Rapid7 Vulnerability & Exploit Database

VisiWave VWR File Parsing Vulnerability

Back to Search

VisiWave VWR File Parsing Vulnerability



This module exploits a vulnerability found in VisiWave's Site Survey Report application. When processing .VWR files, VisiWaveReport.exe attempts to match a valid pointer based on the 'Type' property (valid ones include 'Properties', 'TitlePage', 'Details', 'Graph', 'Table', 'Text', 'Image'), but if a match isn't found, the function that's supposed to handle this routine ends up returning the input as a pointer, and later used in a CALL DWORD PTR [EDX+10] instruction. This allows attackers to overwrite it with any arbitrary value, and results code execution. A patch is available at visiwave.com; the fix is done by XORing the return value as null if no match is found, and then it is validated before use. NOTE: During installation, the application will register two file handles, VWS and VWR, which allows a victim user to 'double click' the malicious VWR file and execute code. This module was also built to bypass ASLR and DEP.


  • mr_me <steventhomasseeley@gmail.com>
  • TecR0c <roccogiovannicalvi@gmail.com>




Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use exploit/windows/fileformat/visiwave_vwr_type
msf exploit(visiwave_vwr_type) > show targets
msf exploit(visiwave_vwr_type) > set TARGET < target-id >
msf exploit(visiwave_vwr_type) > show options
    ...show and set options...
msf exploit(visiwave_vwr_type) > exploit

Time is precious, so I don’t want to do something manually that I can automate. Leveraging the Metasploit Framework when automating any task keeps us from having to re-create the wheel as we can use the existing libraries and focus our efforts where it matters.

– Jim O’Gorman | President, Offensive Security