Immunity, Inc.
Name wp_ms10_104
CVE CVE-2010-3964
Exploit Pack White_Phosphorus
Description: MS10-104 Microsoft Office SharePoint Server 2007 Crafted SOAP Request Remote Code Execution
Notes:
References:
http://www.microsoft.com/technet/security/bulletin/MS10-104.mspx
http://www.zerodayinitiative.com/advisories/ZDI-11-023/
CVE Name: CVE-2010-3964
VENDOR: Microsoft
Notes:
This module exploits a pre-auth remote code execution vulnerability in Microsoft Office SharePoint Server 2007.

The first stage requests the Document Conversions Launcher URL from the Document Conversions LoadBalancer. The second stage sends the payload.

The Auto Privesc target attempts SYSTEM privesc by writing a malicious MOF file to %systemroot%\system32\wbem\mof\ using the Wbem MOF technique found in the Stuxnet worm. When the MOF is executed it drops a MOSDEF PE Trojan in the Default User profile directory and runs it. If this option fails to return a node, retry the module and select the standard Windows Universal target.

The standard Windows Universal target writes the payload to the Document Conversions TransformApps directory. A third stage is required to execute it. This target returns a node with the lower privileges of the SharePoint Document Conversions guest account.

All .exe payloads must be removed manually.

Repeatability: Unlimited
MSADV: MS10-104
Date public: 2010-12-14
CVE Url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-3964
CVSS: 7.5

Learn more about the CANVAS Exploit Pack here: White_Phosphorus