#####################################################################################

Application: Microsoft Office XP Remote code Execution

Platforms: Windows Vista

Exploitation: Remote code execution

CVE Number:

Microsoft Bulletin:

{PRL}: 2011-07

Author: Francis Provencher (Protek Research Lab's)

WebSite: http://www.protekresearchlab.com/

Twitter: @ProtekResearch

#####################################################################################

1) Introduction

2) Report Timeline

3) Technical details

4) POC

#####################################################################################

===============
1) Introduction
===============

Microsoft Office is a proprietary commercial office suite of inter-related desktop
applications, servers and services for the Microsoft Windows and Mac OS X operating
systems, introduced by Microsoft in 1989. Initially a marketing term for a bundled
set of applications, the first version of Office contained Microsoft Word,
Microsoft Excel, and Microsoft PowerPoint. Over the years, Office applications have
grown substantially closer with shared features such as a common spell checker,
OLE data integration and the Microsoft Visual Basic for Applications scripting language.

http://en.wikipedia.org/wiki/Microsoft_Office

#####################################################################################

============================
2) Report Timeline
============================

2011-01-03 - Vulnerability reported to vendor
2011-06-14 - Uncoordinated public release of advisory

#####################################################################################

====================
3) Technical details
====================

This vulnerability allows remote attackers to execute arbitrary code on vulnerable
installations of Microsoft Office Word. User interaction is required to exploit this
vulnerability in that the target must visit a malicious page or open a malicious file.

The WinDbg output below shows Word faulting on a 4-byte read through edi, which holds
the value 0x41424344 rather than a valid pointer:

0:000> g
(c18.bf4): Access violation - code c0000005 (!!! second chance !!!)
eax=41424344 ebx=00000011 ecx=00000010 edx=00000001 esi=00000000 edi=41424344
eip=308eb16d esp=00125450 ebp=00125474 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
winword!wdGetApplicationObject+0x150fac:
308eb16d 8b07 mov eax,dword ptr [edi] ds:0023:41424344=????????

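As an added defender-side example (not part of the advisory and not Protek Research Lab's code), the following Python script performs first-pass crash triage on a WinDbg dump like the one above: it extracts the exception code and register values, finds the memory operand of the faulting instruction, decides whether the access was a read or a write, and flags the dereferenced register when its value consists entirely of printable ASCII bytes, which is typical of document content such as the 0x41424344 marker rather than a real pointer. The dump from this advisory is embedded as the first sample; the second sample is constructed, including its invented `winword!example` symbol, so that the write-fault branch is exercised too. The verdict labels are this example's own simplified scheme, not the output of any Microsoft tool.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Sample 1: the WinDbg output quoted in this advisory (PRL-2011-07).
ADVISORY_CRASH = """\
0:000> g
(c18.bf4): Access violation - code c0000005 (!!! second chance !!!)
eax=41424344 ebx=00000011 ecx=00000010 edx=00000001 esi=00000000 edi=41424344
eip=308eb16d esp=00125450 ebp=00125474 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
winword!wdGetApplicationObject+0x150fac:
308eb16d 8b07 mov eax,dword ptr [edi] ds:0023:41424344=????????
"""

# Sample 2: constructed (not from the advisory; the symbol name is invented)
# so that the write-fault branch of the classifier is exercised as well.
CONSTRUCTED_WRITE_CRASH = """\
(1a2.3b4): Access violation - code c0000005 (!!! second chance !!!)
eax=00000001 ebx=00000000 ecx=42424242 edx=00000000 esi=00000000 edi=00000000
eip=30801000 esp=00125450 ebp=00125474 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
winword!example+0x1000:
30801000 8901 mov dword ptr [ecx],eax ds:0023:42424242=????????
"""

REG_RE = re.compile(r"\b(e[abcd]x|e[sd]i|e[bs]p|eip)=([0-9a-f]{8})")
REGNAME_RE = re.compile(r"\b(e[abcd]x|e[sd]i|e[bs]p)\b")
# "<address> <opcode bytes> <mnemonic> <operands> [ds:<seg>:<addr>=<value>]"
INSN_RE = re.compile(r"^[0-9a-f]{8} [0-9a-f]+ (\w+) (.*?)(?: ds:[0-9a-f]{4}:([0-9a-f]{8})=\S+)?$")
MEM_RE = re.compile(r"\[([^\]]+)\]")
WRITE_SINGLE = {"inc", "dec", "neg", "not", "pop"}  # one-operand forms that store
READ_ONLY = {"cmp", "test"}                          # two-operand forms that only load


@dataclass
class Triage:
    code: Optional[str]
    registers: Dict[str, int]
    mnemonic: Optional[str]
    operands: Optional[str]
    fault_address: Optional[int]
    deref_register: Optional[str]
    access: Optional[str]  # "read", "write" or None
    controlled: bool
    verdict: str


def looks_attacker_controlled(value: int) -> bool:
    """Heuristic: a 32-bit value whose four bytes are all printable ASCII is far
    more likely to be document content (e.g. the 0x41424344 marker) than a
    legitimate pointer into a module, the heap or the stack."""
    return all(0x20 <= b <= 0x7e for b in value.to_bytes(4, "little"))


def classify(fault: Optional[int], deref: Optional[str],
             access: Optional[str], controlled: bool) -> str:
    """Verdict labels are this example's own simplified triage scheme."""
    if deref is None:
        return "needs-analysis: faulting instruction has no register-based memory operand"
    if fault is not None and fault < 0x10000:
        return "low: null or near-null dereference"
    if controlled and access == "write":
        return "high: write through an attacker-influenced pointer"
    if controlled:
        return ("medium: read through an attacker-influenced pointer; check whether "
                "the loaded value is later used as a pointer or call target")
    return "unknown: fault through a pointer of undetermined provenance"


def triage(dump: str) -> Triage:
    code, registers, mnemonic, operands, fault = None, {}, None, None, None
    for raw in dump.splitlines():
        line = raw.strip()
        m = re.search(r"Access violation - code ([0-9a-f]{8})", line)
        if m:
            code = m.group(1)
        for name, value in REG_RE.findall(line):
            registers[name] = int(value, 16)
        m = INSN_RE.match(line)
        if m:  # last disassembled line in the dump is the faulting instruction
            mnemonic, operands = m.group(1), m.group(2)
            fault = int(m.group(3), 16) if m.group(3) else None

    deref, access, controlled = None, None, False
    if operands and (mem := MEM_RE.search(operands)):
        parts = [p.strip() for p in operands.split(",", 1)]
        if len(parts) == 1:
            access = "write" if mnemonic in WRITE_SINGLE else "read"
        else:  # memory operand as destination means a store, except for cmp/test
            access = "write" if "[" in parts[0] and mnemonic not in READ_ONLY else "read"
        names = REGNAME_RE.findall(mem.group(1))
        # Prefer a register whose value looks like file content; otherwise
        # report the first register in the address expression.
        for name in names:
            if name in registers and looks_attacker_controlled(registers[name]):
                deref, controlled = name, True
                break
        if deref is None and names:
            deref = names[0]
    return Triage(code, registers, mnemonic, operands, fault, deref, access,
                  controlled, classify(fault, deref, access, controlled))


if __name__ == "__main__":
    for sample in (ADVISORY_CRASH, CONSTRUCTED_WRITE_CRASH):
        t = triage(sample)
        print(f"{t.mnemonic} {t.operands}: {t.access} via {t.deref_register} -> {t.verdict}")
```

Run as a script it prints one verdict line per sample; the advisory's dump is classified as a read through an attacker-influenced edi, which is why a first-pass triage cannot on its own confirm the "remote code execution" impact claimed above and the next step for an analyst is to follow where the loaded eax value is used.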
#####################################################################################

===========
4) POC
===========

https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/17399.doc (PRL-2011-07.doc)

http://www.protekresearchlab.com/exploits/PRL-2011-07.doc