Microsoft Excel Malformed FEATHEADER Record Vulnerability

This module exploits a vulnerability in the handling of the FEATHEADER record by Microsoft Excel. Revisions of Office XP and later prior to the release of the MS09-067 bulletin are vulnerable. When processing a FEATHEADER (Shared Feature) record, Microsoft used a data structure from the file to calculate a pointer offset without doing proper validation. Attacker supplied data is then used to calculate the location of an object, and in turn a virtual function call. This results in arbitrary code exection. NOTE: On some versions of Office, the user will need to dismiss a warning dialog prior to the payload executing.

Search Other Modules

Exploit Rank

• Good

Exploit Authors

• Sean Larsson < >
• jduck < jduck [at] metasploit.com >

Vulnerability References

• CVE-2009-3129
• OSVDB-59860
• MSB-MS09-067
• BID-36945
• http://www.zerodayinitiative.com/advisories/ZDI-09-083/
• http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=832

Exploit Targets

• 0 - Microsoft Office 2002 (XP) SP3 base English on Windows XP SP3 English
• 1 - Microsoft Office 2002 (XP) SP3 w/kb969680 English on Windows XP SP3 English
• 2 - Microsoft Office 2003 SP0 English on Windows XP SP3 English
• 3 - Microsoft Office 2007 SP2 English on Windows XP SP3 English
• 4 - Crash Target for Debugging

Exploit Development

• Source Code
• History

Similar Exploit Modules

• exploit/windows/fileformat/a-pdf_wav_to_mp3
• exploit/windows/fileformat/acdsee_fotoslate_string
• exploit/windows/fileformat/acdsee_xpm
• exploit/windows/fileformat/activepdf_webgrabber
• exploit/windows/fileformat/adobe_collectemailinfo
• exploit/windows/fileformat/adobe_cooltype_sing
• exploit/windows/fileformat/adobe_flashplayer_button
• exploit/windows/fileformat/adobe_flashplayer_newfunction
• exploit/windows/fileformat/adobe_flatedecode_predictor02
• exploit/windows/fileformat/adobe_geticon

Exploit Usage Information

Exploit Module Options