MS13-096 Microsoft Tagged Image File Format (TIFF) Integer Overflow
This module exploits a vulnerability found in Microsoft's Tagged Image File Format. It was originally discovered in the wild, targeting Windows XP and Windows Server 2003 users running Microsoft Office, specifically in the Middle East and South Asia region. The flaw is due to a DWORD value extracted from the TIFF file that is embedded as a drawing in Microsoft Office, and how it gets calculated with user-controlled inputs, and stored in the EAX register. The 32-bit register will run out of storage space to represent the large vlaue, which ends up being 0, but it still gets pushed as a dwBytes argumenet (size) for a HeapAlloc call. The HeapAlloc function will allocate a chunk anyway with size 0, and the address of this chunk is used as the destination buffer of a memcpy function, where the source buffer is the EXIF data (an extended image format supported by TIFF), and is also user-controlled. A function pointer in the chunk returned by HeapAlloc will end up being overwritten by the memcpy function, and then later used in OGL!GdipCreatePath. By successfully controlling this function pointer, and the memory layout using ActiveX, it is possible to gain arbitrary code execution under the context of the user.
- sinn3r <sinn3r [at] metasploit.com>
- Windows XP SP3 with Office Standard 2010
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':
msf > use exploit/windows/fileformat/mswin_tiff_overflow msf exploit(mswin_tiff_overflow) > show targets ...targets... msf exploit(mswin_tiff_overflow) > set TARGET <target-id> msf exploit(mswin_tiff_overflow) > show options ...show and set options... msf exploit(mswin_tiff_overflow) > exploit