Full title: Microsoft Office Word 2003+2007+2010 Universal 0day Exploit
Category: local exploits
Platform: windows

This module targets Office 2003 [no-SP/SP1/SP2/SP3] + 2007 [no-SP/SP/SP2/SP3] + Office 2010 [no-SP/SP1] versions. This module exploits a stack buffer overflow in MSCOMCTL.OCX. It uses a malicious RTF to embed the specially crafted MSComctlLib.ListViewCtrl.2 Control as exploited in the wild in April 2012.

Exploitation on this one is easy. We created a VM with Windows 7 fully patched and then installed Microsoft Office 2007 (no SP). We rebooted the VM. We loaded up the MS Office Word 2003+2007+2010 mscomctl Universal Exploit exploit in Metasploit and set up a Meterpreter reverse TCP payload. We created the malicious msf.doc file by exploiting the module and then set up a multi-handler with a reverse TCP payload. We copied the malicious msf.doc file to the target machine using an SMB transfer. The stage was sent when we opened the msf.doc file and a Meterpreter session was opened with our user account.

We installed the SP3 patch for Office and rebooted the machine. We tested the exploit again and received a Meterpreter shell.

We rolled back the VM to a clean Windows install and then installed Office Professional 2010 with SP1. We repeated the above exploitation steps and were given another Meterpreter session.

# 0day.today @ http://0day.today/
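A triage check for the delivery format described above, as an added example that is not part of the original listing or of the Metasploit module: it decodes every \objdata group in an RTF file and reports the ones that name the MSComctlLib.ListViewCtrl.2 control. The function names and the sample input are constructed for illustration, and searching for the ProgID in both ASCII and UTF-16LE is an assumption about how it may be stored.

```python
import re

# ProgID named in the listing. Assumption: it may be stored as ASCII or as
# UTF-16LE inside the embedded object, so both encodings are searched.
PROGID = "MSComctlLib.ListViewCtrl.2"
NEEDLES = {
    "ascii": PROGID.encode("ascii").lower(),
    "utf-16-le": PROGID.encode("utf-16-le").lower(),
}
CONTROL_WORD = re.compile(rb"\\[A-Za-z]+-?\d* ?")


def extract_objdata(rtf: bytes) -> list:
    """Decode the hex payload of every \\objdata group in an RTF document."""
    blobs = []
    for m in re.finditer(rb"\\objdata", rtf):
        end = rtf.find(b"}", m.end())
        chunk = rtf[m.end(): end if end != -1 else len(rtf)]
        chunk = CONTROL_WORD.sub(b"", chunk)           # drop stray control words
        digits = re.sub(rb"[^0-9A-Fa-f]", b"", chunk)  # drop whitespace and line breaks
        digits = digits[: len(digits) & ~1]            # ignore a dangling nibble
        blobs.append(bytes.fromhex(digits.decode("ascii")))
    return blobs


def scan_rtf(data: bytes) -> list:
    """Return [(object_index, encoding), ...] for objects naming the ProgID."""
    # Decide by content, not extension: the file in the write-up is named .doc.
    if data.lstrip()[:4].lower() != b"{\\rt":
        return []
    hits = []
    for index, blob in enumerate(extract_objdata(data)):
        lowered = blob.lower()
        hits += [(index, enc) for enc, needle in NEEDLES.items() if needle in lowered]
    return hits


def build_sample(payload: bytes) -> bytes:
    """Constructed, inert test input: payload hex-wrapped in an \\objocx group."""
    digits = payload.hex().encode("ascii")
    wrapped = b"\r\n".join(digits[i:i + 31] for i in range(0, len(digits), 31))
    return b"{\\rtf1\\ansi{\\object\\objocx{\\*\\objdata " + wrapped + b"}}}"


if __name__ == "__main__":
    print(scan_rtf(build_sample(b"\x01\x05\x00\x00" + PROGID.encode() + b"\x00")))
```

A hit means only that the document embeds this control and should go to deeper analysis or be blocked at the mail gateway. The check does not decode \bin data or hex split across nested groups.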