus.com/bid/46936
http://www.us-cert.gov/control_systems/pdf/ICS-ALERT-11-080-03.pdf
http://www.vupen.com/english/advisories/2011/0741