From 5f9432ed6ab6171fcdf4524ec2d4185ad2386a08 Mon Sep 17 00:00:00 2001 From: Shelby Pace Date: Thu, 23 Aug 2018 16:12:13 -0500 Subject: [PATCH] added rca to cloudme doc --- .../modules/exploit/windows/misc/cloudme_sync.md | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/documentation/modules/exploit/windows/misc/cloudme_sync.md b/documentation/modules/exploit/windows/misc/cloudme_sync.md index dad36f3df3..75fcf7c861 100644 --- a/documentation/modules/exploit/windows/misc/cloudme_sync.md +++ b/documentation/modules/exploit/windows/misc/cloudme_sync.md @@ -1,5 +1,17 @@ ## Description -This module exploits a buffer overflow vulnerability in [CloudMe Sync v1.10.9](https://www.cloudme.com/downloads/CloudMe_1109.exe). + +This module exploits a buffer overflow vulnerability found in [CloudMe Sync v1.10.9](https://www.cloudme.com/downloads/CloudMe_1109.exe). + +## Vulnerable Application + +`CloudMe.00564B00` sets up a buffer that is intended to take up 1048 bytes on the stack to read in data from port 8888. The CloudMe function then passes a pointer to the stack buffer and a max size to `Qt5Core._ZN9QIODevice4readEPcx`. + +![alt text](https://user-images.githubusercontent.com/40177151/44545528-f21f0280-a6da-11e8-898b-edd0a17e0d10.png "CloudMe.00564B00") + +The call to `Qt5Core._ZN9QIODevice4readEPcx` shows the pointer and the max size arguments passed in by `CloudMe.00564B00`. +![alt text](https://user-images.githubusercontent.com/40177151/44545559-09f68680-a6db-11e8-8a0b-36466dafd21e.png "Qt Read Args") + +Because neither functions check the max size against the actual amount of space allocated on the stack, the program writes past the buffer's allocated space and allows for arbitrary code execution. ## Verification Steps 1. Install CloudMe for Desktop version `v1.10.9`
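Review bot: In the new "Vulnerable Application" section, the root cause depends on a comparison the text never makes: it gives the buffer size (1048 bytes) but not the max size value that `CloudMe.00564B00` passes to `Qt5Core._ZN9QIODevice4readEPcx`, so the reader has to take that number from the two screenshots. Please state the max size in the prose next to the 1048-byte figure, so the overflow condition is readable without the images, which are hosted externally and may not always load. In the same section, both images use the placeholder `![alt text]`; a descriptive alt text such as the title already given ("CloudMe.00564B00", "Qt Read Args") would serve better. The second image also lacks the blank line before it that the first one has. In the last added paragraph, "Because neither functions check" should read "Because neither function checks".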