module
MS12-027 MSCOMCTL ActiveX Buffer Overflow
| Disclosed | Created |
|---|---|
| 2012-04-10 | 2018-05-30 |
Disclosed
2012-04-10
Created
2018-05-30
Description
This module exploits a stack buffer overflow in MSCOMCTL.OCX. It uses a malicious
RTF to embed the specially crafted MSComctlLib.ListViewCtrl.2 Control as exploited
in the wild on April 2012.
This module targets Office 2007 and Office 2010 targets. The DEP/ASLR bypass on Office
2010 is done with the Ikazuchi ROP chain proposed by Abysssec. This chain uses
"msgr3en.dll", which will load after office got load, so the malicious file must
be loaded through "File / Open" to achieve exploitation.
RTF to embed the specially crafted MSComctlLib.ListViewCtrl.2 Control as exploited
in the wild on April 2012.
This module targets Office 2007 and Office 2010 targets. The DEP/ASLR bypass on Office
2010 is done with the Ikazuchi ROP chain proposed by Abysssec. This chain uses
"msgr3en.dll", which will load after office got load, so the malicious file must
be loaded through "File / Open" to achieve exploitation.
Authors
Unknown
juan vazquez juan.vazquez@metasploit.com
sinn3r sinn3r@metasploit.com
juan vazquez juan.vazquez@metasploit.com
sinn3r sinn3r@metasploit.com
Platform
Windows
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.