This Metasploit module attempts to brute-force a valid session token for the Syncovery File Sync and Backup Software Web-GUI by generating all possible tokens, for every second between DateTime.now and the given X day(s). By default today and yesterday (DAYS = 1) will be checked. If a valid session token is found, the module stops. The vulnerability exists, because in Syncovery session tokens are basically just base64(m/d/Y H:M:S) at the time of the login instead of a random token. If a user does not log out (Syncovery v8.x has no logout) session tokens will remain valid until reboot.
35774315caca7f89f98bfc845f009123bd6450981504bf93e08596306cfc0432