Rapid7 Vulnerability & Exploit Database

VisiWave VWR File Parsing Vulnerability

Disclosed
05/20/2011
Created
05/30/2018

Description

This module exploits a vulnerability found in VisiWave's Site Survey Report application. When processing .VWR files, VisiWaveReport.exe attempts to match a valid pointer based on the 'Type' property (valid ones include 'Properties', 'TitlePage', 'Details', 'Graph', 'Table', 'Text', 'Image'), but if a match isn't found, the function that's supposed to handle this routine ends up returning the input as a pointer, which is later used in a CALL DWORD PTR [EDX+10] instruction. This allows attackers to overwrite it with an arbitrary value, resulting in code execution. A patch is available at visiwave.com; the fix XORs the return value to null (zero) if no match is found, and the value is then validated before use. NOTE: During installation, the application registers two file type handlers, VWS and VWR, which allows a victim user to 'double click' the malicious VWR file and execute code. This module was also built to bypass ASLR and DEP.
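The defect and its fix, as an added C sketch that is not the module's or VisiWave's code: only the seven Type names and the call through +0x10 come from the description; the struct layout, the handler table and every function name are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical section object. The real VisiWaveReport.exe layout is not on
 * the page; the leading 16 bytes only put the function pointer at +0x10,
 * matching the CALL DWORD PTR [EDX+10] the description mentions. */
typedef struct report_section {
    uint32_t reserved[4];
    int (*render)(struct report_section *self);
} report_section_t;

static int render_ok(report_section_t *self) { (void)self; return 1; }

/* The valid 'Type' values listed in the description. */
static const char *const kValidTypes[] = {
    "Properties", "TitlePage", "Details", "Graph", "Table", "Text", "Image"
};
#define SEC { {0, 0, 0, 0}, render_ok }
static report_section_t g_sections[7] = { SEC, SEC, SEC, SEC, SEC, SEC, SEC };

/* Models the unpatched behaviour: on a miss the caller's input bytes are
 * handed back as if they were a section object. */
report_section_t *lookup_type_unpatched(const char *type_from_file)
{
    for (size_t i = 0; i < 7; i++)
        if (strcmp(type_from_file, kValidTypes[i]) == 0)
            return &g_sections[i];
    return (report_section_t *)type_from_file;  /* BUG: file-controlled data */
}

/* Patched lookup: a miss yields NULL (the zeroed return value the page describes). */
report_section_t *lookup_type_patched(const char *type_from_file)
{
    for (size_t i = 0; i < 7; i++)
        if (strcmp(type_from_file, kValidTypes[i]) == 0)
            return &g_sections[i];
    return NULL;
}

/* Caller side of the fix: validate before the indirect call.
 * Returns 1 when the section rendered, 0 when the Type was rejected. */
int render_section(const char *type_from_file)
{
    report_section_t *sec = lookup_type_patched(type_from_file);
    if (sec == NULL || sec->render == NULL)
        return 0;                 /* reject instead of calling [EDX+0x10] */
    return sec->render(sec);
}
```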

Author(s)

  • mr_me <steventhomasseeley@gmail.com>
  • TecR0c <roccogiovannicalvi@gmail.com>

Platform

Windows

Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use exploit/windows/fileformat/visiwave_vwr_type
msf exploit(visiwave_vwr_type) > show targets
    ...targets...
msf exploit(visiwave_vwr_type) > set TARGET < target-id >
msf exploit(visiwave_vwr_type) > show options
    ...show and set options...
msf exploit(visiwave_vwr_type) > exploit