Posts

Showing posts from April, 2018

03 - VXSearch Enterprise 10.2.14 BoF SEH

Image
Well, I haven't figured out the others yet. Maybe I'm a slow learner, not sure, but I'm fairly determined.

EDIT:  Totally figured out the others, I'll edit them soon... ish.

0x00 VX Search Enterprise 10.2.14 Buffer OverflowExploit-DB Link

So this is kinda funny-- I started looking on Exploit DB for other exploits for apps that I might find a bit... easier, and stumbled across a buffer overflow in this app, via a web port.  Originally, I was pretty adamant about only attempting exploits against unknown protocols, or at least proprietary / non-RFC'd (is that a thing?) protocols.  While I'm still really, really interested in how to go about accomplishing that from start to finish, even just one, I decided that getting better acquainted with the process was critical.  The kicker is, this is basically the same app as Disk Savvy, it's actually made by the same company.
Ha.  I wasn't even aware until I installed it.  Anyway, This one does seem a lot simpler…

02x02 - How to maybe not be as bad at fuzzing unknown binary protocols as you were before reading this, part two

Image
Disclaimer:  I wrote this post a while ago, and definitely before I had enough knowledge to really share accurately.  Feel free to read on, but there's probably a lot of bad info in this.

I'm still bad at fuzzing, but I've learned a lot.

0x01 - Replicating the Crash
Alright, so at this point I need to restart using Windows 7, instead of 10.  Or at least, I thought as much.  I was expecting that in Windows 7 the available buffer space would be larger, as looking that the publicly available exploits, they clearly send a lot more data than I can seem to fit in a buffer on Windows 10.  Here's the kicker though-- after getting my Win 7 VM ready to rock, I send a malformed packet meant to crash the app with a larger buffer (500h bytes), seen below:

Looks... familiar.  Crap.  There goes that idea.  I'm starting to think that perhaps the crash I am causing is indeed, not the crash that the known exploits take advantage of.  It's possible it is, but at this point, I dou…